PERFORCE change 15098 for review
Robert Watson
rwatson at freebsd.org
Mon Jul 29 03:47:58 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15098
Change 15098 by rwatson at rwatson_paprika on 2002/07/28 20:47:15
Reorder vnode checks to match canonical mac_policy order to
improve readability.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#63 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#63 (text+ko) ====
@@ -1088,6 +1088,200 @@
}
static int
+mac_te_check_vnode_access(struct ucred *cred, struct vnode *vp,
+ struct label *label, mode_t flags)
+{
+
+ return (mac_te_check_open_vnode(cred, vp, label, flags));
+}
+
+static int
+mac_te_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+ struct label *dlabel)
+{
+
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
+ MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHDIR));
+}
+
+static int
+mac_te_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+ struct label *dlabel)
+{
+
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
+ MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHROOT));
+}
+
+static int
+mac_te_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+ struct label *dlabel, struct componentname *cnp, struct vattr *vap)
+{
+
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
+ MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE));
+}
+
+static int
+mac_te_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
+ struct label *dlabel, struct vnode *vp, struct label *label,
+ struct componentname *cnp)
+{
+ int error;
+
+ error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
+ MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE);
+ if (error)
+ return (error);
+ switch (vp->v_type) {
+ case VDIR:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE));
+ case VLNK:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE));
+ default:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE));
+ }
+}
+
+static int
+mac_te_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+ struct label *label, acl_type_t type)
+{
+
+ switch (vp->v_type) {
+ case VDIR:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETEACL));
+ case VLNK:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETEACL));
+ default:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETEACL));
+ }
+}
+
+static int
+mac_te_check_exec_vnode(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_EXEC));
+}
+
+static int
+mac_te_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+ struct label *label, acl_type_t type)
+{
+
+ switch (vp->v_type) {
+ case VDIR:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_GETACL));
+ case VLNK:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETACL));
+ default:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETACL));
+ }
+}
+
+static int
+mac_te_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+ struct label *label, int attrnamespace, const char *name, struct uio *uio)
+{
+
+ switch (vp->v_type) {
+ case VDIR:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_FILE, MAC_TE_OPERATION_DIR_GETEXTATTR));
+ case VLNK:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETEXTATTR));
+ default:
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+ MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETEXTATTR));
+ }
+}
+
+static int
+mac_te_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+ struct label *dlabel, struct componentname *cnp)
+{
+
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
+ MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_LOOKUP));
+}
+
+static vm_prot_t
+mac_te_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
+ struct label *label, int newmapping)
+{
+ struct mac_te *subj, *obj;
+ vm_prot_t prot = 0;
+
+ if (!mac_te_enabled || (!mac_te_revocation_enabled && !newmapping))
+ return (VM_PROT_ALL);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ MAC_TE_OPERATION_FILE_READ) == 0)
+ prot |= VM_PROT_READ;
+ if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ MAC_TE_OPERATION_FILE_EXEC) == 0)
+ prot |= VM_PROT_EXECUTE;
+ if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ MAC_TE_OPERATION_FILE_WRITE) == 0)
+ prot |= VM_PROT_WRITE;
+ return (prot);
+}
+
+static int
+mac_te_check_vnode_op(struct ucred *cred, struct vnode *vp,
+ struct label *label, int op)
+{
+ struct mac_te *subj, *obj;
+ int error, te_class, te_op;
+
+ if (!mac_te_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ te_class = MAC_TE_CLASS_FILE;
+ switch (op) {
+ case MAC_OP_VNODE_POLL:
+ te_op = MAC_TE_OPERATION_FILE_POLL;
+ break;
+
+ case MAC_OP_VNODE_READ:
+ te_op = MAC_TE_OPERATION_FILE_READ;
+ break;
+
+ case MAC_OP_VNODE_WRITE:
+ te_op = MAC_TE_OPERATION_FILE_WRITE;
+ break;
+
+ default:
+ printf("mac_te_check_vnode_op: unknown operation %d\n",
+ op);
+ return (EINVAL);
+ }
+
+ error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE, te_op);
+
+ return (error);
+}
+
+static int
mac_te_check_open_vnode(struct ucred *cred, struct vnode *vp,
struct label *filelabel, mode_t acc_mode)
{
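Review bot: In mac_te_check_vnode_getextattr the VDIR arm pairs MAC_TE_CLASS_FILE with a DIR operation, `MAC_TE_CLASS_FILE, MAC_TE_OPERATION_DIR_GETEXTATTR));`, while every other vp->v_type switch in this hunk (getacl, deleteacl, delete) uses MAC_TE_CLASS_DIR for VDIR; unless the DIR operation index is deliberately valid in the FILE class, this looks like a copy-paste slip that was carried over by the move, and the consistent line would be `MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_GETEXTATTR));`. Since this is an access-control decision, a mismatched class/operation pair could either deny directory extattr reads that policy allows or consult the wrong table entry, so it is worth confirming against mac_te_check's class/operation encoding rather than assuming. Separately, in mac_te_check_vnode_op the local te_class is assigned MAC_TE_CLASS_FILE but never read, because the final call passes MAC_TE_CLASS_FILE directly; either drop the variable or pass it, `error = mac_te_check(subj, obj, te_class, te_op);`, so the class selection lives in one place. The hunk begins with the closing brace of an earlier function and ends inside the signature of mac_te_check_open_vnode, both outside the hunk.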
@@ -1203,60 +1397,6 @@
}
static int
-mac_te_check_exec_vnode(struct ucred *cred, struct vnode *vp,
- struct label *label)
-{
-
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_EXEC));
-}
-
-static int
-mac_te_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
-{
-
- switch (vp->v_type) {
- case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_GETACL));
- case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETACL));
- default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETACL));
- }
-}
-
-static int
-mac_te_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name, struct uio *uio)
-{
-
- switch (vp->v_type) {
- case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_FILE, MAC_TE_OPERATION_DIR_GETEXTATTR));
- case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETEXTATTR));
- default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETEXTATTR));
- }
-}
-
-static int
-mac_te_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp)
-{
-
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_LOOKUP));
-}
-
-static int
mac_te_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
struct label *label)
{
@@ -1371,83 +1511,6 @@
}
static int
-mac_te_check_vnode_access(struct ucred *cred, struct vnode *vp,
- struct label *label, mode_t flags)
-{
-
- return (mac_te_check_open_vnode(cred, vp, label, flags));
-}
-
-static int
-mac_te_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
-{
-
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHDIR));
-}
-
-static int
-mac_te_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
-{
-
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHROOT));
-}
-
-static int
-mac_te_check_vnode_create(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp, struct vattr *vap)
-{
-
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE));
-}
-
-static int
-mac_te_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
- struct componentname *cnp)
-{
- int error;
-
- error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE);
- if (error)
- return (error);
- switch (vp->v_type) {
- case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE));
- case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE));
- default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE));
- }
-}
-
-static int
-mac_te_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
-{
-
- switch (vp->v_type) {
- case VDIR:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETEACL));
- case VLNK:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETEACL));
- default:
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
- MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETEACL));
- }
-}
-
-static int
mac_te_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
@@ -1567,69 +1630,6 @@
return (0);
}
-static vm_prot_t
-mac_te_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
- struct label *label, int newmapping)
-{
- struct mac_te *subj, *obj;
- vm_prot_t prot = 0;
-
- if (!mac_te_enabled || (!mac_te_revocation_enabled && !newmapping))
- return (VM_PROT_ALL);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(label);
-
- if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
- MAC_TE_OPERATION_FILE_READ) == 0)
- prot |= VM_PROT_READ;
- if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
- MAC_TE_OPERATION_FILE_EXEC) == 0)
- prot |= VM_PROT_EXECUTE;
- if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
- MAC_TE_OPERATION_FILE_WRITE) == 0)
- prot |= VM_PROT_WRITE;
- return (prot);
-}
-
-static int
-mac_te_check_vnode_op(struct ucred *cred, struct vnode *vp,
- struct label *label, int op)
-{
- struct mac_te *subj, *obj;
- int error, te_class, te_op;
-
- if (!mac_te_revocation_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(label);
-
- te_class = MAC_TE_CLASS_FILE;
- switch (op) {
- case MAC_OP_VNODE_POLL:
- te_op = MAC_TE_OPERATION_FILE_POLL;
- break;
-
- case MAC_OP_VNODE_READ:
- te_op = MAC_TE_OPERATION_FILE_READ;
- break;
-
- case MAC_OP_VNODE_WRITE:
- te_op = MAC_TE_OPERATION_FILE_WRITE;
- break;
-
- default:
- printf("mac_te_check_vnode_op: unknown operation %d\n",
- op);
- return (EINVAL);
- }
-
- error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE, te_op);
-
- return (error);
-}
-
static void
mac_te_update_devfsdirent_from_vnode(struct devfs_dirent *devfs_dirent,
struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)