PERFORCE change 109962 for review
Todd Miller
millert at FreeBSD.org
Tue Nov 14 19:01:42 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=109962
Change 109962 by millert at millert_g5tower on 2006/11/14 18:52:51
Adapt vnode_label_associate_file(), remove vnode_label_associate_cred()
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#37 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#17 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#37 (text+ko) ====
@@ -753,34 +753,33 @@
}
static void
-sebsd_vnode_label_associate_cred(struct ucred *cred, struct vnode *vp,
- struct label *vlabel)
-{
- struct task_security_struct *tsec;
- struct vnode_security_struct *vsec;
-
- tsec = SLOT(cred->cr_label);
- vsec = SLOT(vlabel);
-
- vsec->sid = vsec->task_sid = tsec->sid;
- vsec->sclass = SECCLASS_FILE; /* XXX */
-}
-
-static void
-sebsd_vnode_label_associate_file(struct ucred *cred, struct fileglob *fg,
+sebsd_vnode_label_associate_file(struct ucred *cred, struct mount *mp,
+ struct label *mntlabel, struct fileglob *fg,
struct label *fglabel, struct vnode *vp, struct label *vlabel)
{
struct task_security_struct *tsec;
struct file_security_struct *fsec;
struct vnode_security_struct *vsec;
+ struct mount_security_struct *sbsec;
tsec = SLOT(cred->cr_label);
- fsec = SLOT(fglabel);
vsec = SLOT(vlabel);
+ vsec->task_sid = tsec->sid;
+ vsec->sclass = vnode_type_to_security_class(vp->v_type);
- vsec->sid = fsec->sid;
- vsec->task_sid = tsec->sid;
- vsec->sclass = SECCLASS_FILE; /* XXX */
+ /*
+ * Use file label if it exists, otherwise fall back
+ * on mount or cred labels.
+ */
+ if (fglabel) {
+ fsec = SLOT(fglabel);
+ vsec->sid = fsec->sid;
+ } else if (mntlabel) {
+ sbsec = SLOT(mntlabel);
+ vsec->sid = sbsec->sid;
+ } else {
+ vsec->sid = tsec->sid;
+ }
}
static void
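Review bot: The fallback chain in sebsd_vnode_label_associate_file() copies a SID from a different kind of object into `vsec->sid` without saying why that is safe. The `else if (mntlabel)` branch takes `sbsec->sid` from the mount label and the final `else` takes `tsec->sid` from the caller's credential, while `vsec->sclass` is now derived from `vp->v_type`. Depending on the loaded policy, a vnode carrying a filesystem or process-domain SID may match rules that were not written for file objects, so confirm this is the intended default rather than a dedicated default-file SID (if `struct mount_security_struct`, not visible here, carries one). At minimum the comment should record the decision, e.g. `/* No file label: vnode inherits the mount SID, else the credential's SID; policy must allow these as file-class contexts. */`. The new `mp` parameter is unused in the body, which is fine only if the framework entry point requires that signature.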
@@ -3625,7 +3624,6 @@
.mpo_vnode_label_associate_posixsem = sebsd_vnode_label_associate_posixsem,
.mpo_vnode_label_associate_posixshm = sebsd_vnode_label_associate_posixshm,
.mpo_vnode_label_associate_pipe = sebsd_vnode_label_associate_pipe,
- .mpo_vnode_label_associate_cred = sebsd_vnode_label_associate_cred,
.mpo_vnode_label_associate_file = sebsd_vnode_label_associate_file,
.mpo_devfs_label_update = sebsd_devfs_update,
==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#17 (text+ko) ====
@@ -1171,26 +1171,21 @@
}
static void
-mac_test_vnode_label_associate_file(struct ucred *cred, struct fileglob *fg,
- struct label *fglabel, struct vnode *vp, struct label *vlabel)
+mac_test_vnode_label_associate_file(struct ucred *cred, struct mount *mp,
+ struct label *mntlabel, struct fileglob *fg, struct label *fglabel,
+ struct vnode *vp, struct label *vlabel)
{
CHECKNULL(cred);
- CHECKNULL(fg);
CHECKNULL(vp);
INIT_LABEL(vlabel, VNODETYPE);
- USE_LABEL(fglabel, FILETYPE);
-}
-static void
-mac_test_vnode_label_associate_cred(struct ucred *cred, struct vnode *vp,
- struct label *vlabel)
-{
- CHECKNULL(cred);
- CHECKNULL(vp);
-
- INIT_LABEL(vlabel, VNODETYPE);
- USE_LABEL(cred->cr_label, CREDTYPE);
+ if (fglabel) {
+ CHECKNULL(fg);
+ USE_LABEL(fglabel, FILETYPE);
+ } else {
+ USE_LABEL(cred->cr_label, CREDTYPE);
+ }
}
static void
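Review bot: The test policy never exercises the new `mp`/`mntlabel` arguments, because the added branch goes from `fglabel` straight to `cred->cr_label`. The sebsd.c side of this change prefers the mount label when no file label is present, so that path gets no consistency checking here. A branch ahead of the final `else` would catch a caller passing a stale or mistyped mount label: `} else if (mntlabel) {` / `CHECKNULL(mp);` / `USE_LABEL(mntlabel, MOUNT_LABEL_TYPE);`. `MOUNT_LABEL_TYPE` is a placeholder for whatever mount-type constant mac_test.c defines, which is not visible in this hunk.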
@@ -1922,7 +1917,6 @@
mac_test_vnode_label_associate_posixshm,
.mpo_vnode_label_associate_pipe = mac_test_vnode_label_associate_pipe,
.mpo_vnode_label_associate_file = mac_test_vnode_label_associate_file,
- .mpo_vnode_label_associate_cred = mac_test_vnode_label_associate_cred,
.mpo_devfs_label_associate_device=
mac_test_devfs_label_associate_device,
.mpo_devfs_label_associate_directory=