From owner-p4-projects Tue Oct 8 4:59:41 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 2F04337B404; Tue, 8 Oct 2002 04:59:36 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F5D537B401 for ; Tue, 8 Oct 2002 04:59:35 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4CE2643E42 for ; Tue, 8 Oct 2002 04:59:35 -0700 (PDT) (envelope-from cvance@tislabs.com) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g98BxZCo052948 for ; Tue, 8 Oct 2002 04:59:35 -0700 (PDT) (envelope-from cvance@tislabs.com) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g98BxYOM052945 for perforce@freebsd.org; Tue, 8 Oct 2002 04:59:34 -0700 (PDT) Date: Tue, 8 Oct 2002 04:59:34 -0700 (PDT) Message-Id: <200210081159.g98BxYOM052945@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to cvance@tislabs.com using -f From: Chris Vance Subject: PERFORCE change 18927 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18927 Change 18927 by cvance@cvance_laptop on 2002/10/08 04:58:50 Remove debugging statement that somehow survived until now Affected files ... .. //depot/projects/trustedbsd/mac/sbin/sebsd_setfiles/setfiles.c#7 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#32 edit Differences ... ==== //depot/projects/trustedbsd/mac/sbin/sebsd_setfiles/setfiles.c#7 (text+ko) ==== 
@@ -220,7 +220,6 @@
 }
 argc -= optind;
 argv += optind;
- printf("optind = %d, argc now %d\n", optind, argc);
 if (argc < 2) {
 printUsage();
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#32 (text+ko) ====
@@ -114,6 +114,60 @@
 return (cred_has_system(td->td_proc->p_ucred, perm));
 }
 
+static __inline security_class_t
+vnode_type_to_security_class(enum vtype vt)
+{
+ switch (vt) {
+ case VREG:
+ return SECCLASS_FILE;
+ case VDIR:
+ return SECCLASS_DIR;
+ case VBLK:
+ return SECCLASS_BLK_FILE;
+ case VCHR:
+ return SECCLASS_CHR_FILE;
+ case VLNK:
+ return SECCLASS_LNK_FILE;
+ case VSOCK:
+ return SECCLASS_SOCK_FILE;
+ case VFIFO:
+ return SECCLASS_FIFO_FILE;
+ case VNON:
+ case VBAD:
+ return SECCLASS_FILE;
+ }
+
+ return SECCLASS_FILE;
+}
+
+static __inline access_vector_t
+file_mask_to_av(enum vtype vt, int mask)
+{
+ access_vector_t av = 0;
+
+ if (vt != VDIR) {
+ if (mask & VEXEC)
+ av |= FILE__EXECUTE;
+ if (mask & VREAD)
+ av |= FILE__READ;
+
+ if (mask & VAPPEND)
+ av |= FILE__APPEND;
+ else if (mask & VWRITE)
+ av |= FILE__WRITE;
+
+ } else {
+ if (mask & VEXEC)
+ av |= DIR__SEARCH;
+ if (mask & VWRITE)
+ av |= DIR__WRITE;
+ if (mask & VREAD)
+ av |= DIR__READ;
+ }
+
+ return av;
+}
+
 static int
 vnode_has_perm(struct ucred *cred, struct vnode *vp,
 access_vector_t perm, avc_entry_ref_t *aeref)
@@ -298,32 +352,6 @@
 return (newsid != task->sid);
 }
 
-static __inline security_class_t
-vnode_type_to_security_class(enum vtype vt)
-{
- switch (vt) {
- case VREG:
- return SECCLASS_FILE;
- case VDIR:
- return SECCLASS_DIR;
- case VBLK:
- return SECCLASS_BLK_FILE;
- case VCHR:
- return SECCLASS_CHR_FILE;
- case VLNK:
- return SECCLASS_LNK_FILE;
- case VSOCK:
- return SECCLASS_SOCK_FILE;
- case VFIFO:
- return SECCLASS_FIFO_FILE;
- case VNON:
- case VBAD:
- return SECCLASS_FILE;
- }
-
- return SECCLASS_FILE;
-}
-
 static void
 sebsd_init_vnode_label(struct label *label)
 {
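Review bot: file_mask_to_av() in the @@ -114 hunk silently drops every access-mask bit other than VREAD, VWRITE, VEXEC and VAPPEND, so a request carrying only an unmapped bit (FreeBSD's VADMIN, for instance) reaches vnode_has_perm() with av == 0, because the callers added in the @@ -500 and @@ -686 hunks only short-circuit when the whole mask is zero. vnode_has_perm()'s body lies outside the hunk; if, as is usual for an AVC query, an empty requested vector is never denied, such a request is granted without consulting policy, which is a fail-open rather than fail-closed default. Either map or explicitly reject the leftover bits, and state the contract on the helper: `/* Map a VREAD/VWRITE/VEXEC/VAPPEND vnode access mask to the access vector for the vnode's class; other mask bits are not mapped and yield 0. */`. The VDIR branch also ignores VAPPEND, which may be deliberate since directories have no append permission, but a one-line comment there should say so.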
@@ -500,9 +528,11 @@
 sebsd_check_vnode_access(struct ucred *cred, struct vnode *vp,
 struct label *label, mode_t flags)
 {
+ if (!flags)
+ return 0;
 
- /* TBD: Not Implemented */
- return (0);
+ return vnode_has_perm(cred, vp, file_mask_to_av(vp->v_type, flags),
+ NULL);
 }
 
 static int
@@ -686,16 +716,18 @@
 sebsd_check_vnode_open(struct ucred *cred, struct vnode *vp,
 struct label *filelabel, mode_t acc_mode)
 {
- /* TBD: Not Implemented */
- return 0;
+ if (!acc_mode)
+ return 0;
+
+ return vnode_has_perm(cred, vp, file_mask_to_av(vp->v_type, acc_mode),
+ NULL);
 }
 
 static int
 sebsd_check_vnode_poll(struct ucred *cred, struct ucred *file_cred,
 struct vnode *vp, struct label *label)
 {
- /* TBD: Not Implemented */
- return 0;
+ return vnode_has_perm(cred, vp, FILE__POLL, NULL);
 }
 
 static int
@@ -928,8 +960,26 @@
 sebsd_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
 struct label *label, int newmapping)
 {
- /* TBD: Not Implemented */
- return 0;
+#ifdef TBD
+ access_vector_t av;
+
+ /* TBD: Incomplete */
+ if (vp) {
+ /* read access is always possible with a mapping */
+ av = FILE__READ;
+
+ /* write access only matters if the mapping is shared */
+ if ((flags & MAP_TYPE) == MAP_SHARED && (prot & PROT_WRITE))
+ av |= FILE__WRITE;
+
+ if (prot & PROT_EXEC)
+ av |= FILE__EXECUTE;
+
+ return vnode_has_perm(cred, vp, av, NULL);
+ }
+#endif
+
+ return (0);
 }
 
 static int
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
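Review bot: The new body of sebsd_check_vnode_access() in this hunk is the same three statements as sebsd_check_vnode_open() in the @@ -686 hunk with only the mask parameter renamed, and both use bare `return 0;` where the rest of the file (the removed `return (0);` here and the `return (0);` kept in the @@ -928 hunk) parenthesizes the value. Factoring the shared path into one static helper keeps the two hooks from drifting apart when the mask handling changes and gives a single place to document the "empty mask is allowed without a policy query" rule; each hook then becomes `return (vnode_check_mask(cred, vp, flags));` or the acc_mode equivalent. The helper could sit next to file_mask_to_av(), which the hunks do not show.
```c
/*
 * Shared path for the access and open hooks: an empty mask is allowed
 * without querying policy, anything else is mapped to the access vector
 * for the vnode's class and checked against cred.
 */
static int
vnode_check_mask(struct ucred *cred, struct vnode *vp, mode_t mask)
{
	if (!mask)
		return (0);
	return (vnode_has_perm(cred, vp, file_mask_to_av(vp->v_type, mask),
	    NULL));
}

/* … unchanged: sebsd_check_vnode_access signature … */
	return (vnode_check_mask(cred, vp, flags));
```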
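Review bot: The `#ifdef TBD` block added to sebsd_check_vnode_mmap() in the @@ -928 hunk reads `flags` and `prot`, but the hook's signature in the same hunk only provides `cred`, `vp`, `label` and `newmapping`, so defining TBD would not compile as written; the block is dead code rather than a switchable check. Meanwhile the hook still returns 0 unconditionally, so now that the open hook enforces read/write via file_mask_to_av(), mappings (including executable ones) remain the one vnode path that never reaches a FILE__EXECUTE query, which is worth stating where the next reader will look. I would replace `/* TBD: Incomplete */` with `/* TBD: the hook does not receive prot/flags; until it does, all mappings (including PROT_EXEC) are allowed without a FILE__EXECUTE query. */` and leave the sketch below it, or drop the sketch to a comment so the function has no unreachable references.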