PERFORCE change 36498 for review

Robert Watson rwatson at FreeBSD.org
Wed Aug 20 18:21:22 GMT 2003


http://perforce.freebsd.org/chv.cgi?CH=36498

Change 36498 by rwatson at rwatson_paprika on 2003/08/20 11:21:18

	Attempt to reduce inter-branch diffs by deleting trailing
	whitespace.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#10 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#10 (text+ko) ====

@@ -88,8 +88,8 @@
 	printf("sebsd:: destroy\n");
 }
 
-/* 
- * Check whether a task is allowed to use a capability. 
+/*
+ * Check whether a task is allowed to use a capability.
  */
 static int
 cred_has_capability(struct ucred *cred, int cap)
@@ -102,7 +102,7 @@
 	AVC_AUDIT_DATA_INIT(&ad, CAP);
 	ad.u.cap = cap;
 
-	return avc_has_perm_audit(task->sid, task->sid, 
+	return avc_has_perm_audit(task->sid, task->sid,
 	    SECCLASS_CAPABILITY, cap, &ad);
 }
 
@@ -114,7 +114,7 @@
 	task = SLOT(&cred->cr_label);
 	target = SLOT(&proc->p_ucred->cr_label);
 
-	return (avc_has_perm_ref(task->sid, target->sid, SECCLASS_PROCESS, 
+	return (avc_has_perm_ref(task->sid, target->sid, SECCLASS_PROCESS,
 	    perm, &target->avcr));
 }
 
@@ -139,7 +139,7 @@
 
 	task = SLOT(&cred->cr_label);
 
-	return (avc_has_perm(task->sid, SECINITSID_KERNEL, 
+	return (avc_has_perm(task->sid, SECINITSID_KERNEL,
 	    SECCLASS_SYSTEM, perm));
 }
 
@@ -150,7 +150,7 @@
 
 	task = SLOT(&cred->cr_label);
 
-	return (avc_has_perm(task->sid, SECINITSID_SECURITY, 
+	return (avc_has_perm(task->sid, SECINITSID_SECURITY,
 	    SECCLASS_SECURITY, perm));
 }
 
@@ -160,16 +160,16 @@
 
 	return (cred_has_system(td->td_proc->p_ucred, perm));
 }
-	      
+
 int
 thread_has_security(struct thread *td, access_vector_t perm)
 {
 
 	return (cred_has_security(td->td_proc->p_ucred, perm));
 }
-	      
+
 static __inline security_class_t
-vnode_type_to_security_class(enum vtype vt) 
+vnode_type_to_security_class(enum vtype vt)
 {
 	switch (vt) {
 	case VREG:
@@ -221,27 +221,27 @@
 }
 
 static __inline access_vector_t
-file_mask_to_av(enum vtype vt, int mask) 
+file_mask_to_av(enum vtype vt, int mask)
 {
 	access_vector_t av = 0;
 
 	if (vt != VDIR) {
-		if (mask & VEXEC) 
+		if (mask & VEXEC)
 			av |= FILE__EXECUTE;
-		if (mask & VREAD) 
+		if (mask & VREAD)
 			av |= FILE__READ;
 
 		if (mask & VAPPEND)
 			av |= FILE__APPEND;
-		else if (mask & VWRITE) 
+		else if (mask & VWRITE)
 			av |= FILE__WRITE;
 
 	} else {
-		if (mask & VEXEC) 
+		if (mask & VEXEC)
 			av |= DIR__SEARCH;
-		if (mask & VWRITE) 
+		if (mask & VWRITE)
 			av |= DIR__WRITE;
-		if (mask & VREAD) 
+		if (mask & VREAD)
 			av |= DIR__READ;
 	}
 
@@ -274,7 +274,7 @@
 			return 1; /* TBD: debugging */
 		}
 	}
-	return avc_has_perm_ref_audit(task->sid, file->sid, file->sclass, 
+	return avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
 				      perm, aeref ? aeref : &file->avcr, &ad);
 }
 
@@ -287,11 +287,11 @@
 	task = SLOT(&cred->cr_label);
 	file = SLOT(pipe->pipe_label);
 
-	/* 
-	 * TBD: No audit information yet 
+	/*
+	 * TBD: No audit information yet
 	 */
 
-	return(avc_has_perm_ref(task->sid, file->sid, file->sclass, 
+	return(avc_has_perm_ref(task->sid, file->sid, file->sclass,
 	    perm, &file->avcr));
 }
 
@@ -427,14 +427,14 @@
 
 	context_len = sizeof(context); /* TBD: bad fixed length */
 	error = vn_extattr_get(vp, IO_NODELOCKED,
-			       SEBSD_MAC_EXTATTR_NAMESPACE, 
+			       SEBSD_MAC_EXTATTR_NAMESPACE,
 			       SEBSD_MAC_EXTATTR_NAME,
 			       &context_len, context, curthread);
 	if (error == ENOATTR || error == EOPNOTSUPP) {
 		vsec->sid = SECINITSID_UNLABELED; /* Use the default label */
 		struct vattr va;
 
-		/* 
+		/*
 		(void)VOP_GETATTR(vp, &va, curthread->td_ucred, curthread);
 		printf("sebsd_update_vnode_from_extattr: no label for "
 		       "inode=%ld, fsid=%d\n", va.va_fileid, va.va_fsid);
@@ -498,7 +498,7 @@
 	parent = SLOT(&cred_parent->cr_label);
 	task = SLOT(&cred_child->cr_label);
 
-	/* Default to using the attributes from the parent process */ 
+	/* Default to using the attributes from the parent process */
 	task->osid = parent->osid;
 	task->sid = parent->sid;
 	
@@ -534,14 +534,14 @@
 	/* Default to the filesystem SID. */
 	dirent->sid = sbsec->sid;
 	dirent->task_sid = SECINITSID_KERNEL;
-	dirent->sclass = 
+	dirent->sclass =
 	    dirent_type_to_security_class(devfs_dirent->de_dirent->d_type);
 
 	/* Obtain a SID based on the fstype, path, and class. */
 	path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
 	path[0] = '/';
 	strcpy(&path[1], fullpath);
-	rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass, 
+	rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass,
 	    &newsid);
 	if (rc == 0)
 		dirent->sid = newsid;
@@ -579,7 +579,7 @@
 	path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
 	path[0] = '/';
 	strcpy(&path[1], fullpath);
-	rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass, 
+	rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass,
 	    &newsid);
 	if (rc == 0)
 		dirent->sid = newsid;
@@ -587,8 +587,8 @@
 	/* TBD: debugging */
 	if (sebsd_verbose > 1) {
 		printf("%s(%s): sbsid=%d, mountpoint=%s, "
-		    "rc=%d, sclass=%d, computedsid=%d, dirent=%d\n", 
-		    __func__, path, sbsec->sid, mp->mnt_stat.f_mntonname, rc, 
+		    "rc=%d, sclass=%d, computedsid=%d, dirent=%d\n",
+		    __func__, path, sbsec->sid, mp->mnt_stat.f_mntonname, rc,
 		    dirent->sclass, newsid, dirent->sid);
 	}
 	free(path, M_SEBSD);
@@ -622,21 +622,21 @@
 	path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
 	path[0] = '/';
 	strcpy(&path[1], fullpath);
-	rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, lnksec->sclass, 
+	rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, lnksec->sclass,
 	    &newsid);
 	if (rc == 0)
 		lnksec->sid = newsid;
 
 	if (sebsd_verbose > 1) {
 		printf("%s(%s): sbsid=%d, mountpoint=%s, rc=%d, sclass=%d, "
-		    "computedsid=%d, dirent=%d\n", __func__, path, 
-		    sbsec->sid, mp->mnt_stat.f_mntonname, rc, 
+		    "computedsid=%d, dirent=%d\n", __func__, path,
+		    sbsec->sid, mp->mnt_stat.f_mntonname, rc,
 		    lnksec->sclass, newsid, lnksec->sid);
 	}
 	free(path, M_SEBSD);
 }
 
-/* 
+/*
  * Use the allocating task SID to label pipes.  On Linux, pipes reside
  * in a pseudo filesystem.
  */
@@ -710,14 +710,14 @@
 		   unique and persistent inode numbers. */
 		sbsec->uses_psids = 1;
 
-		/* 
+		/*
 		 * TBD: need to correctly label mountpoint with persistent
 		 * label at this point (currently vnode is unavailable)
 		 */
 
 		break;
 	case SECURITY_FS_USE_TRANS:
-		/* Transition SIDs are used for pseudo filesystems like 
+		/* Transition SIDs are used for pseudo filesystems like
 		   devpts and tmpfs where you want the SID to be derived
 		   from the SID of the creating process and the SID of
 		   the filesystem. */
@@ -736,12 +736,12 @@
 		break;
 	case SECURITY_FS_USE_NONE:
 		/* No labeling support configured for this filesystem type.
-		   Don't appear to require labeling for binfmt_misc, bdev, 
+		   Don't appear to require labeling for binfmt_misc, bdev,
 		   or rootfs. */
 		break;
 	default:
 		printf("%s:  security_fs_use(%s) returned unrecognized "
-		    "behavior %d\n", __FUNCTION__, mp->mnt_vfc->vfc_name, 
+		    "behavior %d\n", __FUNCTION__, mp->mnt_vfc->vfc_name,
 		    behavior);
 		behavior = SECURITY_FS_USE_NONE;
 		break;
@@ -807,7 +807,7 @@
 	vsec->sclass = vnode_type_to_security_class(child->v_type);
 
 	/* store label in vnode */
-	error = security_sid_to_context(vsec->sid, &context, 
+	error = security_sid_to_context(vsec->sid, &context,
 					&context_len);
 	if (error)
 		return (error);
@@ -891,7 +891,7 @@
 	rc = avc_has_perm(task->sid, newfile->sid, file->sclass,
 	    FIFO_FILE__RELABELTO);
 
-	/* 
+	/*
 	 * TBD: SELinux also check filesystem associate permission:
 	        return avc_has_perm_audit(newsid,
 	                                  sbsec->sid,
@@ -1012,7 +1012,7 @@
 
 	/*
 	 * Should have already checked all the permissions, so just see if
-	 * the SIDS are going to match. 
+	 * the SIDS are going to match.
 	 */
 	if (execlabel == NULL) {
 		(void)security_transition_sid(task->sid, file->sid,
@@ -1193,8 +1193,8 @@
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.vp = dvp;
 
-	rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR, 
-				    DIR__ADD_NAME | DIR__SEARCH, 
+	rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR,
+				    DIR__ADD_NAME | DIR__SEARCH,
 				    &dir->avcr, &ad);
 	if (rc)
 		return rc;
@@ -1214,9 +1214,9 @@
 	 */
 	if (dir->i_sb) {
 		sbsec = dir->i_sb->s_security;
-	rc = avc_has_perm_audit(newsid, sbsec->sid, SECCLASS_FILESYSTEM, 
+	rc = avc_has_perm_audit(newsid, sbsec->sid, SECCLASS_FILESYSTEM,
 				FILESYSTEM__ASSOCIATE, &ad);
-#endif 
+#endif
 	
 	return 0;
 }
@@ -1239,7 +1239,7 @@
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.vp = vp;
 
-	rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR, 
+	rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR,
 	    DIR__SEARCH | DIR__REMOVE_NAME, &dir->avcr, &ad);
 
 	if (rc)
@@ -1250,7 +1250,7 @@
 	else
 		av = FILE__UNLINK;
 
-	rc = avc_has_perm_ref_audit(task->sid, file->sid, file->sclass, 
+	rc = avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
 	    av, &file->avcr, &ad);
 
 	return (rc);
@@ -1290,7 +1290,7 @@
 	ad.u.fs.vp = vp;
 
 	if (newsid == task->sid) {
-		rc = avc_has_perm_audit(task->sid, file->sid, SECCLASS_FILE, 
+		rc = avc_has_perm_audit(task->sid, file->sid, SECCLASS_FILE,
 		    FILE__EXECUTE_NO_TRANS, &ad);
 
 		if (rc)
@@ -1304,7 +1304,7 @@
 		if (rc)
 			return EACCES;
 
-		rc = avc_has_perm_audit(newsid, file->sid, SECCLASS_FILE, 
+		rc = avc_has_perm_audit(newsid, file->sid, SECCLASS_FILE,
 		    FILE__ENTRYPOINT, &ad);
 
 		if (rc)
@@ -1313,10 +1313,10 @@
 		/*
 		 * TBD: Check ptrace permission between the parent and
 		 * the new SID for this process if this process is
-		 * being traced. 
+		 * being traced.
 		 */
 
-		/* 
+		/*
 		 * TBD: Check share permission between the old and new
 		 * SIDs of the process if the process will share
 		 * state.
@@ -1359,19 +1359,19 @@
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.vp = vp;
 
-	rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR, 
+	rc = avc_has_perm_ref_audit(task->sid, dir->sid, SECCLASS_DIR,
 	    DIR__SEARCH | DIR__ADD_NAME, &dir->avcr, &ad);
 	if (rc)
 		return rc;
 
-	rc = avc_has_perm_ref_audit(task->sid, file->sid, file->sclass, 
+	rc = avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
 	    FILE__LINK, &file->avcr, &ad);
 
 	return (0);
 }
 
 static int
-sebsd_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 
+sebsd_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct componentname *cnp)
 {
 
@@ -1444,12 +1444,12 @@
 		       old->sid, vp->v_type);
 		return 0; /* TBD: debugging */
 	}
-	rc = avc_has_perm_ref_audit(task->sid, old->sid, old->sclass, 
+	rc = avc_has_perm_ref_audit(task->sid, old->sid, old->sclass,
 				    FILE__RELABELFROM, &old->avcr, &ad);
 	if (rc)
 		return (rc);
 
-	rc = avc_has_perm_audit(task->sid, new->sid, old->sclass, 
+	rc = avc_has_perm_audit(task->sid, new->sid, old->sclass,
 				FILE__RELABELTO, &ad);
 
 	if (rc)
@@ -1465,7 +1465,7 @@
 
 static int
 sebsd_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
-    struct label *dlabel, struct vnode *vp, struct label *label, 
+    struct label *dlabel, struct vnode *vp, struct label *label,
     struct componentname *cnp)
 {
 	struct task_security_struct *task;
@@ -1490,8 +1490,8 @@
 		return 0; /* TBD: debugging */
 	}
 
-	rc = avc_has_perm_ref_audit(task->sid, old_file->sid, 
-				    old_file->sclass, FILE__RENAME, 
+	rc = avc_has_perm_ref_audit(task->sid, old_file->sid,
+				    old_file->sclass, FILE__RENAME,
 				    &old_file->avcr, &ad);
 	if (rc)
 		return (rc);
@@ -1519,7 +1519,7 @@
 	 * test. TBD - find a way!
 	 */
 	if (vp->v_type == VDIR && !samedir) {
-		rc = avc_has_perm_ref(task->sid, old_file->sid, 
+		rc = avc_has_perm_ref(task->sid, old_file->sid,
 				      old_file->sclass, DIR__REPARENT,
 				      &old_file->avcr);
 		if (rc)
@@ -1534,7 +1534,7 @@
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.vp = vp;
 
-	rc = avc_has_perm_ref(task->sid, new_dir->sid, SECCLASS_DIR, 
+	rc = avc_has_perm_ref(task->sid, new_dir->sid, SECCLASS_DIR,
 			      av, &new_dir->avcr);
 	if (rc)
 		return (rc);
@@ -1547,11 +1547,11 @@
 			return 0; /* TBD: debugging */
 		}
 		if (vp->v_type == VDIR) {
-			rc = avc_has_perm_ref(task->sid, new_file->sid, 
+			rc = avc_has_perm_ref(task->sid, new_file->sid,
 					      new_file->sclass,
 					      DIR__RMDIR, &new_file->avcr);
 		} else {
-			rc = avc_has_perm_ref(task->sid, new_file->sid, 
+			rc = avc_has_perm_ref(task->sid, new_file->sid,
 					      new_file->sclass,
 					      FILE__UNLINK, &new_file->avcr);
 		}
@@ -1635,14 +1635,14 @@
 }
 
 static int
-sebsd_check_system_acct(struct ucred *cred, struct vnode *vp, 
+sebsd_check_system_acct(struct ucred *cred, struct vnode *vp,
     struct label *vlabel)
 {
 
 	return(cred_has_capability(cred, CAPABILITY__SYS_PACCT));
 }
 
-/* 
+/*
  * TBD: LSM/SELinux doesn't have a nfsd hook
  */
 static int
@@ -1683,12 +1683,12 @@
 	return vnode_has_perm(cred, vp, FILE__SWAPON, NULL);
 }
 
-/* 
- * TBD: Sysctl access control is not currently implemented 
+/*
+ * TBD: Sysctl access control is not currently implemented
  */
 static int
 sebsd_check_system_sysctl(struct ucred *cred, int *name,
-    u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, 
+    u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new,
     size_t newlen)
 {
 
@@ -1696,7 +1696,7 @@
 }
 
 static int
-sebsd_check_vnode_write(struct ucred *cred, struct ucred *file_cred, 
+sebsd_check_vnode_write(struct ucred *cred, struct ucred *file_cred,
     struct vnode *vp, struct label *label)
 {
 
@@ -1719,10 +1719,10 @@
 	if (vp) {
 		av = FILE__READ;
 
-		if (newmapping & PROT_WRITE) 
+		if (newmapping & PROT_WRITE)
 			av |= FILE__WRITE;
 
-		if (newmapping & PROT_EXEC) 
+		if (newmapping & PROT_EXEC)
 			av |= FILE__EXECUTE;
 
 		return (vnode_has_perm(cred, vp, av, NULL));