Date: Tue, 25 Nov 2003 12:13:40 -0800 (PST) From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 43042 for review Message-ID: <200311252013.hAPKDeoD025178@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=43042
Change 43042 by areisse@areisse_ibook on 2003/11/25 12:13:24
Alternate implementation of mac checks in hfs_readdirattr. Here, the file is displayed with the "do not enter" when mac denies access (the same behavior as dac denials).
Affected files ...
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/hfs/hfs_attrlist.c#3 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/hfs/hfs_attrlist.c#3 (text+ko) ====
@@ -779,6 +779,7 @@
 /*
  * Get in memory cnode data (if any).
  */
+ int mperm = 0;
 #ifdef MAC
 /*
  * XXXMAC: Try forcing the vnode into memory so that
@@ -790,16 +791,8 @@
 printf("hfs_readdirattr(): warning got %d\n", error);
 cp = hfs_chashget(dcp->c_dev, cattrp->ca_fileid, 0, &vp, &rvp);
 } else {
- error = mac_check_vnode_stat(current_proc()->p_ucred, ap->a_cred, vp);
- if (error) {
-#if 0
- vput(vp);
-#endif
- printf("hfs_readdirattr(): FYI, failed with %d\n", error);
-#if 0
- continue;
-#endif
- }
+ mperm = mac_check_vnode_stat(current_proc()->p_ucred, ap->a_cred, vp);
+
 cp = vp->v_data;
 rvp = NULL;
 }
@@ -824,6 +817,16 @@
 }
 }
 }
+ struct cat_attr cattrtmp;
+ if (mperm)
+ {
+ bzero (&cattrtmp, sizeof (struct cat_attr));
+ cattrtmp.ca_fileid = cattrp->ca_fileid;
+ cattrtmp.ca_mode = cattrp->ca_mode & ~07777;
+ cattrtmp.ca_nlink = 1;
+ cattrp = &cattrtmp;
+ }
+
 *((u_long *)attrptr)++ = 0; /* move it past length */
 attrblk.ab_attrlist = alist;
 attrblk.ab_attrbufpp = &attrptr;
@@ -1048,6 +1051,19 @@
 *abp->ab_varbufpp = varbufptr;
 }
 
+#ifdef MAC
+static int access_all (struct vnode *vp, struct proc *p)
+{
+ int r = VOP_ACCESS (vp, VREAD, p->p_ucred, p) || mac_check_vnode_access (p->p_ucred, vp, VREAD) ? 0 : R_OK;
+ if (!VOP_ACCESS (vp, VWRITE, p->p_ucred, p) && !mac_check_vnode_access (p->p_ucred, vp, VWRITE))
+ r |= W_OK;
+ if (!VOP_ACCESS (vp, VEXEC, p->p_ucred, p) && !mac_check_vnode_access (p->p_ucred, vp, VEXEC))
+ r |= X_OK;
+
+ return r;
+}
+#endif
+
 /*
  * Pack common volume attributes.
  */
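Review bot: mperm is assigned only on the else branch of the @@ -790 hunk, so on the branch just above it — where the warning printf runs and the cnode comes from hfs_chashget — it keeps the 0 from its initialiser and the entry is packed with its full attributes and no MAC stat check at all. If that branch is the path taken when the vnode could not be brought into memory (its condition is above the hunk, so this is inferred), a MAC denial is bypassed exactly when the check could not be run, which is fail-open; the conservative choice is to treat an unchecked entry as denied, e.g. `mperm = 1;` next to the hfs_chashget call, or to record in a comment why that path may skip the check. The loop body of hfs_readdirattr containing this hunk starts and ends outside it.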
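Review bot: In the @@ -824 hunk, `cattrtmp.ca_mode = cattrp->ca_mode & ~07777;` expresses "keep only the file-type bits" through an octal mask the reader has to decode; `cattrtmp.ca_mode = cattrp->ca_mode & S_IFMT;` says the same thing directly (equivalent if ca_mode carries nothing above the type and permission bits — worth a quick confirm against the cat_attr definition). The declaration `struct cat_attr cattrtmp;` also appears after statements in the block, as does `int mperm = 0;` in the @@ -779 hunk; hoisting both to the top of the loop body would keep the declaration style uniform. A comment such as `/* MAC denied stat: show the entry as type-only with no permissions, like a DAC denial */` above the `if (mperm)` would record why the real attributes are withheld. The enclosing loop body starts and ends outside the hunk.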
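Review bot: The first line of access_all in the @@ -1048 hunk folds a `||` into a conditional expression (`A || B ? 0 : R_OK` parses as `(A || B) ? 0 : R_OK`), which is correct but reads differently from the two `if (!A && !B) r |= …;` lines that follow it. Writing it in the same shape — `int r = 0;` followed by `if (!VOP_ACCESS (vp, VREAD, p->p_ucred, p) && !mac_check_vnode_access (p->p_ucred, vp, VREAD))` and `r |= R_OK;` — makes the three checks uniform and makes the intent obvious: a bit is granted only when both the DAC and the MAC check allow it. The function also lacks a header comment; since it stands in for DerivePermissionSummary, something like `/* Access summary for vp as seen by p: R_OK/W_OK/X_OK bits granted by both VOP_ACCESS and the MAC access check. */` would help the next reader.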
@@ -1174,8 +1190,11 @@
 }
 if (ATTR_CMN_USERACCESS & attr) {
 *((u_long *)attrbufptr)++ =
- DerivePermissionSummary(cp->c_uid, cp->c_gid, cp->c_mode,
- VTOVFS(vp), current_proc()->p_ucred, current_proc());
+#ifdef MAC
+ vp ? access_all (vp, current_proc()) :
+#endif
+ DerivePermissionSummary(cp->c_uid, cp->c_gid, cp->c_mode,
+ VTOVFS(vp), current_proc()->p_ucred, current_proc());
 }
 
 *abp->ab_attrbufpp = attrbufptr;
@@ -1474,9 +1493,12 @@
 }
 if (ATTR_CMN_USERACCESS & attr) {
 *((u_long *)attrbufptr)++ =
- DerivePermissionSummary(cap->ca_uid, cap->ca_gid,
- cap->ca_mode, mp, current_proc()->p_ucred,
- current_proc());
+#ifdef MAC
+ vp ? access_all (vp, current_proc()) :
+#endif
+ DerivePermissionSummary(cap->ca_uid, cap->ca_gid,
+ cap->ca_mode, mp, current_proc()->p_ucred,
+ current_proc());
 }
 
 *abp->ab_attrbufpp = attrbufptr;
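Review bot: The `vp ? access_all (vp, current_proc()) :` arm in the @@ -1174 hunk guards against a NULL vp, but its fallback arm still evaluates `VTOVFS(vp)`, so a NULL vp would fault there anyway — either vp is never NULL in this function and the guard is redundant, or the fallback needs the mount pointer the way the @@ -1474 hunk uses `mp`. In both hunks the assignment is also split by `#ifdef MAC`/`#endif` in the middle of one expression, so each build configuration sees a different half of the same statement and an edit to either arm can break the other build; computing the value into a local, with the MAC override as a complete `if` of its own, keeps both configurations syntactically whole at the cost of one extra DerivePermissionSummary call in MAC builds. Separately, for an entry that hfs_readdirattr replaced with the scrubbed `cattrtmp` after a MAC denial, vp is still the real vnode here, so access_all may report R_OK/W_OK/X_OK for an entry whose displayed mode grants nothing — worth confirming that is the intended rendering. Both enclosing pack functions start and end outside their hunks.
```c
	if (ATTR_CMN_USERACCESS & attr) {
		u_long useraccess = DerivePermissionSummary(cp->c_uid, cp->c_gid, cp->c_mode,
		    VTOVFS(vp), current_proc()->p_ucred, current_proc());
#ifdef MAC
		if (vp)
			useraccess = access_all(vp, current_proc());
#endif
		*((u_long *)attrbufptr)++ = useraccess;
	}
	/* … unchanged: *abp->ab_attrbufpp = attrbufptr; … */
```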