PERFORCE change 15682 for review

Robert Watson rwatson at freebsd.org
Thu Aug 8 14:52:47 GMT 2002


http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15682

Change 15682 by rwatson at rwatson_paprika on 2002/08/08 07:52:26

	Push down the SLOT() mapping from the entry point implementations
	to the supporting functions (mac_te_check(), copy(), et al),
	simplifying the entry point implementations.
	
	Teach TE how to see a "null" TE label, which requests no update
	during a relabel operation.  Allow null TE relabels without
	privilege so that relative label updates dealing only with other
	policies will function correctly.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#68 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#68 (text+ko) ====

@@ -506,11 +506,15 @@
 }
 
 static int
-mac_te_check(struct mac_te *subject, struct mac_te *object, int object_class,
+mac_te_check(struct label *lsubject, struct label *lobject, int object_class,
     int operation)
 {
+	struct mac_te *subject, *object;
 	int match;
 	int rule;
+	
+	subject = SLOT(lsubject);
+	object = SLOT(lobject);
 
 	if (!mac_te_enabled)
 		return (0);
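Review bot: `mac_te_check()` now dereferences both labels through `SLOT()` at the top of the function, ahead of the `mac_te_enabled` test, so the slot lookups run even when the policy is switched off, and the non-NULL requirement that each caller used to carry now lives here undocumented. Moving `subject = SLOT(lsubject);` and `object = SLOT(lobject);` below the `if (!mac_te_enabled) return (0);` guard keeps the disabled path free of label access. A header comment such as `/* Both labels must be non-NULL; returns 0 to allow, an errno value to deny. */` would record the contract; the return convention is inferred from the callers, so confirm it against the rest of the body, which continues outside this hunk. The added separator line consists of a single tab and should be an empty line.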
@@ -549,11 +553,11 @@
 }
 
 static void
-mac_te_init_label_as(struct mac_te *telabel, char *type)
+mac_te_init_label_as(struct mac_te *mac_te, char *type)
 {
 
-	bzero(&telabel->mt_type, MAC_TE_TYPE_MAXLEN+1);
-	strncpy(telabel->mt_type, type, MAC_TE_TYPE_MAXLEN);
+	bzero(&mac_te->mt_type, MAC_TE_TYPE_MAXLEN+1);
+	strncpy(mac_te->mt_type, type, MAC_TE_TYPE_MAXLEN);
 }
 
 static void
@@ -564,18 +568,24 @@
 }
 
 static void
-mac_te_copy_label_teonly(const struct mac_te *labelfrom,
-    struct mac_te *labelto)
+mac_te_copy_label_teonly(const struct mac_te *from, struct mac_te *to)
 {
 
-	bcopy(labelfrom, labelto, sizeof(*labelto));
+	bcopy(from, to, sizeof(*to));
 }
 
 static void
-mac_te_copy_label(struct mac_te *tefrom, struct mac_te *teto)
+mac_te_copy_label(const struct label *from, struct label *to)
+{
+
+	mac_te_copy_label_teonly(SLOT(from), SLOT(to));
+}
+
+static int
+mac_te_null_label(struct label *label)
 {
 
-	mac_te_copy_label_teonly(tefrom, teto);
+	return (strlen(SLOT(label)->mt_type) == 0);
 }
 
 static void
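Review bot: `mac_te_null_label()` makes an empty `mt_type` string the "no update requested" marker, but nothing beside it says so, even though the relabel checks elsewhere in this change let such a label through without privilege. A comment above it, for example `/* A label with an empty type is "null": relabel entry points must skip the copy, and the matching check does not require privilege. */`, would tie the two halves together, because a relabel implementation that omits the guard would let an unprivileged request overwrite a label with the empty type. The test can be written `return (SLOT(label)->mt_type[0] == '\0');`, which does not scan the buffer or depend on it being terminated. The parameter can be `const struct label *`, matching `mac_te_copy_label()`.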
@@ -596,15 +606,15 @@
 mac_te_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
 {
 
-	mac_te_copy_label(SLOT(&cred_parent->cr_label),
-	    SLOT(&cred_child->cr_label));
+	mac_te_copy_label(&cred_parent->cr_label, &cred_child->cr_label);
 }
 
 static void
 mac_te_relabel_cred(struct ucred *cred, struct label *newlabel)
 {
 
-	mac_te_copy_label(SLOT(newlabel), SLOT(&cred->cr_label));
+	if (!mac_te_null_label(newlabel))
+		mac_te_copy_label(newlabel, &cred->cr_label);
 }
 
 static void
@@ -612,7 +622,8 @@
     struct label *ifnetlabel, struct label *newlabel)
 {
 
-	mac_te_copy_label(SLOT(newlabel), SLOT(ifnetlabel));
+	if (!mac_te_null_label(newlabel))
+		mac_te_copy_label(newlabel, ifnetlabel);
 }
 
 static int
@@ -623,42 +634,43 @@
 	if (!mac_te_enabled)
 		return (0);
 
-	return (mac_te_check(SLOT(bpflabel), SLOT(ifnetlabel),
-	    MAC_TE_CLASS_BPF, MAC_TE_OPERATION_BPF_RECEIVE));
+	return (mac_te_check(bpflabel, ifnetlabel, MAC_TE_CLASS_BPF,
+	    MAC_TE_OPERATION_BPF_RECEIVE));
 }
 
 static int
 mac_te_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
-	int error, privilege_needed;
 
-	/* Allow no-op updates without privilege. */
-	privilege_needed = 0;
-	if (!mac_te_equal(&cred->cr_label, newlabel))
-		privilege_needed = 1;
+	/* Don't prevent relabel if no-op. */
+	if (mac_te_null_label(newlabel))
+		return (0);
+	if (mac_te_equal(&cred->cr_label, newlabel))
+		return (0);
 
-	if (privilege_needed) {
-		error = suser_cred(cred, 0);
-		if (error)
-			return (error);
-	}
-
-	return (0);
+	/* We should check the TE policy here, but instead we require root. */
+	return (suser_cred(cred, 0));
 }
 
 static int
 mac_te_check_cred_visible(struct ucred *u1, struct ucred *u2)
 {
  
-	return (mac_te_check(SLOT(&u1->cr_label), SLOT(&u2->cr_label),
-	    MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SEE));
+	return (mac_te_check(&u1->cr_label, &u2->cr_label, MAC_TE_CLASS_PROC,
+	    MAC_TE_OPERATION_PROC_SEE));
 }
 
 static int
 mac_te_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
-    struct label *newlabel)
+    struct label *ifnetlabel, struct label *newlabel)
 {
+	/* Don't prevent relabel if no-op. */
+	if (mac_te_null_label(newlabel))
+		return (0);
+	if (mac_te_equal(ifnetlabel, newlabel))
+		return (0);
 
+	/* We should check the TE policy here, but instead we require root. */
 	return (suser_cred(cred, 0));
 }
 
@@ -672,8 +684,8 @@
 	 * mbuf as an object.  Since sockets are objects, this is
 	 * probably wrong.
 	 */
-	return (mac_te_check(SLOT(ifnetlabel), SLOT(mbuflabel),
-	    MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_SEND));
+	return (mac_te_check(ifnetlabel, mbuflabel, MAC_TE_CLASS_MBUF,
+	    MAC_TE_OPERATION_MBUF_SEND));
 }
 
 static int
@@ -682,8 +694,8 @@
 {
 	int error;
 
-	error = mac_te_check(SLOT(&cred->cr_label), SLOT(mplabel),
-	    MAC_TE_CLASS_FS, MAC_TE_OPERATION_FS_STATFS);
+	error = mac_te_check(&cred->cr_label, mplabel, MAC_TE_CLASS_FS,
+	    MAC_TE_OPERATION_FS_STATFS);
 
 	return (error);
 }
@@ -712,40 +724,39 @@
 mac_te_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
     struct label *pipelabel, struct label *newlabel)
 {
-	int error;
 
-	error = suser_cred(cred, 0);
-	if (error)
-		return (error);
+	/* Don't prevent relabel if no-op. */
+	if (mac_te_null_label(newlabel))
+		return (0);
+	if (mac_te_equal(newlabel, pipelabel))
+		return (0);
 
-	return (0);
+	/* We should check the TE policy here, but instead we require root. */
+	return (suser_cred(cred, 0));
 }
 
 static int
 mac_te_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 
-	return (mac_te_check(SLOT(&cred->cr_label),
-	    SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
-	    MAC_TE_OPERATION_PROC_DEBUG));
+	return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label,
+	    MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_DEBUG));
 }
 
 static int
 mac_te_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
 {
 
-	return (mac_te_check(SLOT(&cred->cr_label),
-	    SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
-	    MAC_TE_OPERATION_PROC_SIGNAL));
+	return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label,
+	    MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SIGNAL));
 }
 
 static int
 mac_te_check_proc_sched(struct ucred *cred, struct proc *proc)
 {
 
-	return (mac_te_check(SLOT(&cred->cr_label),
-	    SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
-	    MAC_TE_OPERATION_PROC_SCHED));
+	return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label,
+	    MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SCHED));
 }
 
 static int
@@ -756,7 +767,7 @@
 	if (!mac_te_enabled)
 		return (0);
 
-	return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+	return (mac_te_check(&cred->cr_label, socketlabel,
 	    MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_BIND));
 }
 
@@ -768,7 +779,7 @@
 	if (!mac_te_enabled)
 		return (0);
 
-	return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+	return (mac_te_check(&cred->cr_label, socketlabel,
 	    MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_CONNECT));
 }
 
@@ -780,7 +791,7 @@
 	if (!mac_te_enabled)
 		return (0);
 
-	return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+	return (mac_te_check(&cred->cr_label, socketlabel,
 	    MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_LISTEN));
 }
 
@@ -789,21 +800,23 @@
     struct mbuf *m, struct label *mbuflabel)
 {
 
-	return (mac_te_check(SLOT(socketlabel), SLOT(mbuflabel),
-	    MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_RECEIVE));
+	return (mac_te_check(socketlabel, mbuflabel, MAC_TE_CLASS_MBUF,
+	    MAC_TE_OPERATION_MBUF_RECEIVE));
 }
 
 static int
 mac_te_check_socket_relabel(struct ucred *cred, struct socket *socket,
     struct label *socketlabel, struct label *newlabel)
 {
-	int error;
 
-	error = suser_cred(cred, 0);
-	if (error)
-		return (error);
+	/* Don't prevent relabel if no-op. */
+	if (mac_te_null_label(newlabel))
+		return (0);
+	if (mac_te_equal(newlabel, socketlabel))
+		return (0);
 
-	return (0);
+	/* We should check the TE policy here, but instead we require root. */
+	return (suser_cred(cred, 0));
 }
 
 static int
@@ -811,7 +824,7 @@
     struct label *socketlabel)
 {
  
-	return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+	return (mac_te_check(&cred->cr_label, socketlabel,
 	    MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_SEE));
 }
 
@@ -831,21 +844,22 @@
     struct label *bdlabel)
 {
 
-	mac_te_copy_label(SLOT(&cred->cr_label), SLOT(bdlabel));
+	mac_te_copy_label(&cred->cr_label, bdlabel);
 }
 
 static void
 mac_te_create_object(struct ucred *cred, struct label *label)
 {
 
-	mac_te_copy_label(SLOT(&cred->cr_label), SLOT(label));
+	mac_te_copy_label(&cred->cr_label, label);
 }
 
 static void
-mac_te_create_object_from_object(struct label *oldlabel, struct label *newlabel)
+mac_te_create_object_from_object(struct label *oldlabel,
+    struct label *newlabel)
 {
 
-	mac_te_copy_label(SLOT(oldlabel), SLOT(newlabel));
+	mac_te_copy_label(oldlabel, newlabel);
 }
 
 static void
@@ -853,7 +867,7 @@
     struct mbuf *datagram, struct label *datagramlabel)
 {
 
-	mac_te_copy_label(SLOT(ipqlabel), SLOT(datagramlabel));
+	mac_te_copy_label(ipqlabel, datagramlabel);
 }
 
 static void
@@ -862,7 +876,7 @@
 {
 
 	mac_te_init_label(SLOT(fragmentlabel));
-	mac_te_copy_label(SLOT(datagramlabel), SLOT(fragmentlabel));
+	mac_te_copy_label(datagramlabel, fragmentlabel);
 }
 
 static void
@@ -870,7 +884,7 @@
     struct mbuf *ipq, struct label *ipqlabel)
 {
 
-	mac_te_copy_label(SLOT(fragmentlabel), SLOT(ipqlabel));
+	mac_te_copy_label(fragmentlabel, ipqlabel);
 }
 
 static void
@@ -879,7 +893,7 @@
     struct label *newmbuflabel)
 {
 
-	mac_te_copy_label(SLOT(oldmbuflabel), SLOT(newmbuflabel));
+	mac_te_copy_label(oldmbuflabel, newmbuflabel);
 }
 
 static void
@@ -895,7 +909,7 @@
     struct mbuf *m, struct label *mlabel)
 {
 
-	mac_te_copy_label(SLOT(iflabel), SLOT(mlabel));
+	mac_te_copy_label(iflabel, mlabel);
 }
 
 static void
@@ -904,7 +918,7 @@
     struct mbuf *newmbuf, struct label *nmblabel)
 {
 
-	mac_te_copy_label(SLOT(oldmblabel), SLOT(nmblabel));
+	mac_te_copy_label(oldmblabel, nmblabel);
 }
 
 static void
@@ -912,7 +926,7 @@
     struct mbuf *newmbuf, struct label *nmblabel)
 {
 
-	mac_te_copy_label(SLOT(oldmblabel), SLOT(nmblabel));
+	mac_te_copy_label(oldmblabel, nmblabel);
 }
 
 static int
@@ -928,7 +942,7 @@
     struct mbuf *m, struct label *mlabel)
 {
 
-	mac_te_copy_label(SLOT(solabel), SLOT(mlabel));
+	mac_te_copy_label(solabel, mlabel);
 }
 
 static void
@@ -962,7 +976,8 @@
     struct label *oldlabel, struct label *newlabel)
 {
 
-	mac_te_copy_label(SLOT(newlabel), SLOT(oldlabel));
+	if (!mac_te_null_label(newlabel))
+		mac_te_copy_label(newlabel, oldlabel);
 }
 
 static void
@@ -970,7 +985,8 @@
     struct label *pipelabel, struct label *newlabel)
 {
 
-	mac_te_copy_label(SLOT(newlabel), SLOT(pipelabel));
+	if (!mac_te_null_label(newlabel))
+		mac_te_copy_label(newlabel, pipelabel);
 }
 
 static void
@@ -978,7 +994,7 @@
     struct socket *socket, struct label *sopeerlabel)
 {
 
-	mac_te_copy_label(SLOT(mlabel), SLOT(sopeerlabel));
+	mac_te_copy_label(mlabel, sopeerlabel);
 }
 
 static void
@@ -987,7 +1003,7 @@
     struct label *newpeerlabel)
 {
 
-	mac_te_copy_label(SLOT(oldlabel), SLOT(newpeerlabel));
+	mac_te_copy_label(oldlabel, newpeerlabel);
 }
 
 static void
@@ -995,7 +1011,7 @@
     struct mbuf *mbuf, struct label *mblabel)
 {
 
-	mac_te_copy_label(SLOT(bdlabel), SLOT(mblabel));
+	mac_te_copy_label(bdlabel, mblabel);
 }
 
 static void
@@ -1019,10 +1035,11 @@
 
 static void
 mac_te_relabel_vnode(struct ucred *cred, struct vnode *vp,
-    struct label *vnodelabel, struct label *label)
+    struct label *vnodelabel, struct label *newlabel)
 {
 
-	mac_te_copy_label(SLOT(label), SLOT(vnodelabel));
+	if (!mac_te_null_label(newlabel))
+		mac_te_copy_label(newlabel, vnodelabel);
 }
 
 
@@ -1078,7 +1095,7 @@
     struct vnode *vp, struct label *vnodelabel)
 {
 
-	mac_te_copy_label(SLOT(direntlabel), SLOT(vnodelabel));
+	mac_te_copy_label(direntlabel, vnodelabel);
 }
 
 static void
@@ -1102,8 +1119,8 @@
     struct label *dlabel)
 {
 
-	return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
-	    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHDIR));
+	return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+	    MAC_TE_OPERATION_DIR_CHDIR));
 }
 
 static int
@@ -1111,8 +1128,8 @@
     struct label *dlabel)
 {
 
-	return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
-	    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHROOT));
+	return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+	    MAC_TE_OPERATION_DIR_CHROOT));
 }
 
 static int
@@ -1120,8 +1137,8 @@
     struct label *dlabel, struct componentname *cnp, struct vattr *vap)
 {
 
-	return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
-	    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE));
+	return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+	    MAC_TE_OPERATION_DIR_WRITE));
 }
 
 static int
@@ -1131,19 +1148,19 @@
 {
 	int error;
 
-	error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
-	    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE);
+	error = mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+	    MAC_TE_OPERATION_DIR_WRITE);
 	if (error)
 		return (error);
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_DELETE));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE));
 	}
 }
@@ -1155,13 +1172,13 @@
 
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETEACL));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_DELETEACL));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETEACL));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETEACL));
 	}
 }
@@ -1171,8 +1188,8 @@
     struct label *label)
 {
 
-	return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-	    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_EXEC));
+	return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
+	    MAC_TE_OPERATION_FILE_EXEC));
 }
 
 static int
@@ -1182,13 +1199,13 @@
 
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_GETACL));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_GETACL));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETACL));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETACL));
 	}
 }
@@ -1200,13 +1217,13 @@
 
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_DIR_GETEXTATTR));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETEXTATTR));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETEXTATTR));
 	}
 }
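Review bot: The `VDIR` case of this switch passes `MAC_TE_CLASS_FILE` together with `MAC_TE_OPERATION_DIR_GETEXTATTR`, whereas the other `VDIR` branches in this change, including the SETEXTATTR one, pair a `DIR` operation with `MAC_TE_CLASS_DIR`. The second line of that call is carried over unchanged, so the mismatch predates this change, but as written an extended-attribute read on a directory is evaluated against the file class and rules written for the directory class would presumably not apply to it. Unless that is deliberate, the call should read `mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_GETEXTATTR)`. The function's signature lies outside the hunk.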
@@ -1216,30 +1233,26 @@
     struct label *dlabel, struct componentname *cnp)
 {
  
-	return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
-	    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_LOOKUP));
+	return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+	    MAC_TE_OPERATION_DIR_LOOKUP));
 }
 
 static vm_prot_t
 mac_te_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
     struct label *label, int newmapping)
 {
-	struct mac_te *subj, *obj;
 	vm_prot_t prot = 0;
 
 	if (!mac_te_enabled || (!mac_te_revocation_enabled && !newmapping))
 		return (VM_PROT_ALL);
 
-	subj = SLOT(&cred->cr_label);
-	obj = SLOT(label);
-
-	if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+	if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
 	    MAC_TE_OPERATION_FILE_READ) == 0)
 		prot |= VM_PROT_READ;
-	if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+	if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
 	    MAC_TE_OPERATION_FILE_EXEC) == 0)
 		prot |= VM_PROT_EXECUTE;
-	if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+	if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
 	    MAC_TE_OPERATION_FILE_WRITE) == 0)
 		prot |= VM_PROT_WRITE;
 	return (prot);
@@ -1249,12 +1262,9 @@
 mac_te_check_vnode_open(struct ucred *cred, struct vnode *vp,
     struct label *filelabel, mode_t acc_mode)
 {
-	struct mac_te *subj, *obj;
 	int object_class, operation;
 	int error;
 
-	subj = SLOT(&cred->cr_label);
-	obj = SLOT(filelabel);
 	/*
 	 * Treat all vnode types as files, for the time being, except
 	 * for directories.
@@ -1277,7 +1287,8 @@
 		default:
 			panic("mac_te_vaccess: invalid object_class");
 		}
-		error = mac_te_check(subj, obj, object_class, operation);
+		error = mac_te_check(&cred->cr_label, filelabel, object_class,
+		    operation);
 		if (error)
 			return (error);
 	}
@@ -1292,7 +1303,8 @@
 		default:
 			panic("mac_te_vaccess: invalid object_class");
 		}
-		error = mac_te_check(subj, obj, object_class, operation);
+		error = mac_te_check(&cred->cr_label, filelabel, object_class,
+		    operation);
 		if (error)
 			return (error);
 	}
@@ -1307,7 +1319,8 @@
 		default:
 			panic("mac_te_vaccess: invalid object_class");
 		}
-		error = mac_te_check(subj, obj, object_class, operation);
+		error = mac_te_check(&cred->cr_label, filelabel, object_class,
+		    operation);
 		if (error)
 			return (error);
 	}
@@ -1318,16 +1331,12 @@
 mac_te_check_vnode_poll(struct ucred *active_cred, struct ucred *saved_cred,
     struct vnode *vp, struct label *label)
 {
-	struct mac_te *subj, *obj;
 	int error;
 
 	if (!mac_te_revocation_enabled)
 		return (0);
 
-	subj = SLOT(&active_cred->cr_label);
-	obj = SLOT(label);
-
-	error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+	error = mac_te_check(&active_cred->cr_label, label, MAC_TE_CLASS_FILE,
 	    MAC_TE_OPERATION_FILE_POLL);
 
 	return (error);
@@ -1337,16 +1346,12 @@
 mac_te_check_vnode_read(struct ucred *active_cred, struct ucred *saved_cred,
     struct vnode *vp, struct label *label)
 {
-	struct mac_te *subj, *obj;
 	int error;
 
 	if (!mac_te_revocation_enabled)
 		return (0);
 
-	subj = SLOT(&active_cred->cr_label);
-	obj = SLOT(label);
-
-	error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+	error = mac_te_check(&active_cred->cr_label, label, MAC_TE_CLASS_FILE,
 	    MAC_TE_OPERATION_FILE_READ);
 
 	return (error);
@@ -1356,12 +1361,8 @@
 mac_te_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel)
 {
-	struct mac_te *subj, *obj;
 
-	subj = SLOT(&cred->cr_label);
-	obj = SLOT(dlabel);
-
-	return (mac_te_check(subj, obj, MAC_TE_CLASS_DIR,
+	return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
 	    MAC_TE_OPERATION_DIR_READDIR));
 }
 
@@ -1369,33 +1370,24 @@
 mac_te_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
     struct label *vnodelabel)
 {
-	struct mac_te *subj, *obj;
 
-	subj = SLOT(&cred->cr_label);
-	obj = SLOT(vnodelabel);
-
-	return (mac_te_check(subj, obj, MAC_TE_CLASS_SYMLINK,
-	    MAC_TE_OPERATION_SYMLINK_READLINK));
+	return (mac_te_check(&cred->cr_label, vnodelabel,
+	    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_READLINK));
 }
 
 static int
 mac_te_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
     struct label *oldlabel, struct label *newlabel)
 {
-	int error, privilege_needed;
 
-	/* Allow no-op updates without privilege. */
-	privilege_needed = 0;
-	if (!mac_te_equal(&cred->cr_label, newlabel))
-		privilege_needed = 1;
+	/* Don't prevent relabel if no-op. */
+	if (mac_te_null_label(newlabel))
+		return (0);
+	if (mac_te_equal(&cred->cr_label, newlabel))
+		return (0);
 
-	if (privilege_needed) {
-		error = suser_cred(cred, 0);
-		if (error)
-			return (error);
-	}
-
-	return (0);
+	/* We should check the TE policy here, but instead we require root. */
+	return (suser_cred(cred, 0));
 }
 
 static int
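Review bot: In `mac_te_check_vnode_relabel()` the test under the "no-op" comment compares `newlabel` with `&cred->cr_label` rather than with the vnode's current label, so it is not a no-op test: a request to relabel any vnode to the caller's own type returns 0 before `suser_cred()` is reached. The ifnet, pipe and socket checks in this change compare against the object's existing label, and the comment here promises the same. If letting a subject stamp its own type on a vnode is not intended, the test should be `if (mac_te_equal(oldlabel, newlabel))`; if it is intended, the comment should say that instead of "no-op". The removed lines made the same comparison, so this is carried over rather than introduced here.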
@@ -1403,8 +1395,8 @@
     struct label *label)
 {
 
-	return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-	    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN));
+	return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
+	    MAC_TE_OPERATION_FILE_ADMIN));
 }
 
 static int
@@ -1414,13 +1406,13 @@
 
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_SETACL));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_SETACL));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_SETACL));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_SETACL));
 	}
 }
@@ -1432,10 +1424,10 @@
 
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_SETEXTATTR));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_SETEXTATTR));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_SETEXTATTR));
 	}
 }
@@ -1447,13 +1439,13 @@
 
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_ADMIN));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN));
 	}
 }
@@ -1465,13 +1457,13 @@
 
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_ADMIN));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN));
 	}
 }
@@ -1483,13 +1475,13 @@
 
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_ADMIN));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN));
 	}
 }
@@ -1501,13 +1493,13 @@
 
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_ADMIN));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN));
 	}
 }
@@ -1519,20 +1511,20 @@
 {
 	int error;
 
-	error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
-	    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE);
+	error = mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+	    MAC_TE_OPERATION_DIR_WRITE);
 	if (error)
 		return (error);
 	/* Not really correct. */
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_DELETE));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE));
 	}
 }
@@ -1544,20 +1536,20 @@
 {
 	int error;
 
-	error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
-	    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE);
+	error = mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR,
+	    MAC_TE_OPERATION_DIR_WRITE);
 	if (error || label == NULL || vp == NULL)
 		return (error);
 	/* Not really correct. */
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_DELETE));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE));
 	}
 }
@@ -1569,13 +1561,13 @@
 
 	switch (vp->v_type) {
 	case VDIR:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
-		    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_STAT));
+		return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR,
+		    MAC_TE_OPERATION_DIR_STAT));
 	case VLNK:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_STAT));
 	default:
-		return (mac_te_check(SLOT(&cred->cr_label), SLOT(label),
+		return (mac_te_check(&cred->cr_label, label,
 		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_STAT));
 	}
 }
@@ -1584,16 +1576,12 @@
 mac_te_check_vnode_write(struct ucred *active_cred, struct ucred *saved_cred,
     struct vnode *vp, struct label *label)
 {
-	struct mac_te *subj, *obj;
 	int error;
 
 	if (!mac_te_revocation_enabled)
 		return (0);
 
-	subj = SLOT(&active_cred->cr_label);
-	obj = SLOT(label);
-
-	error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+	error = mac_te_check(&active_cred->cr_label, label, MAC_TE_CLASS_FILE,
 	    MAC_TE_OPERATION_FILE_WRITE);
 
 	return (error);
@@ -1628,7 +1616,7 @@
 		}
 	}
 
-	mac_te_copy_label(SLOT(&old->cr_label), SLOT(&new->cr_label));
+	mac_te_copy_label(&old->cr_label, &new->cr_label);
 }
 
 static int
@@ -1656,7 +1644,7 @@
     struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
 {
 
-	mac_te_copy_label(SLOT(vnodelabel), SLOT(direntlabel));
+	mac_te_copy_label(vnodelabel, direntlabel);
 }
 

>>> TRUNCATED FOR MAIL (1000 lines) <<<