author | rwatson <rwatson@FreeBSD.org> | 2003-08-21 13:53:01 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2003-08-21 13:53:01 +0000 |
commit | 6f522a9e5248d735aaee5f9fd322c6c758801149 (patch) | |
tree | 516e8cf5fae27c0606b263da692534ee28f2e34b /sys/kern | |
parent | 1c5a183b7da9ef0273663eacb58ec473ec905d00 (diff) | |
Add mac_check_vnode_deleteextattr() and mac_check_vnode_listextattr():
explicit access control checks to delete and list extended attributes
on a vnode, rather than implicitly combining with the setextattr and
getextattr checks. This reflects EA API changes in the kernel made
recently, including the move to explicit VOP's for both of these
operations.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_mac.c | 32 | ||||
-rw-r--r-- | sys/kern/vfs_extattr.c | 7 | ||||
-rw-r--r-- | sys/kern/vfs_syscalls.c | 7 |
3 files changed, 38 insertions, 8 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index f3cc2f8..dcd8831 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -1614,6 +1614,22 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 }
 
 int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace, const char *name)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+	    attrnamespace, name);
+	return (error);
+}
+
+int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
 {
@@ -1678,6 +1694,22 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 }
 
 int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+	    attrnamespace);
+	return (error);
+}
+
+int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)
 {
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index 7d51ca7..5eeda6c 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -4270,8 +4270,8 @@ extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname,
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
-	error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace,
-	    attrname, NULL);
+	error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace,
+	    attrname);
 	if (error)
 		goto done;
 #endif
@@ -4418,8 +4418,7 @@ extattr_list_vp(struct vnode *vp, int attrnamespace, void *data,
 	sizep = &size;
 #ifdef MAC
-	error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace,
-	    "", &auio);
+	error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace);
 	if (error)
 		goto done;
 #endif
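Review bot: mac_check_vnode_deleteextattr() carries no header comment, and the contract a policy author needs is not stated anywhere in the hunk: vp must be locked (hence the ASSERT_VOP_LOCKED), the check is skipped outright when mac_enforce_fs is clear, and `error` is never assigned in the visible lines, so it is presumably set by MAC_CHECK — a reader who does not know the macro will take the `return (error)` for an uninitialised return. I would put above the function: `/* Check whether cred may delete extended attribute 'name' in 'attrnamespace' on vp. vp must be locked. Returns 0 when filesystem enforcement is off, else the composed policy result (set by MAC_CHECK). */`. The sibling mac_check_vnode_listextattr() added later in this file deserves the same treatment.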
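Review bot: mac_check_vnode_listextattr() takes only the namespace, so a policy is consulted once per namespace and never sees the individual attribute names the caller is about to return; the check it replaces passed an empty name and the uio to check_vnode_getextattr, and a policy that decides getextattr per attribute name has no way, through this hook, to withhold selected names from a listing. That is a defensible shape for a list operation, but it should be written down beside the function so nobody expects per-name filtering here, e.g. `/* List checks are per-namespace only: returned names are not individually mediated, so a policy that must hide an attribute has to deny listing of the whole namespace. */`. Whether any in-tree policy relies on name-based getextattr decisions is not visible in this diff.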
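Review bot: Moving this call from mac_check_vnode_setextattr() to mac_check_vnode_deleteextattr() takes EA deletion out of a hook every existing policy already implements and puts it behind a brand-new one, so a policy module that has not yet gained a check_vnode_deleteextattr entry stops mediating deletion the moment this lands — MAC_CHECK presumably skips policies that leave the op unset, which composes as allow. The diffstat here is limited to sys/kern, so the mac_policy_ops additions and the per-policy implementations are not visible; please confirm they are in the same commit and that each policy's delete decision is at least as strict as the setextattr decision it used to give for this path. Until that is verified the change weakens rather than refines the check for any lagging policy. extattr_delete_vp() begins before and ends after this hunk.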
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 7d51ca7..5eeda6c 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -4270,8 +4270,8 @@ extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname,
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
-	error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace,
-	    attrname, NULL);
+	error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace,
+	    attrname);
 	if (error)
 		goto done;
 #endif
@@ -4418,8 +4418,7 @@ extattr_list_vp(struct vnode *vp, int attrnamespace, void *data,
 	sizep = &size;
 #ifdef MAC
-	error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace,
-	    "", &auio);
+	error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace);
 	if (error)
 		goto done;
 #endif
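Review bot: The vfs_syscalls.c hunks are byte-identical to the vfs_extattr.c ones, down to the same blob index `7d51ca7..5eeda6c`, which suggests extattr_delete_vp() and extattr_list_vp() currently exist as two copies that have to be patched in lockstep. Duplicated access-control paths are exactly where checks drift: a later fix to one copy leaves the other still calling the older, weaker hook, and both files are reached from the syscall layer as far as this diff shows. If one file is a transitional repository copy, a comment at its top naming the canonical file — or dropping the extattr functions from the non-canonical one — would prevent that; if the two are meant to diverge, the commit message should say so. Both functions extend beyond the hunks shown here.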