author | rwatson <rwatson@FreeBSD.org> | 2002-08-19 19:04:53 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-08-19 19:04:53 +0000 |
commit | a1cb1e3bedf5e17c3e47858fd715df1bf1e274ae (patch) | |
tree | 77c1982dd4eb706f6b2cec714687d0049945f5b5 /sys/security | |
parent | 32d992cd392a444b63141edb7a5b5d0483eb36f2 (diff) | |
Pass active_cred and file_cred into the MAC framework explicitly
for mac_check_vnode_{poll,read,stat,write}(). Pass in fp->f_cred
when calling these checks with a struct file available. Otherwise,
pass NOCRED. All current MAC policies use active_cred, but
could now offer the cached credential semantic used for the base
system security model.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_framework.c | 32 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 12 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 32 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 32 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 32 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 12 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 32 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 32 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 32 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 32 | ||||
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 24 | ||||
-rw-r--r-- | sys/security/mac_bsdextended/mac_bsdextended.c | 9 | ||||
-rw-r--r-- | sys/security/mac_mls/mac_mls.c | 24 | ||||
-rw-r--r-- | sys/security/mac_none/mac_none.c | 16 | ||||
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 16 | ||||
-rw-r--r-- | sys/security/mac_test/mac_test.c | 16 |
16 files changed, 229 insertions, 156 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 107b2d2..17dd122 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) } int -mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, + &vp->v_label); return (error); } @@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } int -mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) +mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; 
@@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, + &vp->v_label); return (error); } diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 0696f3c..b413220 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -338,8 +338,10 @@ u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping); int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode); -int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp); -int mac_check_vnode_read(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_poll(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp); +int mac_check_vnode_read(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp); int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp); int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 
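Review bot: mac_check_vnode_write, like the poll/read/stat entry points above it, hands file_cred straight to MAC_CHECK with no validation while the vn_refreshlabel() call still runs as active_cred; since the commit message says callers pass NOCRED when they hold no struct file, the framework is relying on every policy to tolerate a NOCRED file_cred. A header comment on each of the four entry points would make that contract explicit: `/* active_cred: the calling thread's credential, used for the label refresh and by all present policies. file_cred: fp->f_cred when the caller holds a struct file, otherwise NOCRED; policies must test for NOCRED before dereferencing it. */` The sections labelled mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c repeat this file's index line and hunks verbatim, which looks like an artefact of how this page was rendered rather than additional changes; the identical 32-line diffstat entries point the same way.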
@@ -359,8 +361,10 @@ int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid); int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime); -int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp); -int mac_check_vnode_write(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_stat(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp); +int mac_check_vnode_write(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp); int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index 107b2d2..17dd122 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) } int -mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; 
@@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, + &vp->v_label); return (error); } @@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } int -mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) +mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, + &vp->v_label); return (error); } diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 107b2d2..17dd122 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) } int -mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; 
@@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, + &vp->v_label); return (error); } @@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } int -mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) +mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; 
@@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, + &vp->v_label); return (error); } diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 107b2d2..17dd122 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) } int -mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, + &vp->v_label); return (error); } @@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } int -mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) +mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; 
@@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, + &vp->v_label); return (error); } diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index d0065aa..c3f2046 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -301,9 +301,11 @@ struct mac_policy_ops { struct vnode *vp, struct label *label, int newmapping); int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t acc_mode); - int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp, + int (*mpo_check_vnode_poll)(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp, struct label *label); - int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp, + int (*mpo_check_vnode_read)(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp, struct label *label); int (*mpo_check_vnode_readdir)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); 
@@ -337,9 +339,11 @@ struct mac_policy_ops { int (*mpo_check_vnode_setutimes)(struct ucred *cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec mtime); - int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp, + int (*mpo_check_vnode_stat)(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp, struct label *label); - int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp, + int (*mpo_check_vnode_write)(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp, struct label *label); }; diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 107b2d2..17dd122 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) } int -mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, + &vp->v_label); return (error); } 
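Review bot: The new file_cred parameter on mpo_check_vnode_stat and mpo_check_vnode_write (and poll/read in the previous hunk) is undocumented, and per the commit message it is NOCRED whenever the framework is entered without a struct file, so a policy that dereferences it unconditionally will fault on exactly those paths. A comment above the four entries should pin the contract for policy authors: `/* file_cred is fp->f_cred when the check is made through an open file, or NOCRED when no struct file is available; test for NOCRED before use. active_cred is always a valid credential. */` The struct mac_policy_ops definition begins outside this hunk.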
@@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } int -mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) +mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, + &vp->v_label); return (error); } diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 107b2d2..17dd122 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) } int -mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; 
@@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, + &vp->v_label); return (error); } @@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } int -mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) +mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; 
@@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, + &vp->v_label); return (error); } diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 107b2d2..17dd122 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) } int -mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, + &vp->v_label); return (error); } @@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } int -mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) +mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; 
@@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, + &vp->v_label); return (error); } diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 107b2d2..17dd122 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) } int -mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; 
@@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, + &vp->v_label); return (error); } @@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } int -mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) +mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, + &vp->v_label); return (error); } int -mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp) { int error; @@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - error = vn_refreshlabel(vp, cred); + error = vn_refreshlabel(vp, active_cred); if (error) return (error); - MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, + &vp->v_label); return (error); } diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index c830e7c..3f26d36 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c 
@@ -1731,15 +1731,15 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int -mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { struct mac_biba *subj, *obj; if (!mac_biba_enabled || !mac_biba_revocation_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(&active_cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) @@ -1749,15 +1749,15 @@ mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp, } static int -mac_biba_check_vnode_read(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { struct mac_biba *subj, *obj; if (!mac_biba_enabled || !mac_biba_revocation_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(&active_cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) @@ -2016,15 +2016,15 @@ mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } static int -mac_biba_check_vnode_stat(struct ucred *cred, struct vnode *vp, - struct label *vnodelabel) +mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *vnodelabel) { struct mac_biba *subj, *obj; if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(&active_cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(obj, subj)) 
@@ -2034,15 +2034,15 @@ mac_biba_check_vnode_stat(struct ucred *cred, struct vnode *vp, } static int -mac_biba_check_vnode_write(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_biba_check_vnode_write(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp, struct label *label) { struct mac_biba *subj, *obj; if (!mac_biba_enabled || !mac_biba_revocation_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(&active_cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c index f0f6cee..7fae867 100644 --- a/sys/security/mac_bsdextended/mac_bsdextended.c +++ b/sys/security/mac_bsdextended/mac_bsdextended.c @@ -675,8 +675,8 @@ mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_stat(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_bsdextended_check_vnode_stat(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp, struct label *label) { struct vattr vap; int error; @@ -684,10 +684,11 @@ mac_bsdextended_check_vnode_stat(struct ucred *cred, struct vnode *vp, if (!mac_bsdextended_enabled) return (0); - error = VOP_GETATTR(vp, &vap, cred, curthread); + error = VOP_GETATTR(vp, &vap, active_cred, curthread); if (error) return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VSTAT)); + return (mac_bsdextended_check(active_cred, vap.va_uid, vap.va_gid, + VSTAT)); } static struct mac_policy_op_entry mac_bsdextended_ops[] = diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index a61dd60..ace75dd 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c 
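Review bot: mac_biba_check_vnode_write accepts file_cred but never reads it, as do the Biba poll/read/stat hooks above, so the policy continues to enforce against the active subject only and the mac_biba_revocation_enabled gate still wholly decides whether an already-open file is re-checked. Since the parameter now sits in the signature, a one-line note keeps the next reader from assuming it participates: `/* file_cred is unused: Biba always enforces against the active subject. */` If a cached-credential mode is wanted later it belongs behind the revocation knob rather than replacing it, but that is a design choice outside this change.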
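Review bot: mac_bsdextended_check_vnode_stat ignores the new file_cred and still resolves both the object's ownership (VOP_GETATTR) and the subject (mac_bsdextended_check) with active_cred, so an fstat() on a descriptor opened before a credential change is judged against the current credential rather than the one cached at open time. Of the policies in this commit, this ugidfw-style discretionary one is the most likely to want the base-system semantic the commit message describes; if that is the intent, the switch is small, `struct ucred *subj = (file_cred != NOCRED) ? file_cred : active_cred;` passed to both calls, and either way a comment stating which credential is deliberately used would help. The function's opening lines and the vattr declaration are in this hunk, so the change is self-contained.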
@@ -1681,15 +1681,15 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int -mac_mls_check_vnode_poll(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { struct mac_mls *subj, *obj; if (!mac_mls_enabled || !mac_mls_revocation_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(&active_cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(subj, obj)) @@ -1699,15 +1699,15 @@ mac_mls_check_vnode_poll(struct ucred *cred, struct vnode *vp, } static int -mac_mls_check_vnode_read(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { struct mac_mls *subj, *obj; if (!mac_mls_enabled || !mac_mls_revocation_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(&active_cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(subj, obj)) @@ -1967,15 +1967,15 @@ mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } static int -mac_mls_check_vnode_stat(struct ucred *cred, struct vnode *vp, - struct label *vnodelabel) +mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *vnodelabel) { struct mac_mls *subj, *obj; if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(&active_cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(subj, obj)) 
@@ -1985,15 +1985,15 @@ mac_mls_check_vnode_stat(struct ucred *cred, struct vnode *vp, } static int -mac_mls_check_vnode_write(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { struct mac_mls *subj, *obj; if (!mac_mls_enabled || !mac_mls_revocation_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(&active_cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c index bc2da67..e473dd8 100644 --- a/sys/security/mac_none/mac_none.c +++ b/sys/security/mac_none/mac_none.c @@ -799,16 +799,16 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int -mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_none_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { return (0); } static int -mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_none_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { return (0); @@ -913,16 +913,16 @@ mac_none_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } static int -mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_none_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { return (0); } static int -mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_none_check_vnode_write(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp, struct label *label) { return (0); diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index bc2da67..e473dd8 100644 --- a/sys/security/mac_stub/mac_stub.c 
+++ b/sys/security/mac_stub/mac_stub.c @@ -799,16 +799,16 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int -mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_none_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { return (0); } static int -mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_none_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { return (0); @@ -913,16 +913,16 @@ mac_none_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } static int -mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_none_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { return (0); } static int -mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_none_check_vnode_write(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp, struct label *label) { return (0); diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 76f645d..e6b5da8 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1007,16 +1007,16 @@ mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int -mac_test_check_vnode_poll(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { return (0); } static int -mac_test_check_vnode_read(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { return (0); 
@@ -1121,16 +1121,16 @@ mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } static int -mac_test_check_vnode_stat(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { return (0); } static int -mac_test_check_vnode_write(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_test_check_vnode_write(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp, struct label *label) { return (0); |