author | rwatson <rwatson@FreeBSD.org> | 2002-10-19 21:25:51 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-10-19 21:25:51 +0000 |
commit | 615a42874b2003a0b00545878a9e6e24d4a58d72 (patch) | |
tree | c926c3101bf4e0c306e0e6c3a05276fb299c005b | |
parent | 4c2d375ca4e58254fcc2d5f7c0259d285af557a0 (diff) | |
download | FreeBSD-src-615a42874b2003a0b00545878a9e6e24d4a58d72.zip FreeBSD-src-615a42874b2003a0b00545878a9e6e24d4a58d72.tar.gz |
Add a new 'NOMACCHECK' flag to namei() NDINIT flags, which permits the
caller to indicate that MAC checks are not required for the lookup.
Similar to IO_NOMACCHECK for vn_rdwr(), this indicates that the caller
has already performed all required protections and that this is an
internally generated operation. This will be used by the NFS server
code, as we don't currently enforce MAC protections against requests
delivered via NFS.
While here, add NOCROSSMOUNT to PARAMASK; apparently this was used at
one point for name lookup flag checking, but isn't any longer or it
would have triggered from the NFS server code passing it to indicate
that mountpoints shouldn't be crossed in lookups.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
-rw-r--r-- | sys/kern/vfs_lookup.c | 17 | ||||
-rw-r--r-- | sys/sys/namei.h | 3 |
2 files changed, 13 insertions, 7 deletions
diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c
index db1b342..f064b64 100644
--- a/sys/kern/vfs_lookup.c
+++ b/sys/kern/vfs_lookup.c
@@ -216,9 +216,12 @@ namei(ndp)
 break;
 }
 #ifdef MAC
- error = mac_check_vnode_readlink(td->td_ucred, ndp->ni_vp);
- if (error)
- break;
+ if ((cnp->cn_flags & NOMACCHECK) == 0) {
+ error = mac_check_vnode_readlink(td->td_ucred,
+ ndp->ni_vp);
+ if (error)
+ break;
+ }
 #endif
 if (ndp->ni_pathlen > 1)
 cp = uma_zalloc(namei_zone, M_WAITOK);
@@ -471,9 +474,11 @@ dirloop:
 */
 unionlookup:
 #ifdef MAC
- error = mac_check_vnode_lookup(td->td_ucred, dp, cnp);
- if (error)
- goto bad;
+ if ((cnp->cn_flags & NOMACCHECK) == 0) {
+ error = mac_check_vnode_lookup(td->td_ucred, dp, cnp);
+ if (error)
+ goto bad;
+ }
 #endif
 ndp->ni_dvp = dp;
 ndp->ni_vp = NULL;
diff --git a/sys/sys/namei.h b/sys/sys/namei.h
index a06a045..00e7643 100644
--- a/sys/sys/namei.h
+++ b/sys/sys/namei.h
@@ -144,7 +144,8 @@ struct nameidata {
 #define ISUNICODE 0x100000 /* current component name is unicode*/
 #define PDIRUNLOCK 0x200000 /* filesystem lookup() unlocked parent dir */
 #define NOCROSSMOUNT 0x400000 /* do not cross mount points */
-#define PARAMASK 0x3ffe00 /* mask of parameter descriptors */
+#define NOMACCHECK 0x800000 /* do not perform MAC checks */
+#define PARAMASK 0xfffe00 /* mask of parameter descriptors */
 
 /*
 * Initialization of an nameidata structure. |
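Review bot: Both guarded call sites, the readlink check here in namei() and the lookup check at `unionlookup:` in the next hunk, skip the MAC hook purely on a bit in `cnp->cn_flags`, and nothing at either site says who may set that bit. The test sits on the per-component and per-symlink paths, so the flag appears to exempt the whole walk rather than only the final vnode; a caller that sets it is vouching for every directory and link traversed. I would add a comment above each test, for example `/* NOMACCHECK: kernel-internal caller has already authorized this lookup; never set on a syscall path */`. Both enclosing functions start and end outside the hunks.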
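Review bot: The comment on `NOMACCHECK` states what the flag does but not the precondition the commit message gives for using it, and this definition is what future callers will read. I would put the contract on the definition, e.g. `#define NOMACCHECK 0x800000 /* skip MAC checks: caller already authorized; internal lookups only */`. Separately, `PARAMASK` is a bare literal that had already fallen behind the flag list (NOCROSSMOUNT was not covered), so a reminder beside it such as `/* keep in sync with the flags above */` would help. The flag list begins outside this hunk.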