In continuation of early fileop credential changes, modify fo_ioctl() to

accept an 'active_cred' argument reflecting the credential of the thread
initiating the ioctl operation.

- Change fo_ioctl() to accept active_cred; change consumers of the
  fo_ioctl() interface to generally pass active_cred from td->td_ucred.
- In fifofs, initialize filetmp.f_cred to ap->a_cred so that the
  invocations of soo_ioctl() are provided access to the calling f_cred.
  Pass ap->a_td->td_ucred as the active_cred, but note that this is
  required because we don't yet distinguish file_cred and active_cred
  in invoking VOP's.
- Update kqueue_ioctl() for its new argument.
- Update pipe_ioctl() for its new argument, pass active_cred rather
  than td_ucred to MAC for authorization.
- Update soo_ioctl() for its new argument.
- Update vn_ioctl() for its new argument, use active_cred rather than
  td->td_ucred to authorize VOP_IOCTL() and the associated VOP_GETATTR().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

6 files changed, 26 insertions, 20 deletions

diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index bc09bfd..37dc894 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -101,7 +101,7 @@ static int do_dup(struct filedesc *fdp, int old, int new, register_t *retval,
 static int badfo_readwrite(struct file *fp, struct uio *uio,
     struct ucred *active_cred, int flags, struct thread *td);
 static int badfo_ioctl(struct file *fp, u_long com, void *data,
-    struct thread *td);
+    struct ucred *active_cred, struct thread *td);
 static int badfo_poll(struct file *fp, int events,
     struct ucred *active_cred, struct thread *td);
 static int badfo_kqfilter(struct file *fp, struct knote *kn);
@@ -315,34 +315,35 @@ fcntl(td, uap)
 		fp->f_flag &= ~FCNTLFLAGS;
 		fp->f_flag |= FFLAGS(uap->arg & ~O_ACCMODE) & FCNTLFLAGS;
 		tmp = fp->f_flag & FNONBLOCK;
-		error = fo_ioctl(fp, FIONBIO, &tmp, td);
+		error = fo_ioctl(fp, FIONBIO, &tmp, td->td_ucred, td);
 		if (error) {
 			fdrop(fp, td);
 			break;
 		}
 		tmp = fp->f_flag & FASYNC;
-		error = fo_ioctl(fp, FIOASYNC, &tmp, td);
+		error = fo_ioctl(fp, FIOASYNC, &tmp, td->td_ucred, td);
 		if (!error) {
 			fdrop(fp, td);
 			break;
 		}
 		fp->f_flag &= ~FNONBLOCK;
 		tmp = 0;
-		(void)fo_ioctl(fp, FIONBIO, &tmp, td);
+		(void)fo_ioctl(fp, FIONBIO, &tmp, td->td_ucred, td);
 		fdrop(fp, td);
 		break;
 
 	case F_GETOWN:
 		fhold(fp);
 		FILEDESC_UNLOCK(fdp);
-		error = fo_ioctl(fp, FIOGETOWN, (void *)td->td_retval, td);
+		error = fo_ioctl(fp, FIOGETOWN, (void *)td->td_retval,
+		    td->td_ucred, td);
 		fdrop(fp, td);
 		break;
 
 	case F_SETOWN:
 		fhold(fp);
 		FILEDESC_UNLOCK(fdp);
-		error = fo_ioctl(fp, FIOSETOWN, &uap->arg, td);
+		error = fo_ioctl(fp, FIOSETOWN, &uap->arg, td->td_ucred, td);
 		fdrop(fp, td);
 		break;
 
@@ -2159,10 +2160,11 @@ badfo_readwrite(fp, uio, active_cred, flags, td)
 }
 
 static int
-badfo_ioctl(fp, com, data, td)
+badfo_ioctl(fp, com, data, active_cred, td)
 	struct file *fp;
 	u_long com;
 	void *data;
+	struct ucred *active_cred;
 	struct thread *td;
 {
 
diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 820775d..d8bc894 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -61,7 +61,7 @@ static int 	kqueue_read(struct file *fp, struct uio *uio,
 static int	kqueue_write(struct file *fp, struct uio *uio,
 		    struct ucred *active_cred, int flags, struct thread *td);
 static int	kqueue_ioctl(struct file *fp, u_long com, void *data,
-		    struct thread *td);
+		    struct ucred *active_cred, struct thread *td);
 static int 	kqueue_poll(struct file *fp, int events,
 		    struct ucred *active_cred, struct thread *td);
 static int 	kqueue_kqfilter(struct file *fp, struct knote *kn);
@@ -794,7 +794,8 @@ kqueue_write(struct file *fp, struct uio *uio, struct ucred *active_cred,
 
 /*ARGSUSED*/
 static int
-kqueue_ioctl(struct file *fp, u_long com, void *data, struct thread *td)
+kqueue_ioctl(struct file *fp, u_long com, void *data,
+	struct ucred *active_cred, struct thread *td)
 {
 	return (ENOTTY);
 }
diff --git a/sys/kern/sys_generic.c b/sys/kern/sys_generic.c
index 55babb2..8e209bb 100644
--- a/sys/kern/sys_generic.c
+++ b/sys/kern/sys_generic.c
@@ -656,7 +656,7 @@ ioctl(td, uap)
 		else
 			fp->f_flag &= ~FNONBLOCK;
 		FILE_UNLOCK(fp);
-		error = fo_ioctl(fp, FIONBIO, &tmp, td);
+		error = fo_ioctl(fp, FIONBIO, &tmp, td->td_ucred, td);
 		break;
 
 	case FIOASYNC:
@@ -666,11 +666,11 @@ ioctl(td, uap)
 		else
 			fp->f_flag &= ~FASYNC;
 		FILE_UNLOCK(fp);
-		error = fo_ioctl(fp, FIOASYNC, &tmp, td);
+		error = fo_ioctl(fp, FIOASYNC, &tmp, td->td_ucred, td);
 		break;
 
 	default:
-		error = fo_ioctl(fp, com, data, td);
+		error = fo_ioctl(fp, com, data, td->td_ucred, td);
 		/*
 		 * Copy any data to user, size was
 		 * already set and checked above.
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index 624ac6b..d956501 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -105,7 +105,7 @@ static int pipe_kqfilter(struct file *fp, struct knote *kn);
 static int pipe_stat(struct file *fp, struct stat *sb,
 		struct ucred *active_cred, struct thread *td);
 static int pipe_ioctl(struct file *fp, u_long cmd, void *data,
-		struct thread *td);
+		struct ucred *active_cred, struct thread *td);
 
 static struct fileops pipeops = {
 	pipe_read, pipe_write, pipe_ioctl, pipe_poll, pipe_kqfilter,
@@ -1155,10 +1155,11 @@ pipe_write(fp, uio, active_cred, flags, td)
  * we implement a very minimal set of ioctls for compatibility with sockets.
  */
 int
-pipe_ioctl(fp, cmd, data, td)
+pipe_ioctl(fp, cmd, data, active_cred, td)
 	struct file *fp;
 	u_long cmd;
 	void *data;
+	struct ucred *active_cred;
 	struct thread *td;
 {
 	struct pipe *mpipe = (struct pipe *)fp->f_data;
@@ -1166,7 +1167,7 @@ pipe_ioctl(fp, cmd, data, td)
 	int error;
 
 	/* XXXMAC: Pipe should be locked for this check. */
-	error = mac_check_pipe_ioctl(td->td_ucred, mpipe, cmd, data);
+	error = mac_check_pipe_ioctl(active_cred, mpipe, cmd, data);
 	if (error)
 		return (error);
 #endif
diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c
index 53ca5b9..b4a9442 100644
--- a/sys/kern/sys_socket.c
+++ b/sys/kern/sys_socket.c
@@ -93,10 +93,11 @@ soo_write(fp, uio, active_cred, flags, td)
 }
 
 int
-soo_ioctl(fp, cmd, data, td)
+soo_ioctl(fp, cmd, data, active_cred, td)
 	struct file *fp;
 	u_long cmd;
 	void *data;
+	struct ucred *active_cred;
 	struct thread *td;
 {
 	register struct socket *so = (struct socket *)fp->f_data;
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index af5faed..07e5fc9 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -65,7 +65,7 @@
 
 static int vn_closefile(struct file *fp, struct thread *td);
 static int vn_ioctl(struct file *fp, u_long com, void *data, 
-		struct thread *td);
+		struct ucred *active_cred, struct thread *td);
 static int vn_read(struct file *fp, struct uio *uio, 
 		struct ucred *active_cred, int flags, struct thread *td);
 static int vn_poll(struct file *fp, int events, struct ucred *active_cred,
@@ -721,10 +721,11 @@ vn_stat(vp, sb, active_cred, file_cred, td)
  * File table vnode ioctl routine.
  */
 static int
-vn_ioctl(fp, com, data, td)
+vn_ioctl(fp, com, data, active_cred, td)
 	struct file *fp;
 	u_long com;
 	void *data;
+	struct ucred *active_cred;
 	struct thread *td;
 {
 	register struct vnode *vp = ((struct vnode *)fp->f_data);
@@ -738,7 +739,7 @@ vn_ioctl(fp, com, data, td)
 	case VDIR:
 		if (com == FIONREAD) {
 			vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
-			error = VOP_GETATTR(vp, &vattr, td->td_ucred, td);
+			error = VOP_GETATTR(vp, &vattr, active_cred, td);
 			VOP_UNLOCK(vp, 0, td);
 			if (error)
 				return (error);
@@ -762,7 +763,7 @@ vn_ioctl(fp, com, data, td)
 			*(int *)data = devsw(vp->v_rdev)->d_flags & D_TYPEMASK;
 			return (0);
 		}
-		error = VOP_IOCTL(vp, com, data, fp->f_flag, td->td_ucred, td);
+		error = VOP_IOCTL(vp, com, data, fp->f_flag, active_cred, td);
 		if (error == 0 && com == TIOCSCTTY) {
 
 			/* Do nothing if reassigning same control tty */