PERFORCE change 17933 for review
Robert Watson
rwatson at freebsd.org
Sun Sep 22 16:32:11 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=17933
Change 17933 by rwatson at rwatson_paprika on 2002/09/22 09:31:12
Apparently I neglected to commit the mac_mls implementation of
mpo_check_vnode_link() when I added that. Presumably a missed
p4 edit after a local chmod +w while on travel. Here it is.
As with other implementations, we have to wait for the IFC of
the VOP_LINK() changes from Don Lewis before we can do the
label checks on the target vnode.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#92 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#92 (text+ko) ====
@@ -1691,6 +1691,31 @@
}
static int
+mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+ struct label *dlabel, struct vnode *vp, struct label *label,
+ struct componentname *cnp)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(dlabel);
+
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+
+#if 0
+ obj = SLOT(dlabel);
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+#endif
+
+ return (0);
+}
+
+static int
mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp)
{
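Review bot: The disabled `#if 0` block in mac_mls_check_vnode_link assigns `obj = SLOT(dlabel);` a second time, so once it is enabled it would repeat the directory check and never consult the target vnode's label; it presumably should read `obj = SLOT(label);`. Until that block is live, `vp`, `label` and `cnp` are unused and only the directory label is compared against the subject, so the hard-link target itself is not covered by this policy's dominance check. A comment above the block would keep that gap visible in the source, not only in the change description, e.g. `/* XXX: target vnode label check disabled pending the VOP_LINK() changes. */`.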
@@ -2308,6 +2333,8 @@
(macop_t)mac_mls_check_vnode_getacl },
{ MAC_CHECK_VNODE_GETEXTATTR,
(macop_t)mac_mls_check_vnode_getextattr },
+ { MAC_CHECK_VNODE_LINK,
+ (macop_t)mac_mls_check_vnode_link },
{ MAC_CHECK_VNODE_LOOKUP,
(macop_t)mac_mls_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,