From a1cb1e3bedf5e17c3e47858fd715df1bf1e274ae Mon Sep 17 00:00:00 2001
From: rwatson
Date: Mon, 19 Aug 2002 19:04:53 +0000
Subject: Pass active_cred and file_cred into the MAC framework explicitly for mac_check_vnode_{poll,read,stat,write}(). Pass in fp->f_cred when calling these checks with a struct file available. Otherwise, pass NOCRED. All currently MAC policies use active_cred, but could now offer the cached credential semantic used for the base system security model.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
---
 sys/security/mac_bsdextended/mac_bsdextended.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'sys/security/mac_bsdextended')
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index f0f6cee..7fae867 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -675,8 +675,8 @@ mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_stat(struct ucred *cred, struct vnode *vp,
- struct label *label)
+mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
+ struct ucred *file_cred, struct vnode *vp, struct label *label)
 {
 struct vattr vap;
 int error;
@@ -684,10 +684,11 @@ mac_bsdextended_check_vnode_stat(struct ucred *cred, struct vnode *vp,
 if (!mac_bsdextended_enabled)
 return (0);
 
- error = VOP_GETATTR(vp, &vap, cred, curthread);
+ error = VOP_GETATTR(vp, &vap, active_cred, curthread);
 if (error)
 return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VSTAT));
+ return (mac_bsdextended_check(active_cred, vap.va_uid, vap.va_gid,
+ VSTAT));
 }
 
 static struct mac_policy_op_entry mac_bsdextended_ops[] =
-- 
cgit v1.1
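Review bot: The new `file_cred` parameter of mac_bsdextended_check_vnode_stat (first hunk) is never read; both the VOP_GETATTR call and the mac_bsdextended_check call in the second hunk use `active_cred`, and nothing in the function records that this is deliberate. Per the commit description, callers without a struct file pass NOCRED, so a later change that starts consulting `file_cred` here would have to handle that value before dereferencing it. A short comment above the function would make the contract visible, for example `/* Policy decision uses active_cred only; file_cred is ignored and may be NOCRED. */`.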