PERFORCE change 18955 for review
Robert Watson
rwatson at freebsd.org
Wed Oct 9 02:58:44 GMT 2002
http://perforce.freebsd.org/p4db/chv.cgi?CH=18955
Change 18955 by rwatson at rwatson_tislabs on 2002/10/08 19:58:11
Back out change set 18953: wrong branch.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/conf/files#55 edit
.. //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vnops.c#29 edit
.. //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.c#10 edit
.. //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.h#9 edit
.. //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs.h#12 edit
.. //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs_vnops.c#19 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#306 edit
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_subr.c#42 edit
.. //depot/projects/trustedbsd/mac/sys/modules/Makefile#38 edit
.. //depot/projects/trustedbsd/mac/sys/modules/procfs/Makefile#9 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#131 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#176 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#138 edit
.. //depot/projects/trustedbsd/mac/sys/ufs/ffs/ffs_vfsops.c#20 edit
.. //depot/projects/trustedbsd/mac/sys/ufs/ufs/ufs_extattr.c#21 edit
.. //depot/projects/trustedbsd/mac/sys/ufs/ufs/ufs_vnops.c#51 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/conf/files#55 (text+ko) ====
@@ -759,6 +759,7 @@
fs/procfs/procfs_dbregs.c optional procfs
fs/procfs/procfs_fpregs.c optional procfs
fs/procfs/procfs_ioctl.c optional procfs
+fs/procfs/procfs_mac.c optional procfs
fs/procfs/procfs_map.c optional procfs
fs/procfs/procfs_mem.c optional procfs
fs/procfs/procfs_note.c optional procfs
==== //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vnops.c#29 (text+ko) ====
@@ -167,7 +167,7 @@
de->de_vnode = vp;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- mac_associate_vnode_devfs(mp, de, vp);
+ mac_create_devfs_vnode(de, vp);
#endif
*vpp = vp;
return (0);
==== //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.c#10 (text+ko) ====
@@ -153,6 +153,7 @@
dir = pfs_create_dir(root, "pid",
&procfs_attr, NULL, PFS_PROCDEP);
+ dir->pn_refreshlabel = &procfs_piddir_refreshlabel;
pfs_create_file(dir, "cmdline", &procfs_doproccmdline,
NULL, NULL, PFS_RD);
pfs_create_file(dir, "ctl", &procfs_doprocctl,
==== //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.h#9 (text+ko) ====
@@ -61,6 +61,9 @@
/* Attributes */
int procfs_attr(PFS_ATTR_ARGS);
+/* MAC */
+int procfs_piddir_refreshlabel(PFS_REFRESHLABEL_ARGS);
+
/* Visibility */
int procfs_notsystem(PFS_VIS_ARGS);
int procfs_candebug(PFS_VIS_ARGS);
==== //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs.h#12 (text+ko) ====
@@ -145,6 +145,15 @@
typedef int (*pfs_getextattr_t)(PFS_GETEXTATTR_ARGS);
/*
+ * Getlabel callback
+ */
+#define PFS_REFRESHLABEL_ARGS \
+ struct thread *td, struct proc *p, struct vnode *vp, \
+ struct pfs_node *pn, struct ucred *cred
+struct mac;
+typedef int (*pfs_refreshlabel_t)(PFS_REFRESHLABEL_ARGS);
+
+/*
* Last-close callback
*/
#define PFS_CLOSE_ARGS \
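Review bot: The comment introducing the new typedef reads `Getlabel callback` while the macro and type it documents are named PFS_REFRESHLABEL_ARGS and pfs_refreshlabel_t, so it should read `/* Refreshlabel callback */` to match the rest of the header's naming. The `struct mac;` forward declaration added just above the typedef is not referenced by PFS_REFRESHLABEL_ARGS, which names only thread, proc, vnode, pfs_node and ucred; unless a later declaration in this header depends on it, it can be dropped, or a one-line comment should say what it is there for.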
@@ -185,6 +194,7 @@
pfs_attr_t pn_attr;
pfs_vis_t pn_vis;
pfs_getextattr_t pn_getextattr;
+ pfs_refreshlabel_t pn_refreshlabel;
void *pn_data;
int pn_flags;
==== //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs_vnops.c#19 (text+ko) ====
@@ -28,6 +28,8 @@
* $FreeBSD: src/sys/fs/pseudofs/pseudofs_vnops.c,v 1.31 2002/09/25 02:32:40 jeff Exp $
*/
+#include "opt_mac.h"
+
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/systm.h>
@@ -35,6 +37,7 @@
#include <sys/dirent.h>
#include <sys/fcntl.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/namei.h>
@@ -729,6 +732,50 @@
return (pfs_vncache_free(va->a_vp));
}
+#ifdef MAC
+/*
+ * Refresh the vnode label as appropriate for the pseudo-file system.
+ */
+static int
+pfs_refreshlabel(struct vop_refreshlabel_args *va)
+{
+ struct vnode *vn = va->a_vp;
+ struct pfs_vdata *pvd = (struct pfs_vdata *)vn->v_data;
+ struct pfs_node *pn = pvd->pvd_pn;
+ struct proc *proc = NULL;
+ int error;
+
+ PFS_TRACE((pd->pn_name));
+
+ if (pn->pn_refreshlabel == NULL) {
+ mac_update_vnode_from_mount(vn, vn->v_mount);
+ return (0);
+ }
+
+ /*
+ * This is necessary because either process' privileges may
+ * have changed since the last open() call.
+ */
+ if (!pfs_visible(curthread, pn, pvd->pvd_pid))
+ PFS_RETURN (EIO);
+
+ /* XXX duplicate bits of pfs_visible() */
+ if (pvd->pvd_pid != NO_PID) {
+ if ((proc = pfind(pvd->pvd_pid)) == NULL)
+ PFS_RETURN (EIO);
+ _PHOLD(proc);
+ PROC_UNLOCK(proc);
+ }
+
+ error = (pn->pn_refreshlabel)(curthread, proc, vn, pn, va->a_cred);
+
+ if (proc != NULL)
+ PRELE(proc);
+
+ PFS_RETURN (error);
+}
+#endif
+
/*
* Set attributes
*/
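Review bot: `PFS_TRACE((pd->pn_name));` in pfs_refreshlabel references `pd`, which is not declared anywhere in the function; the node pointer is `pn`, so the line should read `PFS_TRACE((pn->pn_name));`. This presumably compiles today only because PFS_TRACE expands to nothing unless tracing is compiled in, which is exactly the configuration in which the build would break. The `return (0);` in the `pn->pn_refreshlabel == NULL` branch also bypasses PFS_RETURN, unlike every other exit of the function; `PFS_RETURN (0);` keeps the trace output consistent. As the XXX comment hints, the pfs_visible() check and the later pfind() are two independent lookups of pvd_pid, so the visibility result can be stale by the time the process is held; a comment stating that this window is accepted, or folding the hold into the visibility check, would make the intent explicit.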
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#306 (text+ko) ====
@@ -143,12 +143,23 @@
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
+static int mac_label_size = sizeof(struct oldmac);
+SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
+ &mac_label_size, 0, "Pre-compiled MAC label size");
+
static int mac_cache_fslabel_in_vnode = 1;
SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW,
&mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode");
TUNABLE_INT("security.mac.cache_fslabel_in_vnode",
&mac_cache_fslabel_in_vnode);
+static int mac_vnode_label_cache_hits = 0;
+SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD,
+ &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels");
+static int mac_vnode_label_cache_misses = 0;
+SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD,
+ &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels");
+
static int mac_mmap_revocation = 0;
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
&mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
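Review bot: mac_vnode_label_cache_hits and mac_vnode_label_cache_misses are plain signed ints that vn_refreshlabel, further down in this file at the `mac_vnode_label_cache_hits++` and `mac_vnode_label_cache_misses++` lines, increments with no lock held, so on SMP the counts are approximate and on a long-running system the signed increment can overflow. If they are intended as best-effort statistics, a comment next to the declarations is enough, e.g. `/* Unlocked statistics; approximate under SMP and may wrap. */`; otherwise they should be widened to an unsigned type with the matching SYSCTL macro. The read-only `label_size` sysctl exposing `sizeof(struct oldmac)` is fine as is, but a comment noting that it describes the fixed on-disk extended-attribute record consumed by vop_stdrefreshlabel_ea would tell readers why the value is exported.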
@@ -203,9 +214,12 @@
#endif
static int error_select(int error1, int error2);
+static int mac_externalize_vnode_oldmac(struct label *label,
+ struct oldmac *extmac);
static int mac_policy_register(struct mac_policy_conf *mpc);
static int mac_policy_unregister(struct mac_policy_conf *mpc);
+static int mac_stdcreatevnode_ea(struct vnode *vp);
static void mac_check_vnode_mmap_downgrade(struct ucred *cred,
struct vnode *vp, int *prot);
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
@@ -213,9 +227,6 @@
static void mac_destroy_socket_label(struct label *label);
-static int mac_setlabel_vnode_extattr(struct ucred *cred,
- struct vnode *vp, struct label *intlabel);
-
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
@@ -577,6 +588,10 @@
mpc->mpc_ops->mpo_externalize_vnode_label =
mpe->mpe_function;
break;
+ case MAC_EXTERNALIZE_VNODE_OLDMAC:
+ mpc->mpc_ops->mpo_externalize_vnode_oldmac =
+ mpe->mpe_function;
+ break;
case MAC_INTERNALIZE_CRED_LABEL:
mpc->mpc_ops->mpo_internalize_cred_label =
mpe->mpe_function;
@@ -617,6 +632,10 @@
mpc->mpc_ops->mpo_stdcreatevnode_ea =
mpe->mpe_function;
break;
+ case MAC_CREATE_VNODE:
+ mpc->mpc_ops->mpo_create_vnode =
+ mpe->mpe_function;
+ break;
case MAC_CREATE_MOUNT:
mpc->mpc_ops->mpo_create_mount =
mpe->mpe_function;
@@ -633,24 +652,20 @@
mpc->mpc_ops->mpo_update_devfsdirent =
mpe->mpe_function;
break;
- case MAC_ASSOCIATE_VNODE_DEVFS:
- mpc->mpc_ops->mpo_associate_vnode_devfs =
+ case MAC_UPDATE_PROCFSVNODE:
+ mpc->mpc_ops->mpo_update_procfsvnode =
mpe->mpe_function;
break;
- case MAC_ASSOCIATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_associate_vnode_extattr =
+ case MAC_UPDATE_VNODE_FROM_EXTATTR:
+ mpc->mpc_ops->mpo_update_vnode_from_extattr =
mpe->mpe_function;
break;
- case MAC_ASSOCIATE_VNODE_SINGLELABEL:
- mpc->mpc_ops->mpo_associate_vnode_singlelabel =
+ case MAC_UPDATE_VNODE_FROM_EXTERNALIZED:
+ mpc->mpc_ops->mpo_update_vnode_from_externalized =
mpe->mpe_function;
break;
- case MAC_CREATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_create_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_SETLABEL_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_setlabel_vnode_extattr =
+ case MAC_UPDATE_VNODE_FROM_MOUNT:
+ mpc->mpc_ops->mpo_update_vnode_from_mount =
mpe->mpe_function;
break;
case MAC_CREATE_MBUF_FROM_SOCKET:
@@ -1683,6 +1698,16 @@
}
static int
+mac_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
+{
+ int error;
+
+ MAC_CHECK(externalize_vnode_oldmac, label, extmac);
+
+ return (error);
+}
+
+static int
mac_internalize_cred_label(struct label *label, struct mac *mac,
struct mac_element *element_array)
{
@@ -1786,110 +1811,276 @@
}
void
-mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
- struct vnode *vp)
+mac_update_procfsvnode(struct vnode *vp, struct ucred *cred)
{
- MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de,
- &de->de_label, vp, &vp->v_label);
+ MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred);
}
-int
-mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
+/*
+ * Support callout for policies that manage their own externalization
+ * using extended attributes.
+ */
+static int
+mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
+ MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp,
+ &mp->mnt_fslabel);
+
+ return (error);
+}
+
+/*
+ * Given an externalized mac label, internalize it and stamp it on a
+ * vnode.
+ */
+static int
+mac_update_vnode_from_externalized(struct vnode *vp, struct oldmac *extmac)
+{
+ int error;
- MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
+ MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac);
return (error);
}
+/*
+ * Call out to individual policies to update the label in a vnode from
+ * the mountpoint.
+ */
void
-mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
+mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp)
{
- MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
+ MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp,
+ &mp->mnt_fslabel);
+
+ ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount");
+ if (mac_cache_fslabel_in_vnode)
+ vp->v_vflag |= VV_CACHEDLABEL;
}
+/*
+ * Implementation of VOP_REFRESHLABEL() that relies on extended attributes
+ * to store label data. Can be referenced by filesystems supporting
+ * extended attributes.
+ */
int
-mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
+vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap)
{
- int error;
+ struct vnode *vp = ap->a_vp;
+ struct oldmac extmac;
+ int buflen, error;
- ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr");
- ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr");
+ ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea");
- error = VOP_OPENEXTATTR(vp, cred, curthread);
- if (error == EOPNOTSUPP) {
- /* XXX: Optionally abort if transactions not supported. */
- printf("Warning: transactions not supported in EA write.\n");
- } else if (error)
+ /*
+ * Call out to external policies first. Order doesn't really
+ * matter, as long as failure of one assures failure of all.
+ */
+ error = mac_update_vnode_from_extattr(vp, vp->v_mount);
+ if (error)
return (error);
- MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel,
- dvp, &dvp->v_label, vp, &vp->v_label, cnp);
+ buflen = sizeof(extmac);
+ error = vn_extattr_get(vp, IO_NODELOCKED,
+ FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen,
+ (char *)&extmac, curthread);
+ switch (error) {
+ case 0:
+ /* Got it */
+ break;
+
+ case ENOATTR:
+ /*
+ * Use the label from the mount point.
+ */
+ mac_update_vnode_from_mount(vp, vp->v_mount);
+ return (0);
- if (error) {
- VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
+ case EOPNOTSUPP:
+ default:
+ /* Fail horribly. */
return (error);
}
- error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
+ if (buflen != sizeof(extmac))
+ error = EPERM; /* Fail very closed. */
+ if (error == 0)
+ error = mac_update_vnode_from_externalized(vp, &extmac);
+ if (error == 0)
+ vp->v_vflag |= VV_CACHEDLABEL;
+ else {
+ struct vattr va;
- if (error == EOPNOTSUPP)
- error = 0; /* XXX */
+ printf("Corrupted label on %s",
+ vp->v_mount->mnt_stat.f_mntonname);
+ if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0)
+ printf(" inum %ld", va.va_fileid);
+#ifdef MAC_DEBUG
+ if (mac_debug_label_fallback) {
+ printf(", falling back.\n");
+ mac_update_vnode_from_mount(vp, vp->v_mount);
+ error = 0;
+ } else {
+#endif
+ printf(".\n");
+ error = EPERM;
+#ifdef MAC_DEBUG
+ }
+#endif
+ }
return (error);
}
+/*
+ * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle
+ * the labeling activity outselves. Filesystems should be careful not
+ * to change their minds regarding whether they support vop_refreshlabel()
+ * for a vnode or not. Don't cache the vnode here, allow the file
+ * system code to determine if it's safe to cache. If we update from
+ * the mount, don't cache since a change to the mount label should affect
+ * all vnodes.
+ */
static int
-mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
- struct label *intlabel)
+vn_refreshlabel(struct vnode *vp, struct ucred *cred)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr");
+ ASSERT_VOP_LOCKED(vp, "vn_refreshlabel");
+
+ if (vp->v_mount == NULL) {
+/*
+ Eventually, we probably want to special-case refreshing
+ of deadfs vnodes, and if there's a lock-free race somewhere,
+ that case might be handled here.
+
+ mac_update_vnode_deadfs(vp);
+ return (0);
+ */
+ /* printf("vn_refreshlabel: null v_mount\n"); */
+ if (vp->v_type != VNON)
+ printf(
+ "vn_refreshlabel: null v_mount with non-VNON\n");
+ return (EBADF);
+ }
- error = VOP_OPENEXTATTR(vp, cred, curthread);
- if (error == EOPNOTSUPP) {
- /* XXX: Optionally abort if transactions not supported. */
- printf("Warning: transactions not supported in EA write.\n");
- } else if (error)
- return (error);
+ if (vp->v_vflag & VV_CACHEDLABEL) {
+ mac_vnode_label_cache_hits++;
+ return (0);
+ } else
+ mac_vnode_label_cache_misses++;
- MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel);
+ if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
+ mac_update_vnode_from_mount(vp, vp->v_mount);
+ return (0);
+ }
- if (error) {
- VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
+ error = VOP_REFRESHLABEL(vp, cred, curthread);
+ switch (error) {
+ case EOPNOTSUPP:
+ /*
+ * If labels are not supported on this vnode, fall back to
+ * the label in the mount and propagate it to the vnode.
+ * There should probably be some sort of policy/flag/decision
+ * about doing this.
+ */
+ mac_update_vnode_from_mount(vp, vp->v_mount);
+ error = 0;
+ default:
return (error);
}
+}
+
+/*
+ * Helper function for file systems using the vop_std*_ea() calls. This
+ * function must be called after EA service is available for the vnode,
+ * but before it's hooked up to the namespace so that the node persists
+ * if there's a crash, or before it can be accessed. On successful
+ * commit of the label to disk (etc), do cache the label.
+ */
+int
+vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred)
+{
+ struct oldmac extmac;
+ int error;
+
+ ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea");
+ if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
+ mac_update_vnode_from_mount(tvp, tvp->v_mount);
+ } else {
+ error = vn_refreshlabel(dvp, cred);
+ if (error)
+ return (error);
+
+ /*
+ * Stick the label in the vnode. Then try to write to
+ * disk. If we fail, return a failure to abort the
+ * create operation. Really, this failure shouldn't
+ * happen except in fairly unusual circumstances (out
+ * of disk, etc).
+ */
+ mac_create_vnode(cred, dvp, tvp);
+
+ error = mac_stdcreatevnode_ea(tvp);
+ if (error)
+ return (error);
- error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
+ /*
+ * XXX: Eventually this will go away and all policies will
+ * directly manage their extended attributes.
+ */
+ error = mac_externalize_vnode_oldmac(&tvp->v_label, &extmac);
+ if (error)
+ return (error);
- if (error == EOPNOTSUPP)
- error = 0; /* XXX */
+ error = vn_extattr_set(tvp, IO_NODELOCKED,
+ FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME,
+ sizeof(extmac), (char *)&extmac, curthread);
+ if (error == 0)
+ tvp->v_vflag |= VV_CACHEDLABEL;
+ else {
+#if 0
+ /*
+ * In theory, we could have fall-back behavior here.
+ * It would probably be incorrect.
+ */
+#endif
+ return (error);
+ }
+ }
- return (error);
+ return (0);
}
void
mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp)
{
+ int error;
ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
+ error = vn_refreshlabel(vp, old);
+ if (error) {
+ printf("mac_execve_transition: vn_refreshlabel returned %d\n",
+ error);
+ printf("mac_execve_transition: using old vnode label\n");
+ }
+
MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label);
}
int
mac_execve_will_transition(struct ucred *old, struct vnode *vp)
{
- int result;
+ int error, result;
+
+ error = vn_refreshlabel(vp, old);
+ if (error)
+ return (error);
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label);
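Review bot: mac_execve_transition treats a vn_refreshlabel() failure as a warning — it prints two messages and then runs MAC_PERFORM(execve_transition, ...) against whatever label the vnode currently holds — whereas mac_execve_will_transition immediately below returns the error to its caller, and mac_create_vnode in a later hunk of this file follows the same log-and-continue pattern. Because both are void functions the caller cannot observe the failure, so if continuing is deliberate (for instance because will_transition is expected to have refreshed the same vnode already) that reasoning belongs next to the printf, e.g. `/* vp was refreshed by mac_execve_will_transition(); a failure here is unexpected, so proceed with the cached label. */`; if it is not deliberate, proceeding on a possibly stale label is the fail-open case a MAC framework should avoid. In vn_refreshlabel the `case EOPNOTSUPP:` arm sets `error = 0;` and then falls into `default:` with no marker, so a `/* FALLTHROUGH */` comment would make the intent explicit to readers and to tooling. mac_execve_will_transition's body continues past the end of this hunk.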
@@ -1907,6 +2098,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags);
return (error);
}
@@ -1921,6 +2116,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(dvp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
return (error);
}
@@ -1935,6 +2134,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(dvp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
return (error);
}
@@ -1950,6 +2153,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(dvp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
return (error);
}
@@ -1966,6 +2173,13 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(dvp, cred);
+ if (error)
+ return (error);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
&vp->v_label, cnp);
return (error);
@@ -1982,6 +2196,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
return (error);
}
@@ -1996,6 +2214,9 @@
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label);
return (error);
@@ -2011,6 +2232,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
return (error);
}
@@ -2026,6 +2251,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
attrnamespace, name, uio);
return (error);
@@ -2043,6 +2272,14 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(dvp, cred);
+ if (error)
+ return (error);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
&vp->v_label, cnp);
return (error);
@@ -2059,6 +2296,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(dvp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
return (error);
}
@@ -2073,6 +2314,10 @@
if (!mac_enforce_fs || !mac_enforce_vm)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
return (error);
}
@@ -2103,6 +2348,10 @@
if (!mac_enforce_fs || !mac_enforce_vm)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
return (error);
}
@@ -2117,6 +2366,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
return (error);
}
@@ -2132,6 +2385,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, active_cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
@@ -2149,6 +2406,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, active_cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
@@ -2165,6 +2426,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(dvp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
return (error);
}
@@ -2179,6 +2444,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
return (error);
}
@@ -2191,6 +2460,10 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
return (error);
@@ -2208,6 +2481,13 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(dvp, cred);
+ if (error)
+ return (error);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
&vp->v_label, cnp);
return (error);
@@ -2225,6 +2505,14 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(dvp, cred);
+ if (error)
+ return (error);
+ if (vp != NULL) {
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+ }
MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
vp != NULL ? &vp->v_label : NULL, samedir, cnp);
return (error);
@@ -2240,6 +2528,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
return (error);
}
@@ -2255,6 +2547,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
return (error);
}
@@ -2270,6 +2566,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
attrnamespace, name, uio);
return (error);
@@ -2285,6 +2585,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
return (error);
}
@@ -2299,6 +2603,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
return (error);
}
@@ -2314,6 +2622,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
return (error);
}
@@ -2329,6 +2641,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
mtime);
return (error);
@@ -2345,6 +2661,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, active_cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
return (error);
@@ -2361,6 +2681,10 @@
if (!mac_enforce_fs)
return (0);
+ error = vn_refreshlabel(vp, active_cred);
+ if (error)
+ return (error);
+
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
&vp->v_label);
@@ -3142,6 +3466,16 @@
&de->de_label);
}
+static int
+mac_stdcreatevnode_ea(struct vnode *vp)
+{
+ int error;
+
+ MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label);
+
+ return (error);
+}
+
void
mac_create_devfs_directory(char *dirname, int dirnamelen,
struct devfs_dirent *de)
@@ -3158,10 +3492,18 @@
mac_create_vnode(struct ucred *cred, struct vnode *parent,
struct vnode *child)
{
+ int error;
ASSERT_VOP_LOCKED(parent, "mac_create_vnode");
ASSERT_VOP_LOCKED(child, "mac_create_vnode");
+ error = vn_refreshlabel(parent, cred);
+ if (error) {
+ printf("mac_create_vnode: vn_refreshlabel returned %d\n",
+ error);
+ printf("mac_create_vnode: using old vnode label\n");
+ }
+
MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child,
&child->v_label);
}
@@ -3262,19 +3604,35 @@
{
struct vnode *vp = ap->a_vp;
struct label *intlabel = ap->a_label;
+ struct oldmac extmac;
int error;
>>> TRUNCATED FOR MAIL (1000 lines) <<<