Date: Tue, 7 Mar 2006 16:52:14 GMT
From: Todd Miller <millert@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 92923 for review
Message-ID: <200603071652.k27GqE2c014165@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=92923 Change 92923 by millert@millert_ibook on 2006/03/07 16:51:39 In access(), do not pass uninitialized flags variable to mac_check_vnode_access(). Don't clobber non-zero error value from DAC check with a zero error value from the MAC check. Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/vfs/vfs_syscalls.c#3 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/vfs/vfs_syscalls.c#3 (text+ko) ==== @@ -1792,8 +1792,8 @@ vp = nd.ni_vp; /* Flags == 0 means only check for existence. */ + flags = 0; if (uap->flags) { - flags = 0; if (uap->flags & R_OK) flags |= VREAD; if (uap->flags & W_OK) @@ -1804,7 +1804,17 @@ error = VOP_ACCESS(vp, flags, cred, p); } #ifdef MAC - error = mac_check_vnode_access(cred, vp, flags); + /* + * Override DAC error value with MAC error value unless + * MAC returns OK and DAC returns error. + */ + { + int mac_error; + + mac_error = mac_check_vnode_access(cred, vp, flags); + if (mac_error) + error = mac_error; + } #endif vput(vp); out1:
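Review bot: In the first hunk (@@ -1792,8 +1792,8 @@), the comment "Flags == 0 means only check for existence" now sits directly above `flags = 0;`, where it reads as a description of the local variable rather than of uap->flags. Reword it to name uap->flags, and state that in the existence-only case mac_check_vnode_access() receives an access mask of 0, so that MAC policy authors know to expect and handle that value.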
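Review bot: In the second hunk (@@ -1804,7 +1804,17 @@), inside the #ifdef MAC block, a non-zero mac_error replaces a non-zero error from VOP_ACCESS(), so when both checks deny, the caller sees the MAC errno and the MAC check still runs after DAC has already refused. The new comment says this is the rule but not why; if MAC taking precedence is intended (for example so the policy sees every access attempt), add that reason to the comment. If it is not, `if (error == 0) error = mac_check_vnode_access(cred, vp, flags);` preserves the DAC value and removes the bare block and the mac_error local. Separately, the lines shown do not make clear what error holds on entry to this block when uap->flags is 0 and the VOP_ACCESS() assignment is not reached, which is worth confirming against the code above the hunk.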