author | rwatson <rwatson@FreeBSD.org> | 2008-10-30 10:13:53 +0000 |
committer | rwatson <rwatson@FreeBSD.org> | 2008-10-30 10:13:53 +0000 |
commit | fbca48f8d5b2e879565c548e81b7c3da7d1b36dc (patch) | |
tree | f1848eacef8e918850bc229ac60547bb8dd3b54b | |
parent | 9aa53c183c5aea55d2727d095b9ba2bf806e4af9 (diff) | |
The V* flags passed using an accmode_t to the access() and open()
access control checks in mac_bsdextended are not in the same
namespace as the MBI_ flags used in ugidfw policies, so add an
explicit conversion routine to get from one to the other.
Obtained from: TrustedBSD Project
-rw-r--r-- | sys/security/mac_bsdextended/mac_bsdextended.c | 23 | ||||
-rw-r--r-- | sys/security/mac_bsdextended/ugidfw_internal.h | 1 | ||||
-rw-r--r-- | sys/security/mac_bsdextended/ugidfw_vnode.c | 14 |
3 files changed, 26 insertions, 12 deletions
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index 14706e0..0f7d5f8 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005 Tom Rhodes
  * Copyright (c) 2006 SPARTA, Inc.
@@ -465,6 +465,27 @@ ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
 	return (ugidfw_check(cred, vp, &vap, acc_mode));
 }
 
+int
+ugidfw_accmode2mbi(accmode_t accmode)
+{
+	int mbi;
+
+	mbi = 0;
+	if (accmode & VEXEC)
+		mbi |= MBI_EXEC;
+	if (accmode & VWRITE)
+		mbi |= MBI_WRITE;
+	if (accmode & VREAD)
+		mbi |= MBI_READ;
+	if (accmode & VADMIN)
+		mbi |= MBI_ADMIN;
+	if (accmode & VSTAT)
+		mbi |= MBI_STAT;
+	if (accmode & VAPPEND)
+		mbi |= MBI_APPEND;
+	return (mbi);
+}
+
 static struct mac_policy_ops ugidfw_ops = {
 	.mpo_destroy = ugidfw_destroy,
diff --git a/sys/security/mac_bsdextended/ugidfw_internal.h b/sys/security/mac_bsdextended/ugidfw_internal.h
index 6e979cf..c53326d 100644
--- a/sys/security/mac_bsdextended/ugidfw_internal.h
+++ b/sys/security/mac_bsdextended/ugidfw_internal.h
@@ -34,6 +34,7 @@
 /*
  * Central access control routines used by object-specific checks.
  */
+int ugidfw_accmode2mbi(accmode_t accmode);
 int ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
     int acc_mode);
 int ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode);
diff --git a/sys/security/mac_bsdextended/ugidfw_vnode.c b/sys/security/mac_bsdextended/ugidfw_vnode.c
index 3d760bc..bfcc5ac 100644
--- a/sys/security/mac_bsdextended/ugidfw_vnode.c
+++ b/sys/security/mac_bsdextended/ugidfw_vnode.c
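Review bot: ugidfw_accmode2mbi() silently discards any accmode_t bit outside the six it tests, so a request carrying only a bit this table does not know reaches ugidfw_check_vp() with mbi == 0; if the callee treats a zero mode as matching no rule (not visible in this hunk), that is a fail-open default for any V* bit added later rather than a fail-closed one. A defensive check at the top of the function would make such a bit surface in testing instead of bypassing the policy, e.g. `KASSERT((accmode & ~(VEXEC | VWRITE | VREAD | VADMIN | VSTAT | VAPPEND)) == 0, ("ugidfw_accmode2mbi: unknown accmode bits %#x", (int)accmode));`. The new routine also lacks a header comment; a one-liner such as `/* Translate VOP accmode_t V* bits into the MBI_* mode bits ugidfw rules are matched against; bits with no MBI_ equivalent are dropped. */` would record the intended contract where the next maintainer will look for it.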
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005 Tom Rhodes
  * Copyright (c) 2006 SPARTA, Inc.
@@ -65,11 +65,7 @@ ugidfw_vnode_check_access(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, accmode_t accmode)
 {
-	/*
-	 * XXX: We pass accmode_t variable containing V* constants
-	 * as an int containing MBI_* constants.
-	 */
-	return (ugidfw_check_vp(cred, vp, (int)accmode));
+	return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode)));
 }
 
 int
@@ -175,11 +171,7 @@ ugidfw_vnode_check_open(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, accmode_t accmode)
 {
-	/*
-	 * XXX: We pass accmode_t variable containing V* constants
-	 * as an int containing MBI_* constants.
-	 */
-	return (ugidfw_check_vp(cred, vp, (int)accmode));
+	return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode)));
 }
 
 int
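Review bot: Only the access and open hooks are converted here; if ugidfw_vnode.c has any other entry point that receives an accmode_t (none is visible in these hunks) and still passes it to ugidfw_check_vp() as an int, it keeps exactly the V*/MBI_ confusion the removed XXX comment described, so it is worth grepping the file for remaining `(int)accmode` casts before closing this out. The third parameter of ugidfw_check_vp() is still named `acc_mode`, which now reads as a VOP mode although it carries MBI_* bits; renaming it `mbi_mode` in both the prototype and the definition, or at least noting `/* mask of MBI_* bits, not V* bits */` beside it, would stop the mismatch from being reintroduced. Both ugidfw_vnode_check_access() and ugidfw_vnode_check_open() start before their hunks.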