authorrwatson <rwatson@FreeBSD.org>2003-08-21 13:53:01 +0000
committerrwatson <rwatson@FreeBSD.org>2003-08-21 13:53:01 +0000
commit6f522a9e5248d735aaee5f9fd322c6c758801149 (patch)
tree516e8cf5fae27c0606b263da692534ee28f2e34b /sys/security/mac/mac_syscalls.c
parent1c5a183b7da9ef0273663eacb58ec473ec905d00 (diff)
Add mac_check_vnode_deleteextattr() and mac_check_vnode_listextattr():
explicit access control checks to delete and list extended attributes on a vnode, rather than implicitly combining with the setextattr and getextattr checks. This reflects EA API changes in the kernel made recently, including the move to explicit VOPs for both of these operations. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac/mac_syscalls.c')
-rw-r--r--sys/security/mac/mac_syscalls.c32
1 files changed, 32 insertions, 0 deletions
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index f3cc2f8..dcd8831 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -1614,6 +1614,22 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+ int attrnamespace, const char *name)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+ attrnamespace, name);
+ return (error);
+}
+
+int
mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
struct image_params *imgp)
{
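Review bot: Policies that mediated attribute removal through check_vnode_setextattr will no longer be consulted once callers switch to mac_check_vnode_deleteextattr(), and this page (diffstat limited to mac_syscalls.c) does not show any policy module gaining a check_vnode_deleteextattr entry point. If MAC_CHECK skips policies that leave the entry point unset, which is not visible here, deletion becomes allowed by default for those policies. The same concern applies to mac_check_vnode_listextattr() in the next hunk relative to check_vnode_getextattr. Stating the contract above the function would help policy authors, e.g. `/* Deletion is not covered by check_vnode_setextattr; a policy must implement check_vnode_deleteextattr to mediate it. */`.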
@@ -1678,6 +1694,22 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+ int attrnamespace)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+ attrnamespace);
+ return (error);
+}
+
+int
mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
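Review bot: mac_check_vnode_listextattr() passes policies only `attrnamespace`, so a policy can allow or deny listing a whole namespace but cannot withhold individual attribute names it would refuse through the getextattr check. If that is the intended granularity, it deserves a comment above the function, e.g. `/* Authorizes listing an entire namespace; returned names are not filtered per attribute. */`. The same comment could record that the vnode must be locked on entry (per ASSERT_VOP_LOCKED) and that the check returns 0 without consulting any policy when mac_enforce_fs is clear.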
OpenPOWER on IntegriCloud