From 0ad8692247694171bf2d3f963f24b15f5223a0de Mon Sep 17 00:00:00 2001
From: trasz
Date: Tue, 28 Oct 2008 13:44:11 +0000
Subject: Introduce accmode_t. This is required for NFSv4 ACLs - it will be neccessary to add more V* constants, and the variables changed by this patch were often being assigned to mode_t variables, which is 16 bit. Approved by: rwatson (mentor)
---
 sys/security/mac/mac_framework.h | 5 +++--
 sys/security/mac/mac_policy.h | 7 +++++--
 sys/security/mac/mac_vfs.c | 8 ++++----
 sys/security/mac_biba/mac_biba.c | 6 +++---
 sys/security/mac_bsdextended/ugidfw_internal.h | 4 ++--
 sys/security/mac_bsdextended/ugidfw_vnode.c | 16 ++++++++++++----
 sys/security/mac_lomac/mac_lomac.c | 4 ++--
 sys/security/mac_mls/mac_mls.c | 6 +++---
 sys/security/mac_stub/mac_stub.c | 2 +-
 sys/security/mac_test/mac_test.c | 4 ++--
 10 files changed, 37 insertions(+), 25 deletions(-)
(limited to 'sys/security')
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 4cb5262..4da4af9 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -88,6 +88,7 @@ struct vnode;
 struct vop_setlabel_args;
 #include /* XXX acl_type_t */
+#include /* accmode_t */
 /*
 * Entry points to the TrustedBSD MAC Framework from the remainder of the
@@ -365,7 +366,7 @@ void mac_thread_userret(struct thread *td);
 int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
 void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
 int mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
- int acc_mode);
+ accmode_t accmode);
 int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
 int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
 int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
@@ -391,7 +392,7 @@ int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
 int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot);
 int mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
- int acc_mode);
+ accmode_t accmode);
 int mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp);
 int mac_vnode_check_read(struct ucred *active_cred,
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 0188a38..ecf68a6 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -61,6 +61,7 @@
 * alphabetically.
 */
 #include /* XXX acl_type_t */
+#include /* XXX accmode_t */
 struct acl;
 struct auditinfo;
@@ -530,7 +531,8 @@ typedef void (*mpo_vnode_associate_singlelabel_t)(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel);
 typedef int (*mpo_vnode_check_access_t)(struct ucred *cred,
- struct vnode *vp, struct label *vplabel, int acc_mode);
+ struct vnode *vp, struct label *vplabel,
+ accmode_t accmode);
 typedef int (*mpo_vnode_check_chdir_t)(struct ucred *cred, struct vnode *dvp, struct label *dvplabel);
 typedef int (*mpo_vnode_check_chroot_t)(struct ucred *cred,
@@ -571,7 +573,8 @@ typedef void (*mpo_vnode_check_mmap_downgrade_t)(struct ucred *cred,
 typedef int (*mpo_vnode_check_mprotect_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, int prot);
 typedef int (*mpo_vnode_check_open_t)(struct ucred *cred,
- struct vnode *vp, struct label *vplabel, int acc_mode);
+ struct vnode *vp, struct label *vplabel,
+ accmode_t accmode);
 typedef int (*mpo_vnode_check_poll_t)(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel);
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 8a31f95..42da76c 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -362,13 +362,13 @@ mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
 }
 int
-mac_vnode_check_access(struct ucred *cred, struct vnode *vp, int acc_mode)
+mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode)
 {
 int error;
 ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access");
- MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, acc_mode);
+ MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, accmode);
 return (error);
 }
@@ -546,13 +546,13 @@ mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
 }
 int
-mac_vnode_check_open(struct ucred *cred, struct vnode *vp, int acc_mode)
+mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode)
 {
 int error;
 ASSERT_VOP_LOCKED(vp, "mac_vnode_check_open");
- MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, acc_mode);
+ MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, accmode);
 return (error);
 }
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index c8085c1..4e10f27 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -2882,7 +2882,7 @@ biba_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
 static int
 biba_vnode_check_open(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode)
+ struct label *vplabel, accmode_t accmode)
 {
 struct mac_biba *subj, *obj;
@@ -2893,11 +2893,11 @@ biba_vnode_check_open(struct ucred *cred, struct vnode *vp,
 obj = SLOT(vplabel);
 /* XXX privilege override for admin? */
- if (acc_mode & (VREAD | VEXEC | VSTAT)) {
+ if (accmode & (VREAD | VEXEC | VSTAT)) {
 if (!biba_dominate_effective(obj, subj))
 return (EACCES);
 }
- if (acc_mode & (VWRITE | VAPPEND | VADMIN)) {
+ if (accmode & (VWRITE | VAPPEND | VADMIN)) {
 if (!biba_dominate_effective(subj, obj))
 return (EACCES);
 }
diff --git a/sys/security/mac_bsdextended/ugidfw_internal.h b/sys/security/mac_bsdextended/ugidfw_internal.h
index e85f303..6e979cf 100644
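Review bot: In biba_vnode_check_open, an accmode bit that is in neither `(VREAD | VEXEC | VSTAT)` nor `(VWRITE | VAPPEND | VADMIN)` skips both dominance checks, and the commit description says more V* constants are going to be added. The end of the function is outside the hunk, but if it falls through to a success return, a new access kind would be allowed by the policy with no label comparison at all. I would add a comment above the first test, for example `/* Every V* bit must be covered by one of the two masks below; classify new constants here. */`, and consider a `KASSERT` that `accmode` carries no bits outside the two masks. The same pattern appears in the lomac_vnode_check_open hunk (write-side mask only) and the mls_vnode_check_open hunk later in this diff.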
--- a/sys/security/mac_bsdextended/ugidfw_internal.h
+++ b/sys/security/mac_bsdextended/ugidfw_internal.h
@@ -52,7 +52,7 @@ int ugidfw_system_check_swapon(struct ucred *cred, struct vnode *vp,
 * Vnode access control checks.
 */
 int ugidfw_vnode_check_access(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode);
+ struct label *vplabel, accmode_t accmode);
 int ugidfw_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, struct label *dvplabel);
 int ugidfw_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
@@ -81,7 +81,7 @@ int ugidfw_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
 int ugidfw_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct componentname *cnp);
 int ugidfw_vnode_check_open(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode);
+ struct label *vplabel, accmode_t accmode);
 int ugidfw_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, struct label *dvplabel);
 int ugidfw_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
diff --git a/sys/security/mac_bsdextended/ugidfw_vnode.c b/sys/security/mac_bsdextended/ugidfw_vnode.c
index 5953078..3d760bc 100644
--- a/sys/security/mac_bsdextended/ugidfw_vnode.c
+++ b/sys/security/mac_bsdextended/ugidfw_vnode.c
@@ -62,10 +62,14 @@
 int
 ugidfw_vnode_check_access(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode)
+ struct label *vplabel, accmode_t accmode)
 {
- return (ugidfw_check_vp(cred, vp, acc_mode));
+ /*
+ * XXX: We pass accmode_t variable containing V* constants
+ * as an int containing MBI_* constants.
+ */
+ return (ugidfw_check_vp(cred, vp, (int)accmode));
 }
 int
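Review bot: The `(int)accmode` cast in ugidfw_vnode_check_access hands V* bits to ugidfw_check_vp(), which the added XXX comment says expects MBI_* bits, so rule matching is only correct while the two sets of constants share numeric values. The commit description says more V* constants are coming; a new bit with no MBI_* counterpart would then reach rule evaluation unchanged, and nothing at compile time flags the drift. An explicit V*-to-MBI_* translation, sketched below with a placeholder helper name, removes that dependency; the same applies to ugidfw_vnode_check_open in the next hunk. ugidfw_check_vp() is outside this diff, so how it treats unknown bits is not visible here.

```c
/* Suggested helper (name is a placeholder): map V* access bits to MBI_* rule bits. */
static int
ugidfw_accmode_to_mbi(accmode_t accmode)
{
	int mbi = 0;

	if (accmode & VEXEC)
		mbi |= MBI_EXEC;
	if (accmode & VWRITE)
		mbi |= MBI_WRITE;
	if (accmode & VREAD)
		mbi |= MBI_READ;
	if (accmode & VADMIN)
		mbi |= MBI_ADMIN;
	if (accmode & VSTAT)
		mbi |= MBI_STAT;
	if (accmode & VAPPEND)
		mbi |= MBI_APPEND;
	return (mbi);
}

/* … unchanged: ugidfw_vnode_check_access signature … */
	return (ugidfw_check_vp(cred, vp, ugidfw_accmode_to_mbi(accmode)));
```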
@@ -168,10 +172,14 @@ ugidfw_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
 int
 ugidfw_vnode_check_open(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode)
+ struct label *vplabel, accmode_t accmode)
 {
- return (ugidfw_check_vp(cred, vp, acc_mode));
+ /*
+ * XXX: We pass accmode_t variable containing V* constants
+ * as an int containing MBI_* constants.
+ */
+ return (ugidfw_check_vp(cred, vp, (int)accmode));
 }
 int
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 304a712..9eb2701 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -2430,7 +2430,7 @@ lomac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
 static int
 lomac_vnode_check_open(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode)
+ struct label *vplabel, accmode_t accmode)
 {
 struct mac_lomac *subj, *obj;
@@ -2441,7 +2441,7 @@ lomac_vnode_check_open(struct ucred *cred, struct vnode *vp,
 obj = SLOT(vplabel);
 /* XXX privilege override for admin? */
- if (acc_mode & (VWRITE | VAPPEND | VADMIN)) {
+ if (accmode & (VWRITE | VAPPEND | VADMIN)) {
 if (!lomac_subject_dominate(subj, obj))
 return (EACCES);
 }
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 84b8c99..217fa5f 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -2505,7 +2505,7 @@ mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
 static int
 mls_vnode_check_open(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode)
+ struct label *vplabel, accmode_t accmode)
 {
 struct mac_mls *subj, *obj;
@@ -2516,11 +2516,11 @@ mls_vnode_check_open(struct ucred *cred, struct vnode *vp,
 obj = SLOT(vplabel);
 /* XXX privilege override for admin? */
- if (acc_mode & (VREAD | VEXEC | VSTAT)) {
+ if (accmode & (VREAD | VEXEC | VSTAT)) {
 if (!mls_dominate_effective(subj, obj))
 return (EACCES);
 }
- if (acc_mode & (VWRITE | VAPPEND | VADMIN)) {
+ if (accmode & (VWRITE | VAPPEND | VADMIN)) {
 if (!mls_dominate_effective(obj, subj))
 return (EACCES);
 }
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index e1e2269..e8e2422 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -1337,7 +1337,7 @@ stub_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
 static int
 stub_vnode_check_open(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode)
+ struct label *vplabel, accmode_t accmode)
 {
 return (0);
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index d727e1a..08f8dd8 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -2326,7 +2326,7 @@ test_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
 COUNTER_DECL(vnode_check_access);
 static int
 test_vnode_check_access(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode)
+ struct label *vplabel, accmode_t accmode)
 {
 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
@@ -2500,7 +2500,7 @@ test_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
 COUNTER_DECL(vnode_check_open);
 static int
 test_vnode_check_open(struct ucred *cred, struct vnode *vp,
- struct label *vplabel, int acc_mode)
+ struct label *vplabel, accmode_t accmode)
 {
 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
--
cgit v1.1