author | rwatson <rwatson@FreeBSD.org> | 2006-12-20 23:18:17 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2006-12-20 23:18:17 +0000 |
commit | 00c95308bf0f405320c0417c58a318ae4b19bff8 (patch) | |
tree | 091840731a29f9e41279e9ec5244ebee529500dc /sys/security | |
parent | 08ad649b5f2dcb8857e390ad30a032d4e17fec57 (diff) | |
Trim trailing white space, clean up comment line wrapping and formatting.
Document mac_associate_nfsd_label().
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_vfs.c | 31 |
1 files changed, 21 insertions, 10 deletions
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index ef667b1..403bc1c 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -13,7 +13,7 @@ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * - * This software was enhanced by SPARTA ISSO under SPAWAR contract + * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * * Redistribution and use in source and binary forms, with or without @@ -74,8 +74,8 @@ __FBSDID("$FreeBSD$"); #include <security/mac/mac_internal.h> /* - * Warn about EA transactions only the first time they happen. - * Weak coherency, no locking. + * Warn about EA transactions only the first time they happen. No locking on + * this variable. */ static int ea_warn_once = 0; @@ -978,9 +978,11 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) /* * Multi-phase commit. First check the policies to confirm the - * change is OK. Then commit via the filesystem. Finally, - * update the actual vnode label. Question: maybe the filesystem - * should update the vnode at the end as part of VOP_SETLABEL()? + * change is OK. Then commit via the filesystem. Finally, update + * the actual vnode label. + * + * Question: maybe the filesystem should update the vnode at the end + * as part of VOP_SETLABEL()? */ error = mac_check_vnode_relabel(cred, vp, intlabel); if (error) 
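Review bot: In the second hunk (`ea_warn_once`), the reworded comment drops the old "Weak coherency" caveat and now says only that there is no locking, without saying why that is acceptable. The variable's readers and writers are outside this hunk, so this is inferred, but if the only effect of a race is that the warning is printed more than once, the comment should say so, for example `* this variable; a race can at worst emit the warning more than once.` That keeps a later reader from treating the unlocked access as an oversight, or from reusing the flag for something that needs a real guarantee.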
@@ -988,10 +990,10 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) /* * VADMIN provides the opportunity for the filesystem to make - * decisions about who is and is not able to modify labels - * and protections on files. This might not be right. We can't - * assume VOP_SETLABEL() will do it, because we might implement - * that as part of vop_stdsetlabel_ea(). + * decisions about who is and is not able to modify labels and + * protections on files. This might not be right. We can't assume + * VOP_SETLABEL() will do it, because we might implement that as + * part of vop_stdsetlabel_ea(). */ error = VOP_ACCESS(vp, VADMIN, cred, curthread); if (error) @@ -1004,6 +1006,15 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) return (0); } +/* + * When a thread becomes an NFS server daemon, its credential may need to be + * updated to reflect this so that policies can recognize when file system + * operations originate from the network. + * + * At some point, it would be desirable if the credential used for each NFS + * RPC could be set based on the RPC context (i.e., source system, etc) to + * provide more fine-grained access control. + */ void mac_associate_nfsd_label(struct ucred *cred) { |
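Review bot: The new comment on `mac_associate_nfsd_label()` in the last hunk explains why the credential is relabeled but not what the caller must guarantee about `cred`. The function body lies outside the hunk, so whether the label is changed in place is not visible here; if it is, a credential still shared with other threads or processes would have its label changed for all of them. I would add a sentence along the lines of `* The caller must pass a credential it holds privately (not yet shared), since the label is modified in place.` If a privilege check is expected before a thread may take on the NFS server label, the comment should also name where that check is made.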