path: root/sys/security/mac_bsdextended/mac_bsdextended.c
authorrwatson <rwatson@FreeBSD.org>2008-10-27 12:09:15 +0000
committerrwatson <rwatson@FreeBSD.org>2008-10-27 12:09:15 +0000
commit3adba7f0f03bcf201bdd2f3955ab4c467e2142e9 (patch)
tree93397b4fabcdc25d140b74ba86f19f0375555f62 /sys/security/mac_bsdextended/mac_bsdextended.c
parentaf744391b67d479e9240f3b2aff0f6d0a33b59cd (diff)
Break mac_bsdextended.c out into multiple .c files, with the base access
control logic and policy registration remaining in that file, and access control checks broken out into other files by class of check. Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac_bsdextended/mac_bsdextended.c')
-rw-r--r--sys/security/mac_bsdextended/mac_bsdextended.c275
1 files changed, 3 insertions, 272 deletions
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index e7997ba..1c8e6c7 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -65,6 +65,7 @@
#include <security/mac/mac_policy.h>
#include <security/mac_bsdextended/mac_bsdextended.h>
+#include <security/mac_bsdextended/ugidfw_internal.h>
static struct mtx ugidfw_mtx;
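Review bot: After this split the only things binding the moved hook implementations back into this policy are the new `ugidfw_internal.h` include and the `ugidfw_ops` initializer further down; a hook that is mistakenly left out of that designated-initializer table (or mistyped as a name that happens to exist) presumably leaves the slot NULL and the MAC framework simply stops consulting ugidfw for that operation, a silent fail-open rather than a build error. The former `static` linkage made such a gap impossible here, so it is worth diffing the set of `.mpo_*` entries before and after the commit and noting the hazard above the include, e.g. `/* Per-class check implementations live in the ugidfw_*.c files; every one of them must still be wired into ugidfw_ops below, an unset slot silently disables that check. */`. The ops table itself begins at the end of this page and continues beyond it.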
@@ -415,7 +416,7 @@ ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
return (0);
}
-static int
+int
ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
int acc_mode)
{
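Review bot: `ugidfw_check` is now an external symbol callable from the other per-class files, but it has no header comment stating its contract, and the one caller visible here passes a `struct vattr` it prepared itself, so new callers need to know the attributes are the callee's input rather than something it fetches. A comment above the signature along the lines of `/* Evaluate the ugidfw rule set for cred against the object described by vp/vap; acc_mode is a mask of MBI_* bits. vap must already be populated by the caller. Returns 0 to allow, otherwise an errno. */` would pin this down, with the MBI_* naming and the 0-means-allow convention taken from the surrounding code rather than guessed. The body of `ugidfw_check` continues outside this hunk, so the exact return values should be confirmed there before wording the comment.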
@@ -445,7 +446,7 @@ ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
return (0);
}
-static int
+int
ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
{
int error;
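Review bot: `ugidfw_check_vp` becomes the one entry point every moved check implementation goes through, so it deserves a header comment now that it is extern; the visible tail of the function shows it builds a local `vattr` and forwards to `ugidfw_check`, but how that `vattr` is filled and which errors short-circuit the check are outside this hunk. Something like `/* Convenience wrapper: obtain vp's attributes on the caller's behalf and run ugidfw_check(); acc_mode is a mask of MBI_* bits. Errors from the attribute lookup are returned as-is (deny). */` would tell callers in the new files what they get, with the last clause confirmed against the lines between `int error;` and the forwarding `return`. The function body continues past the end of this hunk.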
@@ -459,276 +460,6 @@ ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
return (ugidfw_check(cred, vp, &vap, acc_mode));
}
-/*
- * Object-specific entry point implementations are sorted alphabetically by
- * object type and then by operation.
- */
-static int
-ugidfw_system_check_acct(struct ucred *cred, struct vnode *vp,
- struct label *vplabel)
-{
-
- if (vp != NULL)
- return (ugidfw_check_vp(cred, vp, MBI_WRITE));
- else
- return (0);
-}
-
-static int
-ugidfw_system_check_auditctl(struct ucred *cred, struct vnode *vp,
- struct label *vplabel)
-{
-
- if (vp != NULL)
- return (ugidfw_check_vp(cred, vp, MBI_WRITE));
- else
- return (0);
-}
-
-static int
-ugidfw_system_check_swapon(struct ucred *cred, struct vnode *vp,
- struct label *vplabel)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_WRITE));
-}
-
-static int
-ugidfw_vnode_check_access(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode)
-{
-
- return (ugidfw_check_vp(cred, vp, acc_mode));
-}
-
-static int
-ugidfw_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
- struct label *dvplabel)
-{
-
- return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
-}
-
-static int
-ugidfw_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
- struct label *dvplabel)
-{
-
- return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
-}
-
-static int
-ugidfw_check_create_vnode(struct ucred *cred, struct vnode *dvp,
- struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
-{
-
- return (ugidfw_check_vp(cred, dvp, MBI_WRITE));
-}
-
-static int
-ugidfw_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, acl_type_t type)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
-}
-
-static int
-ugidfw_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int attrnamespace, const char *name)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_WRITE));
-}
-
-static int
-ugidfw_vnode_check_exec(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, struct image_params *imgp,
- struct label *execlabel)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_READ|MBI_EXEC));
-}
-
-static int
-ugidfw_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, acl_type_t type)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_STAT));
-}
-
-static int
-ugidfw_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int attrnamespace, const char *name,
- struct uio *uio)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_READ));
-}
-
-static int
-ugidfw_vnode_check_link(struct ucred *cred, struct vnode *dvp,
- struct label *dvplabel, struct vnode *vp, struct label *label,
- struct componentname *cnp)
-{
- int error;
-
- error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
- if (error)
- return (error);
- error = ugidfw_check_vp(cred, vp, MBI_WRITE);
- if (error)
- return (error);
- return (0);
-}
-
-static int
-ugidfw_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int attrnamespace)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_READ));
-}
-
-static int
-ugidfw_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
- struct label *dvplabel, struct componentname *cnp)
-{
-
- return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
-}
-
-static int
-ugidfw_vnode_check_open(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode)
-{
-
- return (ugidfw_check_vp(cred, vp, acc_mode));
-}
-
-static int
-ugidfw_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
- struct label *dvplabel)
-{
-
- return (ugidfw_check_vp(cred, dvp, MBI_READ));
-}
-
-static int
-ugidfw_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
- struct label *vplabel)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_READ));
-}
-
-static int
-ugidfw_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
- struct label *dvplabel, struct vnode *vp, struct label *vplabel,
- struct componentname *cnp)
-{
- int error;
-
- error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
- if (error)
- return (error);
- return (ugidfw_check_vp(cred, vp, MBI_WRITE));
-}
-
-static int
-ugidfw_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
- struct label *dvplabel, struct vnode *vp, struct label *vplabel,
- int samedir, struct componentname *cnp)
-{
- int error;
-
- error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
- if (error)
- return (error);
- if (vp != NULL)
- error = ugidfw_check_vp(cred, vp, MBI_WRITE);
- return (error);
-}
-
-static int
-ugidfw_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
- struct label *vplabel)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
-}
-
-static int
-ugidfw_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, acl_type_t type, struct acl *acl)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
-}
-
-static int
-ugidfw_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int attrnamespace, const char *name,
- struct uio *uio)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_WRITE));
-}
-
-static int
-ugidfw_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, u_long flags)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
-}
-
-static int
-ugidfw_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, mode_t mode)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
-}
-
-static int
-ugidfw_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, uid_t uid, gid_t gid)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
-}
-
-static int
-ugidfw_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, struct timespec atime, struct timespec utime)
-{
-
- return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
-}
-
-static int
-ugidfw_vnode_check_stat(struct ucred *active_cred,
- struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
-{
-
- return (ugidfw_check_vp(active_cred, vp, MBI_STAT));
-}
-
-static int
-ugidfw_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
- struct label *dvplabel, struct vnode *vp, struct label *vplabel,
- struct componentname *cnp)
-{
- int error;
-
- error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
- if (error)
- return (error);
- return (ugidfw_check_vp(cred, vp, MBI_WRITE));
-}
-
static struct mac_policy_ops ugidfw_ops =
{
.mpo_destroy = ugidfw_destroy,