diff options
| author | rwatson <rwatson@FreeBSD.org> | 2002-08-01 01:33:12 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2002-08-01 01:33:12 +0000 |
| commit | 3ce5d5484cfbe7bd6f19b66612d0a5582f13fab0 (patch) | |
| tree | ac3d1b39774dfa77453f4585450743cb4262f4b0 /sys | |
| parent | 6d0d48759b3059a7047764333355b5992445a4d3 (diff) | |
| download | FreeBSD-src-3ce5d5484cfbe7bd6f19b66612d0a5582f13fab0.zip FreeBSD-src-3ce5d5484cfbe7bd6f19b66612d0a5582f13fab0.tar.gz | |
Introduce support for Mandatory Access Control and extensible
kernel access control.
Modify pseudofs so that it can support synthetic file systems with
the multilabel flag set. In particular, implement vop_refreshlabel()
as pn_refreshlabel(). Implement pfs_refreshlabel() to invoke this,
and have it fall back to the mount label if the file system does
not implement pn_refreshlabel() for the node. Otherwise, permit
the file system to determine how the service is provided.
Approved by: des
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/fs/pseudofs/pseudofs.h | 10 | ||||
| -rw-r--r-- | sys/fs/pseudofs/pseudofs_vnops.c | 50 | ||||
| -rw-r--r-- | sys/modules/pseudofs/Makefile | 3 |
3 files changed, 62 insertions, 1 deletions
diff --git a/sys/fs/pseudofs/pseudofs.h b/sys/fs/pseudofs/pseudofs.h index 69044d0..05882bf 100644 --- a/sys/fs/pseudofs/pseudofs.h +++ b/sys/fs/pseudofs/pseudofs.h @@ -145,6 +145,15 @@ struct ucred; typedef int (*pfs_getextattr_t)(PFS_GETEXTATTR_ARGS); /* + * Getlabel callback + */ +#define PFS_REFRESHLABEL_ARGS \ + struct thread *td, struct proc *p, struct vnode *vp, \ + struct pfs_node *pn, struct ucred *cred +struct mac; +typedef int (*pfs_refreshlabel_t)(PFS_REFRESHLABEL_ARGS); + +/* * Last-close callback */ #define PFS_CLOSE_ARGS \ @@ -185,6 +194,7 @@ struct pfs_node { pfs_attr_t pn_attr; pfs_vis_t pn_vis; pfs_getextattr_t pn_getextattr; + pfs_refreshlabel_t pn_refreshlabel; void *pn_data; int pn_flags; diff --git a/sys/fs/pseudofs/pseudofs_vnops.c b/sys/fs/pseudofs/pseudofs_vnops.c index 0eed8ea..6298fb9 100644 --- a/sys/fs/pseudofs/pseudofs_vnops.c +++ b/sys/fs/pseudofs/pseudofs_vnops.c @@ -28,6 +28,8 @@ * $FreeBSD$ */ +#include "opt_mac.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -35,6 +37,7 @@ #include <sys/dirent.h> #include <sys/fcntl.h> #include <sys/lock.h> +#include <sys/mac.h> #include <sys/mount.h> #include <sys/mutex.h> #include <sys/namei.h> @@ -729,6 +732,50 @@ pfs_reclaim(struct vop_reclaim_args *va) return (pfs_vncache_free(va->a_vp)); } +#ifdef MAC +/* + * Refresh the vnode label as appropriate for the pseudo-file system. + */ +static int +pfs_refreshlabel(struct vop_refreshlabel_args *va) +{ + struct vnode *vn = va->a_vp; + struct pfs_vdata *pvd = (struct pfs_vdata *)vn->v_data; + struct pfs_node *pn = pvd->pvd_pn; + struct proc *proc = NULL; + int error; + + PFS_TRACE((pd->pn_name)); + + if (pn->pn_refreshlabel == NULL) { + mac_update_vnode_from_mount(vn, vn->v_mount); + return (0); + } + + /* + * This is necessary because either process' privileges may + * have changed since the last open() call. + */ + if (!pfs_visible(curthread, pn, pvd->pvd_pid)) + PFS_RETURN (EIO); + + /* XXX duplicate bits of pfs_visible() */ + if (pvd->pvd_pid != NO_PID) { + if ((proc = pfind(pvd->pvd_pid)) == NULL) + PFS_RETURN (EIO); + _PHOLD(proc); + PROC_UNLOCK(proc); + } + + error = (pn->pn_refreshlabel)(curthread, proc, vn, pn, va->a_cred); + + if (proc != NULL) + PRELE(proc); + + PFS_RETURN (error); +} +#endif + /* * Set attributes */ @@ -821,6 +868,9 @@ static struct vnodeopv_entry_desc pfs_vnodeop_entries[] = { { &vop_readdir_desc, (vop_t *)pfs_readdir }, { &vop_readlink_desc, (vop_t *)pfs_readlink }, { &vop_reclaim_desc, (vop_t *)pfs_reclaim }, +#ifdef MAC + { &vop_refreshlabel_desc, (vop_t *)pfs_refreshlabel }, +#endif { &vop_remove_desc, (vop_t *)vop_eopnotsupp }, { &vop_rename_desc, (vop_t *)vop_eopnotsupp }, { &vop_rmdir_desc, (vop_t *)vop_eopnotsupp }, diff --git a/sys/modules/pseudofs/Makefile b/sys/modules/pseudofs/Makefile index d0c41ce..e84a639 100644 --- a/sys/modules/pseudofs/Makefile +++ b/sys/modules/pseudofs/Makefile @@ -3,7 +3,8 @@ .PATH: ${.CURDIR}/../../fs/pseudofs KMOD= pseudofs -SRCS= vnode_if.h \ +SRCS= opt_mac.h \ + vnode_if.h \ pseudofs.c \ pseudofs_fileno.c \ pseudofs_vncache.c \ |
