PERFORCE change 110123 for review

Todd Miller millert at FreeBSD.org
Thu Nov 16 19:14:59 UTC 2006


http://perforce.freebsd.org/chv.cgi?CH=110123

Change 110123 by millert at millert_macbook on 2006/11/16 19:13:40

	Remove mac_file_check_{get,change}_flags and 
	mac_file_check_{get,change}_ofileflags.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_descrip.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_generic.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#16 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_file.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#19 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#28 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#45 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_descrip.c#7 (text+ko) ====

@@ -410,42 +410,22 @@
 		goto out;
 
 	case F_GETFD:
-#ifdef MAC
-		error = mac_file_check_get_ofileflags(proc_ucred(p),
-		    fp->f_fglob, *pop);
-		if (error == 0)
-#endif
-			*retval = (*pop & UF_EXCLOSE)? 1 : 0;
+		*retval = (*pop & UF_EXCLOSE)? 1 : 0;
+		error = 0;
 		goto out;
 
 	case F_SETFD:
-#ifdef MAC
-		error = mac_file_check_change_ofileflags(proc_ucred(p),
-		    fp->f_fglob, *pop, (*pop &~ UF_EXCLOSE) |
-		    (uap->arg & 1 ? UF_EXCLOSE : 0));
-		if (error == 0)
-#endif
-			*pop = (*pop &~ UF_EXCLOSE) |
-				(uap->arg & 1)? UF_EXCLOSE : 0;
+		*pop = (*pop &~ UF_EXCLOSE) |
+			(uap->arg & 1)? UF_EXCLOSE : 0;
+		error = 0;
 		goto out;
 
 	case F_GETFL:
-#ifdef MAC
-		error = mac_file_check_get_flags(proc_ucred(p), fp->f_fglob,
-		    fp->f_flag);
-		if (error == 0)
-#endif
-			*retval = OFLAGS(fp->f_flag);
+		*retval = OFLAGS(fp->f_flag);
+		error = 0;
 		goto out;
 
 	case F_SETFL:
-#ifdef MAC
-		error = mac_file_check_change_flags(proc_ucred(p),
-		    fp->f_fglob, fp->f_flag, (fp->f_flag & ~FCNTLFLAGS) |
-		    (FFLAGS(CAST_DOWN(int, uap->arg)) & FCNTLFLAGS));
-		if (error)
-			goto out;
-#endif
 		fp->f_flag &= ~FCNTLFLAGS;
 		tmp = CAST_DOWN(int, uap->arg);
 		fp->f_flag |= FFLAGS(tmp) & FCNTLFLAGS;
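Review bot: The F_SETFD assignment kept on the new side still mis-parses, because `|` binds tighter than `?:`, so it evaluates as `((*pop &~ UF_EXCLOSE) | (uap->arg & 1)) ? UF_EXCLOSE : 0`. When any other bit is set in `*pop`, close-on-exec is forced on, a request to clear it is ignored, and the other bits are discarded. The removed MAC call parenthesized the same expression correctly; the assignment should read `*pop = (*pop &~ UF_EXCLOSE) | ((uap->arg & 1) ? UF_EXCLOSE : 0);`. With the flag hooks gone, F_SETFL changes such as O_APPEND are mediated only if an earlier check runs before this switch, for example the `mac_file_check_fcntl` call that the framework header still declares. The function starts and ends outside the hunk, so that should be confirmed there.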
@@ -2484,12 +2464,6 @@
 	lf.l_len = 0;
 	if (how & LOCK_UN) {
 		lf.l_type = F_UNLCK;
-#ifdef MAC
-		error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob,
-		    fp->f_flag, fp->f_flag & ~FHASLOCK);
-		if (error)
-			goto out;
-#endif
 		fp->f_flag &= ~FHASLOCK;
 		error = VNOP_ADVLOCK(vp, (caddr_t)fp->f_fglob, F_UNLCK, &lf, F_FLOCK, &context);
 		goto out;
@@ -2503,12 +2477,6 @@
 		goto out;
 	}
 #ifdef MAC
-	error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob,
-	    fp->f_flag, fp->f_flag | FHASLOCK);
-	if (error)
-		goto out;
-#endif
-#ifdef MAC
 	error = mac_file_check_lock(proc_ucred(p), fp->f_fglob, F_SETLK, &lf);
 	if (error)
 		goto out;

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_generic.c#5 (text+ko) ====

@@ -752,7 +752,7 @@
 	if (error)
 		goto out;
 #endif
-		
+
 #if NETAT
 	/*
 	 * ### LD 6/11/97 Hack Alert: this is to get AppleTalk to work
@@ -777,22 +777,12 @@
 
 	switch (com = uap->com) {
 	case FIONCLEX:
-#ifdef MAC
-		error = mac_file_check_change_ofileflags(proc_ucred(p),
-		    fp->f_fglob, *fdflags(p, uap->fd),
-		    *fdflags(p, uap->fd) & ~UF_EXCLOSE);
-		if (error == 0)
-#endif
-			*fdflags(p, uap->fd) &= ~UF_EXCLOSE;
+		*fdflags(p, uap->fd) &= ~UF_EXCLOSE;
+		error =0;
 		goto out;
 	case FIOCLEX:
-#ifdef MAC
-		error = mac_file_check_change_ofileflags(proc_ucred(p),
-		    fp->f_fglob, *fdflags(p, uap->fd),
-		    *fdflags(p, uap->fd) | UF_EXCLOSE);
-		if (error == 0)
-#endif
-			*fdflags(p, uap->fd) |= UF_EXCLOSE;
+		*fdflags(p, uap->fd) |= UF_EXCLOSE;
+		error =0;
 		goto out;
 	}
 
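Review bot: `error =0;` in both the FIONCLEX and FIOCLEX cases is missing the space used by the matching `error = 0;` lines in kern_descrip.c; write `error = 0;`. Whether the reset is needed at all depends on `error` possibly being non-zero when the switch is reached, which this hunk does not show. After this change, close-on-exec toggled through ioctl is no longer passed to any policy hook in these two cases. It is worth confirming that the check ahead of the switch (outside the hunk) is the intended mediation point, and adding a short comment such as `/* close-on-exec is per-descriptor state; no separate MAC check */`.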
@@ -856,13 +846,6 @@
 	switch (com) {
 
 	case FIONBIO:
-#ifdef MAC
-		error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob,
-		    fp->f_flag, *(int *)datap ? fp->f_flag | FNONBLOCK :
-		    fp->f_flag & ~FNONBLOCK);
-		if (error)
-			goto out;
-#endif
 		if ( (tmp = *(int *)datap) )
 			fp->f_flag |= FNONBLOCK;
 		else
@@ -871,13 +854,6 @@
 		break;
 
 	case FIOASYNC:
-#ifdef MAC
-		error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob,
-		    fp->f_flag, *(int *)datap ? fp->f_flag | FASYNC :
-		    fp->f_flag & ~FASYNC);
-		if (error)
-			goto out;
-#endif
 		if ( (tmp = *(int *)datap) )
 			fp->f_flag |= FASYNC;
 		else
@@ -2495,4 +2471,3 @@
 
 	return(0);
 }
-

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#16 (text+ko) ====

@@ -1746,13 +1746,6 @@
 		if ((flags & FNONBLOCK) == 0)
 			type |= F_WAIT;
 #ifdef MAC
-		error = mac_file_check_change_flags(vfs_context_ucred(ctx),
-		    fp->f_fglob, fp->f_fglob->fg_flag,
-		    fp->f_fglob->fg_flag | FHASLOCK);
-		if (error)
-			goto bad;
-#endif
-#ifdef MAC
 		error = mac_file_check_lock(vfs_context_ucred(ctx), fp->f_fglob,
 		    F_SETLK, &lf);
 		if (error)

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_file.c#7 (text+ko) ====

@@ -143,48 +143,6 @@
 }
 
 int
-mac_file_check_get_flags(struct ucred *cred, struct fileglob *fg,
-    u_int flags)
-{
-	int error;
-
-	MAC_CHECK(file_check_get_flags, cred, fg, fg->fg_label, flags);
-	return (error);
-}
-
-int
-mac_file_check_get_ofileflags(struct ucred *cred, struct fileglob *fg,
-    char flags)
-{
-	int error;
-
-	MAC_CHECK(file_check_get_ofileflags, cred, fg, fg->fg_label, flags);
-	return (error);
-}
-
-int
-mac_file_check_change_flags(struct ucred *cred, struct fileglob *fg,
-    u_int oldflags, u_int newflags)
-{
-	int error;
-
-	MAC_CHECK(file_check_change_flags, cred, fg, fg->fg_label, oldflags,
-	    newflags);
-	return (error);
-}
-
-int
-mac_file_check_change_ofileflags(struct ucred *cred, struct fileglob *fg,
-    char oldflags, char newflags)
-{
-	int error;
-
-	MAC_CHECK(file_check_change_ofileflags, cred, fg, fg->fg_label,
-	    oldflags, newflags);
-	return (error);
-}
-
-int
 mac_file_check_get_offset(struct ucred *cred, struct fileglob *fg)
 {
 	int error;

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#19 (text+ko) ====

@@ -122,22 +122,14 @@
 void	mac_devfs_label_update(struct mount *mp, struct devnode *de,
 	    struct vnode *vp);
 int	mac_execve_enter(user_addr_t mac_p, struct label *execlabel);
-int	mac_file_check_change_flags(struct ucred *cred, struct fileglob *fg,
-	    u_int oldflags, u_int newflags);
 int	mac_file_check_change_offset(struct ucred *cred, struct fileglob *fg);
-int	mac_file_check_change_ofileflags(struct ucred *cred,
-	    struct fileglob *fg, char oldflags, char newflags);
 int	mac_file_check_create(struct ucred *cred);
 int	mac_file_check_dup(struct ucred *cred, struct fileglob *fg, int newfd);
 int	mac_file_check_fcntl(struct ucred *cred, struct fileglob *fg, int cmd,
 	    long arg);
 int	mac_file_check_get(struct ucred *cred, struct fileglob *fg,
 	    char *elements, int len);
-int	mac_file_check_get_flags(struct ucred *cred, struct fileglob *fg,
-	    u_int flags);
 int	mac_file_check_get_offset(struct ucred *cred, struct fileglob *fg);
-int	mac_file_check_get_ofileflags(struct ucred *cred, struct fileglob *fg,
-	    char flags);
 int	mac_file_check_inherit(struct ucred *cred, struct fileglob *fg);
 int	mac_file_check_ioctl(struct ucred *cred, struct fileglob *fg,
 	    u_long com, void *data);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#28 (text+ko) ====

@@ -580,48 +580,6 @@
 	struct label *vnodelabel
 );
 /**
-  @brief Access control for changing file descriptor flags
-  @param cred Subject credential
-  @param fg Fileglob structure
-  @param label Policy label for fg
-  @param oldflags Old fd flags
-  @param newflags New fd flags
-
-  Determine whether the subject identified by the credential can
-  change the specified flags for the fileglob structure represented by fg.
-
-  @return Return 0 if access if granted, otherwise an appropriate
-  value for errno should be returned.
-*/
-typedef int mpo_file_check_change_flags_t(
-	struct ucred *cred,
-	struct fileglob *fg,
-	struct label *label,
-	u_int oldflags,
-	u_int newflags
-);
-/**
-  @brief Access control for changing open file flags
-  @param cred Subject credential
-  @param fg Fileglob structure
-  @param label Policy label for fg
-  @param flags Old flags
-  @param flags New flags
-
-  Determine whether the subject identified by the credential can
-  change the open file flags for the fileglob structure represented by fg.
-
-  @return Return 0 if access if granted, otherwise an appropriate
-  value for errno should be returned.
-*/
-typedef int mpo_file_check_change_ofileflags_t(
-	struct ucred *cred,
-	struct fileglob *fg,
-	struct label *label,
-	char oldflags,
-	char newflags
-);
-/**
   @brief Access control for changing the offset of a file descriptor
   @param cred Subject credential
   @param fg Fileglob structure
@@ -710,25 +668,6 @@
 	int len
 );
 /**
-  @brief Access control for getting file descriptor flags
-  @param cred Subject credential
-  @param fg Fileglob structure
-  @param label Policy label for fg
-  @param flags Requested flags
-
-  Determine whether the subject identified by the credential can
-  get the specified flags for the fileglob structure represented by fg.
-
-  @return Return 0 if access if granted, otherwise an appropriate
-  value for errno should be returned.
-*/
-typedef int mpo_file_check_get_flags_t(
-	struct ucred *cred,
-	struct fileglob *fg,
-	struct label *label,
-	u_int flags
-);
-/**
   @brief Access control for getting the offset of a file descriptor
   @param cred Subject credential
   @param fg Fileglob structure
@@ -746,25 +685,6 @@
 	struct label *label
 );
 /**
-  @brief Access control for getting open file flags
-  @param cred Subject credential
-  @param fg Fileglob structure
-  @param label Policy label for fg
-  @param flags Requested flags
-
-  Determine whether the subject identified by the credential can
-  get the open file flags for the fileglob structure represented by fg.
-
-  @return Return 0 if access if granted, otherwise an appropriate
-  value for errno should be returned.
-*/
-typedef int mpo_file_check_get_ofileflags_t(
-	struct ucred *cred,
-	struct fileglob *fg,
-	struct label *label,
-	char flags
-);
-/**
   @brief Access control for inheriting a file descriptor
   @param cred Subject credential
   @param fg Fileglob structure
@@ -5123,15 +5043,11 @@
 	mpo_devfs_label_destroy_t		*mpo_devfs_label_destroy;
 	mpo_devfs_label_init_t			*mpo_devfs_label_init;
 	mpo_devfs_label_update_t		*mpo_devfs_label_update;
-	mpo_file_check_change_flags_t		*mpo_file_check_change_flags;
 	mpo_file_check_change_offset_t		*mpo_file_check_change_offset;
-	mpo_file_check_change_ofileflags_t	*mpo_file_check_change_ofileflags;
 	mpo_file_check_create_t			*mpo_file_check_create;
 	mpo_file_check_dup_t			*mpo_file_check_dup;
 	mpo_file_check_fcntl_t			*mpo_file_check_fcntl;
-	mpo_file_check_get_flags_t		*mpo_file_check_get_flags;
 	mpo_file_check_get_offset_t		*mpo_file_check_get_offset;
-	mpo_file_check_get_ofileflags_t		*mpo_file_check_get_ofileflags;
 	mpo_file_check_get_t			*mpo_file_check_get;
 	mpo_file_check_inherit_t		*mpo_file_check_inherit;
 	mpo_file_check_ioctl_t			*mpo_file_check_ioctl;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#45 (text+ko) ====

@@ -3146,43 +3146,6 @@
 }
 
 static int
-sebsd_file_check_get_flags(struct ucred *cred, struct fileglob *fg,
-    struct label *fglabel, u_int flags)
-{
-
-	return (file_has_perm(cred, fg, fglabel, 0));
-}
-
-static int
-sebsd_file_check_get_ofileflags(struct ucred *cred, struct fileglob *fg,
-    struct label *fglabel, char flags)
-{
-
-	return (file_has_perm(cred, fg, fglabel, 0));
-}
-
-static int
-sebsd_file_check_change_flags(struct ucred *cred, struct fileglob *fg,
-    struct label *fglabel, u_int oldflags, u_int newflags)
-{
-	u_int32_t av = 0;
-
-	if ((newflags & O_APPEND) && !(oldflags & O_APPEND))
-		av = FILE__WRITE;
-
-	return (file_has_perm(cred, fg, fglabel, av));
-}
-
-static int
-sebsd_file_check_change_ofileflags(struct ucred *cred, struct fileglob *fg,
-    struct label *fglabel, char oldflags, char newflags)
-{
-
-	/* XXX - should set av to something */
-	return (file_has_perm(cred, fg, fglabel, 0));
-}
-
-static int
 sebsd_file_check_get_offset(struct ucred *cred, struct fileglob *fg,
     struct label *fglabel)
 {
@@ -3552,13 +3515,9 @@
 	.mpo_devfs_label_destroy = sebsd_vnode_label_destroy,
 	.mpo_devfs_label_init = sebsd_vnode_label_init,
 	.mpo_devfs_label_update = sebsd_devfs_update,
-	.mpo_file_check_change_flags = sebsd_file_check_change_flags,
 	.mpo_file_check_change_offset = sebsd_file_check_change_offset,
-	.mpo_file_check_change_ofileflags = sebsd_file_check_change_ofileflags,
 	.mpo_file_check_dup = sebsd_file_check_dup,
-	.mpo_file_check_get_flags = sebsd_file_check_get_flags,
 	.mpo_file_check_get_offset = sebsd_file_check_get_offset,
-	.mpo_file_check_get_ofileflags = sebsd_file_check_get_ofileflags,
 	.mpo_file_check_inherit = sebsd_file_check_receive,
 	.mpo_file_check_ioctl = sebsd_file_check_ioctl,
 	.mpo_file_check_lock = sebsd_file_check_lock,

