From owner-p4-projects@FreeBSD.ORG Fri Oct 24 14:38:21 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D055016A4C0; Fri, 24 Oct 2003 14:38:21 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A681316A4B3 for ; Fri, 24 Oct 2003 14:38:21 -0700 (PDT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id F1A8843FB1 for ; Fri, 24 Oct 2003 14:38:20 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id h9OLcKXJ025679 for ; Fri, 24 Oct 2003 14:38:20 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.9/8.12.9/Submit) id h9OLcKIp025676 for perforce@freebsd.org; Fri, 24 Oct 2003 14:38:20 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Fri, 24 Oct 2003 14:38:20 -0700 (PDT) Message-Id: <200310242138.h9OLcKIp025676@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson To: Perforce Change Reviews Subject: PERFORCE change 40437 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Oct 2003 21:38:22 -0000 http://perforce.freebsd.org/chv.cgi?CH=40437 Change 40437 by rwatson@rwatson_tislabs on 2003/10/24 14:37:54 Flesh out the mount-related pieces in mac_vfs.c with local modifications from kern_mac.c in the SEBSD branch: - Add mac_init_mount_label(), mac_destroy_mount_label(), mac_copy_mount_label(), mac_externalize_mount_label(), mac_internalize_mount_label(). - Add mac_check_mount(), mac_check_umount(), mac_check_remount(). - Add optional mount label argument to mac_create_mount(). - Add credential to mac_create_devfs_device() for use with cloning. Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#2 edit .. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#2 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#2 (text+ko) ==== @@ -109,6 +109,9 @@ int mac_internalize_cred_label(struct label *label, char *string); void mac_relabel_cred(struct ucred *cred, struct label *newlabel); +int mac_externalize_mount_label(struct label *label, char *elements, + char *outbuf, size_t outbuflen, int flags); +int mac_internalize_mount_label(struct label *label, char *string); void mac_copy_pipe_label(struct label *src, struct label *dest); void mac_destroy_pipe_label(struct label *label); ==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#2 (text+ko) ==== @@ -110,12 +110,19 @@ } void +mac_init_mount_label(struct label *label) +{ + + mac_init_label(label); + MAC_PERFORM(init_mount_label, label); +} + +void mac_init_mount(struct mount *mp) { - mac_init_label(&mp->mnt_mntlabel); + mac_init_mount_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); MAC_DEBUG_COUNTER_INC(&nmacmounts); } @@ -146,13 +153,20 @@ } void +mac_destroy_mount_label(struct label *label) +{ + + MAC_PERFORM(destroy_mount_label, label); + mac_destroy_label(label); +} + +void mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); + mac_destroy_mount_label(&mp->mnt_mntlabel); MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); - mac_destroy_label(&mp->mnt_mntlabel); MAC_DEBUG_COUNTER_DEC(&nmacmounts); } @@ -173,6 +187,13 @@ } void +mac_copy_mount_label(struct label *src, struct label *dest) +{ + + MAC_PERFORM(copy_mount_label, src, dest); +} + +void mac_copy_vnode_label(struct label *src, struct label *dest) { @@ -180,6 +201,17 @@ } int +mac_externalize_mount_label(struct label *label, char *elements, + char *outbuf, size_t outbuflen, int flags) +{ + int error; + + MAC_EXTERNALIZE(mount_label, label, elements, outbuf, outbuflen); + + return (error); +} + +int mac_externalize_vnode_label(struct label *label, char *elements, char *outbuf, size_t outbuflen, int flags) { @@ -191,6 +223,16 @@ } int +mac_internalize_mount_label(struct label *label, char *string) +{ + int error; + + MAC_INTERNALIZE(mount_label, label, string); + + return (error); +} + +int mac_internalize_vnode_label(struct label *label, char *string) { int error; @@ -342,6 +384,47 @@ } int +mac_check_mount(struct ucred *cred, struct vnode *vp, const char *vfc_name, + struct label *mntlabel) +{ + int error; + + if (!mac_enforce_fs) + return (0); + + MAC_CHECK(check_mount, cred, vp, &vp->v_label, vfc_name, mntlabel); + + return (error); +} + +int +mac_check_umount(struct ucred *cred, struct mount *mp) +{ int error; + + if (!mac_enforce_fs) + return (0); + + MAC_CHECK(check_umount, cred, mp, &mp->mnt_mntlabel); + + return (error); +} + +int +mac_check_remount(struct ucred *cred, struct mount *mp, + struct label *mount_arg_label) +{ + int error; + + if (!mac_enforce_fs) + return (0); + + MAC_CHECK(check_remount, cred, mp, &mp->mnt_mntlabel, + mount_arg_label); + + return (error); +} + +int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode) { int error; @@ -853,11 +936,12 @@ } void -mac_create_mount(struct ucred *cred, struct mount *mp) +mac_create_mount(struct ucred *cred, struct mount *mp, + struct label *mount_arg_label) { MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, - &mp->mnt_fslabel); + &mp->mnt_fslabel, mount_arg_label); } void @@ -882,11 +966,11 @@ } void -mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de, - const char *fullpath) +mac_create_devfs_device(struct ucred *cred, struct mount *mp, dev_t dev, + struct devfs_dirent *de, const char *fullpath) { - MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label, + MAC_PERFORM(create_devfs_device, cred, mp, dev, de, &de->de_label, fullpath); }