diff options
author | rwatson <rwatson@FreeBSD.org> | 2002-08-01 01:04:16 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-08-01 01:04:16 +0000 |
commit | c16bdd7f110da347d5649306347f754a2017c086 (patch) | |
tree | e98961e21320e9a73254901b88de4c024a796b69 /sys/kern/vfs_acl.c | |
parent | 4f9b822dcc26530a823de828e4bcd4caea7319a7 (diff) | |
download | FreeBSD-src-c16bdd7f110da347d5649306347f754a2017c086.zip FreeBSD-src-c16bdd7f110da347d5649306347f754a2017c086.tar.gz |
Introduce support for Mandatory Access Control and extensible
kernel access control.
Instrument the kernel ACL retrieval and modification system calls
to invoke MAC framework entry points to authorize these operations.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/kern/vfs_acl.c')
-rw-r--r-- | sys/kern/vfs_acl.c | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/sys/kern/vfs_acl.c b/sys/kern/vfs_acl.c index 60ce1bf..2a182cd 100644 --- a/sys/kern/vfs_acl.c +++ b/sys/kern/vfs_acl.c @@ -32,10 +32,13 @@ * Support for POSIX.1e access control lists. */ +#include "opt_mac.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/sysproto.h> #include <sys/kernel.h> +#include <sys/mac.h> #include <sys/malloc.h> #include <sys/vnode.h> #include <sys/lock.h> @@ -582,7 +585,15 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type, return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); +#ifdef MAC + error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl); + if (error != 0) + goto out; +#endif error = VOP_SETACL(vp, type, &inkernacl, td->td_ucred, td); +#ifdef MAC +out: +#endif VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return(error); @@ -600,7 +611,15 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type, VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); +#ifdef MAC + error = mac_check_vnode_getacl(td->td_ucred, vp, type); + if (error != 0) + goto out; +#endif error = VOP_GETACL(vp, type, &inkernelacl, td->td_ucred, td); +#ifdef MAC +out: +#endif VOP_UNLOCK(vp, 0, td); if (error == 0) error = copyout(&inkernelacl, aclp, sizeof(struct acl)); @@ -621,7 +640,15 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type) return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = VOP_SETACL(vp, type, NULL, td->td_ucred, td); +#ifdef MAC + error = mac_check_vnode_deleteacl(td->td_ucred, vp, type); + if (error) + goto out; +#endif + error = VOP_SETACL(vp, type, 0, td->td_ucred, td); +#ifdef MAC +out: +#endif VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return (error); |