From owner-p4-projects@FreeBSD.ORG Sat Jul 26 12:13:31 2003
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id A6B9C37B404; Sat, 26 Jul 2003 12:13:30 -0700 (PDT)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 73E3137B401 for ; Sat, 26 Jul 2003 12:13:30 -0700 (PDT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id D0D9743FCB for ; Sat, 26 Jul 2003 12:13:28 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h6QJDS0U069336 for ; Sat, 26 Jul 2003 12:13:28 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h6QJDSjL069329 for perforce@freebsd.org; Sat, 26 Jul 2003 12:13:28 -0700 (PDT)
Date: Sat, 26 Jul 2003 12:13:28 -0700 (PDT)
Message-Id: <200307261913.h6QJDSjL069329@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson To: Perforce Change Reviews Subject: PERFORCE change 35050 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Jul 2003 19:13:31 -0000 http://perforce.freebsd.org/chv.cgi?CH=35050 Change 35050 by rwatson@rwatson_tislabs on 2003/07/26 12:13:16 Use the mac_check_vnode_deleteextattr and mac_check_vnode_listextattr checks to test for delete and list permission rather than setextattr and getextattr checks. Policy updates to follow. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#392 edit .. //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#106 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#392 (text+ko) ==== @@ -1663,6 +1663,22 @@ } int +mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, + int attrnamespace, const char *name) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr"); + + if (!mac_enforce_fs) + return (0); + + MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label, + attrnamespace, name); + return (error); +} + +int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct image_params *imgp) { @@ -1727,6 +1743,22 @@ } int +mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, + int attrnamespace) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr"); + + if (!mac_enforce_fs) + return (0); + + MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label, + attrnamespace); + return (error); +} + +int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { ==== //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#106 (text+ko) ==== 
@@ -4240,8 +4240,8 @@ vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace, - attrname, NULL); + error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace, + attrname); if (error) goto done; #endif @@ -4387,8 +4387,7 @@ sizep = &size; #ifdef MAC - error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace, - "", &auio); + error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace); if (error) goto done; #endif
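Review bot: the new mac_check_vnode_deleteextattr() in the first kern_mac.c hunk is called from vfs_syscalls.c in this same change, but the "Affected files" list contains only kern_mac.c and vfs_syscalls.c; the prototype in sys/mac.h and the check_vnode_deleteextattr policy operation in the policy ops structure must already exist in this branch or the tree will not build. Worth stating in the change description which earlier change added the header side, so that "Policy updates to follow" is read as the only missing piece. Also note that, as with the sibling checks, the early return when mac_enforce_fs is clear means the policies are never consulted for deletes when filesystem enforcement is off; that is consistent with setextattr, but the change description could say so explicitly since delete is a new distinct operation.

Review bot: in the second kern_mac.c hunk, mac_check_vnode_listextattr() passes only attrnamespace to the policies, with no attribute name, so a policy can only allow or deny listing of a whole namespace and cannot hide individual attribute names from the result. That is probably the intended granularity, but it should be documented at the function (and later in the policy entry point) so that policy authors do not expect per-attribute filtering from this hook.

Review bot: the first vfs_syscalls.c hunk (@@ -4240) replaces the old convention of calling mac_check_vnode_setextattr() with a NULL uio to signal a delete. Any policy in the tree that grants or denies based on that NULL-uio case now silently stops seeing deletes until it implements check_vnode_deleteextattr; since the description says policy updates follow, it would be worth listing in a follow-up which policies special-cased the NULL uio so that the dead branch is removed rather than left behind.

Review bot: the second vfs_syscalls.c hunk (@@ -4387) drops the old mac_check_vnode_getextattr(..., "", &auio) call, which used the empty attribute name as the "list" signal. The replacement call passes neither a name nor the uio, so the listing check no longer has access to the caller's buffer size; that is fine for an access-control decision, but any policy logic keyed on the empty-name convention should be deleted in the promised policy update, and the `#ifdef MAC` block now has one fewer line, so the hunk header's line counts (8,7) should be checked against the full file when merging.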