Diffstat (limited to 'sys/security/mac')
-rw-r--r--sys/security/mac/mac_framework.c67
-rw-r--r--sys/security/mac/mac_framework.h4
-rw-r--r--sys/security/mac/mac_internal.h67
-rw-r--r--sys/security/mac/mac_net.c67
-rw-r--r--sys/security/mac/mac_pipe.c67
-rw-r--r--sys/security/mac/mac_policy.h12
-rw-r--r--sys/security/mac/mac_process.c67
-rw-r--r--sys/security/mac/mac_syscalls.c67
-rw-r--r--sys/security/mac/mac_system.c67
-rw-r--r--sys/security/mac/mac_vfs.c67
10 files changed, 468 insertions, 84 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
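Review bot: The `default:` arm that follows the new MAC_CHECK_VNODE_WRITE case is still commented out (the `/*` on the line before `default:`), so a policy whose op table carries an operation number this switch does not recognize is silently accepted by mac_policy_register instead of being diagnosed. That gap matters more after this commit, because MAC_CHECK_VNODE_OP is removed from the middle of `enum mac_op_constant` (mac_policy.h hunk), which renumbers every later constant; a policy module built against the previous header would register its handlers under shifted numbers and nothing here would report it. Consider re-enabling the `default:` diagnostic, or having mac_policy_register fail registration for an unknown entry rather than skipping it. The same hunk is repeated under the mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c headers with mac_framework.c's index line, which looks like a rendering artifact rather than separate changes, so this note applies once.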
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
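Review bot: None of the new entry points `mac_check_vnode_open`, `mac_check_vnode_poll` and `mac_check_vnode_read` (nor `mac_check_vnode_write` in the later hunk at new line 2077) carries a header comment, and each body is a copy of the same skeleton: assert the vnode lock, return 0 when `mac_enforce_fs` is clear, refresh the label, run MAC_CHECK, return. Since the lock assertion was deliberately moved ahead of the `mac_enforce_fs` test, a short comment would pin that contract for the next copy, e.g. `/* Caller must hold the vnode lock; policies are consulted only when mac_enforce_fs is set, otherwise the check succeeds unconditionally. */`. Note also that `mac_check_vnode_read` and `mac_check_vnode_write` hand the policy only the current cred and the vnode label with no per-descriptor context; if they are intended to run on every read/write rather than at open time, saying so in the header comment would keep policies from assuming open-time semantics. The body of `mac_check_vnode_read` continues past the end of this hunk.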
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
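Review bot: Two blank lines are added after the closing brace of `mac_check_vnode_write` before the relabel comment block; style(9) separates functions with a single blank line, so one of them should go. Otherwise the function follows the poll/read skeleton introduced in the hunk at new line 1770, and the header-comment suggestion made there applies here as well.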
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index d80387c..3d73df4 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -341,9 +341,10 @@ int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
/* XXX This u_char should be vm_prot_t! */
u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp,
int newmapping);
-int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op);
int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
mode_t acc_mode);
+int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp);
+int mac_check_vnode_read(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
@@ -364,6 +365,7 @@ int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime);
int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp);
+int mac_check_vnode_write(struct ucred *cred, struct vnode *vp);
int mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 5463fa9..9bc28ad 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -286,10 +286,12 @@ struct mac_policy_ops {
struct componentname *cnp);
vm_prot_t (*mpo_check_vnode_mmap_perms)(struct ucred *cred,
struct vnode *vp, struct label *label, int newmapping);
- int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp,
- struct label *label, int op);
int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t acc_mode);
+ int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp,
+ struct label *label);
+ int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp,
+ struct label *label);
int (*mpo_check_vnode_readdir)(struct ucred *cred,
struct vnode *dvp, struct label *dlabel);
int (*mpo_check_vnode_readlink)(struct ucred *cred,
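Review bot: Removing `mpo_check_vnode_op` from the middle of `struct mac_policy_ops` and inserting `mpo_check_vnode_poll`/`mpo_check_vnode_read` ahead of `mpo_check_vnode_readdir` shifts the offset of every later member, and the enum hunk at new line 430 likewise renumbers every constant after MAC_CHECK_VNODE_OPEN; only `mpo_check_vnode_write` and MAC_CHECK_VNODE_WRITE, appended at the end, are layout-neutral. That is harmless for policies built in-tree against this header, but a policy object compiled against the previous header would register its functions into the wrong slots, and the registration switch in mac_framework.c has no active `default:` to notice the mismatch. If separately built modules are a concern, a comment on the struct making the constraint explicit, e.g. `/* Member order is part of the policy ABI; keep in sync with enum mac_op_constant. */`, would at least document it.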
@@ -324,6 +326,8 @@ struct mac_policy_ops {
struct timespec atime, struct timespec mtime);
int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp,
struct label *label);
+ int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp,
+ struct label *label);
};
typedef const void *macop_t;
@@ -426,8 +430,9 @@ enum mac_op_constant {
MAC_CHECK_VNODE_GETEXTATTR,
MAC_CHECK_VNODE_LOOKUP,
MAC_CHECK_VNODE_MMAP_PERMS,
- MAC_CHECK_VNODE_OP,
MAC_CHECK_VNODE_OPEN,
+ MAC_CHECK_VNODE_POLL,
+ MAC_CHECK_VNODE_READ,
MAC_CHECK_VNODE_READDIR,
MAC_CHECK_VNODE_READLINK,
MAC_CHECK_VNODE_RELABEL,
@@ -441,6 +446,7 @@ enum mac_op_constant {
MAC_CHECK_VNODE_SETOWNER,
MAC_CHECK_VNODE_SETUTIMES,
MAC_CHECK_VNODE_STAT,
+ MAC_CHECK_VNODE_WRITE,
};
struct mac_policy_op_entry {
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 0d6a898..f8cb676 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
- case MAC_CHECK_VNODE_OP:
- mpc->mpc_ops->mpo_check_vnode_op =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_POLL:
+ mpc->mpc_ops->mpo_check_vnode_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READ:
+ mpc->mpc_ops->mpo_check_vnode_read =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_WRITE:
+ mpc->mpc_ops->mpo_check_vnode_write =
+ mpe->mpe_function;
+ break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
}
int
-mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+
if (!mac_enforce_fs)
return (0);
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ return (error);
+}
+
+int
+mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+
+ if (!mac_enforce_fs)
+ return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
+ MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
+mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
@@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
if (error)
return (error);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
+
return (error);
}
@@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
+int
+mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its