authorrwatson <rwatson@FreeBSD.org>2002-08-19 16:43:25 +0000
committerrwatson <rwatson@FreeBSD.org>2002-08-19 16:43:25 +0000
commit1a7cd1a210c4be2ec85df8513276938c23be1b95 (patch)
treeb56250ebc97ff756401e26512847769076ec6e53 /sys/security
parent25617b8fc0dd0452d39b8873c1df9d7fc6fbbf9c (diff)
Break out mac_check_vnode_op() into three separate checks:
mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write(). This improves the consistency with other existing vnode checks, and allows policies to avoid implementing switch statements to determine what operations they do and do not want to authorize. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.c67
-rw-r--r--sys/security/mac/mac_framework.h4
-rw-r--r--sys/security/mac/mac_internal.h67
-rw-r--r--sys/security/mac/mac_net.c67
-rw-r--r--sys/security/mac/mac_pipe.c67
-rw-r--r--sys/security/mac/mac_policy.h12
-rw-r--r--sys/security/mac/mac_process.c67
-rw-r--r--sys/security/mac/mac_syscalls.c67
-rw-r--r--sys/security/mac/mac_system.c67
-rw-r--r--sys/security/mac/mac_vfs.c67
-rw-r--r--sys/security/mac_biba/mac_biba.c92
-rw-r--r--sys/security/mac_mls/mac_mls.c92
-rw-r--r--sys/security/mac_none/mac_none.c30
-rw-r--r--sys/security/mac_stub/mac_stub.c30
-rw-r--r--sys/security/mac_test/mac_test.c30
15 files changed, 678 insertions, 148 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
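Review bot: None of the three new entry points carries a comment saying how it differs from mac_check_vnode_open, which is exactly what a policy author needs when deciding which hook to implement for which access. I would put above mac_check_vnode_poll something like `/* Per-operation checks on an already-open vnode; policies can use these to re-evaluate access granted at open time. */` — the Biba and MLS policies in this same commit gate these hooks on their *_revocation_enabled knobs, which is what suggests that reading, so confirm the intent before wording it that way. Moving ASSERT_VOP_LOCKED ahead of the mac_enforce_fs test in mac_check_vnode_open is a good change, since the locking invariant should hold whether or not enforcement is switched on. mac_check_vnode_read's body continues past the end of this hunk.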
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
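Review bot: mac_check_vnode_write (and its read/poll siblings) takes a single `cred`, so when a write arrives through a file descriptor whose opener differs from the current thread's credential (a descriptor inherited across a credential change or passed over a socket) the framework cannot tell the policy which label it is checking against — whatever the VFS caller chooses to pass is what gets compared to the object label, and that caller is outside this diff. Consider giving these hooks both credentials, e.g. `int mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp);`, so policies can apply the label of the credential that actually opened the file; this only matters if the callers in the VFS layer really do pass td_ucred rather than fp->f_cred, which I cannot see from here. As a minor style point, the function is followed by two blank lines where the file otherwise uses one.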
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index d80387c..3d73df4 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -341,9 +341,10 @@ int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
/* XXX This u_char should be vm_prot_t! */
u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp,
int newmapping);
-int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op);
int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
mode_t acc_mode);
+int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp);
+int mac_check_vnode_read(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
@@ -364,6 +365,7 @@ int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime);
int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp);
+int mac_check_vnode_write(struct ucred *cred, struct vnode *vp);
int mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 5463fa9..9bc28ad 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -286,10 +286,12 @@ struct mac_policy_ops {
struct componentname *cnp);
vm_prot_t (*mpo_check_vnode_mmap_perms)(struct ucred *cred,
struct vnode *vp, struct label *label, int newmapping);
- int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp,
- struct label *label, int op);
int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t acc_mode);
+ int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp,
+ struct label *label);
+ int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp,
+ struct label *label);
int (*mpo_check_vnode_readdir)(struct ucred *cred,
struct vnode *dvp, struct label *dlabel);
int (*mpo_check_vnode_readlink)(struct ucred *cred,
@@ -324,6 +326,8 @@ struct mac_policy_ops {
struct timespec atime, struct timespec mtime);
int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp,
struct label *label);
+ int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp,
+ struct label *label);
};
typedef const void *macop_t;
@@ -426,8 +430,9 @@ enum mac_op_constant {
MAC_CHECK_VNODE_GETEXTATTR,
MAC_CHECK_VNODE_LOOKUP,
MAC_CHECK_VNODE_MMAP_PERMS,
- MAC_CHECK_VNODE_OP,
MAC_CHECK_VNODE_OPEN,
+ MAC_CHECK_VNODE_POLL,
+ MAC_CHECK_VNODE_READ,
MAC_CHECK_VNODE_READDIR,
MAC_CHECK_VNODE_READLINK,
MAC_CHECK_VNODE_RELABEL,
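Review bot: Deleting MAC_CHECK_VNODE_OP from the middle of enum mac_op_constant renumbers every constant after it, and mac_policy_register() dispatches on those numbers to store the untyped `mpe_function` into a specific typed slot, so a policy module built against the previous header would have its handlers installed into the wrong slots and called with the wrong argument lists. Since the `default:` arm of that switch is commented out, a stale or out-of-range constant would also be dropped silently rather than reported. If struct mac_policy_conf carries an interface version, bump it here; if not, say in the commit message that all policy modules must be rebuilt. A cheaper long-term option is to keep the enum append-only: retain `MAC_CHECK_VNODE_OP,` as a reserved value and add `MAC_CHECK_VNODE_POLL`, `MAC_CHECK_VNODE_READ` and `MAC_CHECK_VNODE_WRITE` at the end of the list.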
@@ -441,6 +446,7 @@ enum mac_op_constant {
MAC_CHECK_VNODE_SETOWNER,
MAC_CHECK_VNODE_SETUTIMES,
MAC_CHECK_VNODE_STAT,
+ MAC_CHECK_VNODE_WRITE,
};
struct mac_policy_op_entry {
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 83c82e4..6e9e383 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1689,6 +1689,42 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
+mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_vnode_read(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
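Review bot: mac_biba_check_vnode_poll and mac_biba_check_vnode_read have byte-identical bodies; rather than maintain two copies of the integrity comparison, let poll delegate with `return (mac_biba_check_vnode_read(cred, vp, label));` under a one-line comment noting that polling observes object state and is therefore treated as a read. The direction of the test is correct for Biba — the object's integrity must dominate the subject's before the subject may observe it — but neither function says so, and a comment such as `/* No read down: the object's integrity label must dominate the subject's. */` would protect the sense of the comparison against future edits. Note that both hooks return 0 unconditionally when mac_biba_revocation_enabled is off, leaving the open-time check as the sole gate in that configuration; that looks deliberate, but it deserves a comment too.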
@@ -1955,6 +1991,24 @@ mac_biba_check_vnode_stat(struct ucred *cred, struct vnode *vp,
return (0);
}
+static int
+mac_biba_check_vnode_write(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_biba_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
static vm_prot_t
mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
struct label *label, int newmapping)
@@ -1975,36 +2029,6 @@ mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
return (prot);
}
-static int
-mac_biba_check_vnode_op(struct ucred *cred, struct vnode *vp,
- struct label *label, int op)
-{
- struct mac_biba *subj, *obj;
-
- if (!mac_biba_enabled || !mac_biba_revocation_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(label);
-
- switch (op) {
- case MAC_OP_VNODE_POLL:
- case MAC_OP_VNODE_READ:
- if (!mac_biba_dominate_single(obj, subj))
- return (EACCES);
- return (0);
-
- case MAC_OP_VNODE_WRITE:
- if (!mac_biba_dominate_single(subj, obj))
- return (EACCES);
- return (0);
-
- default:
- printf("mac_biba_check_vnode_op: unknown operation %d\n", op);
- return (EINVAL);
- }
-}
-
static struct mac_policy_op_entry mac_biba_ops[] =
{
{ MAC_DESTROY,
@@ -2189,6 +2213,10 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,
(macop_t)mac_biba_check_vnode_open },
+ { MAC_CHECK_VNODE_POLL,
+ (macop_t)mac_biba_check_vnode_poll },
+ { MAC_CHECK_VNODE_READ,
+ (macop_t)mac_biba_check_vnode_read },
{ MAC_CHECK_VNODE_READDIR,
(macop_t)mac_biba_check_vnode_readdir },
{ MAC_CHECK_VNODE_READLINK,
@@ -2215,10 +2243,10 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_check_vnode_setutimes },
{ MAC_CHECK_VNODE_STAT,
(macop_t)mac_biba_check_vnode_stat },
+ { MAC_CHECK_VNODE_WRITE,
+ (macop_t)mac_biba_check_vnode_write },
{ MAC_CHECK_VNODE_MMAP_PERMS,
(macop_t)mac_biba_check_vnode_mmap_perms },
- { MAC_CHECK_VNODE_OP,
- (macop_t)mac_biba_check_vnode_op },
{ MAC_OP_LAST, NULL }
};
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 958bda9..4dca581 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1639,6 +1639,42 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
+mac_mls_check_vnode_poll(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled || !mac_mls_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_mls_check_vnode_read(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled || !mac_mls_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
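Review bot: mac_mls_check_vnode_poll and mac_mls_check_vnode_read have byte-for-byte identical bodies, and the same duplication exists in the Biba poll/read pair at the top of this diff (L1048–L1078). Splitting the hook at the framework level is the right call, but on the policy side one decision point would keep the two rules from drifting, e.g. the poll hook could simply `return (mac_mls_check_vnode_read(cred, vp, label));`, or both could call a small static helper that holds the dominance test. `vp` is unused in both functions, which is fine for the hook signature but worth a short comment noting that the decision is made on the caller-supplied `label` alone.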
@@ -1906,6 +1942,24 @@ mac_mls_check_vnode_stat(struct ucred *cred, struct vnode *vp,
return (0);
}
+static int
+mac_mls_check_vnode_write(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled || !mac_mls_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
static vm_prot_t
mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
struct label *label, int newmapping)
@@ -1926,36 +1980,6 @@ mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
return (prot);
}
-static int
-mac_mls_check_vnode_op(struct ucred *cred, struct vnode *vp,
- struct label *label, int op)
-{
- struct mac_mls *subj, *obj;
-
- if (!mac_mls_enabled || !mac_mls_revocation_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(label);
-
- switch (op) {
- case MAC_OP_VNODE_POLL:
- case MAC_OP_VNODE_READ:
- if (!mac_mls_dominate_single(subj, obj))
- return (EACCES);
- return (0);
-
- case MAC_OP_VNODE_WRITE:
- if (!mac_mls_dominate_single(obj, subj))
- return (EACCES);
- return (0);
-
- default:
- printf("mac_mls_check_vnode_op: unknown operation %d\n", op);
- return (EINVAL);
- }
-}
-
static struct mac_policy_op_entry mac_mls_ops[] =
{
{ MAC_DESTROY,
@@ -2140,6 +2164,10 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,
(macop_t)mac_mls_check_vnode_open },
+ { MAC_CHECK_VNODE_POLL,
+ (macop_t)mac_mls_check_vnode_poll },
+ { MAC_CHECK_VNODE_READ,
+ (macop_t)mac_mls_check_vnode_read },
{ MAC_CHECK_VNODE_READDIR,
(macop_t)mac_mls_check_vnode_readdir },
{ MAC_CHECK_VNODE_READLINK,
@@ -2166,10 +2194,10 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_check_vnode_setutimes },
{ MAC_CHECK_VNODE_STAT,
(macop_t)mac_mls_check_vnode_stat },
+ { MAC_CHECK_VNODE_WRITE,
+ (macop_t)mac_mls_check_vnode_write },
{ MAC_CHECK_VNODE_MMAP_PERMS,
(macop_t)mac_mls_check_vnode_mmap_perms },
- { MAC_CHECK_VNODE_OP,
- (macop_t)mac_mls_check_vnode_op },
{ MAC_OP_LAST, NULL }
};
diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c
index b1f154e..b7e5fdd 100644
--- a/sys/security/mac_none/mac_none.c
+++ b/sys/security/mac_none/mac_none.c
@@ -775,6 +775,22 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
+mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (0);
+}
+
+static int
mac_none_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
struct label *dlabel)
{
@@ -880,6 +896,14 @@ mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp,
return (0);
}
+static int
+mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (0);
+}
+
static struct mac_policy_op_entry mac_none_ops[] =
{
{ MAC_DESTROY,
@@ -1072,6 +1096,10 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,
(macop_t)mac_none_check_vnode_open },
+ { MAC_CHECK_VNODE_POLL,
+ (macop_t)mac_none_check_vnode_poll },
+ { MAC_CHECK_VNODE_READ,
+ (macop_t)mac_none_check_vnode_read },
{ MAC_CHECK_VNODE_READDIR,
(macop_t)mac_none_check_vnode_readdir },
{ MAC_CHECK_VNODE_READLINK,
@@ -1098,6 +1126,8 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_vnode_setutimes },
{ MAC_CHECK_VNODE_STAT,
(macop_t)mac_none_check_vnode_stat },
+ { MAC_CHECK_VNODE_WRITE,
+ (macop_t)mac_none_check_vnode_write },
{ MAC_OP_LAST, NULL }
};
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index b1f154e..b7e5fdd 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -775,6 +775,22 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
+mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (0);
+}
+
+static int
mac_none_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
struct label *dlabel)
{
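Review bot: The functions added to mac_stub.c are named mac_none_check_vnode_poll/read/write and are registered in `mac_none_ops` (L1392), following the prefix the file already uses, and the identical index lines (b1f154e..b7e5fdd on both files) show the stub is still a verbatim copy of mac_none.c. That is consistent with the file's existing convention, but it means the two modules cannot be told apart by symbol name in a panic backtrace or an `nm` listing. If the stub is meant to diverge from mac_none at some point, introducing a `mac_stub_` prefix while the hooks are still trivial one-liners is the cheapest moment to do it.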
@@ -880,6 +896,14 @@ mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp,
return (0);
}
+static int
+mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (0);
+}
+
static struct mac_policy_op_entry mac_none_ops[] =
{
{ MAC_DESTROY,
@@ -1072,6 +1096,10 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,
(macop_t)mac_none_check_vnode_open },
+ { MAC_CHECK_VNODE_POLL,
+ (macop_t)mac_none_check_vnode_poll },
+ { MAC_CHECK_VNODE_READ,
+ (macop_t)mac_none_check_vnode_read },
{ MAC_CHECK_VNODE_READDIR,
(macop_t)mac_none_check_vnode_readdir },
{ MAC_CHECK_VNODE_READLINK,
@@ -1098,6 +1126,8 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_vnode_setutimes },
{ MAC_CHECK_VNODE_STAT,
(macop_t)mac_none_check_vnode_stat },
+ { MAC_CHECK_VNODE_WRITE,
+ (macop_t)mac_none_check_vnode_write },
{ MAC_OP_LAST, NULL }
};
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 2e0d3ca..5c97a1b 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -983,6 +983,22 @@ mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
+mac_test_check_vnode_poll(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (0);
+}
+
+static int
+mac_test_check_vnode_read(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (0);
+}
+
+static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
@@ -1088,6 +1104,14 @@ mac_test_check_vnode_stat(struct ucred *cred, struct vnode *vp,
return (0);
}
+static int
+mac_test_check_vnode_write(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (0);
+}
+
static struct mac_policy_op_entry mac_test_ops[] =
{
{ MAC_DESTROY,
@@ -1278,6 +1302,10 @@ static struct mac_policy_op_entry mac_test_ops[] =
(macop_t)mac_test_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,
(macop_t)mac_test_check_vnode_open },
+ { MAC_CHECK_VNODE_POLL,
+ (macop_t)mac_test_check_vnode_poll },
+ { MAC_CHECK_VNODE_READ,
+ (macop_t)mac_test_check_vnode_read },
{ MAC_CHECK_VNODE_READDIR,
(macop_t)mac_test_check_vnode_readdir },
{ MAC_CHECK_VNODE_READLINK,
@@ -1304,6 +1332,8 @@ static struct mac_policy_op_entry mac_test_ops[] =
(macop_t)mac_test_check_vnode_setutimes },
{ MAC_CHECK_VNODE_STAT,
(macop_t)mac_test_check_vnode_stat },
+ { MAC_CHECK_VNODE_WRITE,
+ (macop_t)mac_test_check_vnode_write },
{ MAC_OP_LAST, NULL }
};