PERFORCE change 40055 for review
Robert Watson
rwatson at FreeBSD.org
Tue Oct 21 01:38:00 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=40055
Change 40055 by rwatson at rwatson_tislabs on 2003/10/20 18:37:44
Move file-system-related MAC entry point and infrastructure
code from kern_mac.c to mac_fs.c. The split of exec and
VM functionality will probably require some refinement.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/conf/files#90 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#418 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_fs.c#2 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#6 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/conf/files#90 (text+ko) ====
@@ -1588,6 +1588,7 @@
posix4/p1003_1b.c standard
posix4/posix4_mib.c standard
kern/uipc_sem.c optional p1003_1b_semaphores
+security/mac/mac_fs.c optional mac
security/mac/mac_net.c optional mac
security/mac/mac_pipe.c optional mac
security/mac/mac_posix_sem.c optional mac
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#418 (text+ko) ====
@@ -116,12 +116,6 @@
int mac_late = 0;
/*
- * Warn about EA transactions only the first time they happen.
- * Weak coherency, no locking.
- */
-static int ea_warn_once = 0;
-
-/*
* Flag to indicate whether or not we should allocate label storage for
* new mbufs. Since most dynamic policies we currently work with don't
* rely on mbuf labeling, try to avoid paying the cost of mtag allocation
@@ -136,12 +130,7 @@
int mac_labelmbufs = 0;
#endif
-static int mac_enforce_fs = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
- &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
-TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
-
-static int mac_enforce_process = 1;
+int mac_enforce_process = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
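Review bot: Dropping the `static` on `mac_enforce_process` gives the flag external linkage, but nothing in this hunk declares it for other translation units; unless the mac_internal.h change (truncated out of this mail) carries `extern int mac_enforce_process;`, the exec checks moved into mac_fs.c will not see it. The moved mmap/mprotect checks also read `mac_enforce_vm`, whose definition is outside the hunk and is presumably still `static` here, so it needs the same treatment. Since `mac_enforce_fs` leaves this file together with its SYSCTL_INT and TUNABLE_INT, mac_fs.c should re-create the knob under the identical `security.mac.enforce_fs` name; otherwise an existing loader.conf or sysctl.conf setting for it would be silently ignored.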
@@ -175,34 +164,22 @@
SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
"TrustedBSD MAC object counters");
-static unsigned int nmaccreds, nmacmounts, nmactemp, nmacvnodes,
- nmacdevfsdirents, nmacprocs;
+static unsigned int nmaccreds, nmactemp, nmacprocs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
&nmaccreds, 0, "number of ucreds in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
&nmacprocs, 0, "number of procs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
- &nmacmounts, 0, "number of mounts in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
&nmactemp, 0, "number of temporary labels in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD,
- &nmacvnodes, 0, "number of vnodes in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
- &nmacdevfsdirents, 0, "number of devfs dirents inuse");
#endif
static int mac_policy_register(struct mac_policy_conf *mpc);
static int mac_policy_unregister(struct mac_policy_conf *mpc);
-static void mac_check_vnode_mmap_downgrade(struct ucred *cred,
- struct vnode *vp, int *prot);
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
-static int mac_setlabel_vnode_extattr(struct ucred *cred,
- struct vnode *vp, struct label *intlabel);
-
MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
/*
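Review bot: The prototype for `mac_check_vnode_mmap_downgrade` is removed while `mac_cred_mmapped_drop_perms_recurse`, declared on the line right after it, stays in this file; if that function still calls the downgrade hook (its body is outside the hunk), the hook has to lose its `static` in mac_fs.c and be declared in mac_internal.h, or the build fails on an implicit declaration. The `mounts`, `vnodes` and `devfsdirents` counters likewise drop out of `security.mac.debug.counters` here; re-registering them under the same OID names in mac_fs.c keeps the sysctl interface stable for anyone monitoring label allocation. A short comment next to the surviving counters, e.g. `/* FS-object counters (mounts, vnodes, devfs dirents) live in mac_fs.c. */`, would tell a reader where the rest went.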
@@ -615,26 +592,6 @@
}
void
-mac_init_devfsdirent(struct devfs_dirent *de)
-{
-
- mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent_label, &de->de_label);
- MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
-}
-
-void
-mac_init_mount(struct mount *mp)
-{
-
- mac_init_label(&mp->mnt_mntlabel);
- mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
- MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
- MAC_DEBUG_COUNTER_INC(&nmacmounts);
-}
-
-void
mac_init_proc(struct proc *p)
{
@@ -643,22 +600,6 @@
MAC_DEBUG_COUNTER_INC(&nmacprocs);
}
-void
-mac_init_vnode_label(struct label *label)
-{
-
- mac_init_label(label);
- MAC_PERFORM(init_vnode_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacvnodes);
-}
-
-void
-mac_init_vnode(struct vnode *vp)
-{
-
- mac_init_vnode_label(&vp->v_label);
-}
-
static void
mac_destroy_cred_label(struct label *label)
{
@@ -676,26 +617,6 @@
}
void
-mac_destroy_devfsdirent(struct devfs_dirent *de)
-{
-
- MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
- mac_destroy_label(&de->de_label);
- MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
-}
-
-void
-mac_destroy_mount(struct mount *mp)
-{
-
- MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
- MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
- mac_destroy_label(&mp->mnt_fslabel);
- mac_destroy_label(&mp->mnt_mntlabel);
- MAC_DEBUG_COUNTER_DEC(&nmacmounts);
-}
-
-void
mac_destroy_proc(struct proc *p)
{
@@ -704,29 +625,6 @@
MAC_DEBUG_COUNTER_DEC(&nmacprocs);
}
-void
-mac_destroy_vnode_label(struct label *label)
-{
-
- MAC_PERFORM(destroy_vnode_label, label);
- mac_destroy_label(label);
- MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
-}
-
-void
-mac_destroy_vnode(struct vnode *vp)
-{
-
- mac_destroy_vnode_label(&vp->v_label);
-}
-
-void
-mac_copy_vnode_label(struct label *src, struct label *dest)
-{
-
- MAC_PERFORM(copy_vnode_label, src, dest);
-}
-
int
mac_check_structmac_consistent(struct mac *mac)
{
@@ -750,17 +648,6 @@
}
static int
-mac_externalize_vnode_label(struct label *label, char *elements,
- char *outbuf, size_t outbuflen, int flags)
-{
- int error;
-
- MAC_EXTERNALIZE(vnode_label, label, elements, outbuf, outbuflen);
-
- return (error);
-}
-
-static int
mac_internalize_cred_label(struct label *label, char *string)
{
int error;
@@ -770,16 +657,6 @@
return (error);
}
-static int
-mac_internalize_vnode_label(struct label *label, char *string)
-{
- int error;
-
- MAC_INTERNALIZE(vnode_label, label, string);
-
- return (error);
-}
-
/*
* Initialize MAC label for the first kernel process, from which other
* kernel processes and threads are spawned.
@@ -821,115 +698,6 @@
MAC_PERFORM(create_cred, parent_cred, child_cred);
}
-void
-mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de,
- struct vnode *vp)
-{
-
- MAC_PERFORM(update_devfsdirent, mp, de, &de->de_label, vp,
- &vp->v_label);
-}
-
-void
-mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
- struct vnode *vp)
-{
-
- MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de,
- &de->de_label, vp, &vp->v_label);
-}
-
-int
-mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
-
- MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
-
- return (error);
-}
-
-void
-mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
-{
-
- MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
-}
-
-int
-mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr");
- ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr");
-
- error = VOP_OPENEXTATTR(vp, cred, curthread);
- if (error == EOPNOTSUPP) {
- /* XXX: Optionally abort if transactions not supported. */
- if (ea_warn_once == 0) {
- printf("Warning: transactions not supported "
- "in EA write.\n");
- ea_warn_once = 1;
- }
- } else if (error)
- return (error);
-
- MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel,
- dvp, &dvp->v_label, vp, &vp->v_label, cnp);
-
- if (error) {
- VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
- return (error);
- }
-
- error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
-
- if (error == EOPNOTSUPP)
- error = 0; /* XXX */
-
- return (error);
-}
-
-static int
-mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
- struct label *intlabel)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr");
-
- error = VOP_OPENEXTATTR(vp, cred, curthread);
- if (error == EOPNOTSUPP) {
- /* XXX: Optionally abort if transactions not supported. */
- if (ea_warn_once == 0) {
- printf("Warning: transactions not supported "
- "in EA write.\n");
- ea_warn_once = 1;
- }
- } else if (error)
- return (error);
-
- MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel);
-
- if (error) {
- VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
- return (error);
- }
-
- error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
-
- if (error == EOPNOTSUPP)
- error = 0; /* XXX */
-
- return (error);
-}
-
int
mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
struct label *execlabelstorage)
@@ -974,542 +742,6 @@
mac_destroy_cred_label(imgp->execlabel);
}
-void
-mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp)
-{
-
- ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
-
- if (!mac_enforce_process && !mac_enforce_fs)
- return;
-
- MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp, imgp->execlabel);
-}
-
-int
-mac_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp)
-{
- int result;
-
- ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition");
-
- if (!mac_enforce_process && !mac_enforce_fs)
- return (0);
-
- result = 0;
- MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp, imgp->execlabel);
-
- return (result);
-}
-
-int
-mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, acc_mode);
- return (error);
-}
-
-int
-mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
- return (error);
-}
-
-int
-mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
- return (error);
-}
-
-int
-mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
- struct componentname *cnp, struct vattr *vap)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
- return (error);
-}
-
-int
-mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
- struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
- return (error);
-}
-
-int
-mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
- acl_type_t type)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
- return (error);
-}
-
-int
-mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
- int attrnamespace, const char *name)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
- attrnamespace, name);
- return (error);
-}
-
-int
-mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct image_params *imgp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
-
- if (!mac_enforce_process && !mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
- imgp->execlabel);
-
- return (error);
-}
-
-int
-mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
- return (error);
-}
-
-int
-mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
- int attrnamespace, const char *name, struct uio *uio)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
- attrnamespace, name, uio);
- return (error);
-}
-
-int
-mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
- struct vnode *vp, struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
- return (error);
-}
-
-int
-mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
- int attrnamespace)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
- attrnamespace);
- return (error);
-}
-
-int
-mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
- struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
- return (error);
-}
-
-int
-mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
-
- if (!mac_enforce_fs || !mac_enforce_vm)
- return (0);
-
- MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
- return (error);
-}
-
-void
-mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
-{
- int result = *prot;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
-
- if (!mac_enforce_fs || !mac_enforce_vm)
- return;
-
- MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label,
- &result);
-
- *prot = result;
-}
-
-int
-mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
-
- if (!mac_enforce_fs || !mac_enforce_vm)
- return (0);
-
- MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
- return (error);
-}
-
-int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
- return (error);
-}
-
-int
-mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
- &vp->v_label);
-
- return (error);
-}
-
-int
-mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
- &vp->v_label);
-
- return (error);
-}
-
-int
-mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
- return (error);
-}
-
-int
-mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
- return (error);
-}
-
-static int
-mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
- struct label *newlabel)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
-
- MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
-
- return (error);
-}
-
-int
-mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
- struct vnode *vp, struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
- return (error);
-}
-
-int
-mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
- struct vnode *vp, int samedir, struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
- vp != NULL ? &vp->v_label : NULL, samedir, cnp);
- return (error);
-}
-
-int
-mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
- return (error);
-}
-
-int
-mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
- struct acl *acl)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
- return (error);
-}
-
-int
-mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
- int attrnamespace, const char *name, struct uio *uio)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
- attrnamespace, name, uio);
- return (error);
-}
-
-int
-mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
- return (error);
-}
-
-int
-mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
- return (error);
-}
-
-int
-mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
- gid_t gid)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
- return (error);
-}
-
-int
-mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
- struct timespec atime, struct timespec mtime)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
- mtime);
- return (error);
-}
-
-int
-mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
- &vp->v_label);
- return (error);
-}
-
-int
-mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
- &vp->v_label);
-
- return (error);
-}
-
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its
@@ -1682,29 +914,6 @@
MAC_PERFORM(relabel_cred, cred, newlabel);
}
-void
-mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
-{
-
- MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel);
-}
-
-void
-mac_create_mount(struct ucred *cred, struct mount *mp)
-{
-
- MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
- &mp->mnt_fslabel);
-}
-
-void
-mac_create_root_mount(struct ucred *cred, struct mount *mp)
-{
-
- MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel,
- &mp->mnt_fslabel);
-}
-
static int
mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
@@ -1729,19 +938,6 @@
}
int
-mac_check_mount_stat(struct ucred *cred, struct mount *mount)
-{
- int error;
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);
-
- return (error);
-}
-
-int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
@@ -1801,102 +997,6 @@
return (error);
}
-void
-mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de,
- const char *fullpath)
-{
-
- MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label,
- fullpath);
-}
-
-void
-mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
- struct devfs_dirent *dd, struct devfs_dirent *de, const char *fullpath)
-{
-
- MAC_PERFORM(create_devfs_symlink, cred, mp, dd, &dd->de_label, de,
- &de->de_label, fullpath);
-}
-
-void
-mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
- struct devfs_dirent *de, const char *fullpath)
-{
-
- MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
- &de->de_label, fullpath);
-}
-
-/*
- * Implementation of VOP_SETLABEL() that relies on extended attributes
- * to store label data. Can be referenced by filesystems supporting
- * extended attributes.
- */
-int
-vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
-{
- struct vnode *vp = ap->a_vp;
- struct label *intlabel = ap->a_label;
- int error;
-
- ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea");
-
- if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
- return (EOPNOTSUPP);
-
- error = mac_setlabel_vnode_extattr(ap->a_cred, vp, intlabel);
- if (error)
- return (error);
-
- mac_relabel_vnode(ap->a_cred, vp, intlabel);
-
- return (0);
-}
-
-static int
>>> TRUNCATED FOR MAIL (1000 lines) <<<