Map VAPPEND to VWRITE since the ugidfw rule syntax doesn't specifically

address the append access mode. Reported by: "Daniel C. Sobral" <dcs@newsguy.com> Obtained from: TrustedBSD Project Sponosred by: DARPA, Network Associates Laboratories MFC Candidate.
2002-12-28 23:41:18 +00:00 · 2002-12-28 23:41:18 +00:00 · 7892c5c36d
commit 7892c5c36d
parent 954749368b
1 changed files with 9 additions and 0 deletions
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@ -279,6 +279,15 @@ mac_bsdextended_check(struct ucred *cred, uid_t object_uid, gid_t object_gid,
 		if (rules[i] == NULL)
 			continue;

+		/*
+		 * Since we don't separately handle append, map append to
+		 * write.
+		 */
+		if (acc_mode & VAPPEND) {
+			acc_mode &= ~VAPPEND;
+			acc_mode |= VWRITE;
+		}
+
 		error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
 		    object_gid, acc_mode);
 		if (error)