From owner-p4-projects@FreeBSD.ORG Tue Nov 14 18:53:22 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 0372616A4D8; Tue, 14 Nov 2006 18:53:22 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B88CB16A412 for ; Tue, 14 Nov 2006 18:53:21 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8943443D46 for ; Tue, 14 Nov 2006 18:53:21 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id kAEIrLNJ012750 for ; Tue, 14 Nov 2006 18:53:21 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id kAEIrLEc012745 for perforce@freebsd.org; Tue, 14 Nov 2006 18:53:21 GMT (envelope-from millert@freebsd.org) Date: Tue, 14 Nov 2006 18:53:21 GMT Message-Id: <200611141853.kAEIrLEc012745@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 109962 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Nov 2006 18:53:22 -0000 http://perforce.freebsd.org/chv.cgi?CH=109962 Change 109962 by millert@millert_g5tower on 2006/11/14 18:52:51 Adapt vnode_label_associate_file(), remove vnode_label_associate_cred() Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#37 edit .. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#17 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#37 (text+ko) ==== 
@@ -753,34 +753,33 @@
 }
 static void
-sebsd_vnode_label_associate_cred(struct ucred *cred, struct vnode *vp,
- struct label *vlabel)
-{
- struct task_security_struct *tsec;
- struct vnode_security_struct *vsec;
-
- tsec = SLOT(cred->cr_label);
- vsec = SLOT(vlabel);
-
- vsec->sid = vsec->task_sid = tsec->sid;
- vsec->sclass = SECCLASS_FILE; /* XXX */
-}
-
-static void
-sebsd_vnode_label_associate_file(struct ucred *cred, struct fileglob *fg,
+sebsd_vnode_label_associate_file(struct ucred *cred, struct mount *mp,
+ struct label *mntlabel, struct fileglob *fg,
 struct label *fglabel, struct vnode *vp, struct label *vlabel)
 {
 struct task_security_struct *tsec;
 struct file_security_struct *fsec;
 struct vnode_security_struct *vsec;
+ struct mount_security_struct *sbsec;
 tsec = SLOT(cred->cr_label);
- fsec = SLOT(fglabel);
 vsec = SLOT(vlabel);
+ vsec->task_sid = tsec->sid;
+ vsec->sclass = vnode_type_to_security_class(vp->v_type);
- vsec->sid = fsec->sid;
- vsec->task_sid = tsec->sid;
- vsec->sclass = SECCLASS_FILE; /* XXX */
+ /*
+ * Use file label if it exists, otherwise fall back
+ * on mount or cred labels.
+ */
+ if (fglabel) {
+ fsec = SLOT(fglabel);
+ vsec->sid = fsec->sid;
+ } else if (mntlabel) {
+ sbsec = SLOT(mntlabel);
+ vsec->sid = sbsec->sid;
+ } else {
+ vsec->sid = tsec->sid;
+ }
 }
 static void
@@ -3625,7 +3624,6 @@
 .mpo_vnode_label_associate_posixsem = sebsd_vnode_label_associate_posixsem,
 .mpo_vnode_label_associate_posixshm = sebsd_vnode_label_associate_posixshm,
 .mpo_vnode_label_associate_pipe = sebsd_vnode_label_associate_pipe,
- .mpo_vnode_label_associate_cred = sebsd_vnode_label_associate_cred,
 .mpo_vnode_label_associate_file = sebsd_vnode_label_associate_file,
 .mpo_devfs_label_update = sebsd_devfs_update,
==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#17 (text+ko) ====
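Review bot: The last fallback in sebsd_vnode_label_associate_file, `vsec->sid = tsec->sid;`, stamps the vnode with the calling subject's SID, i.e. a domain label is being used as an object label; if the loaded policy carries the usual `allow <domain> self:<file class> ...` rules, that would let the caller do anything to a vnode whose real label was never established — I can't see the policy from here, so please verify rather than take this as fact. The intermediate fallback `vsec->sid = sbsec->sid;` is similarly worth a second look: if mount_security_struct distinguishes the filesystem's own SID from a default SID for unlabeled files (as SELinux's superblock struct does), the default-file one is what belongs on a vnode. At minimum the comment above the chain should say why the cred SID is acceptable, e.g. `/* Cred fallback: object inherits the subject SID; compatibility only, policy must not grant self:file on domains. */`, and `mp` and `fg` are now unused parameters, which is fine for a hook signature but may warrant `(void)mp; (void)fg;` if the build warns.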
@@ -1171,26 +1171,21 @@
 }
 static void
-mac_test_vnode_label_associate_file(struct ucred *cred, struct fileglob *fg,
- struct label *fglabel, struct vnode *vp, struct label *vlabel)
+mac_test_vnode_label_associate_file(struct ucred *cred, struct mount *mp,
+ struct label *mntlabel, struct fileglob *fg, struct label *fglabel,
+ struct vnode *vp, struct label *vlabel)
 {
 CHECKNULL(cred);
- CHECKNULL(fg);
 CHECKNULL(vp);
 INIT_LABEL(vlabel, VNODETYPE);
- USE_LABEL(fglabel, FILETYPE);
-}
-static void
-mac_test_vnode_label_associate_cred(struct ucred *cred, struct vnode *vp,
- struct label *vlabel)
-{
- CHECKNULL(cred);
- CHECKNULL(vp);
-
- INIT_LABEL(vlabel, VNODETYPE);
- USE_LABEL(cred->cr_label, CREDTYPE);
+ if (fglabel) {
+ CHECKNULL(fg);
+ USE_LABEL(fglabel, FILETYPE);
+ } else {
+ USE_LABEL(cred->cr_label, CREDTYPE);
+ }
 }
 static void
@@ -1922,7 +1917,6 @@
 mac_test_vnode_label_associate_posixshm,
 .mpo_vnode_label_associate_pipe = mac_test_vnode_label_associate_pipe,
 .mpo_vnode_label_associate_file = mac_test_vnode_label_associate_file,
- .mpo_vnode_label_associate_cred = mac_test_vnode_label_associate_cred,
 .mpo_devfs_label_associate_device= mac_test_devfs_label_associate_device,
 .mpo_devfs_label_associate_directory=
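Review bot: The new `mp` and `mntlabel` parameters of mac_test_vnode_label_associate_file are never checked or consumed: when fglabel is NULL the function drops straight to `USE_LABEL(cred->cr_label, CREDTYPE)`, so a mount label handed in by the framework is neither validated nor exercised by the test policy, which is the one module whose job is to catch label-plumbing mistakes. Mirror the three-way precedence the sebsd side of this change implements by inserting `} else if (mntlabel) { CHECKNULL(mp); USE_LABEL(mntlabel, MOUNTTYPE); }` before the cred fallback — assuming MOUNTTYPE is the tag mac_test already uses for mount labels, which this hunk does not show. The whole body of the function is inside the hunk; the hook-table hunk below it runs past the end of the excerpt.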