PERFORCE change 40437 for review

Robert Watson rwatson at FreeBSD.org
Fri Oct 24 14:38:22 PDT 2003


http://perforce.freebsd.org/chv.cgi?CH=40437

Change 40437 by rwatson at rwatson_tislabs on 2003/10/24 14:37:54

	Flesh out the mount-related pieces in mac_vfs.c with local
	modifications from kern_mac.c in the SEBSD branch:
	
	- Add mac_init_mount_label(), mac_destroy_mount_label(),
	  mac_copy_mount_label(), mac_externalize_mount_label(),
	  mac_internalize_mount_label().
	- Add mac_check_mount(), mac_check_umount(), mac_check_remount().
	- Add optional mount label argument to mac_create_mount().
	- Add credential to mac_create_devfs_device() for use with cloning.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#2 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#2 (text+ko) ====

@@ -109,6 +109,9 @@
 int	mac_internalize_cred_label(struct label *label, char *string);
 void	mac_relabel_cred(struct ucred *cred, struct label *newlabel);
 
+int	mac_externalize_mount_label(struct label *label, char *elements,
+	    char *outbuf, size_t outbuflen, int flags);
+int	mac_internalize_mount_label(struct label *label, char *string);
 
 void	mac_copy_pipe_label(struct label *src, struct label *dest);
 void	mac_destroy_pipe_label(struct label *label);

==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#2 (text+ko) ====

@@ -110,12 +110,19 @@
 }
 
 void
+mac_init_mount_label(struct label *label)
+{
+
+	mac_init_label(label);
+	MAC_PERFORM(init_mount_label, label);
+}
+
+void
 mac_init_mount(struct mount *mp)
 {
 
-	mac_init_label(&mp->mnt_mntlabel);
+	mac_init_mount_label(&mp->mnt_mntlabel);
 	mac_init_label(&mp->mnt_fslabel);
-	MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
 	MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
 	MAC_DEBUG_COUNTER_INC(&nmacmounts);
 }
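Review bot: mnt_fslabel is still initialized with the open-coded `mac_init_label(&mp->mnt_fslabel);` / `MAC_PERFORM(init_mount_fs_label, ...)` pair right after mnt_mntlabel has been moved behind the new mac_init_mount_label() helper; that asymmetry is a style point only, but a matching `mac_init_mount_fs_label(struct label *)` would keep the two labels from drifting apart as policies add per-label setup. A one-line comment on mac_init_mount_label() stating that it must be paired with mac_destroy_mount_label() would also make the helper's ownership contract explicit for callers outside mac_init_mount().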
@@ -146,13 +153,20 @@
 }
 
 void
+mac_destroy_mount_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_mount_label, label);
+	mac_destroy_label(label);
+}
+
+void
 mac_destroy_mount(struct mount *mp)
 {
 
-	MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+	mac_destroy_mount_label(&mp->mnt_mntlabel);
 	MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
 	mac_destroy_label(&mp->mnt_fslabel);
-	mac_destroy_label(&mp->mnt_mntlabel);
 	MAC_DEBUG_COUNTER_DEC(&nmacmounts);
 }
 
@@ -173,6 +187,13 @@
 }
 
 void
+mac_copy_mount_label(struct label *src, struct label *dest)
+{
+
+	MAC_PERFORM(copy_mount_label, src, dest);
+}
+
+void
 mac_copy_vnode_label(struct label *src, struct label *dest)
 {
 
@@ -180,6 +201,17 @@
 }
 
 int
+mac_externalize_mount_label(struct label *label, char *elements,
+    char *outbuf, size_t outbuflen, int flags)
+{
+	int error;
+
+	MAC_EXTERNALIZE(mount_label, label, elements, outbuf, outbuflen);
+
+	return (error);
+}
+
+int
 mac_externalize_vnode_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen, int flags)
 {
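Review bot: The type token passed at `MAC_EXTERNALIZE(mount_label, label, elements, outbuf, outbuflen);` should be checked against the sibling callers, since in the MAC framework of this era the macro pastes `_label` onto that token to form the `mpo_externalize_<type>_label` entry point; if that is the case here, `mount_label` names a nonexistent `mpo_externalize_mount_label_label` slot and the call should read `MAC_EXTERNALIZE(mount, label, elements, outbuf, outbuflen);`. I cannot confirm the macro's spelling from this change alone, so treat it as a question to verify before the branch builds. The `flags` parameter is accepted and never read in the body, which appears to match mac_externalize_vnode_label() below, whose body continues outside this hunk.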
@@ -191,6 +223,16 @@
 }
 
 int
+mac_internalize_mount_label(struct label *label, char *string)
+{
+	int error;
+
+	MAC_INTERNALIZE(mount_label, label, string);
+
+	return (error);
+}
+
+int
 mac_internalize_vnode_label(struct label *label, char *string)
 {
 	int error;
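Review bot: `MAC_INTERNALIZE(mount_label, label, string);` has the same type-token question as the externalize routine: whatever the vnode and cred callers pass as the first argument is what must appear here, and if the macro appends `_label` itself the line should be `MAC_INTERNALIZE(mount, label, string);`. Separately, `string` reaches this routine from user-supplied label text, and nothing here checks that `label` was initialized or that the string is well formed, so the function deserves a comment such as `/* label must have been set up with mac_init_mount_label(); policies are responsible for rejecting malformed element strings. */`. mac_internalize_vnode_label() continues past the end of this hunk.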
@@ -342,6 +384,47 @@
 }
 
 int
+mac_check_mount(struct ucred *cred, struct vnode *vp, const char *vfc_name,
+    struct label *mntlabel)
+{
+	int error;
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_mount, cred, vp, &vp->v_label, vfc_name, mntlabel);
+
+	return (error);
+}
+
+int
+mac_check_umount(struct ucred *cred, struct mount *mp)
+{	int error;
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_umount, cred, mp, &mp->mnt_mntlabel);
+
+	return (error);
+}
+
+int
+mac_check_remount(struct ucred *cred, struct mount *mp,
+    struct label *mount_arg_label)
+{
+	int error;
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_remount, cred, mp, &mp->mnt_mntlabel,
+	    mount_arg_label);
+
+	return (error);
+}
+
+int
 mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
 {
 	int error;
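Review bot: mac_check_mount() dereferences `vp` unconditionally via `&vp->v_label`, yet the root mount has no covering vnode; if any caller can reach this check with a NULL vp (no callers are added in this change, so I cannot tell which paths will use it) it needs either a guard or a stated precondition, e.g. `/* vp is the vnode about to be covered and must not be NULL. */`. The `if (!mac_enforce_fs) return (0);` gate means turning off fs enforcement bypasses mount, umount and remount checks entirely, which matches the vnode checks but is worth a comment since unmounting is a distinct privilege from file access. Also, `mac_check_umount(struct ucred *cred, struct mount *mp)` is followed by `{	int error;` on one line; style(9) puts the brace and the declaration on separate lines as the other two routines do.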
@@ -853,11 +936,12 @@
 }
 
 void
-mac_create_mount(struct ucred *cred, struct mount *mp)
+mac_create_mount(struct ucred *cred, struct mount *mp,
+    struct label *mount_arg_label)
 {
 
 	MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
-	    &mp->mnt_fslabel);
+	    &mp->mnt_fslabel, mount_arg_label);
 }
 
 void
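Review bot: The commit description calls mount_arg_label optional, but nothing at `MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel, mount_arg_label);` records that the pointer may be NULL, so every policy implementing create_mount has to infer that from the callers. State it on the function: `/* mount_arg_label may be NULL when the mount arguments carried no label; policies must check before dereferencing. */`. Since this also changes the arity of the mpo_create_mount entry point, any policy built against the old prototype fails at compile time rather than at runtime, which is the safer outcome but deserves a sentence in the description.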
@@ -882,11 +966,11 @@
 }
 
 void
-mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de,
-    const char *fullpath)
+mac_create_devfs_device(struct ucred *cred, struct mount *mp, dev_t dev,
+    struct devfs_dirent *de, const char *fullpath)
 {
 
-	MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label,
+	MAC_PERFORM(create_devfs_device, cred, mp, dev, de, &de->de_label,
 	    fullpath);
 }
 
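Review bot: The new `cred` argument to mac_create_devfs_device() is described only as being for cloning, while devfs also creates nodes at boot and on behalf of make_dev() callers that may have no meaningful process credential; the hunk gives policies no way to know whether cred can be NULL or a kernel credential on those paths. Pin the contract at the definition, e.g. `/* cred: credential of the process whose open triggered the clone; may be NULL for device nodes created from kernel context. */`, adjusted to whatever the updated callers actually pass — they are not visible in this change. Policies that derive the device label from cred should fall back to the device's static label rather than dereferencing cred unconditionally.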

