Break out mac_check_vnode_op() into three seperate checks:

mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write().
This improves the consistency with other existing vnode checks, and
allows policies to avoid implementing switch statements to determine
what operations they do and do not want to authorize.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

1 files changed, 4 insertions, 8 deletions

diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index 39f8423..fce45fe 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -734,8 +734,7 @@ open(td, uap)
 		vat.va_size = 0;
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
-		error = mac_check_vnode_op(td->td_ucred, vp,
-		    MAC_OP_VNODE_WRITE);
+		error = mac_check_vnode_write(td->td_ucred, vp);
 		if (error == 0)
 #endif
 			error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@@ -2368,8 +2367,7 @@ truncate(td, uap)
 	if (vp->v_type == VDIR)
 		error = EISDIR;
 #ifdef MAC
-	else if ((error = mac_check_vnode_op(td->td_ucred, vp,
-	    MAC_OP_VNODE_WRITE))) {}
+	else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
 #endif
 	else if ((error = vn_writechk(vp)) == 0 &&
 	    (error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) {
@@ -2426,8 +2424,7 @@ ftruncate(td, uap)
 	if (vp->v_type == VDIR)
 		error = EISDIR;
 #ifdef MAC
-	else if ((error = mac_check_vnode_op(td->td_ucred, vp,
-	    MAC_OP_VNODE_WRITE))) {}
+	else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
 #endif
 	else if ((error = vn_writechk(vp)) == 0) {
 		VATTR_NULL(&vattr);
@@ -3345,8 +3342,7 @@ fhopen(td, uap)
 		VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);	/* XXX */
 #ifdef MAC
-		error = mac_check_vnode_op(td->td_ucred, vp,
-		    MAC_OP_VNODE_WRITE);
+		error = mac_check_vnode_write(td->td_ucred, vp);
 		if (error == 0) {
 #endif
 			VATTR_NULL(vap);