PERFORCE change 36498 for review
Robert Watson
rwatson at FreeBSD.org
Wed Aug 20 18:21:22 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=36498
Change 36498 by rwatson at rwatson_paprika on 2003/08/20 11:21:18
Attempt to reduce inter-branch diffs by deleting trailing
whitespace.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#10 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#10 (text+ko) ====
@@ -88,8 +88,8 @@
printf("sebsd:: destroy\n");
}
-/*
- * Check whether a task is allowed to use a capability.
+/*
+ * Check whether a task is allowed to use a capability.
*/
static int
cred_has_capability(struct ucred *cred, int cap)
@@ -102,7 +102,7 @@
AVC_AUDIT_DATA_INIT(&ad, CAP);
ad.u.cap = cap;
- return avc_has_perm_audit(task->sid, task->sid,
+ return avc_has_perm_audit(task->sid, task->sid,
SECCLASS_CAPABILITY, cap, &ad);
}
@@ -114,7 +114,7 @@
task = SLOT(&cred->cr_label);
target = SLOT(&proc->p_ucred->cr_label);
- return (avc_has_perm_ref(task->sid, target->sid, SECCLASS_PROCESS,
+ return (avc_has_perm_ref(task->sid, target->sid, SECCLASS_PROCESS,
perm, &target->avcr));
}
@@ -139,7 +139,7 @@
task = SLOT(&cred->cr_label);
- return (avc_has_perm(task->sid, SECINITSID_KERNEL,
+ return (avc_has_perm(task->sid, SECINITSID_KERNEL,
SECCLASS_SYSTEM, perm));
}
@@ -150,7 +150,7 @@
task = SLOT(&cred->cr_label);
- return (avc_has_perm(task->sid, SECINITSID_SECURITY,
+ return (avc_has_perm(task->sid, SECINITSID_SECURITY,
SECCLASS_SECURITY, perm));
}
@@ -160,16 +160,16 @@
return (cred_has_system(td->td_proc->p_ucred, perm));
}
-
+
int
thread_has_security(struct thread *td, access_vector_t perm)
{
return (cred_has_security(td->td_proc->p_ucred, perm));
}
-
+
static __inline security_class_t
-vnode_type_to_security_class(enum vtype vt)
+vnode_type_to_security_class(enum vtype vt)
{
switch (vt) {
case VREG:
@@ -221,27 +221,27 @@
}
static __inline access_vector_t
-file_mask_to_av(enum vtype vt, int mask)
+file_mask_to_av(enum vtype vt, int mask)
{
access_vector_t av = 0;
if (vt != VDIR) {
- if (mask & VEXEC)
+ if (mask & VEXEC)
av |= FILE__EXECUTE;
- if (mask & VREAD)
+ if (mask & VREAD)
av |= FILE__READ;
if (mask & VAPPEND)
av |= FILE__APPEND;
- else if (mask & VWRITE)
+ else if (mask & VWRITE)
av |= FILE__WRITE;
} else {
- if (mask & VEXEC)
+ if (mask & VEXEC)
av |= DIR__SEARCH;
- if (mask & VWRITE)
+ if (mask & VWRITE)
av |= DIR__WRITE;
- if (mask & VREAD)
+ if (mask & VREAD)
av |= DIR__READ;
}
@@ -274,7 +274,7 @@
return 1; /* TBD: debugging */
}
}
- return avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
+ return avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
perm, aeref ? aeref : &file->avcr, &ad);
}
@@ -287,11 +287,11 @@
task = SLOT(&cred->cr_label);
file = SLOT(pipe->pipe_label);
- /*
- * TBD: No audit information yet
+ /*
+ * TBD: No audit information yet
*/
- return(avc_has_perm_ref(task->sid, file->sid, file->sclass,
+ return(avc_has_perm_ref(task->sid, file->sid, file->sclass,
perm, &file->avcr));
}
@@ -427,14 +427,14 @@
context_len = sizeof(context); /* TBD: bad fixed length */
error = vn_extattr_get(vp, IO_NODELOCKED,
- SEBSD_MAC_EXTATTR_NAMESPACE,
+ SEBSD_MAC_EXTATTR_NAMESPACE,
SEBSD_MAC_EXTATTR_NAME,
&context_len, context, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
vsec->sid = SECINITSID_UNLABELED; /* Use the default label */
struct vattr va;
- /*
+ /*
(void)VOP_GETATTR(vp, &va, curthread->td_ucred, curthread);
printf("sebsd_update_vnode_from_extattr: no label for "
"inode=%ld, fsid=%d\n", va.va_fileid, va.va_fsid);
@@ -498,7 +498,7 @@
parent = SLOT(&cred_parent->cr_label);
task = SLOT(&cred_child->cr_label);
- /* Default to using the attributes from the parent process */
+ /* Default to using the attributes from the parent process */
task->osid = parent->osid;
task->sid = parent->sid;
@@ -534,14 +534,14 @@
/* Default to the filesystem SID. */
dirent->sid = sbsec->sid;
dirent->task_sid = SECINITSID_KERNEL;
- dirent->sclass =
+ dirent->sclass =
dirent_type_to_security_class(devfs_dirent->de_dirent->d_type);
/* Obtain a SID based on the fstype, path, and class. */
path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
path[0] = '/';
strcpy(&path[1], fullpath);
- rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass,
+ rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass,
&newsid);
if (rc == 0)
dirent->sid = newsid;
@@ -579,7 +579,7 @@
path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
path[0] = '/';
strcpy(&path[1], fullpath);
- rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass,
+ rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass,
&newsid);
if (rc == 0)
dirent->sid = newsid;
@@ -587,8 +587,8 @@
/* TBD: debugging */
if (sebsd_verbose > 1) {
printf("%s(%s): sbsid=%d, mountpoint=%s, "
- "rc=%d, sclass=%d, computedsid=%d, dirent=%d\n",
- __func__, path, sbsec->sid, mp->mnt_stat.f_mntonname, rc,
+ "rc=%d, sclass=%d, computedsid=%d, dirent=%d\n",
+ __func__, path, sbsec->sid, mp->mnt_stat.f_mntonname, rc,
dirent->sclass, newsid, dirent->sid);
}
free(path, M_SEBSD);
@@ -622,21 +622,21 @@
path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
path[0] = '/';
strcpy(&path[1], fullpath);
- rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, lnksec->sclass,
+ rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, lnksec->sclass,
&newsid);
if (rc == 0)
lnksec->sid = newsid;
if (sebsd_verbose > 1) {
printf("%s(%s): sbsid=%d, mountpoint=%s, rc=%d, sclass=%d, "
- "computedsid=%d, dirent=%d\n", __func__, path,
- sbsec->sid, mp->mnt_stat.f_mntonname, rc,
+ "computedsid=%d, dirent=%d\n", __func__, path,
+ sbsec->sid, mp->mnt_stat.f_mntonname, rc,
lnksec->sclass, newsid, lnksec->sid);
}
free(path, M_SEBSD);
}
-/*
+/*
* Use the allocating task SID to label pipes. On Linux, pipes reside
* in a pseudo filesystem.
*/
@@ -710,14 +710,14 @@
unique and persistent inode numbers. */
sbsec->uses_psids = 1;
- /*
+ /*
* TBD: need to correctly label mountpoint with persistent
* label at this point (currently vnode is unavailable)
*/
break;
case SECURITY_FS_USE_TRANS:
- /* Transition SIDs are used for pseudo filesystems like
+ /* Transition SIDs are used for pseudo filesystems like
devpts and tmpfs where you want the SID to be derived
from the SID of the creating process and the SID of
the filesystem. */
@@ -736,12 +736,12 @@
break;
case SECURITY_FS_USE_NONE:
/* No labeling support configured for this filesystem type.
- Don't appear to require labeling for binfmt_misc, bdev,
+ Don't appear to require labeling for binfmt_misc, bdev,
or rootfs. */
break;
default:
printf("%s: security_fs_use(%s) returned unrecognized "
- "behavior %d\n", __FUNCTION__, mp->mnt_vfc->vfc_name,
+ "behavior %d\n", __FUNCTION__, mp->mnt_vfc->vfc_name,
behavior);
behavior = SECURITY_FS_USE_NONE;
break;
@@ -807,7 +807,7 @@
vsec->sclass = vnode_type_to_security_class(child->v_type);
/* store label in vnode */
- error = security_sid_to_context(vsec->sid, &context,
+ error = security_sid_to_context(vsec->sid, &context,
&context_len);
if (error)
return (error);
@@ -891,7 +891,7 @@
rc = avc_has_perm(task->sid, newfile->sid, file->sclass,
FIFO_FILE__RELABELTO);
- /*
+ /*
* TBD: SELinux also check filesystem associate permission:
return avc_has_perm_audit(newsid,
sbsec->sid,
@@ -1012,7 +1012,7 @@
/*
* Should have already checked all the permissions, so just see if
- * the SIDS are going to match.
+ * the SIDS are going to match.
*/
if (execlabel == NULL) {
(void)security_transition_sid(task->sid, file->sid,
@@ -1193,8 +1193,8 @@
AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.vp = dvp;
- rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR,
- DIR__ADD_NAME | DIR__SEARCH,
+ rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR,
+ DIR__ADD_NAME | DIR__SEARCH,
&dir->avcr, &ad);
if (rc)
return rc;
@@ -1214,9 +1214,9 @@
*/
if (dir->i_sb) {
sbsec = dir->i_sb->s_security;
- rc = avc_has_perm_audit(newsid, sbsec->sid, SECCLASS_FILESYSTEM,
+ rc = avc_has_perm_audit(newsid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__ASSOCIATE, &ad);
-#endif
+#endif
return 0;
}
@@ -1239,7 +1239,7 @@
AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.vp = vp;
- rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR,
+ rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR,
DIR__SEARCH | DIR__REMOVE_NAME, &dir->avcr, &ad);
if (rc)
@@ -1250,7 +1250,7 @@
else
av = FILE__UNLINK;
- rc = avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
+ rc = avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
av, &file->avcr, &ad);
return (rc);
@@ -1290,7 +1290,7 @@
ad.u.fs.vp = vp;
if (newsid == task->sid) {
- rc = avc_has_perm_audit(task->sid, file->sid, SECCLASS_FILE,
+ rc = avc_has_perm_audit(task->sid, file->sid, SECCLASS_FILE,
FILE__EXECUTE_NO_TRANS, &ad);
if (rc)
@@ -1304,7 +1304,7 @@
if (rc)
return EACCES;
- rc = avc_has_perm_audit(newsid, file->sid, SECCLASS_FILE,
+ rc = avc_has_perm_audit(newsid, file->sid, SECCLASS_FILE,
FILE__ENTRYPOINT, &ad);
if (rc)
@@ -1313,10 +1313,10 @@
/*
* TBD: Check ptrace permission between the parent and
* the new SID for this process if this process is
- * being traced.
+ * being traced.
*/
- /*
+ /*
* TBD: Check share permission between the old and new
* SIDs of the process if the process will share
* state.
@@ -1359,19 +1359,19 @@
AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.vp = vp;
- rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR,
+ rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR,
DIR__SEARCH | DIR__ADD_NAME, &dir->avcr, &ad);
if (rc)
return rc;
- rc = avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
+ rc = avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
FILE__LINK, &file->avcr, &ad);
return (0);
}
static int
-sebsd_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+sebsd_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp)
{
@@ -1444,12 +1444,12 @@
old->sid, vp->v_type);
return 0; /* TBD: debugging */
}
- rc = avc_has_perm_ref_audit(task->sid, old->sid, old->sclass,
+ rc = avc_has_perm_ref_audit(task->sid, old->sid, old->sclass,
FILE__RELABELFROM, &old->avcr, &ad);
if (rc)
return (rc);
- rc = avc_has_perm_audit(task->sid, new->sid, old->sclass,
+ rc = avc_has_perm_audit(task->sid, new->sid, old->sclass,
FILE__RELABELTO, &ad);
if (rc)
@@ -1465,7 +1465,7 @@
static int
sebsd_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dlabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
struct task_security_struct *task;
@@ -1490,8 +1490,8 @@
return 0; /* TBD: debugging */
}
- rc = avc_has_perm_ref_audit(task->sid, old_file->sid,
- old_file->sclass, FILE__RENAME,
+ rc = avc_has_perm_ref_audit(task->sid, old_file->sid,
+ old_file->sclass, FILE__RENAME,
&old_file->avcr, &ad);
if (rc)
return (rc);
@@ -1519,7 +1519,7 @@
* test. TBD - find a way!
*/
if (vp->v_type == VDIR && !samedir) {
- rc = avc_has_perm_ref(task->sid, old_file->sid,
+ rc = avc_has_perm_ref(task->sid, old_file->sid,
old_file->sclass, DIR__REPARENT,
&old_file->avcr);
if (rc)
@@ -1534,7 +1534,7 @@
AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.vp = vp;
- rc = avc_has_perm_ref(task->sid, new_dir->sid, SECCLASS_DIR,
+ rc = avc_has_perm_ref(task->sid, new_dir->sid, SECCLASS_DIR,
av, &new_dir->avcr);
if (rc)
return (rc);
@@ -1547,11 +1547,11 @@
return 0; /* TBD: debugging */
}
if (vp->v_type == VDIR) {
- rc = avc_has_perm_ref(task->sid, new_file->sid,
+ rc = avc_has_perm_ref(task->sid, new_file->sid,
new_file->sclass,
DIR__RMDIR, &new_file->avcr);
} else {
- rc = avc_has_perm_ref(task->sid, new_file->sid,
+ rc = avc_has_perm_ref(task->sid, new_file->sid,
new_file->sclass,
FILE__UNLINK, &new_file->avcr);
}
@@ -1635,14 +1635,14 @@
}
static int
-sebsd_check_system_acct(struct ucred *cred, struct vnode *vp,
+sebsd_check_system_acct(struct ucred *cred, struct vnode *vp,
struct label *vlabel)
{
return(cred_has_capability(cred, CAPABILITY__SYS_PACCT));
}
-/*
+/*
* TBD: LSM/SELinux doesn't have a nfsd hook
*/
static int
@@ -1683,12 +1683,12 @@
return vnode_has_perm(cred, vp, FILE__SWAPON, NULL);
}
-/*
- * TBD: Sysctl access control is not currently implemented
+/*
+ * TBD: Sysctl access control is not currently implemented
*/
static int
sebsd_check_system_sysctl(struct ucred *cred, int *name,
- u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new,
+ u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new,
size_t newlen)
{
@@ -1696,7 +1696,7 @@
}
static int
-sebsd_check_vnode_write(struct ucred *cred, struct ucred *file_cred,
+sebsd_check_vnode_write(struct ucred *cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
@@ -1719,10 +1719,10 @@
if (vp) {
av = FILE__READ;
- if (newmapping & PROT_WRITE)
+ if (newmapping & PROT_WRITE)
av |= FILE__WRITE;
- if (newmapping & PROT_EXEC)
+ if (newmapping & PROT_EXEC)
av |= FILE__EXECUTE;
return (vnode_has_perm(cred, vp, av, NULL));