summaryrefslogtreecommitdiffstats
path: root/sys/kern
diff options
context:
space:
mode:
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/kern_ktrace.c2
-rw-r--r--sys/kern/kern_mac.c67
-rw-r--r--sys/kern/tty_tty.c6
-rw-r--r--sys/kern/vfs_extattr.c12
-rw-r--r--sys/kern/vfs_syscalls.c12
-rw-r--r--sys/kern/vfs_vnops.c12
6 files changed, 74 insertions, 37 deletions
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 5a40e09..a21f5e2 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -771,7 +771,7 @@ ktr_writerequest(struct ktr_request *req)
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
(void)VOP_LEASE(vp, td, cred, LEASE_WRITE);
#ifdef MAC
- error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE);
+ error = mac_check_vnode_write(cred, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 0d6a898..f8cb676 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/kern/tty_tty.c b/sys/kern/tty_tty.c
index f70f585..86132d9 100644
--- a/sys/kern/tty_tty.c
+++ b/sys/kern/tty_tty.c
@@ -131,7 +131,7 @@ cttyread(dev, uio, flag)
vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
/* XXX: Shouldn't the cred below be td->td_ucred not NOCRED? */
- error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_READ);
+ error = mac_check_vnode_read(td->td_ucred, ttyvp);
if (error == 0)
#endif
error = VOP_READ(ttyvp, uio, flag, NOCRED);
@@ -166,7 +166,7 @@ cttywrite(dev, uio, flag)
vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
/* XXX: shouldn't the cred below be td->td_ucred not NOCRED? */
- error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_WRITE);
+ error = mac_check_vnode_write(td->td_ucred, ttyvp);
if (error == 0)
#endif
error = VOP_WRITE(ttyvp, uio, flag, NOCRED);
@@ -236,7 +236,7 @@ cttypoll(dev, events, td)
return (seltrue(dev, events, td));
#ifdef MAC
vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
- error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_POLL);
+ error = mac_check_vnode_poll(td->td_ucred, ttyvp);
VOP_UNLOCK(ttyvp, 0, td);
if (error)
return (error);
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index 39f8423..fce45fe 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -734,8 +734,7 @@ open(td, uap)
vat.va_size = 0;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_op(td->td_ucred, vp,
- MAC_OP_VNODE_WRITE);
+ error = mac_check_vnode_write(td->td_ucred, vp);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@@ -2368,8 +2367,7 @@ truncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
- else if ((error = mac_check_vnode_op(td->td_ucred, vp,
- MAC_OP_VNODE_WRITE))) {}
+ else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
#endif
else if ((error = vn_writechk(vp)) == 0 &&
(error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) {
@@ -2426,8 +2424,7 @@ ftruncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
- else if ((error = mac_check_vnode_op(td->td_ucred, vp,
- MAC_OP_VNODE_WRITE))) {}
+ else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
#endif
else if ((error = vn_writechk(vp)) == 0) {
VATTR_NULL(&vattr);
@@ -3345,8 +3342,7 @@ fhopen(td, uap)
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */
#ifdef MAC
- error = mac_check_vnode_op(td->td_ucred, vp,
- MAC_OP_VNODE_WRITE);
+ error = mac_check_vnode_write(td->td_ucred, vp);
if (error == 0) {
#endif
VATTR_NULL(vap);
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 39f8423..fce45fe 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -734,8 +734,7 @@ open(td, uap)
vat.va_size = 0;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_op(td->td_ucred, vp,
- MAC_OP_VNODE_WRITE);
+ error = mac_check_vnode_write(td->td_ucred, vp);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@@ -2368,8 +2367,7 @@ truncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
- else if ((error = mac_check_vnode_op(td->td_ucred, vp,
- MAC_OP_VNODE_WRITE))) {}
+ else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
#endif
else if ((error = vn_writechk(vp)) == 0 &&
(error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) {
@@ -2426,8 +2424,7 @@ ftruncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
- else if ((error = mac_check_vnode_op(td->td_ucred, vp,
- MAC_OP_VNODE_WRITE))) {}
+ else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
#endif
else if ((error = vn_writechk(vp)) == 0) {
VATTR_NULL(&vattr);
@@ -3345,8 +3342,7 @@ fhopen(td, uap)
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */
#ifdef MAC
- error = mac_check_vnode_op(td->td_ucred, vp,
- MAC_OP_VNODE_WRITE);
+ error = mac_check_vnode_write(td->td_ucred, vp);
if (error == 0) {
#endif
VATTR_NULL(vap);
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index 07e5fc9..08bdeb2 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -402,11 +402,9 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred,
#ifdef MAC
if ((ioflg & IO_NOMACCHECK) == 0) {
if (rw == UIO_READ)
- error = mac_check_vnode_op(active_cred, vp,
- MAC_OP_VNODE_READ);
+ error = mac_check_vnode_read(active_cred, vp);
else
- error = mac_check_vnode_op(active_cred, vp,
- MAC_OP_VNODE_WRITE);
+ error = mac_check_vnode_write(active_cred, vp);
}
#endif
if (error == 0) {
@@ -507,7 +505,7 @@ vn_read(fp, uio, active_cred, flags, td)
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
- error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_READ);
+ error = mac_check_vnode_read(active_cred, vp);
if (error == 0)
#endif
error = VOP_READ(vp, uio, ioflag, fp->f_cred);
@@ -562,7 +560,7 @@ vn_write(fp, uio, active_cred, flags, td)
uio->uio_offset = fp->f_offset;
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
- error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_WRITE);
+ error = mac_check_vnode_write(active_cred, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, uio, ioflag, fp->f_cred);
@@ -807,7 +805,7 @@ vn_poll(fp, events, active_cred, td)
vp = (struct vnode *)fp->f_data;
#ifdef MAC
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_POLL);
+ error = mac_check_vnode_poll(active_cred, vp);
VOP_UNLOCK(vp, 0, td);
if (error)
return (error);
OpenPOWER on IntegriCloud