diff options
| author | rwatson <rwatson@FreeBSD.org> | 2002-08-12 01:42:21 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2002-08-12 01:42:21 +0000 |
| commit | a4eb7ce808d8aa9bcb0b39d62536b680d6e3fc62 (patch) | |
| tree | 89aaf09efa84f105c340e51b0b6b7ea5f7bef708 /sys | |
| parent | dadba87516b8e6a04dc94399bc47e1b9af9750f3 (diff) | |
| download | FreeBSD-src-a4eb7ce808d8aa9bcb0b39d62536b680d6e3fc62.zip FreeBSD-src-a4eb7ce808d8aa9bcb0b39d62536b680d6e3fc62.tar.gz | |
Enforce MAC policies for the locally implemented vnode services in
SVR4 emulation relating to readdir() and fd_revoke(). All other
services appear to be implemented by simply wrapping existing
FreeBSD native system call implementations, so don't require local
instrumentation in the emulator module.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/compat/svr4/svr4_fcntl.c | 12 | ||||
| -rw-r--r-- | sys/compat/svr4/svr4_misc.c | 16 |
2 files changed, 28 insertions, 0 deletions
diff --git a/sys/compat/svr4/svr4_fcntl.c b/sys/compat/svr4/svr4_fcntl.c index cf2fa0a..e63ac02 100644 --- a/sys/compat/svr4/svr4_fcntl.c +++ b/sys/compat/svr4/svr4_fcntl.c @@ -30,12 +30,16 @@ * * $FreeBSD$ */ + +#include "opt_mac.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/file.h> #include <sys/filedesc.h> /*#include <sys/ioctl.h>*/ #include <sys/lock.h> +#include <sys/mac.h> #include <sys/mount.h> #include <sys/mutex.h> #include <sys/namei.h> @@ -260,6 +264,14 @@ fd_revoke(td, fd) goto out; } +#ifdef MAC + vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); + error = mac_check_vnode_revoke(td->td_ucred, vp); + VOP_UNLOCK(vp, 0, td); + if (error) + goto out; +#endif + if ((error = VOP_GETATTR(vp, &vattr, td->td_ucred, td)) != 0) goto out; diff --git a/sys/compat/svr4/svr4_misc.c b/sys/compat/svr4/svr4_misc.c index f60d62c..6f7a65e 100644 --- a/sys/compat/svr4/svr4_misc.c +++ b/sys/compat/svr4/svr4_misc.c @@ -35,6 +35,8 @@ * handled here. */ +#include "opt_mac.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/dirent.h> @@ -43,6 +45,7 @@ #include <sys/jail.h> #include <sys/kernel.h> #include <sys/lock.h> +#include <sys/mac.h> #include <sys/malloc.h> #include <sys/file.h> /* Must come after sys/malloc.h */ #include <sys/mman.h> @@ -310,6 +313,12 @@ again: cookies = NULL; } +#ifdef MAC + error = mac_check_vnode_readdir(td->td_ucred, vp); + if (error) + return (error); +#endif + error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, &ncookies, &cookies); if (error) { @@ -462,6 +471,13 @@ again: auio.uio_td = td; auio.uio_resid = buflen; auio.uio_offset = off; + +#ifdef MAC + error = mac_check_vnode_readdir(td->td_ucred, vp); + if (error) + goto out; +#endif + /* * First we read into the malloc'ed buffer, then * we massage it into user space, one record at a time. |
