Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_ktrace.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_mac.c | 32 | ||||
-rw-r--r-- | sys/kern/tty_tty.c | 11 | ||||
-rw-r--r-- | sys/kern/vfs_extattr.c | 15 | ||||
-rw-r--r-- | sys/kern/vfs_syscalls.c | 15 | ||||
-rw-r--r-- | sys/kern/vfs_vnops.c | 14 |
6 files changed, 57 insertions, 32 deletions
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index a21f5e2..71bdd24 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -771,7 +771,7 @@ ktr_writerequest(struct ktr_request *req)
 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 (void)VOP_LEASE(vp, td, cred, LEASE_WRITE);
 #ifdef MAC
- error = mac_check_vnode_write(cred, vp);
+ error = mac_check_vnode_write(cred, NOCRED, vp);
 if (error == 0)
 #endif
 error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 107b2d2..17dd122 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
 }
 int
-mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+ struct vnode *vp)
 {
 int error;
@@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
 if (!mac_enforce_fs)
 return (0);
- error = vn_refreshlabel(vp, cred);
+ error = vn_refreshlabel(vp, active_cred);
 if (error)
 return (error);
- MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
+ &vp->v_label);
 return (error);
 }
 int
-mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
+mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+ struct vnode *vp)
 {
 int error;
@@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
 if (!mac_enforce_fs)
 return (0);
- error = vn_refreshlabel(vp, cred);
+ error = vn_refreshlabel(vp, active_cred);
 if (error)
 return (error);
- MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
+ &vp->v_label);
 return (error);
 }
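Review bot: ktr_writerequest passes NOCRED as the new file_cred while the VOP_WRITE on the last context line is issued with `cred`, so the credential a policy is told belongs to the file differs from the one the write is actually performed with. fhopen() in this same commit faces the same situation and resolves it by passing the one credential it has for both arguments, with a comment; this call should make the same decision explicitly, either `error = mac_check_vnode_write(cred, cred, vp);` or a comment such as `/* No struct file backs the trace vnode, so there is no file_cred. */` stating why NOCRED is right. Where `cred` comes from is outside the hunk, and ktr_writerequest's body starts and ends outside it.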
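Review bot: The new two-credential signature of mac_check_vnode_poll carries no comment saying what active_cred and file_cred are or that file_cred may be NOCRED, yet callers in this commit do pass NOCRED for it (kern_ktrace.c, tty_tty.c, truncate()) and MAC_CHECK hands both pointers on to whatever check_vnode_poll implementations it dispatches to. A header comment above the definition should state that active_cred is the credential of the thread performing the operation and is the one used for vn_refreshlabel, that file_cred is the credential held by the struct file (fp->f_cred in the vfs_vnops.c callers) and is NOCRED when no struct file is involved, and that policy entry points must tolerate a NOCRED file_cred. The same comment applies to mac_check_vnode_read in the following hunk and to mac_check_vnode_stat and mac_check_vnode_write in the later kern_mac.c hunks. mac_check_vnode_poll's body continues into the next hunk.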
@@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
 }
 int
-mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
+mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+ struct vnode *vp)
 {
 int error;
@@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
 if (!mac_enforce_fs)
 return (0);
- error = vn_refreshlabel(vp, cred);
+ error = vn_refreshlabel(vp, active_cred);
 if (error)
 return (error);
- MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
+ &vp->v_label);
 return (error);
 }
 int
-mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
+ struct vnode *vp)
 {
 int error;
@@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
 if (!mac_enforce_fs)
 return (0);
- error = vn_refreshlabel(vp, cred);
+ error = vn_refreshlabel(vp, active_cred);
 if (error)
 return (error);
- MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
+ &vp->v_label);
 return (error);
 }
diff --git a/sys/kern/tty_tty.c b/sys/kern/tty_tty.c
index 86132d9..a3a7a39 100644
--- a/sys/kern/tty_tty.c
+++ b/sys/kern/tty_tty.c
@@ -104,6 +104,7 @@ cttyopen(dev, flag, mode, td)
 return (error);
 }
 #endif
+ /* XXX: Shouldn't this cred be td->td_ucred not NOCRED? */
 error = VOP_OPEN(ttyvp, flag, NOCRED, td);
 VOP_UNLOCK(ttyvp, 0, td);
 return (error);
@@ -130,10 +131,10 @@ cttyread(dev, uio, flag)
 return (EIO);
 vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
- /* XXX: Shouldn't the cred below be td->td_ucred not NOCRED? */
- error = mac_check_vnode_read(td->td_ucred, ttyvp);
+ error = mac_check_vnode_read(td->td_ucred, NOCRED, ttyvp);
 if (error == 0)
 #endif
+ /* XXX: Shouldn't this cred be td->td_ucred not NOCRED? */
 error = VOP_READ(ttyvp, uio, flag, NOCRED);
 VOP_UNLOCK(ttyvp, 0, td);
 return (error);
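Review bot: In cttyread the MAC check now passes NOCRED as file_cred to match the NOCRED handed to VOP_READ two lines later, and the XXX comment questioning that NOCRED has been moved down to the VOP_READ line; the two arguments are now coupled but nothing says so, so whoever later resolves the XXX by switching VOP_READ to td->td_ucred can easily leave the MAC check disagreeing with the operation it guards. Tie them together with a comment on the MAC call, e.g. `/* file_cred must match the cred passed to VOP_READ below. */`. The same applies to cttywrite and cttypoll in the following hunks. cttyread's body starts and ends outside the hunk.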
@@ -165,10 +166,10 @@ cttywrite(dev, uio, flag)
 return (error);
 vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
- /* XXX: shouldn't the cred below be td->td_ucred not NOCRED? */
- error = mac_check_vnode_write(td->td_ucred, ttyvp);
+ error = mac_check_vnode_write(td->td_ucred, NOCRED, ttyvp);
 if (error == 0)
 #endif
+ /* XXX: shouldn't this cred be td->td_ucred not NOCRED? */
 error = VOP_WRITE(ttyvp, uio, flag, NOCRED);
 VOP_UNLOCK(ttyvp, 0, td);
 vn_finished_write(mp);
@@ -236,7 +237,7 @@ cttypoll(dev, events, td)
 return (seltrue(dev, events, td));
 #ifdef MAC
 vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
- error = mac_check_vnode_poll(td->td_ucred, ttyvp);
+ error = mac_check_vnode_poll(td->td_ucred, NOCRED, ttyvp);
 VOP_UNLOCK(ttyvp, 0, td);
 if (error)
 return (error);
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index fce45fe..c09fbd7 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -734,7 +734,7 @@ open(td, uap)
 vat.va_size = 0;
 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
- error = mac_check_vnode_write(td->td_ucred, vp);
+ error = mac_check_vnode_write(td->td_ucred, fp->f_cred, vp);
 if (error == 0)
 #endif
 error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@@ -2367,7 +2367,8 @@ truncate(td, uap)
 if (vp->v_type == VDIR)
 error = EISDIR;
 #ifdef MAC
- else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
+ else if ((error = mac_check_vnode_write(td->td_ucred, NOCRED, vp))) {
+ }
 #endif
 else if ((error = vn_writechk(vp)) == 0 &&
 (error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) {
@@ -2424,7 +2425,9 @@ ftruncate(td, uap)
 if (vp->v_type == VDIR)
 error = EISDIR;
 #ifdef MAC
- else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
+ else if ((error = mac_check_vnode_write(td->td_ucred, fp->f_cred,
+ vp))) {
+ }
 #endif
 else if ((error = vn_writechk(vp)) == 0) {
 VATTR_NULL(&vattr);
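Review bot: truncate() passes NOCRED as file_cred while ftruncate() in the next hunk passes fp->f_cred; that is presumably deliberate, since a path-based call holds no struct file, but unlike fhopen() later in this commit nothing in the hunk records the reasoning, and the empty `{ }` body that folds the MAC error into the else-chain makes the line easy to misread. A one-line comment above the check, `/* No struct file here, so there is no file credential. */`, would document the NOCRED. The same hunk is repeated for vfs_syscalls.c below, whose index line matches this file's. truncate()'s body starts and ends outside the hunk.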
@@ -3342,7 +3345,11 @@ fhopen(td, uap)
 VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */
 #ifdef MAC
- error = mac_check_vnode_write(td->td_ucred, vp);
+ /*
+ * We don't yet have fp->f_cred, so use td->td_ucred, which
+ * should be right.
+ */
+ error = mac_check_vnode_write(td->td_ucred, td->td_ucred, vp);
 if (error == 0) {
 #endif
 VATTR_NULL(vap);
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index fce45fe..c09fbd7 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -734,7 +734,7 @@ open(td, uap)
 vat.va_size = 0;
 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
- error = mac_check_vnode_write(td->td_ucred, vp);
+ error = mac_check_vnode_write(td->td_ucred, fp->f_cred, vp);
 if (error == 0)
 #endif
 error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@@ -2367,7 +2367,8 @@ truncate(td, uap)
 if (vp->v_type == VDIR)
 error = EISDIR;
 #ifdef MAC
- else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
+ else if ((error = mac_check_vnode_write(td->td_ucred, NOCRED, vp))) {
+ }
 #endif
 else if ((error = vn_writechk(vp)) == 0 &&
 (error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) {
@@ -2424,7 +2425,9 @@ ftruncate(td, uap)
 if (vp->v_type == VDIR)
 error = EISDIR;
 #ifdef MAC
- else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
+ else if ((error = mac_check_vnode_write(td->td_ucred, fp->f_cred,
+ vp))) {
+ }
 #endif
 else if ((error = vn_writechk(vp)) == 0) {
 VATTR_NULL(&vattr);
@@ -3342,7 +3345,11 @@ fhopen(td, uap)
 VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */
 #ifdef MAC
- error = mac_check_vnode_write(td->td_ucred, vp);
+ /*
+ * We don't yet have fp->f_cred, so use td->td_ucred, which
+ * should be right.
+ */
+ error = mac_check_vnode_write(td->td_ucred, td->td_ucred, vp);
 if (error == 0) {
 #endif
 VATTR_NULL(vap);
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index 08bdeb2..fc6c78e 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -402,9 +402,11 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred,
 #ifdef MAC
 if ((ioflg & IO_NOMACCHECK) == 0) {
 if (rw == UIO_READ)
- error = mac_check_vnode_read(active_cred, vp);
+ error = mac_check_vnode_read(active_cred, file_cred,
+ vp);
 else
- error = mac_check_vnode_write(active_cred, vp);
+ error = mac_check_vnode_write(active_cred, file_cred,
+ vp);
 }
 #endif
 if (error == 0) {
@@ -505,7 +507,7 @@ vn_read(fp, uio, active_cred, flags, td)
 ioflag |= sequential_heuristic(uio, fp);
 #ifdef MAC
- error = mac_check_vnode_read(active_cred, vp);
+ error = mac_check_vnode_read(active_cred, fp->f_cred, vp);
 if (error == 0)
 #endif
 error = VOP_READ(vp, uio, ioflag, fp->f_cred);
@@ -560,7 +562,7 @@ vn_write(fp, uio, active_cred, flags, td)
 uio->uio_offset = fp->f_offset;
 ioflag |= sequential_heuristic(uio, fp);
 #ifdef MAC
- error = mac_check_vnode_write(active_cred, vp);
+ error = mac_check_vnode_write(active_cred, fp->f_cred, vp);
 if (error == 0)
 #endif
 error = VOP_WRITE(vp, uio, ioflag, fp->f_cred);
@@ -610,7 +612,7 @@ vn_stat(vp, sb, active_cred, file_cred, td)
 u_short mode;
 #ifdef MAC
- error = mac_check_vnode_stat(active_cred, vp);
+ error = mac_check_vnode_stat(active_cred, file_cred, vp);
 if (error)
 return (error);
 #endif
@@ -805,7 +807,7 @@ vn_poll(fp, events, active_cred, td)
 vp = (struct vnode *)fp->f_data;
 #ifdef MAC
 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = mac_check_vnode_poll(active_cred, vp);
+ error = mac_check_vnode_poll(active_cred, fp->f_cred, vp);
 VOP_UNLOCK(vp, 0, td);
 if (error)
 return (error); |
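Review bot: vn_rdwr forwards its file_cred parameter straight into the MAC check, whereas vn_read, vn_write and vn_poll in the following hunks take the value from fp->f_cred, so vn_rdwr is the one entry point where file_cred is whatever the caller chose and may be NOCRED; the hunk doesn't say so, and since the check is also skipped entirely under IO_NOMACCHECK the caller contract is worth spelling out at the check, e.g. `/* file_cred may be NOCRED when the caller holds no struct file. */`. Whether any caller actually passes NOCRED is not visible here, and vn_rdwr's signature and body continue outside the hunk. The vn_read/vn_write/vn_poll hunks are consistent in that the credential given to the MAC check is the same fp->f_cred the VOP_READ/VOP_WRITE on the following line runs with, which is the invariant worth keeping.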