Date: Mon, 6 Mar 2006 17:02:33 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 92857 for review Message-ID: <200603061702.k26H2XvP080821@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=92857 Change 92857 by rwatson@rwatson_zoo on 2006/03/06 17:01:52 Integrate TrustedBSD audit3 branch from TrustedBSD base branch: - OpenBSM 1.0 alpha 5 loop back. - dwmalone's structural improvements to mac_bsdextended. Affected files ... .. //depot/projects/trustedbsd/audit3/contrib/openbsm/FREEBSD-upgrade#4 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/README#11 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#7 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#7 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#4 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#8 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit.h#10 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_internal.h#8 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#9 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/compat/endian.h#5 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_audit.c#10 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_io.c#12 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_mask.c#10 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_notify.c#9 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_token.c#13 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_user.c#9 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_wrappers.c#10 integrate .. //depot/projects/trustedbsd/audit3/lib/libutil/pidfile.3#4 integrate .. //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#25 integrate .. //depot/projects/trustedbsd/audit3/sys/bsm/audit_internal.h#8 integrate .. //depot/projects/trustedbsd/audit3/sys/dev/mpt/mpt.c#8 integrate .. 
//depot/projects/trustedbsd/audit3/sys/geom/label/g_label_ufs.c#6 integrate .. //depot/projects/trustedbsd/audit3/sys/opencrypto/crypto.c#4 integrate .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#16 integrate .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#12 integrate .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_pipe.c#10 integrate .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#19 integrate .. //depot/projects/trustedbsd/audit3/sys/security/mac_bsdextended/mac_bsdextended.c#6 integrate .. //depot/projects/trustedbsd/audit3/usr.bin/finger/sprint.c#2 integrate Differences ... ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/FREEBSD-upgrade#4 (text) ==== @@ -6,12 +6,9 @@ src/contrib/openbsm The OpenBSM distribution itself src/sys/bsm Modified versions of some bsm/ include files src/sys/security/audit Kernel audit framework, some OpenBSM-based files -src/usr.sbin/audit Makefiles for OpenBSM-derived command -src/usr.sbin/auditd "" -src/usr.sbin/auditreduce "" -src/usr.sbin/praudit "" +src/usr.sbin/*audit* Makefiles for various OpenBSM tools src/etc/Makefile Installation of /etc OpenBSM files -src/lib/libbsm Build for OpenBSM library +src/lib/libbsm/* Build for OpenBSM library OpenBSM is normally built using an integrated autoconf/automake build system. For the purposes of tight integration with FreeBSD, we use an @@ -44,4 +41,4 @@ not on CVS vendor branches, but do have the same local vs. vendor merge issues. -$FreeBSD: src/contrib/openbsm/FREEBSD-upgrade,v 1.2 2006/02/06 00:03:39 rwatson Exp $ +$FreeBSD: src/contrib/openbsm/FREEBSD-upgrade,v 1.3 2006/03/04 16:50:04 rwatson Exp $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/README#11 (text+ko) ==== 
@@ -95,4 +95,4 @@ http://www.TrustedBSD.org/ -$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/README#10 $ +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/README#11 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#7 (text+ko) ==== @@ -14,4 +14,4 @@ on systems that don't have the necessary audit system calls; that would allow the full libbsm and tool set to build, just not run. -$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#6 $ +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#7 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#7 (text+ko) ==== @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#6 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#7 $ */ /* * Program to trigger the audit daemon with a message that is either: ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#4 (text+ko) ==== @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#3 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#4 $ */ #include <sys/types.h> ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#8 (text+ko) ==== @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#7 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#8 $ */ #include <sys/types.h> ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit.h#10 (text+ko) ==== 
@@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit.h#9 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit.h#10 $ */ #ifndef _BSM_AUDIT_H ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_internal.h#8 (text+ko) ==== @@ -34,7 +34,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_internal.h#7 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_internal.h#8 $ */ #ifndef _AUDIT_INTERNAL_H ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#9 (text+ko) ==== @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#8 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#9 $ */ #ifndef _LIBBSM_H_ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/compat/endian.h#5 (text+ko) ==== @@ -25,7 +25,7 @@ * SUCH DAMAGE. * * Derived from FreeBSD src/sys/sys/endian.h:1.6. - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/compat/endian.h#4 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/compat/endian.h#5 $ */ #ifndef _COMPAT_ENDIAN_H_ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_audit.c#10 (text+ko) ==== @@ -30,7 +30,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_audit.c#9 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_audit.c#10 $ */ #include <sys/types.h> ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_io.c#12 (text+ko) ==== 
@@ -31,7 +31,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_io.c#11 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_io.c#12 $ */ #include <sys/types.h> ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_mask.c#10 (text+ko) ==== @@ -27,7 +27,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_mask.c#9 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_mask.c#10 $ */ #include <sys/types.h> ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_notify.c#9 (text+ko) ==== @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_notify.c#8 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_notify.c#9 $ */ /* ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_token.c#13 (text+ko) ==== @@ -30,7 +30,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_token.c#12 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_token.c#13 $ */ #include <sys/types.h> ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_user.c#9 (text+ko) ==== @@ -27,7 +27,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_user.c#8 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_user.c#9 $ */ #include <bsm/libbsm.h> ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_wrappers.c#10 (text+ko) ==== 
@@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_wrappers.c#9 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_wrappers.c#10 $ */ #ifdef __APPLE__ ==== //depot/projects/trustedbsd/audit3/lib/libutil/pidfile.3#4 (text+ko) ==== @@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/lib/libutil/pidfile.3,v 1.4 2006/01/28 14:13:15 pjd Exp $ +.\" $FreeBSD: src/lib/libutil/pidfile.3,v 1.5 2006/03/04 15:20:28 keramida Exp $ .\" .Dd August 22, 2005 .Dt PIDFILE 3 @@ -120,8 +120,8 @@ pfh = pidfile_open("/var/run/daemon.pid", 0600, &otherpid); if (pfh == NULL) { if (errno == EEXIST) { - errx(EXIT_FAILURE, "Daemon already running, pid: %d.", - (int)otherpid); + errx(EXIT_FAILURE, "Daemon already running, pid: %jd.", + (intmax_t)otherpid); } /* If we cannot create pidfile from other reasons, only warn. */ warn("Cannot open or create pidfile"); @@ -147,7 +147,7 @@ /* Do child work. */ break; default: - syslog(LOG_INFO, "Child %d started.", (int)childpid); + syslog(LOG_INFO, "Child %jd started.", (intmax_t)childpid); break; } } ==== //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#25 (text+ko) ==== @@ -30,8 +30,8 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#24 $ - * $FreeBSD: src/sys/bsm/audit.h,v 1.2 2006/02/01 19:54:22 rwatson Exp $ + * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#25 $ + * $FreeBSD: src/sys/bsm/audit.h,v 1.3 2006/03/04 16:54:21 rwatson Exp $ */ #ifndef _BSM_AUDIT_H ==== //depot/projects/trustedbsd/audit3/sys/bsm/audit_internal.h#8 (text+ko) ==== 
@@ -34,7 +34,8 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit_internal.h#7 $ + * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit_internal.h#8 $ + * $FreeBSD: src/sys/bsm/audit_internal.h,v 1.2 2006/03/04 16:54:21 rwatson Exp $ */ #ifndef _AUDIT_INTERNAL_H @@ -68,6 +69,7 @@ typedef struct au_record au_record_t; + /* We could determined the header and trailer sizes by * defining appropriate structures. We hold off that approach * till we have a consistant way of using structures for all tokens. ==== //depot/projects/trustedbsd/audit3/sys/dev/mpt/mpt.c#8 (text+ko) ==== @@ -92,7 +92,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/sys/dev/mpt/mpt.c,v 1.18 2006/02/28 07:44:50 mjacob Exp $"); +__FBSDID("$FreeBSD: src/sys/dev/mpt/mpt.c,v 1.19 2006/03/04 21:46:34 mjacob Exp $"); #include <dev/mpt/mpt.h> #include <dev/mpt/mpt_cam.h> /* XXX For static handler registration */ @@ -502,12 +502,12 @@ handled += pers->event(mpt, req, msg); if (handled == 0 && mpt->mpt_pers_mask == 0) { - mpt_lprt(mpt, MPT_PRT_WARN, + mpt_lprt(mpt, MPT_PRT_INFO, "No Handlers For Any Event Notify Frames. " "Event %#x (ACK %sequired).\n", msg->Event, msg->AckRequired? "r" : "not r"); } else if (handled == 0) { - mpt_prt(mpt, + mpt_lprt(mpt, MPT_PRT_WARN, "Unhandled Event Notify Frame. Event %#x " "(ACK %sequired).\n", msg->Event, msg->AckRequired? "r" : "not r"); ==== //depot/projects/trustedbsd/audit3/sys/geom/label/g_label_ufs.c#6 (text+ko) ==== @@ -26,7 +26,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/sys/geom/label/g_label_ufs.c,v 1.9 2006/02/18 10:59:47 pjd Exp $"); +__FBSDID("$FreeBSD: src/sys/geom/label/g_label_ufs.c,v 1.10 2006/03/04 19:41:54 pjd Exp $"); #include <sys/param.h> #include <sys/systm.h> 
@@ -78,8 +78,13 @@ if (fs == NULL) continue; /* Check for magic and make sure things are the right size */ - if (fs->fs_magic != FS_UFS1_MAGIC && - fs->fs_magic != FS_UFS2_MAGIC) { + if (fs->fs_magic == FS_UFS1_MAGIC && + fs->fs_old_size * fs->fs_fsize == (int32_t)pp->mediasize) { + /* Valid UFS1. */ + } else if (fs->fs_magic == FS_UFS2_MAGIC && fs->fs_fsize > 0 && + pp->mediasize / fs->fs_fsize == fs->fs_size) { + /* Valid UFS2. */ + } else { g_free(fs); continue; } ==== //depot/projects/trustedbsd/audit3/sys/opencrypto/crypto.c#4 (text+ko) ==== @@ -21,7 +21,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/sys/opencrypto/crypto.c,v 1.16 2005/01/07 02:29:16 imp Exp $"); +__FBSDID("$FreeBSD: src/sys/opencrypto/crypto.c,v 1.17 2006/03/04 15:50:46 wkoszek Exp $"); #define CRYPTO_TIMING /* enable timing support */ @@ -252,6 +252,7 @@ }; MODULE_VERSION(crypto, 1); DECLARE_MODULE(crypto, crypto_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST); +MODULE_DEPEND(crypto, zlib, 1, 1, 1); /* * Create a new session. ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#16 (text+ko) ==== @@ -27,7 +27,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $FreeBSD: src/sys/security/audit/audit.c,v 1.7 2006/02/11 23:53:00 rwatson Exp $ + * $FreeBSD: src/sys/security/audit/audit.c,v 1.8 2006/03/04 17:00:55 rwatson Exp $ */ #include <sys/param.h> ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#12 (text+ko) ==== 
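Review bot: The UFS1 branch added in the g_label_ufs.c hunk validates the size with `fs->fs_old_size * fs->fs_fsize`, a product of two superblock fields that, if both are 32-bit signed as the `(int32_t)pp->mediasize` cast suggests, is undefined behaviour on overflow and can wrap to a value that happens to equal the truncated media size when the superblock is corrupt or not what it claims to be, while the UFS2 branch right below it guards `fs->fs_fsize > 0` and divides instead. Giving the UFS1 test the same shape removes both the overflow and the missing zero/negative guard: `if (fs->fs_magic == FS_UFS1_MAGIC && fs->fs_fsize > 0 &&` / `    pp->mediasize / fs->fs_fsize == fs->fs_old_size) {`. The `fs` pointer appears to come from a read of the provider earlier in the enclosing loop, which starts outside the hunk, so the exact field widths should be confirmed against the UFS headers before relying on the cast.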
@@ -30,7 +30,8 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#11 $ + * $P4: //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#12 $ + * $FreeBSD: src/sys/security/audit/audit_bsm_token.c,v 1.2 2006/03/04 17:00:55 rwatson Exp $ */ #include <sys/types.h> ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_pipe.c#10 (text+ko) ==== @@ -25,7 +25,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/audit/audit_pipe.c,v 1.2 2006/02/07 14:46:26 rwatson Exp $ + * $FreeBSD: src/sys/security/audit/audit_pipe.c,v 1.3 2006/03/04 17:09:17 rwatson Exp $ */ #include <sys/param.h> ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#19 (text+ko) ==== @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $FreeBSD: src/sys/security/audit/audit_private.h,v 1.2 2006/02/06 22:50:39 rwatson Exp $ + * $FreeBSD: src/sys/security/audit/audit_private.h,v 1.3 2006/03/04 17:00:55 rwatson Exp $ */ /* ==== //depot/projects/trustedbsd/audit3/sys/security/mac_bsdextended/mac_bsdextended.c#6 (text+ko) ==== @@ -33,7 +33,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.27 2006/01/15 01:02:20 csjp Exp $ + * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.28 2006/03/04 20:47:19 dwmalone Exp $ */ /* @@ -353,11 +353,10 @@ } static int -mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode) { + int error; struct vattr vap; - int error; if (!mac_bsdextended_enabled) return (0); 
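Review bot: The new helper `mac_bsdextended_check_vp` introduced in the mac_bsdextended.c hunk at @@ -353 becomes the single point every vnode hook funnels through, yet it carries no comment stating its contract or that its early `return (0)` when `mac_bsdextended_enabled` is clear now applies to all of them. Its body continues in the next hunk, where it calls `VOP_GETATTR(vp, &vap, cred, curthread)` and hands `vap.va_uid`, `vap.va_gid` and `acc_mode` to `mac_bsdextended_check`; a header comment such as `/* Look up vp's owner and group with VOP_GETATTR and evaluate the bsdextended rules for cred requesting acc_mode; returns 0 when the policy is disabled, or the VOP_GETATTR error. */` would record that. It is also worth a word that the hooks' `struct label *` arguments are deliberately not passed down, since the decision is made on the vnode's uid/gid alone.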
@@ -365,75 +364,49 @@ error = VOP_GETATTR(vp, &vap, cred, curthread); if (error) return (error); + return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_WRITE)); + acc_mode)); +} + +static int +mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); } static int mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, int acc_mode) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode)); + return (mac_bsdextended_check_vp(cred, vp, acc_mode)); } static int mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(dvp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_EXEC)); + return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC)); } static int mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(dvp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_EXEC)); + return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC)); } static int mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vattr *vap) { - struct vattr dvap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(dvp, &dvap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, dvap.va_uid, dvap.va_gid, - MBI_WRITE)); + 
return (mac_bsdextended_check_vp(cred, dvp, MBI_WRITE)); } static int @@ -441,59 +414,29 @@ struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { - struct vattr vap; int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(dvp, &vap, cred, curthread); + error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); if (error) return (error); - error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_WRITE); - if (error) - return (error); - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_WRITE)); + return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); } static int mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_ADMIN)); + return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); } static int mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_WRITE)); + return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); } static int 
@@ -501,51 +444,24 @@ struct label *label, struct image_params *imgp, struct label *execlabel) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_READ|MBI_EXEC)); + return (mac_bsdextended_check_vp(cred, vp, MBI_READ|MBI_EXEC)); } static int mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_STAT)); + return (mac_bsdextended_check_vp(cred, vp, MBI_STAT)); } static int mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_READ)); + return (mac_bsdextended_check_vp(cred, vp, MBI_READ)); } static int @@ -553,25 +469,13 @@ struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { - struct vattr vap; int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(dvp, &vap, cred, curthread); + error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); if (error) return (error); - error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_WRITE); - if (error) - return (error); - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_WRITE); + error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE); if (error) return (error); return (0); 
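Review bot: The tail of the function in the @@ -553 hunk (presumably `mac_bsdextended_check_vnode_link`, going by the parameter list and the alphabetical ordering of the hooks) still reads `error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE); if (error) return (error); return (0);`, three lines that now do exactly what a single `return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));` does, and the later @@ -666 hunk keeps the same shape with `error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE); return (error);`. The @@ -441 hunk already collapsed its second check to a direct return, so doing the same in these two keeps the two-vnode hooks consistent with each other and with the one-line hooks. The enclosing function's signature starts before this hunk's first line.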
@@ -581,84 +485,40 @@ mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_READ)); + return (mac_bsdextended_check_vp(cred, vp, MBI_READ)); } static int mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(dvp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_EXEC)); + return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC)); } static int mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *filelabel, int acc_mode) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode)); + return (mac_bsdextended_check_vp(cred, vp, acc_mode)); } static int mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(dvp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_READ)); + return (mac_bsdextended_check_vp(cred, dvp, MBI_READ)); } static int mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp, struct label *label) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return 
(mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_READ)); + return (mac_bsdextended_check_vp(cred, vp, MBI_READ)); } static int @@ -666,24 +526,12 @@ struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { - struct vattr vap; int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(dvp, &vap, cred, curthread); + error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); if (error) return (error); - error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_WRITE); - if (error) - return (error); - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_WRITE); + error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE); return (error); } @@ -693,27 +541,14 @@ struct label *dlabel, struct vnode *vp, struct label *label, int samedir, struct componentname *cnp) { - struct vattr vap; int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(dvp, &vap, cred, curthread); + error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); if (error) return (error); - error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_WRITE); - if (error) - return (error); - if (vp != NULL) { - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_WRITE); - } + if (vp != NULL) + error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE); return (error); } 
@@ -722,136 +557,64 @@ mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp, struct label *label) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_ADMIN)); + return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); } static int mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_ADMIN)); + return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); } static int mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_WRITE)); + return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); } static int mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp, struct label *label, u_long flags) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_ADMIN)); + return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); } static int mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp, struct label *label, mode_t mode) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - 
if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_ADMIN)); + return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); } static int mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_ADMIN)); + return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); } static int mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec utime) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, - MBI_ADMIN)); + return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); } static int mac_bsdextended_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *label) { - struct vattr vap; - int error; - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(vp, &vap, active_cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(active_cred, vap.va_uid, vap.va_gid, - MBI_STAT)); + return (mac_bsdextended_check_vp(active_cred, vp, MBI_STAT)); } static struct mac_policy_ops mac_bsdextended_ops = ==== //depot/projects/trustedbsd/audit3/usr.bin/finger/sprint.c#2 (text+ko) ==== >>> TRUNCATED FOR MAIL (1000 lines) <<<