From 1a7cd1a210c4be2ec85df8513276938c23be1b95 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Mon, 19 Aug 2002 16:43:25 +0000
Subject: Break out mac_check_vnode_op() into three seperate checks: mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write(). This improves the consistency with other existing vnode checks, and allows policies to avoid implementing switch statements to determine what operations they do and do not want to authorize. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
---
 sys/kern/vfs_vnops.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'sys/kern/vfs_vnops.c')
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index 07e5fc9..08bdeb2 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -402,11 +402,9 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred,
 #ifdef MAC
 if ((ioflg & IO_NOMACCHECK) == 0) {
 if (rw == UIO_READ)
- error = mac_check_vnode_op(active_cred, vp,
- MAC_OP_VNODE_READ);
+ error = mac_check_vnode_read(active_cred, vp);
 else
- error = mac_check_vnode_op(active_cred, vp,
- MAC_OP_VNODE_WRITE);
+ error = mac_check_vnode_write(active_cred, vp);
 }
 #endif
 if (error == 0) {
@@ -507,7 +505,7 @@ vn_read(fp, uio, active_cred, flags, td)
 ioflag |= sequential_heuristic(uio, fp);
 #ifdef MAC
- error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_READ);
+ error = mac_check_vnode_read(active_cred, vp);
 if (error == 0)
 #endif
 error = VOP_READ(vp, uio, ioflag, fp->f_cred);
@@ -562,7 +560,7 @@ vn_write(fp, uio, active_cred, flags, td)
 uio->uio_offset = fp->f_offset;
 ioflag |= sequential_heuristic(uio, fp);
 #ifdef MAC
- error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_WRITE);
+ error = mac_check_vnode_write(active_cred, vp);
 if (error == 0)
 #endif
 error = VOP_WRITE(vp, uio, ioflag, fp->f_cred);
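Review bot: The `IO_NOMACCHECK` test in vn_rdwr skips both `mac_check_vnode_read()` and `mac_check_vnode_write()`, and nothing at the call site says when a caller may set the flag. A comment above the test would make bypasses easier to audit, for example `/* IO_NOMACCHECK: no MAC read/write check is made for this I/O; each caller that sets it must justify the bypass. */`. The page shows only sys/kern/vfs_vnops.c, so whether every policy module provides the three new entry points is not visible here; a policy that implemented only the combined check would presumably no longer see these operations, which is worth confirming in the rest of the commit. vn_rdwr starts and ends outside the hunk.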
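Review bot: In vn_read the `if (error == 0)` sits inside `#ifdef MAC` while the statement it guards, the `VOP_READ()` call, sits after `#endif`, so the authorization gate depends on nothing being inserted between those two lines; the vn_write hunk has the same shape around `VOP_WRITE()`. A comment on the `if` would protect it, for example `/* guards the VOP_READ() below; keep that call the first statement after #endif */`. It is also worth documenting that the MAC check is made with `active_cred` while the VOP is passed `fp->f_cred`, which is presumably deliberate: `/* MAC is checked against the caller's credential; the VOP gets the file's credential */`. Both functions start and end outside their hunks.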
@@ -807,7 +805,7 @@ vn_poll(fp, events, active_cred, td)
 vp = (struct vnode *)fp->f_data;
 #ifdef MAC
 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_POLL);
+ error = mac_check_vnode_poll(active_cred, vp);
 VOP_UNLOCK(vp, 0, td);
 if (error)
 return (error);
-- cgit v1.1
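Review bot: In vn_poll the vnode lock is taken only around `mac_check_vnode_poll()` and released by `VOP_UNLOCK()` before the function continues, so the MAC decision is a point-in-time check and is not held across whatever poll operation follows outside the hunk. If that is intended, say so at the call site: `/* Lock only for the MAC check; the poll itself runs with the vnode unlocked. */`. The return value of `vn_lock()` is also ignored here; if `LK_RETRY` is what makes that safe, the same comment should say so. vn_poll starts and ends outside the hunk.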