PERFORCE change 15682 for review
Robert Watson
rwatson at freebsd.org
Thu Aug 8 14:52:47 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15682
Change 15682 by rwatson at rwatson_paprika on 2002/08/08 07:52:26
Push down the SLOT() mapping from the entry point implementations
to the supporting functions (mac_te_check(), copy(), et al),
simplifying the entry point implementations.
Teach TE how to see a "null" TE label, which requests no update
during a relabel operation. Allow null TE relabels without
privilege so that relative label updates dealing only with other
policies will function correctly.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#68 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#68 (text+ko) ====
@@ -506,11 +506,15 @@
}
static int
-mac_te_check(struct mac_te *subject, struct mac_te *object, int object_class,
+mac_te_check(struct label *lsubject, struct label *lobject, int object_class,
int operation)
{
+ struct mac_te *subject, *object;
int match;
int rule;
+
+ subject = SLOT(lsubject);
+ object = SLOT(lobject);
if (!mac_te_enabled)
return (0);
@@ -549,11 +553,11 @@
}
static void
-mac_te_init_label_as(struct mac_te *telabel, char *type)
+mac_te_init_label_as(struct mac_te *mac_te, char *type)
{
- bzero(&telabel->mt_type, MAC_TE_TYPE_MAXLEN+1);
- strncpy(telabel->mt_type, type, MAC_TE_TYPE_MAXLEN);
+ bzero(&mac_te->mt_type, MAC_TE_TYPE_MAXLEN+1);
+ strncpy(mac_te->mt_type, type, MAC_TE_TYPE_MAXLEN);
}
static void
@@ -564,18 +568,24 @@
}
static void
-mac_te_copy_label_teonly(const struct mac_te *labelfrom,
- struct mac_te *labelto)
+mac_te_copy_label_teonly(const struct mac_te *from, struct mac_te *to)
{
- bcopy(labelfrom, labelto, sizeof(*labelto));
+ bcopy(from, to, sizeof(*to));
}
static void
-mac_te_copy_label(struct mac_te *tefrom, struct mac_te *teto)
+mac_te_copy_label(const struct label *from, struct label *to)
+{
+
+ mac_te_copy_label_teonly(SLOT(from), SLOT(to));
+}
+
+static int
+mac_te_null_label(struct label *label)
{
- mac_te_copy_label_teonly(tefrom, teto);
+ return (strlen(SLOT(label)->mt_type) == 0);
}
static void
@@ -596,15 +606,15 @@
mac_te_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
- mac_te_copy_label(SLOT(&cred_parent->cr_label),
- SLOT(&cred_child->cr_label));
+ mac_te_copy_label(&cred_parent->cr_label, &cred_child->cr_label);
}
static void
mac_te_relabel_cred(struct ucred *cred, struct label *newlabel)
{
- mac_te_copy_label(SLOT(newlabel), SLOT(&cred->cr_label));
+ if (!mac_te_null_label(newlabel))
+ mac_te_copy_label(newlabel, &cred->cr_label);
}
static void
@@ -612,7 +622,8 @@
struct label *ifnetlabel, struct label *newlabel)
{
- mac_te_copy_label(SLOT(newlabel), SLOT(ifnetlabel));
+ if (!mac_te_null_label(newlabel))
+ mac_te_copy_label(newlabel, ifnetlabel);
}
static int
@@ -623,42 +634,43 @@
if (!mac_te_enabled)
return (0);
- return (mac_te_check(SLOT(bpflabel), SLOT(ifnetlabel),
- MAC_TE_CLASS_BPF, MAC_TE_OPERATION_BPF_RECEIVE));
+ return (mac_te_check(bpflabel, ifnetlabel, MAC_TE_CLASS_BPF,
+ MAC_TE_OPERATION_BPF_RECEIVE));
}
static int
mac_te_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
- int error, privilege_needed;
- /* Allow no-op updates without privilege. */
- privilege_needed = 0;
- if (!mac_te_equal(&cred->cr_label, newlabel))
- privilege_needed = 1;
+ /* Don't prevent relabel if no-op. */
+ if (mac_te_null_label(newlabel))
+ return (0);
+ if (mac_te_equal(&cred->cr_label, newlabel))
+ return (0);
- if (privilege_needed) {
- error = suser_cred(cred, 0);
- if (error)
- return (error);
- }
-
- return (0);
+ /* We should check the TE policy here, but instead we require root. */
+ return (suser_cred(cred, 0));
}
static int
mac_te_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
- return (mac_te_check(SLOT(&u1->cr_label), SLOT(&u2->cr_label),
- MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SEE));
+ return (mac_te_check(&u1->cr_label, &u2->cr_label, MAC_TE_CLASS_PROC,
+ MAC_TE_OPERATION_PROC_SEE));
}
static int
mac_te_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
- struct label *newlabel)
+ struct label *ifnetlabel, struct label *newlabel)
{
+ /* Don't prevent relabel if no-op. */
+ if (mac_te_null_label(newlabel))
+ return (0);
+ if (mac_te_equal(ifnetlabel, newlabel))
+ return (0);
+ /* We should check the TE policy here, but instead we require root. */
return (suser_cred(cred, 0));
}
@@ -672,8 +684,8 @@
* mbuf as an object. Since sockets are objects, this is
* probably wrong.
*/
- return (mac_te_check(SLOT(ifnetlabel), SLOT(mbuflabel),
- MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_SEND));
+ return (mac_te_check(ifnetlabel, mbuflabel, MAC_TE_CLASS_MBUF,
+ MAC_TE_OPERATION_MBUF_SEND));
}
static int
@@ -682,8 +694,8 @@
{
int error;
- error = mac_te_check(SLOT(&cred->cr_label), SLOT(mplabel),
- MAC_TE_CLASS_FS, MAC_TE_OPERATION_FS_STATFS);
+ error = mac_te_check(&cred->cr_label, mplabel, MAC_TE_CLASS_FS,
+ MAC_TE_OPERATION_FS_STATFS);
return (error);
}
@@ -712,40 +724,39 @@
mac_te_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, struct label *newlabel)
{
- int error;
- error = suser_cred(cred, 0);
- if (error)
- return (error);
+ /* Don't prevent relabel if no-op. */
+ if (mac_te_null_label(newlabel))
+ return (0);
+ if (mac_te_equal(newlabel, pipelabel))
+ return (0);
- return (0);
+ /* We should check the TE policy here, but instead we require root. */
+ return (suser_cred(cred, 0));
}
static int
mac_te_check_proc_debug(struct ucred *cred, struct proc *proc)
{
- return (mac_te_check(SLOT(&cred->cr_label),
- SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
- MAC_TE_OPERATION_PROC_DEBUG));
+ return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label,
+ MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_DEBUG));
}
static int
mac_te_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{
- return (mac_te_check(SLOT(&cred->cr_label),
- SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
- MAC_TE_OPERATION_PROC_SIGNAL));
+ return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label,
+ MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SIGNAL));
}
static int
mac_te_check_proc_sched(struct ucred *cred, struct proc *proc)
{
- return (mac_te_check(SLOT(&cred->cr_label),
- SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
- MAC_TE_OPERATION_PROC_SCHED));
+ return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label,
+ MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SCHED));
}
static int
@@ -756,7 +767,7 @@
if (!mac_te_enabled)
return (0);
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+ return (mac_te_check(&cred->cr_label, socketlabel,
MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_BIND));
}
@@ -768,7 +779,7 @@
if (!mac_te_enabled)
return (0);
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+ return (mac_te_check(&cred->cr_label, socketlabel,
MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_CONNECT));
}
@@ -780,7 +791,7 @@
if (!mac_te_enabled)
return (0);
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+ return (mac_te_check(&cred->cr_label, socketlabel,
MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_LISTEN));
}
@@ -789,21 +800,23 @@
struct mbuf *m, struct label *mbuflabel)
{
- return (mac_te_check(SLOT(socketlabel), SLOT(mbuflabel),
- MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_RECEIVE));
+ return (mac_te_check(socketlabel, mbuflabel, MAC_TE_CLASS_MBUF,
+ MAC_TE_OPERATION_MBUF_RECEIVE));
}
static int
mac_te_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
- int error;
- error = suser_cred(cred, 0);
- if (error)
- return (error);
+ /* Don't prevent relabel if no-op. */
+ if (mac_te_null_label(newlabel))
+ return (0);
+ if (mac_te_equal(newlabel, socketlabel))
+ return (0);
- return (0);
+ /* We should check the TE policy here, but instead we require root. */
+ return (suser_cred(cred, 0));
}
static int
@@ -811,7 +824,7 @@
struct label *socketlabel)
{
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+ return (mac_te_check(&cred->cr_label, socketlabel,
MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_SEE));
}
@@ -831,21 +844,22 @@
struct label *bdlabel)
{
- mac_te_copy_label(SLOT(&cred->cr_label), SLOT(bdlabel));
+ mac_te_copy_label(&cred->cr_label, bdlabel);
}
static void
mac_te_create_object(struct ucred *cred, struct label *label)
{
- mac_te_copy_label(SLOT(&cred->cr_label), SLOT(label));
+ mac_te_copy_label(&cred->cr_label, label);
}
static void
-mac_te_create_object_from_object(struct label *oldlabel, struct label *newlabel)
+mac_te_create_object_from_object(struct label *oldlabel,
+ struct label *newlabel)
{
- mac_te_copy_label(SLOT(oldlabel), SLOT(newlabel));
+ mac_te_copy_label(oldlabel, newlabel);
}
static void
@@ -853,7 +867,7 @@
struct mbuf *datagram, struct label *datagramlabel)
{
- mac_te_copy_label(SLOT(ipqlabel), SLOT(datagramlabel));
+ mac_te_copy_label(ipqlabel, datagramlabel);
}
static void
@@ -862,7 +876,7 @@
{
mac_te_init_label(SLOT(fragmentlabel));
- mac_te_copy_label(SLOT(datagramlabel), SLOT(fragmentlabel));
+ mac_te_copy_label(datagramlabel, fragmentlabel);
}
static void
@@ -870,7 +884,7 @@
struct mbuf *ipq, struct label *ipqlabel)
{
- mac_te_copy_label(SLOT(fragmentlabel), SLOT(ipqlabel));
+ mac_te_copy_label(fragmentlabel, ipqlabel);
}
static void
@@ -879,7 +893,7 @@
struct label *newmbuflabel)
{
- mac_te_copy_label(SLOT(oldmbuflabel), SLOT(newmbuflabel));
+ mac_te_copy_label(oldmbuflabel, newmbuflabel);
}
static void
@@ -895,7 +909,7 @@
struct mbuf *m, struct label *mlabel)
{
- mac_te_copy_label(SLOT(iflabel), SLOT(mlabel));
+ mac_te_copy_label(iflabel, mlabel);
}
static void
@@ -904,7 +918,7 @@
struct mbuf *newmbuf, struct label *nmblabel)
{
- mac_te_copy_label(SLOT(oldmblabel), SLOT(nmblabel));
+ mac_te_copy_label(oldmblabel, nmblabel);
}
static void
@@ -912,7 +926,7 @@
struct mbuf *newmbuf, struct label *nmblabel)
{
- mac_te_copy_label(SLOT(oldmblabel), SLOT(nmblabel));
+ mac_te_copy_label(oldmblabel, nmblabel);
}
static int
@@ -928,7 +942,7 @@
struct mbuf *m, struct label *mlabel)
{
- mac_te_copy_label(SLOT(solabel), SLOT(mlabel));
+ mac_te_copy_label(solabel, mlabel);
}
static void
@@ -962,7 +976,8 @@
struct label *oldlabel, struct label *newlabel)
{
- mac_te_copy_label(SLOT(newlabel), SLOT(oldlabel));
+ if (!mac_te_null_label(newlabel))
+ mac_te_copy_label(newlabel, oldlabel);
}
static void
@@ -970,7 +985,8 @@
struct label *pipelabel, struct label *newlabel)
{
- mac_te_copy_label(SLOT(newlabel), SLOT(pipelabel));
+ if (!mac_te_null_label(newlabel))
+ mac_te_copy_label(newlabel, pipelabel);
}
static void
@@ -978,7 +994,7 @@
struct socket *socket, struct label *sopeerlabel)
{
- mac_te_copy_label(SLOT(mlabel), SLOT(sopeerlabel));
+ mac_te_copy_label(mlabel, sopeerlabel);
}
static void
@@ -987,7 +1003,7 @@
struct label *newpeerlabel)
{
- mac_te_copy_label(SLOT(oldlabel), SLOT(newpeerlabel));
+ mac_te_copy_label(oldlabel, newpeerlabel);
}
static void
@@ -995,7 +1011,7 @@
struct mbuf *mbuf, struct label *mblabel)
{
- mac_te_copy_label(SLOT(bdlabel), SLOT(mblabel));
+ mac_te_copy_label(bdlabel, mblabel);
}
static void
@@ -1019,10 +1035,11 @@
static void
mac_te_relabel_vnode(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *label)
+ struct label *vnodelabel, struct label *newlabel)
{
- mac_te_copy_label(SLOT(label), SLOT(vnodelabel));
+ if (!mac_te_null_label(newlabel))
+ mac_te_copy_label(newlabel, vnodelabel);
}
@@ -1078,7 +1095,7 @@
struct vnode *vp, struct label *vnodelabel)
{
- mac_te_copy_label(SLOT(direntlabel), SLOT(vnodelabel));
+ mac_te_copy_label(direntlabel, vnodelabel);
}
static void
@@ -1102,8 +1119,8 @@
struct label *dlabel)
{
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHDIR));
+ return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_CHDIR));
}
static int
@@ -1111,8 +1128,8 @@
struct label *dlabel)
{
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHROOT));
+ return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_CHROOT));
}
static int
@@ -1120,8 +1137,8 @@
struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE));
+ return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_WRITE));
}
static int
@@ -1131,19 +1148,19 @@
{
int error;
- error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE);
+ error = mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_WRITE);
if (error)
return (error);
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_DELETE));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE));
}
}
@@ -1155,13 +1172,13 @@
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETEACL));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_DELETEACL));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETEACL));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETEACL));
}
}
@@ -1171,8 +1188,8 @@
struct label *label)
{
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_EXEC));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
+ MAC_TE_OPERATION_FILE_EXEC));
}
static int
@@ -1182,13 +1199,13 @@
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_GETACL));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_GETACL));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETACL));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETACL));
}
}
@@ -1200,13 +1217,13 @@
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_DIR_GETEXTATTR));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETEXTATTR));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETEXTATTR));
}
}
@@ -1216,30 +1233,26 @@
struct label *dlabel, struct componentname *cnp)
{
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_LOOKUP));
+ return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_LOOKUP));
}
static vm_prot_t
mac_te_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
struct label *label, int newmapping)
{
- struct mac_te *subj, *obj;
vm_prot_t prot = 0;
if (!mac_te_enabled || (!mac_te_revocation_enabled && !newmapping))
return (VM_PROT_ALL);
- subj = SLOT(&cred->cr_label);
- obj = SLOT(label);
-
- if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
MAC_TE_OPERATION_FILE_READ) == 0)
prot |= VM_PROT_READ;
- if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
MAC_TE_OPERATION_FILE_EXEC) == 0)
prot |= VM_PROT_EXECUTE;
- if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
MAC_TE_OPERATION_FILE_WRITE) == 0)
prot |= VM_PROT_WRITE;
return (prot);
@@ -1249,12 +1262,9 @@
mac_te_check_vnode_open(struct ucred *cred, struct vnode *vp,
struct label *filelabel, mode_t acc_mode)
{
- struct mac_te *subj, *obj;
int object_class, operation;
int error;
- subj = SLOT(&cred->cr_label);
- obj = SLOT(filelabel);
/*
* Treat all vnode types as files, for the time being, except
* for directories.
@@ -1277,7 +1287,8 @@
default:
panic("mac_te_vaccess: invalid object_class");
}
- error = mac_te_check(subj, obj, object_class, operation);
+ error = mac_te_check(&cred->cr_label, filelabel, object_class,
+ operation);
if (error)
return (error);
}
@@ -1292,7 +1303,8 @@
default:
panic("mac_te_vaccess: invalid object_class");
}
- error = mac_te_check(subj, obj, object_class, operation);
+ error = mac_te_check(&cred->cr_label, filelabel, object_class,
+ operation);
if (error)
return (error);
}
@@ -1307,7 +1319,8 @@
default:
panic("mac_te_vaccess: invalid object_class");
}
- error = mac_te_check(subj, obj, object_class, operation);
+ error = mac_te_check(&cred->cr_label, filelabel, object_class,
+ operation);
if (error)
return (error);
}
@@ -1318,16 +1331,12 @@
mac_te_check_vnode_poll(struct ucred *active_cred, struct ucred *saved_cred,
struct vnode *vp, struct label *label)
{
- struct mac_te *subj, *obj;
int error;
if (!mac_te_revocation_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
- obj = SLOT(label);
-
- error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ error = mac_te_check(&active_cred->cr_label, label, MAC_TE_CLASS_FILE,
MAC_TE_OPERATION_FILE_POLL);
return (error);
@@ -1337,16 +1346,12 @@
mac_te_check_vnode_read(struct ucred *active_cred, struct ucred *saved_cred,
struct vnode *vp, struct label *label)
{
- struct mac_te *subj, *obj;
int error;
if (!mac_te_revocation_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
- obj = SLOT(label);
-
- error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ error = mac_te_check(&active_cred->cr_label, label, MAC_TE_CLASS_FILE,
MAC_TE_OPERATION_FILE_READ);
return (error);
@@ -1356,12 +1361,8 @@
mac_te_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
- struct mac_te *subj, *obj;
- subj = SLOT(&cred->cr_label);
- obj = SLOT(dlabel);
-
- return (mac_te_check(subj, obj, MAC_TE_CLASS_DIR,
+ return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
MAC_TE_OPERATION_DIR_READDIR));
}
@@ -1369,33 +1370,24 @@
mac_te_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel)
{
- struct mac_te *subj, *obj;
- subj = SLOT(&cred->cr_label);
- obj = SLOT(vnodelabel);
-
- return (mac_te_check(subj, obj, MAC_TE_CLASS_SYMLINK,
- MAC_TE_OPERATION_SYMLINK_READLINK));
+ return (mac_te_check(&cred->cr_label, vnodelabel,
+ MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_READLINK));
}
static int
mac_te_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *oldlabel, struct label *newlabel)
{
- int error, privilege_needed;
- /* Allow no-op updates without privilege. */
- privilege_needed = 0;
- if (!mac_te_equal(&cred->cr_label, newlabel))
- privilege_needed = 1;
+ /* Don't prevent relabel if no-op. */
+ if (mac_te_null_label(newlabel))
+ return (0);
+ if (mac_te_equal(&cred->cr_label, newlabel))
+ return (0);
- if (privilege_needed) {
- error = suser_cred(cred, 0);
- if (error)
- return (error);
- }
-
- return (0);
+ /* We should check the TE policy here, but instead we require root. */
+ return (suser_cred(cred, 0));
}
static int
@@ -1403,8 +1395,8 @@
struct label *label)
{
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
+ MAC_TE_OPERATION_FILE_ADMIN));
}
static int
@@ -1414,13 +1406,13 @@
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_SETACL));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_SETACL));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_SETACL));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_SETACL));
}
}
@@ -1432,10 +1424,10 @@
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_SETEXTATTR));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_SETEXTATTR));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_SETEXTATTR));
}
}
@@ -1447,13 +1439,13 @@
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_ADMIN));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN));
}
}
@@ -1465,13 +1457,13 @@
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_ADMIN));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN));
}
}
@@ -1483,13 +1475,13 @@
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_ADMIN));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN));
}
}
@@ -1501,13 +1493,13 @@
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_ADMIN));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN));
}
}
@@ -1519,20 +1511,20 @@
{
int error;
- error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE);
+ error = mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_WRITE);
if (error)
return (error);
/* Not really correct. */
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_DELETE));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE));
}
}
@@ -1544,20 +1536,20 @@
{
int error;
- error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE);
+ error = mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_WRITE);
if (error || label == NULL || vp == NULL)
return (error);
/* Not really correct. */
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_DELETE));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE));
}
}
@@ -1569,13 +1561,13 @@
switch (vp->v_type) {
case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_STAT));
+ return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+ MAC_TE_OPERATION_DIR_STAT));
case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_STAT));
default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ return (mac_te_check(&cred->cr_label, label,
MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_STAT));
}
}
@@ -1584,16 +1576,12 @@
mac_te_check_vnode_write(struct ucred *active_cred, struct ucred *saved_cred,
struct vnode *vp, struct label *label)
{
- struct mac_te *subj, *obj;
int error;
if (!mac_te_revocation_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
- obj = SLOT(label);
-
- error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ error = mac_te_check(&active_cred->cr_label, label, MAC_TE_CLASS_FILE,
MAC_TE_OPERATION_FILE_WRITE);
return (error);
@@ -1628,7 +1616,7 @@
}
}
- mac_te_copy_label(SLOT(&old->cr_label), SLOT(&new->cr_label));
+ mac_te_copy_label(&old->cr_label, &new->cr_label);
}
static int
@@ -1656,7 +1644,7 @@
struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
{
- mac_te_copy_label(SLOT(vnodelabel), SLOT(direntlabel));
+ mac_te_copy_label(vnodelabel, direntlabel);
}
>>> TRUNCATED FOR MAIL (1000 lines) <<<
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list