PERFORCE change 110123 for review
Todd Miller
millert at FreeBSD.org
Thu Nov 16 19:14:59 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=110123
Change 110123 by millert at millert_macbook on 2006/11/16 19:13:40
Remove mac_file_check_{get,change}_flags and
mac_file_check_{get,change}_ofileflags.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_descrip.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_generic.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#16 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_file.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#19 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#28 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#45 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_descrip.c#7 (text+ko) ====
@@ -410,42 +410,22 @@
goto out;
case F_GETFD:
-#ifdef MAC
- error = mac_file_check_get_ofileflags(proc_ucred(p),
- fp->f_fglob, *pop);
- if (error == 0)
-#endif
- *retval = (*pop & UF_EXCLOSE)? 1 : 0;
+ *retval = (*pop & UF_EXCLOSE)? 1 : 0;
+ error = 0;
goto out;
case F_SETFD:
-#ifdef MAC
- error = mac_file_check_change_ofileflags(proc_ucred(p),
- fp->f_fglob, *pop, (*pop &~ UF_EXCLOSE) |
- (uap->arg & 1 ? UF_EXCLOSE : 0));
- if (error == 0)
-#endif
- *pop = (*pop &~ UF_EXCLOSE) |
- (uap->arg & 1)? UF_EXCLOSE : 0;
+ *pop = (*pop &~ UF_EXCLOSE) |
+ (uap->arg & 1)? UF_EXCLOSE : 0;
+ error = 0;
goto out;
case F_GETFL:
-#ifdef MAC
- error = mac_file_check_get_flags(proc_ucred(p), fp->f_fglob,
- fp->f_flag);
- if (error == 0)
-#endif
- *retval = OFLAGS(fp->f_flag);
+ *retval = OFLAGS(fp->f_flag);
+ error = 0;
goto out;
case F_SETFL:
-#ifdef MAC
- error = mac_file_check_change_flags(proc_ucred(p),
- fp->f_fglob, fp->f_flag, (fp->f_flag & ~FCNTLFLAGS) |
- (FFLAGS(CAST_DOWN(int, uap->arg)) & FCNTLFLAGS));
- if (error)
- goto out;
-#endif
fp->f_flag &= ~FCNTLFLAGS;
tmp = CAST_DOWN(int, uap->arg);
fp->f_flag |= FFLAGS(tmp) & FCNTLFLAGS;
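Review bot: In the F_SETFD case the re-indented assignment `*pop = (*pop &~ UF_EXCLOSE) | (uap->arg & 1)? UF_EXCLOSE : 0;` parses as `((*pop & ~UF_EXCLOSE) | (uap->arg & 1)) ? UF_EXCLOSE : 0`, because `?:` binds more loosely than `|`. Any other bit set in `*pop` therefore forces UF_EXCLOSE on regardless of `uap->arg`, and those other bits are dropped from the stored value. The removed MAC call computed the new value with the intended grouping, so the line is worth fixing while it is being touched: `*pop = (*pop & ~UF_EXCLOSE) | ((uap->arg & 1) ? UF_EXCLOSE : 0);`. The enclosing switch and function start and end outside the hunk.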
@@ -2484,12 +2464,6 @@
lf.l_len = 0;
if (how & LOCK_UN) {
lf.l_type = F_UNLCK;
-#ifdef MAC
- error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob,
- fp->f_flag, fp->f_flag & ~FHASLOCK);
- if (error)
- goto out;
-#endif
fp->f_flag &= ~FHASLOCK;
error = VNOP_ADVLOCK(vp, (caddr_t)fp->f_fglob, F_UNLCK, &lf, F_FLOCK, &context);
goto out;
@@ -2503,12 +2477,6 @@
goto out;
}
#ifdef MAC
- error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob,
- fp->f_flag, fp->f_flag | FHASLOCK);
- if (error)
- goto out;
-#endif
-#ifdef MAC
error = mac_file_check_lock(proc_ucred(p), fp->f_fglob, F_SETLK, &lf);
if (error)
goto out;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_generic.c#5 (text+ko) ====
@@ -752,7 +752,7 @@
if (error)
goto out;
#endif
-
+
#if NETAT
/*
* ### LD 6/11/97 Hack Alert: this is to get AppleTalk to work
@@ -777,22 +777,12 @@
switch (com = uap->com) {
case FIONCLEX:
-#ifdef MAC
- error = mac_file_check_change_ofileflags(proc_ucred(p),
- fp->f_fglob, *fdflags(p, uap->fd),
- *fdflags(p, uap->fd) & ~UF_EXCLOSE);
- if (error == 0)
-#endif
- *fdflags(p, uap->fd) &= ~UF_EXCLOSE;
+ *fdflags(p, uap->fd) &= ~UF_EXCLOSE;
+ error =0;
goto out;
case FIOCLEX:
-#ifdef MAC
- error = mac_file_check_change_ofileflags(proc_ucred(p),
- fp->f_fglob, *fdflags(p, uap->fd),
- *fdflags(p, uap->fd) | UF_EXCLOSE);
- if (error == 0)
-#endif
- *fdflags(p, uap->fd) |= UF_EXCLOSE;
+ *fdflags(p, uap->fd) |= UF_EXCLOSE;
+ error =0;
goto out;
}
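Review bot: FIONCLEX and FIOCLEX now change the descriptor flags unconditionally, and nothing in the new code says which remaining hook is meant to mediate them; the same applies to FIONBIO/FIOASYNC in the next two hunks and to F_SETFL in kern_descrip.c. The removed sebsd_file_check_change_flags required FILE__WRITE when O_APPEND was newly set, and the sebsd ops table context in the last hunk shows no `mpo_file_check_fcntl` entry, so that check appears to have no replacement in the policy, which is worth confirming. If the earlier ioctl check is the intended gate here, a short comment such as `/* MAC: mediated by the ioctl check above */` would record that. As a style point, `error =0;` should read `error = 0;` to match kern_descrip.c. The enclosing function starts and ends outside the hunk.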
@@ -856,13 +846,6 @@
switch (com) {
case FIONBIO:
-#ifdef MAC
- error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob,
- fp->f_flag, *(int *)datap ? fp->f_flag | FNONBLOCK :
- fp->f_flag & ~FNONBLOCK);
- if (error)
- goto out;
-#endif
if ( (tmp = *(int *)datap) )
fp->f_flag |= FNONBLOCK;
else
@@ -871,13 +854,6 @@
break;
case FIOASYNC:
-#ifdef MAC
- error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob,
- fp->f_flag, *(int *)datap ? fp->f_flag | FASYNC :
- fp->f_flag & ~FASYNC);
- if (error)
- goto out;
-#endif
if ( (tmp = *(int *)datap) )
fp->f_flag |= FASYNC;
else
@@ -2495,4 +2471,3 @@
return(0);
}
-
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#16 (text+ko) ====
@@ -1746,13 +1746,6 @@
if ((flags & FNONBLOCK) == 0)
type |= F_WAIT;
#ifdef MAC
- error = mac_file_check_change_flags(vfs_context_ucred(ctx),
- fp->f_fglob, fp->f_fglob->fg_flag,
- fp->f_fglob->fg_flag | FHASLOCK);
- if (error)
- goto bad;
-#endif
-#ifdef MAC
error = mac_file_check_lock(vfs_context_ucred(ctx), fp->f_fglob,
F_SETLK, &lf);
if (error)
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_file.c#7 (text+ko) ====
@@ -143,48 +143,6 @@
}
int
-mac_file_check_get_flags(struct ucred *cred, struct fileglob *fg,
- u_int flags)
-{
- int error;
-
- MAC_CHECK(file_check_get_flags, cred, fg, fg->fg_label, flags);
- return (error);
-}
-
-int
-mac_file_check_get_ofileflags(struct ucred *cred, struct fileglob *fg,
- char flags)
-{
- int error;
-
- MAC_CHECK(file_check_get_ofileflags, cred, fg, fg->fg_label, flags);
- return (error);
-}
-
-int
-mac_file_check_change_flags(struct ucred *cred, struct fileglob *fg,
- u_int oldflags, u_int newflags)
-{
- int error;
-
- MAC_CHECK(file_check_change_flags, cred, fg, fg->fg_label, oldflags,
- newflags);
- return (error);
-}
-
-int
-mac_file_check_change_ofileflags(struct ucred *cred, struct fileglob *fg,
- char oldflags, char newflags)
-{
- int error;
-
- MAC_CHECK(file_check_change_ofileflags, cred, fg, fg->fg_label,
- oldflags, newflags);
- return (error);
-}
-
-int
mac_file_check_get_offset(struct ucred *cred, struct fileglob *fg)
{
int error;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#19 (text+ko) ====
@@ -122,22 +122,14 @@
void mac_devfs_label_update(struct mount *mp, struct devnode *de,
struct vnode *vp);
int mac_execve_enter(user_addr_t mac_p, struct label *execlabel);
-int mac_file_check_change_flags(struct ucred *cred, struct fileglob *fg,
- u_int oldflags, u_int newflags);
int mac_file_check_change_offset(struct ucred *cred, struct fileglob *fg);
-int mac_file_check_change_ofileflags(struct ucred *cred,
- struct fileglob *fg, char oldflags, char newflags);
int mac_file_check_create(struct ucred *cred);
int mac_file_check_dup(struct ucred *cred, struct fileglob *fg, int newfd);
int mac_file_check_fcntl(struct ucred *cred, struct fileglob *fg, int cmd,
long arg);
int mac_file_check_get(struct ucred *cred, struct fileglob *fg,
char *elements, int len);
-int mac_file_check_get_flags(struct ucred *cred, struct fileglob *fg,
- u_int flags);
int mac_file_check_get_offset(struct ucred *cred, struct fileglob *fg);
-int mac_file_check_get_ofileflags(struct ucred *cred, struct fileglob *fg,
- char flags);
int mac_file_check_inherit(struct ucred *cred, struct fileglob *fg);
int mac_file_check_ioctl(struct ucred *cred, struct fileglob *fg,
u_long com, void *data);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#28 (text+ko) ====
@@ -580,48 +580,6 @@
struct label *vnodelabel
);
/**
- @brief Access control for changing file descriptor flags
- @param cred Subject credential
- @param fg Fileglob structure
- @param label Policy label for fg
- @param oldflags Old fd flags
- @param newflags New fd flags
-
- Determine whether the subject identified by the credential can
- change the specified flags for the fileglob structure represented by fg.
-
- @return Return 0 if access if granted, otherwise an appropriate
- value for errno should be returned.
-*/
-typedef int mpo_file_check_change_flags_t(
- struct ucred *cred,
- struct fileglob *fg,
- struct label *label,
- u_int oldflags,
- u_int newflags
-);
-/**
- @brief Access control for changing open file flags
- @param cred Subject credential
- @param fg Fileglob structure
- @param label Policy label for fg
- @param flags Old flags
- @param flags New flags
-
- Determine whether the subject identified by the credential can
- change the open file flags for the fileglob structure represented by fg.
-
- @return Return 0 if access if granted, otherwise an appropriate
- value for errno should be returned.
-*/
-typedef int mpo_file_check_change_ofileflags_t(
- struct ucred *cred,
- struct fileglob *fg,
- struct label *label,
- char oldflags,
- char newflags
-);
-/**
@brief Access control for changing the offset of a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@@ -710,25 +668,6 @@
int len
);
/**
- @brief Access control for getting file descriptor flags
- @param cred Subject credential
- @param fg Fileglob structure
- @param label Policy label for fg
- @param flags Requested flags
-
- Determine whether the subject identified by the credential can
- get the specified flags for the fileglob structure represented by fg.
-
- @return Return 0 if access if granted, otherwise an appropriate
- value for errno should be returned.
-*/
-typedef int mpo_file_check_get_flags_t(
- struct ucred *cred,
- struct fileglob *fg,
- struct label *label,
- u_int flags
-);
-/**
@brief Access control for getting the offset of a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@@ -746,25 +685,6 @@
struct label *label
);
/**
- @brief Access control for getting open file flags
- @param cred Subject credential
- @param fg Fileglob structure
- @param label Policy label for fg
- @param flags Requested flags
-
- Determine whether the subject identified by the credential can
- get the open file flags for the fileglob structure represented by fg.
-
- @return Return 0 if access if granted, otherwise an appropriate
- value for errno should be returned.
-*/
-typedef int mpo_file_check_get_ofileflags_t(
- struct ucred *cred,
- struct fileglob *fg,
- struct label *label,
- char flags
-);
-/**
@brief Access control for inheriting a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@@ -5123,15 +5043,11 @@
mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
mpo_devfs_label_init_t *mpo_devfs_label_init;
mpo_devfs_label_update_t *mpo_devfs_label_update;
- mpo_file_check_change_flags_t *mpo_file_check_change_flags;
mpo_file_check_change_offset_t *mpo_file_check_change_offset;
- mpo_file_check_change_ofileflags_t *mpo_file_check_change_ofileflags;
mpo_file_check_create_t *mpo_file_check_create;
mpo_file_check_dup_t *mpo_file_check_dup;
mpo_file_check_fcntl_t *mpo_file_check_fcntl;
- mpo_file_check_get_flags_t *mpo_file_check_get_flags;
mpo_file_check_get_offset_t *mpo_file_check_get_offset;
- mpo_file_check_get_ofileflags_t *mpo_file_check_get_ofileflags;
mpo_file_check_get_t *mpo_file_check_get;
mpo_file_check_inherit_t *mpo_file_check_inherit;
mpo_file_check_ioctl_t *mpo_file_check_ioctl;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#45 (text+ko) ====
@@ -3146,43 +3146,6 @@
}
static int
-sebsd_file_check_get_flags(struct ucred *cred, struct fileglob *fg,
- struct label *fglabel, u_int flags)
-{
-
- return (file_has_perm(cred, fg, fglabel, 0));
-}
-
-static int
-sebsd_file_check_get_ofileflags(struct ucred *cred, struct fileglob *fg,
- struct label *fglabel, char flags)
-{
-
- return (file_has_perm(cred, fg, fglabel, 0));
-}
-
-static int
-sebsd_file_check_change_flags(struct ucred *cred, struct fileglob *fg,
- struct label *fglabel, u_int oldflags, u_int newflags)
-{
- u_int32_t av = 0;
-
- if ((newflags & O_APPEND) && !(oldflags & O_APPEND))
- av = FILE__WRITE;
-
- return (file_has_perm(cred, fg, fglabel, av));
-}
-
-static int
-sebsd_file_check_change_ofileflags(struct ucred *cred, struct fileglob *fg,
- struct label *fglabel, char oldflags, char newflags)
-{
-
- /* XXX - should set av to something */
- return (file_has_perm(cred, fg, fglabel, 0));
-}
-
-static int
sebsd_file_check_get_offset(struct ucred *cred, struct fileglob *fg,
struct label *fglabel)
{
@@ -3552,13 +3515,9 @@
.mpo_devfs_label_destroy = sebsd_vnode_label_destroy,
.mpo_devfs_label_init = sebsd_vnode_label_init,
.mpo_devfs_label_update = sebsd_devfs_update,
- .mpo_file_check_change_flags = sebsd_file_check_change_flags,
.mpo_file_check_change_offset = sebsd_file_check_change_offset,
- .mpo_file_check_change_ofileflags = sebsd_file_check_change_ofileflags,
.mpo_file_check_dup = sebsd_file_check_dup,
- .mpo_file_check_get_flags = sebsd_file_check_get_flags,
.mpo_file_check_get_offset = sebsd_file_check_get_offset,
- .mpo_file_check_get_ofileflags = sebsd_file_check_get_ofileflags,
.mpo_file_check_inherit = sebsd_file_check_receive,
.mpo_file_check_ioctl = sebsd_file_check_ioctl,
.mpo_file_check_lock = sebsd_file_check_lock,