Implementations of mpo_check_vnode_deleteextattr() and
mpo_check_vnode_listextattr() for Biba, MLS, and BSD Extended.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
This commit is contained in:
parent
40ba5e2b2e
commit
f791d2d3e6
@ -2070,6 +2070,24 @@ mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, int attrnamespace, const char *name)
|
||||
{
|
||||
struct mac_biba *subj, *obj;
|
||||
|
||||
if (!mac_biba_enabled)
|
||||
return (0);
|
||||
|
||||
subj = SLOT(&cred->cr_label);
|
||||
obj = SLOT(label);
|
||||
|
||||
if (!mac_biba_dominate_single(subj, obj))
|
||||
return (EACCES);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, struct image_params *imgp,
|
||||
@ -2162,6 +2180,24 @@ mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, int attrnamespace)
|
||||
{
|
||||
struct mac_biba *subj, *obj;
|
||||
|
||||
if (!mac_biba_enabled)
|
||||
return (0);
|
||||
|
||||
subj = SLOT(&cred->cr_label);
|
||||
obj = SLOT(label);
|
||||
|
||||
if (!mac_biba_dominate_single(obj, subj))
|
||||
return (EACCES);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
|
||||
struct label *dlabel, struct componentname *cnp)
|
||||
@ -2683,10 +2719,12 @@ static struct mac_policy_ops mac_biba_ops =
|
||||
.mpo_check_vnode_create = mac_biba_check_vnode_create,
|
||||
.mpo_check_vnode_delete = mac_biba_check_vnode_delete,
|
||||
.mpo_check_vnode_deleteacl = mac_biba_check_vnode_deleteacl,
|
||||
.mpo_check_vnode_deleteextattr = mac_biba_check_vnode_deleteextattr,
|
||||
.mpo_check_vnode_exec = mac_biba_check_vnode_exec,
|
||||
.mpo_check_vnode_getacl = mac_biba_check_vnode_getacl,
|
||||
.mpo_check_vnode_getextattr = mac_biba_check_vnode_getextattr,
|
||||
.mpo_check_vnode_link = mac_biba_check_vnode_link,
|
||||
.mpo_check_vnode_listextattr = mac_biba_check_vnode_listextattr,
|
||||
.mpo_check_vnode_lookup = mac_biba_check_vnode_lookup,
|
||||
.mpo_check_vnode_mmap = mac_biba_check_vnode_mmap,
|
||||
.mpo_check_vnode_mprotect = mac_biba_check_vnode_mmap,
|
||||
|
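Review bot: The two new Biba hooks apply the dominance check in deliberately opposite directions — deleteextattr tests `mac_biba_dominate_single(subj, obj)` while listextattr tests `mac_biba_dominate_single(obj, subj)` — and nothing in the code says why, so a later reader could "harmonise" them into the wrong direction. A one-line comment above each check would pin the intent: for deleteextattr `/* Deleting an attribute writes the object: no write-up, so the subject's integrity must dominate the object's. */` and for listextattr `/* Listing attributes reads the object: no read-down, so the object's integrity must dominate the subject's. */`. Neither hook consults `attrnamespace` or `name`; if the policy treats some namespace specially elsewhere, a comment noting that the namespace is intentionally ignored here would help. The same comments apply to the mirror-image checks in the MLS hooks in this commit.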
@ -1,6 +1,6 @@
|
||||
/*-
|
||||
* Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
|
||||
* Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed by Robert Watson for the TrustedBSD Project.
|
||||
@ -417,6 +417,22 @@ mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
|
||||
return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
|
||||
}
|
||||
|
||||
static int
|
||||
mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, int attrnamespace, const char *name)
|
||||
{
|
||||
struct vattr vap;
|
||||
int error;
|
||||
|
||||
if (!mac_bsdextended_enabled)
|
||||
return (0);
|
||||
|
||||
error = VOP_GETATTR(vp, &vap, cred, curthread);
|
||||
if (error)
|
||||
return (error);
|
||||
return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE));
|
||||
}
|
||||
|
||||
static int
|
||||
mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, struct image_params *imgp,
|
||||
@ -494,6 +510,22 @@ mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, int attrnamespace)
|
||||
{
|
||||
struct vattr vap;
|
||||
int error;
|
||||
|
||||
if (!mac_bsdextended_enabled)
|
||||
return (0);
|
||||
|
||||
error = VOP_GETATTR(vp, &vap, cred, curthread);
|
||||
if (error)
|
||||
return (error);
|
||||
return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
|
||||
}
|
||||
|
||||
static int
|
||||
mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
|
||||
struct label *dlabel, struct componentname *cnp)
|
||||
@ -752,10 +784,12 @@ static struct mac_policy_ops mac_bsdextended_ops =
|
||||
.mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
|
||||
.mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete,
|
||||
.mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
|
||||
.mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
|
||||
.mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
|
||||
.mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
|
||||
.mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
|
||||
.mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
|
||||
.mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr,
|
||||
.mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
|
||||
.mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
|
||||
.mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,
|
||||
|
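Review bot: Both new hooks map the operation onto a plain vnode access mode — deleteextattr onto VWRITE and listextattr onto VREAD — whereas the neighbouring deleteacl hook in the first hunk passes VADMIN, and the reason for the distinction is not stated in the code. A comment above the return in deleteextattr, `/* Treat attribute removal as a write to the file, not an administrative op (cf. deleteacl, which requires VADMIN). */`, would record that decision, and a matching `/* Listing attributes is a read of the file. */` in listextattr would complete it. `label`, `attrnamespace` and `name` are not referenced in either hook, so any namespace-specific policy presumably lives in mac_bsdextended_check or the rule set, but that cannot be confirmed from these hunks.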
@ -1839,6 +1839,24 @@ mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, int attrnamespace, const char *name)
|
||||
{
|
||||
struct mac_mls *subj, *obj;
|
||||
|
||||
if (!mac_mls_enabled)
|
||||
return (0);
|
||||
|
||||
subj = SLOT(&cred->cr_label);
|
||||
obj = SLOT(label);
|
||||
|
||||
if (!mac_mls_dominate_single(obj, subj))
|
||||
return (EACCES);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, struct image_params *imgp,
|
||||
@ -1930,6 +1948,25 @@ mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, int attrnamespace)
|
||||
{
|
||||
|
||||
struct mac_mls *subj, *obj;
|
||||
|
||||
if (!mac_mls_enabled)
|
||||
return (0);
|
||||
|
||||
subj = SLOT(&cred->cr_label);
|
||||
obj = SLOT(label);
|
||||
|
||||
if (!mac_mls_dominate_single(subj, obj))
|
||||
return (EACCES);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
|
||||
struct label *dlabel, struct componentname *cnp)
|
||||
@ -2445,10 +2482,12 @@ static struct mac_policy_ops mac_mls_ops =
|
||||
.mpo_check_vnode_create = mac_mls_check_vnode_create,
|
||||
.mpo_check_vnode_delete = mac_mls_check_vnode_delete,
|
||||
.mpo_check_vnode_deleteacl = mac_mls_check_vnode_deleteacl,
|
||||
.mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr,
|
||||
.mpo_check_vnode_exec = mac_mls_check_vnode_exec,
|
||||
.mpo_check_vnode_getacl = mac_mls_check_vnode_getacl,
|
||||
.mpo_check_vnode_getextattr = mac_mls_check_vnode_getextattr,
|
||||
.mpo_check_vnode_link = mac_mls_check_vnode_link,
|
||||
.mpo_check_vnode_listextattr = mac_mls_check_vnode_listextattr,
|
||||
.mpo_check_vnode_lookup = mac_mls_check_vnode_lookup,
|
||||
.mpo_check_vnode_mmap = mac_mls_check_vnode_mmap,
|
||||
.mpo_check_vnode_mprotect = mac_mls_check_vnode_mmap,
|
||||
|
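Review bot: mac_mls_check_vnode_listextattr has a stray blank line between the opening brace and the `struct mac_mls *subj, *obj;` declaration, which the sibling deleteextattr hook in the earlier hunk and the Biba counterpart do not have (the hunk header's +25 versus Biba's +24 is that line); dropping it keeps the hooks uniform under style(9). The dominance directions are the confidentiality mirror of Biba's — delete requires `mac_mls_dominate_single(obj, subj)` and list requires `mac_mls_dominate_single(subj, obj)` — and each deserves a one-line comment so the asymmetry reads as intentional, such as `/* No write-down: the object's level must dominate the subject's. */` above the delete check and `/* No read-up: the subject's level must dominate the object's. */` above the list check.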