summaryrefslogtreecommitdiffstats
path: root/sys/kern/kern_mac.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/kern/kern_mac.c')
-rw-r--r--sys/kern/kern_mac.c67
1 files changed, 57 insertions, 10 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 0d6a898..f8cb676 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
OpenPOWER on IntegriCloud