authorrwatson <rwatson@FreeBSD.org>2002-08-19 16:59:37 +0000
committerrwatson <rwatson@FreeBSD.org>2002-08-19 16:59:37 +0000
commitfd544421f3cc773adffc30e30d715352a4a0e51e (patch)
tree179942e973f357333f9720ca7246b8b3ad349cef /sys/security
parentd0709eea67e0ae904f80928991bf3ce66b3fcbc4 (diff)
Break out mac_check_pipe_op() into component check entry points:
mac_check_pipe_poll(), mac_check_pipe_read(), mac_check_pipe_stat(), and mac_check_pipe_write(). This improves consistency with other access control entry points and permits security modules to control only the object methods that they are interested in, avoiding switch statements. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.c50
-rw-r--r--sys/security/mac/mac_framework.h18
-rw-r--r--sys/security/mac/mac_internal.h50
-rw-r--r--sys/security/mac/mac_net.c50
-rw-r--r--sys/security/mac/mac_pipe.c50
-rw-r--r--sys/security/mac/mac_policy.h15
-rw-r--r--sys/security/mac/mac_process.c50
-rw-r--r--sys/security/mac/mac_syscalls.c50
-rw-r--r--sys/security/mac/mac_system.c50
-rw-r--r--sys/security/mac/mac_vfs.c50
-rw-r--r--sys/security/mac_biba/mac_biba.c84
-rw-r--r--sys/security/mac_mls/mac_mls.c84
-rw-r--r--sys/security/mac_none/mac_none.c38
-rw-r--r--sys/security/mac_stub/mac_stub.c38
-rw-r--r--sys/security/mac_test/mac_test.c38
15 files changed, 618 insertions, 97 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index f8cb676..7bf7393 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
- case MAC_CHECK_PIPE_OP:
- mpc->mpc_ops->mpo_check_pipe_op =
+ case MAC_CHECK_PIPE_POLL:
+ mpc->mpc_ops->mpo_check_pipe_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_READ:
+ mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_PIPE_STAT:
+ mpc->mpc_ops->mpo_check_pipe_stat =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_WRITE:
+ mpc->mpc_ops->mpo_check_pipe_write =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
-mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
+mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
- MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
+ MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
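Review bot: The new entry points (mac_check_pipe_poll and mac_check_pipe_read here, mac_check_pipe_stat and mac_check_pipe_write in the next hunk) carry no comment, and nothing in the hunk shows how `error` gets a value before `return (error);` — it is only written inside MAC_CHECK, which the neighbouring mac_check_pipe_ioctl presumably relies on in the same way. A one-line header per function would make that contract explicit, e.g. `/* Ask every registered policy whether cred may poll pipe; MAC_CHECK leaves the composed verdict in error. */`, adjusted for read, stat and write. The hunk opens on the closing brace of mac_check_pipe_ioctl, whose body lies outside it. The sections for mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c repeat these mac_framework.c hunks verbatim under the same index line, which looks like a page-rendering artifact rather than real changes to those files, so they were not reviewed separately.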
@@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
int
+mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 3d73df4..1f36d55 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -181,19 +181,6 @@ int __mac_set_proc(struct mac *_mac_p);
#else /* _KERNEL */
/*
- * MAC entry point operations
- */
-enum mac_ep_ops {
- MAC_OP_VNODE_READ,
- MAC_OP_VNODE_WRITE,
- MAC_OP_VNODE_POLL,
- MAC_OP_PIPE_READ,
- MAC_OP_PIPE_WRITE,
- MAC_OP_PIPE_STAT,
- MAC_OP_PIPE_POLL
-};
-
-/*
* Kernel functions to manage and evaluate labels.
*/
struct bpf_d;
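Review bot: Deleting `enum mac_ep_ops` removes MAC_OP_VNODE_READ, MAC_OP_VNODE_WRITE and MAC_OP_VNODE_POLL together with the pipe constants, although the commit only describes splitting mac_check_pipe_op(); if any user of the vnode constants remains outside sys/security (the diffstat is limited to that directory), it will no longer compile. It would be worth stating in the commit message that the vnode op constants were already unused, or keeping that part of the enum until its last user is gone. The kernel-side callers of the removed mac_check_pipe_op() are likewise not visible here and must have been converted in a separate change.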
@@ -307,9 +294,12 @@ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet);
int mac_check_cred_visible(struct ucred *u1, struct ucred *u2);
int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m);
int mac_check_mount_stat(struct ucred *cred, struct mount *mp);
-int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op);
int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
unsigned long cmd, void *data);
+int mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe);
+int mac_check_pipe_read(struct ucred *cred, struct pipe *pipe);
+int mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe);
+int mac_check_pipe_write(struct ucred *cred, struct pipe *pipe);
int mac_check_proc_debug(struct ucred *cred, struct proc *proc);
int mac_check_proc_sched(struct ucred *cred, struct proc *proc);
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index f8cb676..7bf7393 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
- case MAC_CHECK_PIPE_OP:
- mpc->mpc_ops->mpo_check_pipe_op =
+ case MAC_CHECK_PIPE_POLL:
+ mpc->mpc_ops->mpo_check_pipe_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_READ:
+ mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_PIPE_STAT:
+ mpc->mpc_ops->mpo_check_pipe_stat =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_WRITE:
+ mpc->mpc_ops->mpo_check_pipe_write =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
-mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
+mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
- MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
+ MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
int
+mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index f8cb676..7bf7393 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
- case MAC_CHECK_PIPE_OP:
- mpc->mpc_ops->mpo_check_pipe_op =
+ case MAC_CHECK_PIPE_POLL:
+ mpc->mpc_ops->mpo_check_pipe_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_READ:
+ mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_PIPE_STAT:
+ mpc->mpc_ops->mpo_check_pipe_stat =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_WRITE:
+ mpc->mpc_ops->mpo_check_pipe_write =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
-mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
+mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
- MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
+ MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
int
+mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index f8cb676..7bf7393 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
- case MAC_CHECK_PIPE_OP:
- mpc->mpc_ops->mpo_check_pipe_op =
+ case MAC_CHECK_PIPE_POLL:
+ mpc->mpc_ops->mpo_check_pipe_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_READ:
+ mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_PIPE_STAT:
+ mpc->mpc_ops->mpo_check_pipe_stat =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_WRITE:
+ mpc->mpc_ops->mpo_check_pipe_write =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
-mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
+mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
- MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
+ MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
int
+mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 9bc28ad..b3707c2 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -233,11 +233,17 @@ struct mac_policy_ops {
struct label *mntlabel);
int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, unsigned long cmd, void *data);
- int (*mpo_check_pipe_op)(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, int op);
+ int (*mpo_check_pipe_poll)(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel);
+ int (*mpo_check_pipe_read)(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel);
int (*mpo_check_pipe_relabel)(struct ucred *cred,
struct pipe *pipe, struct label *pipelabel,
struct label *newlabel);
+ int (*mpo_check_pipe_stat)(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel);
+ int (*mpo_check_pipe_write)(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel);
int (*mpo_check_proc_debug)(struct ucred *cred,
struct proc *proc);
int (*mpo_check_proc_sched)(struct ucred *cred,
@@ -408,8 +414,11 @@ enum mac_op_constant {
MAC_CHECK_IFNET_TRANSMIT,
MAC_CHECK_MOUNT_STAT,
MAC_CHECK_PIPE_IOCTL,
- MAC_CHECK_PIPE_OP,
+ MAC_CHECK_PIPE_POLL,
+ MAC_CHECK_PIPE_READ,
MAC_CHECK_PIPE_RELABEL,
+ MAC_CHECK_PIPE_STAT,
+ MAC_CHECK_PIPE_WRITE,
MAC_CHECK_PROC_DEBUG,
MAC_CHECK_PROC_SCHED,
MAC_CHECK_PROC_SIGNAL,
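Review bot: Inserting MAC_CHECK_PIPE_POLL and MAC_CHECK_PIPE_READ ahead of MAC_CHECK_PIPE_RELABEL, and MAC_CHECK_PIPE_STAT and MAC_CHECK_PIPE_WRITE after it, renumbers every later constant of `enum mac_op_constant`, and the new `mpo_check_pipe_*` members in the earlier hunk shift the offsets of every later `struct mac_policy_ops` field; a policy module built against the previous header would register its entry points under the wrong op. Since the policy op tables (`{ MAC_CHECK_..., (macop_t)fn }`) depend on these values, the enum deserves a comment such as `/* Adding a constant renumbers those after it; policy modules must be rebuilt against this header. */`. Whether mac_policy_register() rejects an op constant it does not recognise, so that a stale module still registering MAC_CHECK_PIPE_OP fails loudly rather than losing a check, cannot be seen from this hunk and is worth confirming.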
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index f8cb676..7bf7393 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
- case MAC_CHECK_PIPE_OP:
- mpc->mpc_ops->mpo_check_pipe_op =
+ case MAC_CHECK_PIPE_POLL:
+ mpc->mpc_ops->mpo_check_pipe_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_READ:
+ mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_PIPE_STAT:
+ mpc->mpc_ops->mpo_check_pipe_stat =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_WRITE:
+ mpc->mpc_ops->mpo_check_pipe_write =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
-mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
+mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
- MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
+ MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
int
+mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index f8cb676..7bf7393 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
- case MAC_CHECK_PIPE_OP:
- mpc->mpc_ops->mpo_check_pipe_op =
+ case MAC_CHECK_PIPE_POLL:
+ mpc->mpc_ops->mpo_check_pipe_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_READ:
+ mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_PIPE_STAT:
+ mpc->mpc_ops->mpo_check_pipe_stat =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_WRITE:
+ mpc->mpc_ops->mpo_check_pipe_write =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
-mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
+mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
- MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
+ MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
int
+mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index f8cb676..7bf7393 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
- case MAC_CHECK_PIPE_OP:
- mpc->mpc_ops->mpo_check_pipe_op =
+ case MAC_CHECK_PIPE_POLL:
+ mpc->mpc_ops->mpo_check_pipe_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_READ:
+ mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_PIPE_STAT:
+ mpc->mpc_ops->mpo_check_pipe_stat =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_WRITE:
+ mpc->mpc_ops->mpo_check_pipe_write =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
-mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
+mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
- MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
+ MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
int
+mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index f8cb676..7bf7393 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
- case MAC_CHECK_PIPE_OP:
- mpc->mpc_ops->mpo_check_pipe_op =
+ case MAC_CHECK_PIPE_POLL:
+ mpc->mpc_ops->mpo_check_pipe_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_READ:
+ mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_PIPE_STAT:
+ mpc->mpc_ops->mpo_check_pipe_stat =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_WRITE:
+ mpc->mpc_ops->mpo_check_pipe_write =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
-mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
+mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
- MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
+ MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
int
+mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 6e9e383..c830e7c 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1300,8 +1300,8 @@ mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
}
static int
-mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, int op)
+mac_biba_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
{
struct mac_biba *subj, *obj;
@@ -1311,20 +1311,26 @@ mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe,
subj = SLOT(&cred->cr_label);
obj = SLOT((pipelabel));
- switch(op) {
- case MAC_OP_PIPE_READ:
- case MAC_OP_PIPE_STAT:
- case MAC_OP_PIPE_POLL:
- if (!mac_biba_dominate_single(obj, subj))
- return (EACCES);
- break;
- case MAC_OP_PIPE_WRITE:
- if (!mac_biba_dominate_single(subj, obj))
- return (EACCES);
- break;
- default:
- panic("mac_biba_check_pipe_op: invalid pipe operation");
- }
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_pipe_read(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
return (0);
}
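Review bot: mac_biba_check_pipe_poll and mac_biba_check_pipe_read here, and mac_biba_check_pipe_stat and mac_biba_check_pipe_write in the next hunk, repeat the same prologue and differ only in the argument order of mac_biba_dominate_single(), yet that direction is the entire policy and is stated nowhere. Either a comment on each check (`/* Biba: observing a pipe requires its integrity to dominate the subject's (no read down). */` for poll, read and stat, `/* Biba: writing requires the subject's integrity to dominate the pipe's (no write up). */` for write) or a shared static helper taking the direction as an argument would make the four verdicts reviewable at a glance. mac_biba_check_pipe_poll's signature and its `mac_biba_enabled` guard lie in and between the earlier hunks, outside this one. One possible shape for the helper:
```c
/* Common body of the pipe checks: 0 when the Biba dominance relation holds
 * in the requested direction, EACCES otherwise; 0 while the policy is off. */
static int
mac_biba_check_pipe_dominance(struct ucred *cred, struct label *pipelabel,
    int subject_dominates)
{
	struct mac_biba *subj, *obj;
	int ok;

	if (!mac_biba_enabled)
		return (0);

	subj = SLOT(&cred->cr_label);
	obj = SLOT((pipelabel));

	/* Observation (read/stat/poll): no read down.  Write: no write up. */
	ok = subject_dominates ? mac_biba_dominate_single(subj, obj) :
	    mac_biba_dominate_single(obj, subj);

	return (ok ? 0 : EACCES);
}

static int
mac_biba_check_pipe_read(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	return (mac_biba_check_pipe_dominance(cred, pipelabel, 0));
}
/* … unchanged: poll, stat and write wrappers take the same one-line shape … */
```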
@@ -1364,6 +1370,42 @@ mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
static int
+mac_biba_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_pipe_write(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_biba_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc)
{
struct mac_biba *subj, *obj;
@@ -2175,10 +2217,16 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_check_mount_stat },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_biba_check_pipe_ioctl },
- { MAC_CHECK_PIPE_OP,
- (macop_t)mac_biba_check_pipe_op },
+ { MAC_CHECK_PIPE_POLL,
+ (macop_t)mac_biba_check_pipe_poll },
+ { MAC_CHECK_PIPE_READ,
+ (macop_t)mac_biba_check_pipe_read },
{ MAC_CHECK_PIPE_RELABEL,
(macop_t)mac_biba_check_pipe_relabel },
+ { MAC_CHECK_PIPE_STAT,
+ (macop_t)mac_biba_check_pipe_stat },
+ { MAC_CHECK_PIPE_WRITE,
+ (macop_t)mac_biba_check_pipe_write },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_biba_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 4dca581..a61dd60 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1247,8 +1247,8 @@ mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
}
static int
-mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, int op)
+mac_mls_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
{
struct mac_mls *subj, *obj;
@@ -1258,20 +1258,26 @@ mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe,
subj = SLOT(&cred->cr_label);
obj = SLOT((pipelabel));
- switch(op) {
- case MAC_OP_PIPE_READ:
- case MAC_OP_PIPE_STAT:
- case MAC_OP_PIPE_POLL:
- if (!mac_mls_dominate_single(subj, obj))
- return (EACCES);
- break;
- case MAC_OP_PIPE_WRITE:
- if (!mac_mls_dominate_single(obj, subj))
- return (EACCES);
- break;
- default:
- panic("mac_mls_check_pipe_op: invalid pipe operation");
- }
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_mls_check_pipe_read(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
return (0);
}
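Review bot: The same duplication as in mac_biba.c applies to mac_mls_check_pipe_poll and mac_mls_check_pipe_read here and to stat and write in the next hunk, with the dominance direction reversed, and that reversal is undocumented even though swapping the two arguments would silently invert the confidentiality rule. Suggested comments: `/* MLS: observing a pipe requires the subject to dominate its label (no read up). */` on the poll, read and stat checks, and `/* MLS: writing requires the pipe's label to dominate the subject's (no write down). */` on the write check. A shared helper with the direction as a parameter, as suggested for mac_biba.c, would fit here equally. mac_mls_check_pipe_poll's signature and its `mac_mls_enabled` guard are in and between the earlier hunks, outside this one.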
@@ -1311,6 +1317,42 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
static int
+mac_mls_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_mls_check_pipe_write(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc)
{
struct mac_mls *subj, *obj;
@@ -2126,10 +2168,16 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_check_mount_stat },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_mls_check_pipe_ioctl },
- { MAC_CHECK_PIPE_OP,
- (macop_t)mac_mls_check_pipe_op },
+ { MAC_CHECK_PIPE_POLL,
+ (macop_t)mac_mls_check_pipe_poll },
+ { MAC_CHECK_PIPE_READ,
+ (macop_t)mac_mls_check_pipe_read },
{ MAC_CHECK_PIPE_RELABEL,
(macop_t)mac_mls_check_pipe_relabel },
+ { MAC_CHECK_PIPE_STAT,
+ (macop_t)mac_mls_check_pipe_stat },
+ { MAC_CHECK_PIPE_WRITE,
+ (macop_t)mac_mls_check_pipe_write },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_mls_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,
diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c
index b7e5fdd..bc2da67 100644
--- a/sys/security/mac_none/mac_none.c
+++ b/sys/security/mac_none/mac_none.c
@@ -601,8 +601,16 @@ mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
}
static int
-mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, int op)
+mac_none_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_pipe_read(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
{
return (0);
@@ -617,6 +625,22 @@ mac_none_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
static int
+mac_none_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_pipe_write(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
+static int
mac_none_check_proc_debug(struct ucred *cred, struct proc *proc)
{
@@ -1052,10 +1076,16 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_mount_stat },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_none_check_pipe_ioctl },
- { MAC_CHECK_PIPE_OP,
- (macop_t)mac_none_check_pipe_op },
+ { MAC_CHECK_PIPE_POLL,
+ (macop_t)mac_none_check_pipe_poll },
+ { MAC_CHECK_PIPE_READ,
+ (macop_t)mac_none_check_pipe_read },
{ MAC_CHECK_PIPE_RELABEL,
(macop_t)mac_none_check_pipe_relabel },
+ { MAC_CHECK_PIPE_STAT,
+ (macop_t)mac_none_check_pipe_stat },
+ { MAC_CHECK_PIPE_WRITE,
+ (macop_t)mac_none_check_pipe_write },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_none_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index b7e5fdd..bc2da67 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -601,8 +601,16 @@ mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
}
static int
-mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, int op)
+mac_none_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_pipe_read(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
{
return (0);
@@ -617,6 +625,22 @@ mac_none_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
static int
+mac_none_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_pipe_write(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
+static int
mac_none_check_proc_debug(struct ucred *cred, struct proc *proc)
{
@@ -1052,10 +1076,16 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_mount_stat },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_none_check_pipe_ioctl },
- { MAC_CHECK_PIPE_OP,
- (macop_t)mac_none_check_pipe_op },
+ { MAC_CHECK_PIPE_POLL,
+ (macop_t)mac_none_check_pipe_poll },
+ { MAC_CHECK_PIPE_READ,
+ (macop_t)mac_none_check_pipe_read },
{ MAC_CHECK_PIPE_RELABEL,
(macop_t)mac_none_check_pipe_relabel },
+ { MAC_CHECK_PIPE_STAT,
+ (macop_t)mac_none_check_pipe_stat },
+ { MAC_CHECK_PIPE_WRITE,
+ (macop_t)mac_none_check_pipe_write },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_none_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 5c97a1b..76f645d 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -809,8 +809,16 @@ mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
}
static int
-mac_test_check_pipe_op(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, int op)
+mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
+static int
+mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
{
return (0);
@@ -825,6 +833,22 @@ mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
static int
+mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
+static int
+mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
+static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{
@@ -1258,10 +1282,16 @@ static struct mac_policy_op_entry mac_test_ops[] =
(macop_t)mac_test_check_mount_stat },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_test_check_pipe_ioctl },
- { MAC_CHECK_PIPE_OP,
- (macop_t)mac_test_check_pipe_op },
+ { MAC_CHECK_PIPE_POLL,
+ (macop_t)mac_test_check_pipe_poll },
+ { MAC_CHECK_PIPE_READ,
+ (macop_t)mac_test_check_pipe_read },
{ MAC_CHECK_PIPE_RELABEL,
(macop_t)mac_test_check_pipe_relabel },
+ { MAC_CHECK_PIPE_STAT,
+ (macop_t)mac_test_check_pipe_stat },
+ { MAC_CHECK_PIPE_WRITE,
+ (macop_t)mac_test_check_pipe_write },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_test_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,