PERFORCE change 35050 for review

Robert Watson rwatson at FreeBSD.org
Sat Jul 26 19:13:28 GMT 2003


http://perforce.freebsd.org/chv.cgi?CH=35050

Change 35050 by rwatson at rwatson_tislabs on 2003/07/26 12:13:16

	Use the mac_check_vnode_deleteextattr and
	mac_check_vnode_listextattr checks to test for delete and
	list permission rather than setextattr and getextattr
	checks.
	
	Policy updates to follow.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#392 edit
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#106 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#392 (text+ko) ====

@@ -1663,6 +1663,22 @@
 }
 
 int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace, const char *name)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+	    attrnamespace, name);
+	return (error);
+}
+
+int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
 {
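Review bot: The new mac_check_vnode_deleteextattr has no comment stating its contract, and the same holds for mac_check_vnode_listextattr in the next hunk. Two things are not obvious from the body. `error` is declared without an initializer and is presumably assigned inside MAC_CHECK, whose definition is outside this hunk. The function also returns 0 without consulting any policy when `mac_enforce_fs` is clear. I would add a short block comment above each function, for example `/* vp must be locked. Returns 0 when mac_enforce_fs is disabled, otherwise the result of the policies' check_vnode_deleteextattr entry points. */`.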
@@ -1727,6 +1743,22 @@
 }
 
 int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+	    attrnamespace);
+	return (error);
+}
+
+int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)
 {

==== //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#106 (text+ko) ====

@@ -4240,8 +4240,8 @@
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 
 #ifdef MAC
-	error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace,
-	    attrname, NULL);
+	error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace,
+	    attrname);
 	if (error)
 		goto done;
 #endif
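Review bot: Switching this call from mac_check_vnode_setextattr to mac_check_vnode_deleteextattr means a policy's setextattr entry point no longer mediates attribute deletion, and the description says the policy updates only follow later. If MAC_CHECK skips policies that do not implement an entry point (its definition is not visible here), a policy that restricted deletion through check_vnode_setextattr would permit it until it gains check_vnode_deleteextattr. The same applies to the getextattr-to-listextattr switch in the next hunk. I would land the policy entry points together with this change, or record the dependency at the call site, e.g. `/* Policies must implement check_vnode_deleteextattr; setextattr is no longer consulted for delete. */`. The enclosing function starts and ends outside the hunk.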
@@ -4387,8 +4387,7 @@
 		sizep = &size;
 
 #ifdef MAC
-	error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace,
-	    "", &auio);
+	error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace);
 	if (error)
 		goto done;
 #endif