Add necessary instrumentation to IBCS2 emulation support for mandatory

access control: as with SVR4, very few changes required since almost
all services are implemented by wrapping existing native FreeBSD
system calls.  Only readdir() calls need additional instrumentation.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

1 files changed, 15 insertions, 0 deletions

diff --git a/sys/i386/ibcs2/ibcs2_misc.c b/sys/i386/ibcs2/ibcs2_misc.c
index 7274ea7..5892ef7 100644
--- a/sys/i386/ibcs2/ibcs2_misc.c
+++ b/sys/i386/ibcs2/ibcs2_misc.c
@@ -54,6 +54,8 @@
  * IBCS2 system calls that are implemented differently in BSD are
  * handled here.
  */
+#include "opt_mac.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/dirent.h>
@@ -61,6 +63,7 @@
 #include <sys/filedesc.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/file.h>			/* Must come after sys/malloc.h */
 #include <sys/mutex.h>
@@ -348,6 +351,12 @@ again:
 		cookies = NULL;
 	}
 
+#ifdef MAC
+	error = mac_check_vnode_readdir(td->td_ucred, vp);
+	if (error)
+		goto out;
+#endif
+
 	/*
 	 * First we read into the malloc'ed buffer, then
 	 * we massage it into user space, one record at a time.
@@ -503,6 +512,12 @@ again:
 		cookies = NULL;
 	}
 
+#ifdef MAC
+	error = mac_check_vnode_readdir(td->td_ucred, vp);
+	if (error)
+		goto out;
+#endif
+
 	/*
 	 * First we read into the malloc'ed buffer, then
 	 * we massage it into user space, one record at a time.