PERFORCE change 19978 for review
Robert Watson
rwatson at freebsd.org
Wed Oct 23 18:02:00 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=19978
Change 19978 by rwatson at rwatson_tislabs on 2002/10/23 11:01:04
The new VFS world order for MAC:
(1) Remove vn_refreshlabel(), and move to a model where the label
is assumed to be present from inception of the vnode. For
single-label file systems, this is handled in getnewvnode();
for multi-label, the file system will perform appropriate
initialization for both the association and creation cases.
(2) Move to a model where vnodes are explicitly "created" (new
object with framework-generated label), or "associated"
with an existing persistent object and label.
(3) Deprecate procfs support: it worked fine for the poll model,
but poorly for the "from inception" model as you get a cache
coherency problem. Since we now export label data using
mac_get_pid(), that's not a problem.
(4) As part of this change, break out each policy into using its
own extended attribute, and use UFS2 extended attribute
transactions to protect the coherency of labels during
multi-policy relabels. If you're using UFS2, you'll lose
current labels, but no special configuration will be
required. If you're using UFS1, you'll need to allocate
new per-policy EA-backing files. Also, you won't get
the strong multi-policy consistency guarantees, so you
really want to move to UFS2.
This brings vnodes into line with all other labeled kernel objects
by making them use the init->create->relabel->destroy life cycle
rather than polling. It also fixes MAC label behavior in the
presence of shared vnode locks, which are being used in VFS
more now than they were when we did the initial design.
I did a first pass merge of SEBSD, but have not been able to
test it with file labeling, it might require fixing. Ditto
the work-in-progress mac_lomac.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/conf/files#64 edit
.. //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vnops.c#33 edit
.. //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.c#12 edit
.. //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.h#10 edit
.. //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs_mac.c#13 delete
.. //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs.h#14 edit
.. //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs_vnops.c#20 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#326 edit
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_subr.c#44 edit
.. //depot/projects/trustedbsd/mac/sys/modules/Makefile#45 edit
.. //depot/projects/trustedbsd/mac/sys/modules/procfs/Makefile#10 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#153 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#131 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#90 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#64 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#50 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#189 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#147 edit
.. //depot/projects/trustedbsd/mac/sys/ufs/ffs/ffs_vfsops.c#25 edit
.. //depot/projects/trustedbsd/mac/sys/ufs/ufs/ufs_vnops.c#58 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/conf/files#64 (text+ko) ====
@@ -828,7 +828,6 @@
fs/procfs/procfs_dbregs.c optional procfs
fs/procfs/procfs_fpregs.c optional procfs
fs/procfs/procfs_ioctl.c optional procfs
-fs/procfs/procfs_mac.c optional procfs
fs/procfs/procfs_map.c optional procfs
fs/procfs/procfs_mem.c optional procfs
fs/procfs/procfs_note.c optional procfs
==== //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vnops.c#33 (text+ko) ====
@@ -167,7 +167,7 @@
de->de_vnode = vp;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- mac_create_devfs_vnode(de, vp);
+ mac_associate_vnode_devfs(mp, de, vp);
#endif
*vpp = vp;
return (0);
==== //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.c#12 (text+ko) ====
@@ -153,7 +153,6 @@
dir = pfs_create_dir(root, "pid",
procfs_attr, NULL, PFS_PROCDEP);
- dir->pn_refreshlabel = procfs_piddir_refreshlabel;
pfs_create_file(dir, "cmdline", procfs_doproccmdline,
NULL, NULL, PFS_RD);
pfs_create_file(dir, "ctl", procfs_doprocctl,
==== //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.h#10 (text+ko) ====
@@ -61,9 +61,6 @@
/* Attributes */
int procfs_attr(PFS_ATTR_ARGS);
-/* MAC */
-int procfs_piddir_refreshlabel(PFS_REFRESHLABEL_ARGS);
-
/* Visibility */
int procfs_notsystem(PFS_VIS_ARGS);
int procfs_candebug(PFS_VIS_ARGS);
==== //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs.h#14 (text+ko) ====
@@ -145,15 +145,6 @@
typedef int (*pfs_getextattr_t)(PFS_GETEXTATTR_ARGS);
/*
- * Getlabel callback
- */
-#define PFS_REFRESHLABEL_ARGS \
- struct thread *td, struct proc *p, struct vnode *vp, \
- struct pfs_node *pn, struct ucred *cred
-struct mac;
-typedef int (*pfs_refreshlabel_t)(PFS_REFRESHLABEL_ARGS);
-
-/*
* Last-close callback
*/
#define PFS_CLOSE_ARGS \
@@ -194,7 +185,6 @@
pfs_attr_t pn_attr;
pfs_vis_t pn_vis;
pfs_getextattr_t pn_getextattr;
- pfs_refreshlabel_t pn_refreshlabel;
void *pn_data;
int pn_flags;
==== //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs_vnops.c#20 (text+ko) ====
@@ -28,8 +28,6 @@
* $FreeBSD: src/sys/fs/pseudofs/pseudofs_vnops.c,v 1.31 2002/09/25 02:32:40 jeff Exp $
*/
-#include "opt_mac.h"
-
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/systm.h>
@@ -37,7 +35,6 @@
#include <sys/dirent.h>
#include <sys/fcntl.h>
#include <sys/lock.h>
-#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/namei.h>
@@ -732,50 +729,6 @@
return (pfs_vncache_free(va->a_vp));
}
-#ifdef MAC
-/*
- * Refresh the vnode label as appropriate for the pseudo-file system.
- */
-static int
-pfs_refreshlabel(struct vop_refreshlabel_args *va)
-{
- struct vnode *vn = va->a_vp;
- struct pfs_vdata *pvd = (struct pfs_vdata *)vn->v_data;
- struct pfs_node *pn = pvd->pvd_pn;
- struct proc *proc = NULL;
- int error;
-
- PFS_TRACE((pd->pn_name));
-
- if (pn->pn_refreshlabel == NULL) {
- mac_update_vnode_from_mount(vn, vn->v_mount);
- return (0);
- }
-
- /*
- * This is necessary because either process' privileges may
- * have changed since the last open() call.
- */
- if (!pfs_visible(curthread, pn, pvd->pvd_pid))
- PFS_RETURN (EIO);
-
- /* XXX duplicate bits of pfs_visible() */
- if (pvd->pvd_pid != NO_PID) {
- if ((proc = pfind(pvd->pvd_pid)) == NULL)
- PFS_RETURN (EIO);
- _PHOLD(proc);
- PROC_UNLOCK(proc);
- }
-
- error = (pn->pn_refreshlabel)(curthread, proc, vn, pn, va->a_cred);
-
- if (proc != NULL)
- PRELE(proc);
-
- PFS_RETURN (error);
-}
-#endif
-
/*
* Set attributes
*/
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#326 (text+ko) ====
@@ -147,23 +147,12 @@
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
-static int mac_label_size = sizeof(struct oldmac);
-SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
- &mac_label_size, 0, "Pre-compiled MAC label size");
-
static int mac_cache_fslabel_in_vnode = 1;
SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW,
&mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode");
TUNABLE_INT("security.mac.cache_fslabel_in_vnode",
&mac_cache_fslabel_in_vnode);
-static int mac_vnode_label_cache_hits = 0;
-SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD,
- &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels");
-static int mac_vnode_label_cache_misses = 0;
-SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD,
- &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels");
-
static int mac_mmap_revocation = 0;
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
&mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
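Review bot: The `mac_cache_fslabel_in_vnode` sysctl and tunable kept in this hunk appear to be left without any effect: the only visible reader, the `if (mac_cache_fslabel_in_vnode) vp->v_vflag |= VV_CACHEDLABEL;` test in mac_update_vnode_from_mount, is removed later in this change together with the vnode label cache hit/miss counters. An administrator who sees `security.mac.cache_fslabel_in_vnode` described as "Cache mount fslabel in vnode" will assume it still changes labeling behaviour. Unless it is still consulted somewhere outside the visible hunks, it should be removed along with the counters, or its description changed to say it is a no-op.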
@@ -218,12 +207,9 @@
#endif
static int error_select(int error1, int error2);
-static int mac_externalize_vnode_oldmac(struct label *label,
- struct oldmac *extmac);
static int mac_policy_register(struct mac_policy_conf *mpc);
static int mac_policy_unregister(struct mac_policy_conf *mpc);
-static int mac_stdcreatevnode_ea(struct vnode *vp);
static void mac_check_vnode_mmap_downgrade(struct ucred *cred,
struct vnode *vp, int *prot);
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
@@ -231,6 +217,9 @@
static void mac_destroy_socket_label(struct label *label);
+static int mac_setlabel_vnode_extattr(struct ucred *cred,
+ struct vnode *vp, struct label *intlabel);
+
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
@@ -635,10 +624,6 @@
mpc->mpc_ops->mpo_externalize_vnode_label =
mpe->mpe_function;
break;
- case MAC_EXTERNALIZE_VNODE_OLDMAC:
- mpc->mpc_ops->mpo_externalize_vnode_oldmac =
- mpe->mpe_function;
- break;
case MAC_INTERNALIZE_CRED_LABEL:
mpc->mpc_ops->mpo_internalize_cred_label =
mpe->mpe_function;
@@ -675,14 +660,6 @@
mpc->mpc_ops->mpo_create_devfs_vnode =
mpe->mpe_function;
break;
- case MAC_STDCREATEVNODE_EA:
- mpc->mpc_ops->mpo_stdcreatevnode_ea =
- mpe->mpe_function;
- break;
- case MAC_CREATE_VNODE:
- mpc->mpc_ops->mpo_create_vnode =
- mpe->mpe_function;
- break;
case MAC_CREATE_MOUNT:
mpc->mpc_ops->mpo_create_mount =
mpe->mpe_function;
@@ -699,20 +676,24 @@
mpc->mpc_ops->mpo_update_devfsdirent =
mpe->mpe_function;
break;
- case MAC_UPDATE_PROCFSVNODE:
- mpc->mpc_ops->mpo_update_procfsvnode =
+ case MAC_ASSOCIATE_VNODE_DEVFS:
+ mpc->mpc_ops->mpo_associate_vnode_devfs =
+ mpe->mpe_function;
+ break;
+ case MAC_ASSOCIATE_VNODE_EXTATTR:
+ mpc->mpc_ops->mpo_associate_vnode_extattr =
mpe->mpe_function;
break;
- case MAC_UPDATE_VNODE_FROM_EXTATTR:
- mpc->mpc_ops->mpo_update_vnode_from_extattr =
+ case MAC_ASSOCIATE_VNODE_SINGLELABEL:
+ mpc->mpc_ops->mpo_associate_vnode_singlelabel =
mpe->mpe_function;
break;
- case MAC_UPDATE_VNODE_FROM_EXTERNALIZED:
- mpc->mpc_ops->mpo_update_vnode_from_externalized =
+ case MAC_CREATE_VNODE_EXTATTR:
+ mpc->mpc_ops->mpo_create_vnode_extattr =
mpe->mpe_function;
break;
- case MAC_UPDATE_VNODE_FROM_MOUNT:
- mpc->mpc_ops->mpo_update_vnode_from_mount =
+ case MAC_SETLABEL_VNODE_EXTATTR:
+ mpc->mpc_ops->mpo_setlabel_vnode_extattr =
mpe->mpe_function;
break;
case MAC_CREATE_MBUF_FROM_SOCKET:
@@ -1683,16 +1664,6 @@
}
static int
-mac_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
-{
- int error;
-
- MAC_CHECK(externalize_vnode_oldmac, label, extmac);
-
- return (error);
-}
-
-static int
mac_internalize_cred_label(struct label *label, char *string)
{
int error;
@@ -1791,285 +1762,120 @@
}
void
-mac_update_procfsvnode(struct vnode *vp, struct ucred *cred)
+mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
+ struct vnode *vp)
{
- MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred);
+ MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de,
+ &de->de_label, vp, &vp->v_label);
}
-/*
- * Support callout for policies that manage their own externalization
- * using extended attributes.
- */
-static int
-mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp)
+int
+mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
{
int error;
- MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp,
- &mp->mnt_fslabel);
+ ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
- return (error);
-}
-
-/*
- * Given an externalized mac label, internalize it and stamp it on a
- * vnode.
- */
-static int
-mac_update_vnode_from_externalized(struct vnode *vp, struct oldmac *extmac)
-{
- int error;
+ MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp,
+ &vp->v_label);
- MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac);
-
return (error);
}
-/*
- * Call out to individual policies to update the label in a vnode from
- * the mountpoint.
- */
void
-mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp)
+mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
{
- MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp,
- &mp->mnt_fslabel);
-
- ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount");
- if (mac_cache_fslabel_in_vnode)
- vp->v_vflag |= VV_CACHEDLABEL;
+ MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp,
+ &vp->v_label);
}
-/*
- * Implementation of VOP_REFRESHLABEL() that relies on extended attributes
- * to store label data. Can be referenced by filesystems supporting
- * extended attributes.
- */
int
-vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap)
+mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+ struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
{
- struct vnode *vp = ap->a_vp;
- struct oldmac extmac;
- int buflen, error;
+ int error;
- ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea");
+ ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr");
+ ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr");
- /*
- * Call out to external policies first. Order doesn't really
- * matter, as long as failure of one assures failure of all.
- */
- error = mac_update_vnode_from_extattr(vp, vp->v_mount);
- if (error)
+ error = VOP_OPENEXTATTR(vp, cred, curthread);
+ if (error == EOPNOTSUPP) {
+ /* XXX: Optionally abort if transactions not supported. */
+ printf("Warning: transactions not supported in EA write.\n");
+ } else if (error)
return (error);
- buflen = sizeof(extmac);
- error = vn_extattr_get(vp, IO_NODELOCKED,
- FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen,
- (char *)&extmac, curthread);
- switch (error) {
- case 0:
- /* Got it */
- break;
+ MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel,
+ dvp, &dvp->v_label, vp, &vp->v_label, cnp);
- case ENOATTR:
- /*
- * Use the label from the mount point.
- */
- mac_update_vnode_from_mount(vp, vp->v_mount);
- return (0);
-
- case EOPNOTSUPP:
- default:
- /* Fail horribly. */
+ if (error) {
+ VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
return (error);
}
- if (buflen != sizeof(extmac))
- error = EPERM; /* Fail very closed. */
- if (error == 0)
- error = mac_update_vnode_from_externalized(vp, &extmac);
- if (error == 0)
- vp->v_vflag |= VV_CACHEDLABEL;
- else {
- struct vattr va;
+ error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
- printf("Corrupted label on %s",
- vp->v_mount->mnt_stat.f_mntonname);
- if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0)
- printf(" inum %ld", va.va_fileid);
-#ifdef MAC_DEBUG
- if (mac_debug_label_fallback) {
- printf(", falling back.\n");
- mac_update_vnode_from_mount(vp, vp->v_mount);
- error = 0;
- } else {
-#endif
- printf(".\n");
- error = EPERM;
-#ifdef MAC_DEBUG
- }
-#endif
- }
+ if (error == EOPNOTSUPP)
+ error = 0; /* XXX */
return (error);
}
-/*
- * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle
- * the labeling activity outselves. Filesystems should be careful not
- * to change their minds regarding whether they support vop_refreshlabel()
- * for a vnode or not. Don't cache the vnode here, allow the file
- * system code to determine if it's safe to cache. If we update from
- * the mount, don't cache since a change to the mount label should affect
- * all vnodes.
- */
static int
-vn_refreshlabel(struct vnode *vp, struct ucred *cred)
+mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+ struct label *intlabel)
{
int error;
- ASSERT_VOP_LOCKED(vp, "vn_refreshlabel");
+ ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr");
- if (vp->v_mount == NULL) {
-/*
- Eventually, we probably want to special-case refreshing
- of deadfs vnodes, and if there's a lock-free race somewhere,
- that case might be handled here.
+ error = VOP_OPENEXTATTR(vp, cred, curthread);
+ if (error == EOPNOTSUPP) {
+ /* XXX: Optionally abort if transactions not supported. */
+ printf("Warning: transactions not supported in EA write.\n");
+ } else if (error)
+ return (error);
- mac_update_vnode_deadfs(vp);
- return (0);
- */
- /* printf("vn_refreshlabel: null v_mount\n"); */
- if (vp->v_type != VNON)
- printf(
- "vn_refreshlabel: null v_mount with non-VNON\n");
- return (EBADF);
- }
+ MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel);
- if (vp->v_vflag & VV_CACHEDLABEL) {
- mac_vnode_label_cache_hits++;
- return (0);
- } else
- mac_vnode_label_cache_misses++;
-
- if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
- mac_update_vnode_from_mount(vp, vp->v_mount);
- return (0);
- }
-
- error = VOP_REFRESHLABEL(vp, cred, curthread);
- switch (error) {
- case EOPNOTSUPP:
- /*
- * If labels are not supported on this vnode, fall back to
- * the label in the mount and propagate it to the vnode.
- * There should probably be some sort of policy/flag/decision
- * about doing this.
- */
- mac_update_vnode_from_mount(vp, vp->v_mount);
- error = 0;
- default:
+ if (error) {
+ VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
return (error);
}
-}
-/*
- * Helper function for file systems using the vop_std*_ea() calls. This
- * function must be called after EA service is available for the vnode,
- * but before it's hooked up to the namespace so that the node persists
- * if there's a crash, or before it can be accessed. On successful
- * commit of the label to disk (etc), do cache the label.
- */
-int
-vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred)
-{
- struct oldmac extmac;
- int error;
+ error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
- ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea");
- if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
- mac_update_vnode_from_mount(tvp, tvp->v_mount);
- } else {
- error = vn_refreshlabel(dvp, cred);
- if (error)
- return (error);
+ if (error == EOPNOTSUPP)
+ error = 0; /* XXX */
- /*
- * Stick the label in the vnode. Then try to write to
- * disk. If we fail, return a failure to abort the
- * create operation. Really, this failure shouldn't
- * happen except in fairly unusual circumstances (out
- * of disk, etc).
- */
- mac_create_vnode(cred, dvp, tvp);
-
- error = mac_stdcreatevnode_ea(tvp);
- if (error)
- return (error);
-
- /*
- * XXX: Eventually this will go away and all policies will
- * directly manage their extended attributes.
- */
- error = mac_externalize_vnode_oldmac(&tvp->v_label, &extmac);
- if (error)
- return (error);
-
- error = vn_extattr_set(tvp, IO_NODELOCKED,
- FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME,
- sizeof(extmac), (char *)&extmac, curthread);
- if (error == 0)
- tvp->v_vflag |= VV_CACHEDLABEL;
- else {
-#if 0
- /*
- * In theory, we could have fall-back behavior here.
- * It would probably be incorrect.
- */
-#endif
- return (error);
- }
- }
-
- return (0);
+ return (error);
}
void
mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
struct label *shelllabel, struct image_params *imgp)
{
- int error;
ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
if (!mac_enforce_process && !mac_enforce_fs)
return;
- error = vn_refreshlabel(vp, old);
- if (error) {
- printf("mac_execve_transition: vn_refreshlabel returned %d\n",
- error);
- printf("mac_execve_transition: using old vnode label\n");
- }
- MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label, shelllabel,
- imgp);
+ MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
+ shelllabel, imgp);
}
int
mac_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *shelllabel, struct image_params *imgp)
{
- int error, result;
+ int result;
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, old);
- if (error)
- return (error);
-
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
shelllabel, imgp);
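Review bot: In mac_create_vnode_extattr the error path after MAC_CHECK calls `VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);` and discards its result, and it does so even when the preceding VOP_OPENEXTATTR returned EOPNOTSUPP and no transaction was opened; mac_setlabel_vnode_extattr later in the hunk has the same shape. Recording whether the open succeeded, e.g. `int txn_open = (error == 0);` right after the VOP_OPENEXTATTR call, and skipping both VOP_CLOSEEXTATTR calls when it is false would make the no-transaction fallback explicit instead of relying on the close also reporting EOPNOTSUPP, which is what the `error = 0; /* XXX */` lines currently assume. The unconditional `printf("Warning: transactions not supported in EA write.\n");` runs on every file create and every relabel on a file system without EA transactions (the description names UFS1), so it will flood the console under ordinary load; a once-only or rate-limited warning, or a counter exposed via sysctl, keeps the signal without the noise. The commit message notes that multi-policy label consistency is lost without transactions, and that is worth stating in a short comment above the EOPNOTSUPP branch rather than only in the `XXX` markers.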
@@ -2087,10 +1893,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags);
return (error);
}
@@ -2105,10 +1907,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(dvp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
return (error);
}
@@ -2123,10 +1921,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(dvp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
return (error);
}
@@ -2142,10 +1936,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(dvp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
return (error);
}
@@ -2162,13 +1952,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(dvp, cred);
- if (error)
- return (error);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
&vp->v_label, cnp);
return (error);
@@ -2185,10 +1968,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
return (error);
}
@@ -2204,9 +1983,6 @@
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
return (error);
@@ -2222,10 +1998,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
return (error);
}
@@ -2241,10 +2013,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
attrnamespace, name, uio);
return (error);
@@ -2262,14 +2030,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(dvp, cred);
- if (error)
- return (error);
-
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
&vp->v_label, cnp);
return (error);
@@ -2286,10 +2046,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(dvp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
return (error);
}
@@ -2304,10 +2060,6 @@
if (!mac_enforce_fs || !mac_enforce_vm)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
return (error);
}
@@ -2338,10 +2090,6 @@
if (!mac_enforce_fs || !mac_enforce_vm)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
return (error);
}
@@ -2356,10 +2104,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
return (error);
}
@@ -2375,10 +2119,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, active_cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
@@ -2396,10 +2136,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, active_cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
@@ -2416,10 +2152,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(dvp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
return (error);
}
@@ -2434,10 +2166,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
return (error);
}
@@ -2450,10 +2178,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
return (error);
@@ -2471,13 +2195,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(dvp, cred);
- if (error)
- return (error);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
&vp->v_label, cnp);
return (error);
@@ -2495,14 +2212,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(dvp, cred);
- if (error)
- return (error);
- if (vp != NULL) {
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
- }
MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
vp != NULL ? &vp->v_label : NULL, samedir, cnp);
return (error);
@@ -2518,10 +2227,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
return (error);
}
@@ -2537,10 +2242,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
return (error);
}
@@ -2556,10 +2257,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
attrnamespace, name, uio);
return (error);
@@ -2575,10 +2272,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
return (error);
}
@@ -2593,10 +2286,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
return (error);
}
@@ -2612,10 +2301,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
return (error);
}
@@ -2631,10 +2316,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
mtime);
return (error);
@@ -2651,10 +2332,6 @@
if (!mac_enforce_fs)
return (0);
- error = vn_refreshlabel(vp, active_cred);
- if (error)
- return (error);
-
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
return (error);
>>> TRUNCATED FOR MAIL (1000 lines) <<<