From b0388fc24a420479ae7a20ff88596aa5b5c56c47 Mon Sep 17 00:00:00 2001 From: rwatson Date: Mon, 12 Aug 2002 16:43:04 +0000 Subject: Pass IO_NOMACCHECK to vn_rdwr() in the following checks to prevent enforcement of MAC policy on the read or write operations: - In ext2fs, don't enforce MAC on loop-back reads and writes supporting directory read operations in lookup(), directory modifications in rename(), directory write operations in mkdir(), symlink write operations in symlink(). - In the NFS client locking code, perform vn_rdwr() on the NFS locking socket without enforcing MAC, since the write is done on behalf of the kernel NFS implementation rather than the user process. - In UFS, don't enforce MAC on loop-back reads and writes supporting directory read operations in lookup(), and symlink write operations in symlink(). Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs --- sys/gnu/ext2fs/ext2_lookup.c | 8 +++++--- sys/gnu/ext2fs/ext2_vnops.c | 15 ++++++++------- 2 files changed, 13 insertions(+), 10 deletions(-) (limited to 'sys/gnu/ext2fs') diff --git a/sys/gnu/ext2fs/ext2_lookup.c b/sys/gnu/ext2fs/ext2_lookup.c index 07e9b2f..b550540 100644 --- a/sys/gnu/ext2fs/ext2_lookup.c +++ b/sys/gnu/ext2fs/ext2_lookup.c @@ -1009,8 +1009,9 @@ ext2_dirempty(ip, parentino, cred) #define MINDIRSIZ (sizeof (struct dirtemplate) / 2) for (off = 0; off < ip->i_size; off += dp->rec_len) { - error = vn_rdwr(UIO_READ, ITOV(ip), (caddr_t)dp, MINDIRSIZ, off, - UIO_SYSSPACE, IO_NODELOCKED, cred, &count, (struct thread *)0); + error = vn_rdwr(UIO_READ, ITOV(ip), (caddr_t)dp, MINDIRSIZ, + off, UIO_SYSSPACE, IO_NODELOCKED | IO_NOMACCHECK, cred, + &count, (struct thread *)0); /* * Since we read MINDIRSIZ, residual must * be 0 unless we're at end of file. @@ -1074,7 +1075,8 @@ ext2_checkpath(source, target, cred) } error = vn_rdwr(UIO_READ, vp, (caddr_t)&dirbuf, sizeof (struct dirtemplate), (off_t)0, UIO_SYSSPACE, - IO_NODELOCKED, cred, (int *)0, (struct thread *)0); + IO_NODELOCKED | IO_NOMACCHECK, cred, (int *)0, + (struct thread *)0); if (error != 0) break; namlen = dirbuf.dotdot_type; /* like ufs little-endian */ diff --git a/sys/gnu/ext2fs/ext2_vnops.c b/sys/gnu/ext2fs/ext2_vnops.c index 4474c23..915276d 100644 --- a/sys/gnu/ext2fs/ext2_vnops.c +++ b/sys/gnu/ext2fs/ext2_vnops.c @@ -1223,7 +1223,7 @@ abortit: dp->i_flag |= IN_CHANGE; error = vn_rdwr(UIO_READ, fvp, (caddr_t)&dirbuf, sizeof (struct dirtemplate), (off_t)0, - UIO_SYSSPACE, IO_NODELOCKED, + UIO_SYSSPACE, IO_NODELOCKED | IO_NOMACCHECK, tcnp->cn_cred, (int *)0, (struct thread *)0); if (error == 0) { /* Like ufs little-endian: */ @@ -1239,9 +1239,9 @@ abortit: (caddr_t)&dirbuf, sizeof (struct dirtemplate), (off_t)0, UIO_SYSSPACE, - IO_NODELOCKED|IO_SYNC, - tcnp->cn_cred, (int *)0, - (struct thread *)0); + IO_NODELOCKED | IO_SYNC | + IO_NOMACCHECK, tcnp->cn_cred, + (int *)0, (struct thread *)0); cache_purge(fdvp); } } @@ -1376,7 +1376,8 @@ ext2_mkdir(ap) dirtemplate.dotdot_reclen = DIRBLKSIZ - 12; error = vn_rdwr(UIO_WRITE, tvp, (caddr_t)&dirtemplate, sizeof (dirtemplate), (off_t)0, UIO_SYSSPACE, - IO_NODELOCKED|IO_SYNC, cnp->cn_cred, (int *)0, (struct thread *)0); + IO_NODELOCKED | IO_SYNC | IO_NOMACCHECK, cnp->cn_cred, (int *)0, + (struct thread *)0); if (error) { dp->i_nlink--; dp->i_flag |= IN_CHANGE; @@ -1512,8 +1513,8 @@ ext2_symlink(ap) ip->i_flag |= IN_CHANGE | IN_UPDATE; } else error = vn_rdwr(UIO_WRITE, vp, ap->a_target, len, (off_t)0, - UIO_SYSSPACE, IO_NODELOCKED, ap->a_cnp->cn_cred, (int *)0, - (struct thread *)0); + UIO_SYSSPACE, IO_NODELOCKED | IO_NOMACCHECK, + ap->a_cnp->cn_cred, (int *)0, (struct thread *)0); if (error) vput(vp); return (error); -- cgit v1.1