summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--sys/kern/kern_acl.c29
-rw-r--r--sys/kern/subr_acl_posix1e.c29
-rw-r--r--sys/kern/vfs_acl.c29
3 files changed, 84 insertions, 3 deletions
diff --git a/sys/kern/kern_acl.c b/sys/kern/kern_acl.c
index 60ce1bf..2a182cd 100644
--- a/sys/kern/kern_acl.c
+++ b/sys/kern/kern_acl.c
@@ -32,10 +32,13 @@
* Support for POSIX.1e access control lists.
*/
+#include "opt_mac.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/kernel.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/vnode.h>
#include <sys/lock.h>
@@ -582,7 +585,15 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+#ifdef MAC
+ error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl);
+ if (error != 0)
+ goto out;
+#endif
error = VOP_SETACL(vp, type, &inkernacl, td->td_ucred, td);
+#ifdef MAC
+out:
+#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return(error);
@@ -600,7 +611,15 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+#ifdef MAC
+ error = mac_check_vnode_getacl(td->td_ucred, vp, type);
+ if (error != 0)
+ goto out;
+#endif
error = VOP_GETACL(vp, type, &inkernelacl, td->td_ucred, td);
+#ifdef MAC
+out:
+#endif
VOP_UNLOCK(vp, 0, td);
if (error == 0)
error = copyout(&inkernelacl, aclp, sizeof(struct acl));
@@ -621,7 +640,15 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type)
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = VOP_SETACL(vp, type, NULL, td->td_ucred, td);
+#ifdef MAC
+ error = mac_check_vnode_deleteacl(td->td_ucred, vp, type);
+ if (error)
+ goto out;
+#endif
+ error = VOP_SETACL(vp, type, 0, td->td_ucred, td);
+#ifdef MAC
+out:
+#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return (error);
diff --git a/sys/kern/subr_acl_posix1e.c b/sys/kern/subr_acl_posix1e.c
index 60ce1bf..2a182cd 100644
--- a/sys/kern/subr_acl_posix1e.c
+++ b/sys/kern/subr_acl_posix1e.c
@@ -32,10 +32,13 @@
* Support for POSIX.1e access control lists.
*/
+#include "opt_mac.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/kernel.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/vnode.h>
#include <sys/lock.h>
@@ -582,7 +585,15 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+#ifdef MAC
+ error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl);
+ if (error != 0)
+ goto out;
+#endif
error = VOP_SETACL(vp, type, &inkernacl, td->td_ucred, td);
+#ifdef MAC
+out:
+#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return(error);
@@ -600,7 +611,15 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+#ifdef MAC
+ error = mac_check_vnode_getacl(td->td_ucred, vp, type);
+ if (error != 0)
+ goto out;
+#endif
error = VOP_GETACL(vp, type, &inkernelacl, td->td_ucred, td);
+#ifdef MAC
+out:
+#endif
VOP_UNLOCK(vp, 0, td);
if (error == 0)
error = copyout(&inkernelacl, aclp, sizeof(struct acl));
@@ -621,7 +640,15 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type)
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = VOP_SETACL(vp, type, NULL, td->td_ucred, td);
+#ifdef MAC
+ error = mac_check_vnode_deleteacl(td->td_ucred, vp, type);
+ if (error)
+ goto out;
+#endif
+ error = VOP_SETACL(vp, type, 0, td->td_ucred, td);
+#ifdef MAC
+out:
+#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return (error);
diff --git a/sys/kern/vfs_acl.c b/sys/kern/vfs_acl.c
index 60ce1bf..2a182cd 100644
--- a/sys/kern/vfs_acl.c
+++ b/sys/kern/vfs_acl.c
@@ -32,10 +32,13 @@
* Support for POSIX.1e access control lists.
*/
+#include "opt_mac.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/kernel.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/vnode.h>
#include <sys/lock.h>
@@ -582,7 +585,15 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+#ifdef MAC
+ error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl);
+ if (error != 0)
+ goto out;
+#endif
error = VOP_SETACL(vp, type, &inkernacl, td->td_ucred, td);
+#ifdef MAC
+out:
+#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return(error);
@@ -600,7 +611,15 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+#ifdef MAC
+ error = mac_check_vnode_getacl(td->td_ucred, vp, type);
+ if (error != 0)
+ goto out;
+#endif
error = VOP_GETACL(vp, type, &inkernelacl, td->td_ucred, td);
+#ifdef MAC
+out:
+#endif
VOP_UNLOCK(vp, 0, td);
if (error == 0)
error = copyout(&inkernelacl, aclp, sizeof(struct acl));
@@ -621,7 +640,15 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type)
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = VOP_SETACL(vp, type, NULL, td->td_ucred, td);
+#ifdef MAC
+ error = mac_check_vnode_deleteacl(td->td_ucred, vp, type);
+ if (error)
+ goto out;
+#endif
+ error = VOP_SETACL(vp, type, 0, td->td_ucred, td);
+#ifdef MAC
+out:
+#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return (error);
OpenPOWER on IntegriCloud