Integrate a devfs/MAC fix from the MAC tree: avoid a race condition during
devfs VOP symlink creation by introducing a new entry point to determine the label of the devfs_dirent prior to allocation of a vnode for the symlink.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
This commit is contained in:
parent
5846242df8
commit
7b150b70c2
@ -868,12 +868,11 @@ devfs_symlink(ap)
|
||||
MALLOC(de->de_symlink, char *, i, M_DEVFS, M_WAITOK);
|
||||
bcopy(ap->a_target, de->de_symlink, i);
|
||||
lockmgr(&dmp->dm_lock, LK_EXCLUSIVE, 0, curthread);
|
||||
#ifdef MAC
|
||||
mac_create_devfs_symlink(ap->a_cnp->cn_cred, dd, de);
|
||||
#endif
|
||||
TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list);
|
||||
devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, 0);
|
||||
#ifdef MAC
|
||||
mac_create_vnode(ap->a_cnp->cn_cred, ap->a_dvp, *ap->a_vpp);
|
||||
mac_update_devfsdirent(de, *ap->a_vpp);
|
||||
#endif /* MAC */
|
||||
lockmgr(&dmp->dm_lock, LK_RELEASE, 0, curthread);
|
||||
return (0);
|
||||
}
|
||||
|
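Review bot: The result of `devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, 0);` is still discarded and the function returns 0 unconditionally, so if devfs_allocv can report failure the caller is told success with `*ap->a_vpp` unset; if it does return an error, capture it with `error = devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, 0);` (adding an `error` local if devfs_symlink has none) and return it after the `LK_RELEASE` instead of `return (0);`. The new `mac_create_devfs_symlink(ap->a_cnp->cn_cred, dd, de);` call sits before `TAILQ_INSERT_TAIL`, which is what closes the race — the dirent is never reachable through `dd->de_dlist` without a label — but nothing in the code says so, so a comment above the `#ifdef MAC` such as `/* Label the dirent before linking it into dd so no lookup can observe it unlabeled. */` would protect that ordering from a later reshuffle. The new `#endif` also lacks the `/* MAC */` tag that the other `#endif /* MAC */` in this hunk carries, which looks like the file's convention. devfs_symlink begins outside the hunk.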
@ -519,6 +519,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_create_devfs_directory =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_SYMLINK:
|
||||
mpc->mpc_ops->mpo_create_devfs_symlink =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_VNODE:
|
||||
mpc->mpc_ops->mpo_create_devfs_vnode =
|
||||
mpe->mpe_function;
|
||||
@ -2946,6 +2950,15 @@ mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
|
||||
MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
|
||||
&de->de_label);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_stdcreatevnode_ea(struct vnode *vp)
|
||||
{
|
||||
|
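Review bot: `mac_create_devfs_symlink` is the only `mac_create_devfs_*` entry point in view that takes a `struct ucred`, and neither its definition nor its prototype explains why or what state it expects, so add a block comment above the `void` line describing that it initializes `de->de_label` for a symlink dirent created on behalf of `cred` under parent `dd`, that the devfs_symlink caller invokes it with the devfs mount lock held and before the dirent is linked into the parent's list, and that `dd->de_label` is presumably read-only input while `de->de_label` is the label being set. The `mac_policy_register` hunk above wires `MAC_CREATE_DEVFS_SYMLINK` in the established switch pattern and needs no change. The same documentation point applies to each repeated copy of this hunk further down the page.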
@ -519,6 +519,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_create_devfs_directory =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_SYMLINK:
|
||||
mpc->mpc_ops->mpo_create_devfs_symlink =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_VNODE:
|
||||
mpc->mpc_ops->mpo_create_devfs_vnode =
|
||||
mpe->mpe_function;
|
||||
@ -2946,6 +2950,15 @@ mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
|
||||
MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
|
||||
&de->de_label);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_stdcreatevnode_ea(struct vnode *vp)
|
||||
{
|
||||
|
@ -244,6 +244,8 @@ void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de);
|
||||
void mac_create_devfs_directory(char *dirname, int dirnamelen,
|
||||
struct devfs_dirent *de);
|
||||
void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp);
|
||||
void mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de);
|
||||
void mac_create_vnode(struct ucred *cred, struct vnode *parent,
|
||||
struct vnode *child);
|
||||
void mac_create_mount(struct ucred *cred, struct mount *mp);
|
||||
|
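Review bot: The new prototype `void mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd, struct devfs_dirent *de);` is declared after `mac_create_devfs_vnode`, whereas `struct mac_policy_ops` and `enum mac_op_constant` in this same commit place the symlink entry before the vnode entry; keeping the three lists in one order makes it easy to audit that every entry point has an op slot, a constant and a registration case. Moving the two declaration lines above `void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp);` would do it. The same applies to the repeated copy of this hunk later on the page.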
@ -519,6 +519,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_create_devfs_directory =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_SYMLINK:
|
||||
mpc->mpc_ops->mpo_create_devfs_symlink =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_VNODE:
|
||||
mpc->mpc_ops->mpo_create_devfs_vnode =
|
||||
mpe->mpe_function;
|
||||
@ -2946,6 +2950,15 @@ mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
|
||||
MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
|
||||
&de->de_label);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_stdcreatevnode_ea(struct vnode *vp)
|
||||
{
|
||||
|
@ -519,6 +519,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_create_devfs_directory =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_SYMLINK:
|
||||
mpc->mpc_ops->mpo_create_devfs_symlink =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_VNODE:
|
||||
mpc->mpc_ops->mpo_create_devfs_vnode =
|
||||
mpe->mpe_function;
|
||||
@ -2946,6 +2950,15 @@ mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
|
||||
MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
|
||||
&de->de_label);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_stdcreatevnode_ea(struct vnode *vp)
|
||||
{
|
||||
|
@ -519,6 +519,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_create_devfs_directory =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_SYMLINK:
|
||||
mpc->mpc_ops->mpo_create_devfs_symlink =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_VNODE:
|
||||
mpc->mpc_ops->mpo_create_devfs_vnode =
|
||||
mpe->mpe_function;
|
||||
@ -2946,6 +2950,15 @@ mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
|
||||
MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
|
||||
&de->de_label);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_stdcreatevnode_ea(struct vnode *vp)
|
||||
{
|
||||
|
@ -110,6 +110,9 @@ struct mac_policy_ops {
|
||||
struct label *label);
|
||||
void (*mpo_create_devfs_directory)(char *dirname, int dirnamelen,
|
||||
struct devfs_dirent *de, struct label *label);
|
||||
void (*mpo_create_devfs_symlink)(struct ucred *cred,
|
||||
struct devfs_dirent *dd, struct label *ddlabel,
|
||||
struct devfs_dirent *de, struct label *delabel);
|
||||
void (*mpo_create_devfs_vnode)(struct devfs_dirent *de,
|
||||
struct label *direntlabel, struct vnode *vp,
|
||||
struct label *vnodelabel);
|
||||
@ -387,6 +390,7 @@ enum mac_op_constant {
|
||||
MAC_INTERNALIZE,
|
||||
MAC_CREATE_DEVFS_DEVICE,
|
||||
MAC_CREATE_DEVFS_DIRECTORY,
|
||||
MAC_CREATE_DEVFS_SYMLINK,
|
||||
MAC_CREATE_DEVFS_VNODE,
|
||||
MAC_CREATE_VNODE,
|
||||
MAC_CREATE_MOUNT,
|
||||
|
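Review bot: `MAC_CREATE_DEVFS_SYMLINK` appears to be inserted in the middle of `enum mac_op_constant` and `mpo_create_devfs_symlink` in the middle of `struct mac_policy_ops`, which renumbers every later constant and shifts every later slot, so a policy module built against the previous header would likely have its functions installed under the wrong operations by `mac_policy_register` — applying the wrong hook silently rather than failing to load. If that is accepted because policy modules are always rebuilt with the kernel, a comment on the enum such as `/* Not a stable ABI: policy modules must be rebuilt whenever entries are inserted. */` records the expectation; otherwise append new constants at the end. The parameter names `ddlabel` and `delabel` on the new ops pointer do not say which one is input and which is being initialized, so a one-line comment above it stating that `delabel` is the label to initialize for the new dirent would help policy authors. The same applies to the repeated copy of this hunk near the end of the page.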
@ -519,6 +519,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_create_devfs_directory =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_SYMLINK:
|
||||
mpc->mpc_ops->mpo_create_devfs_symlink =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_VNODE:
|
||||
mpc->mpc_ops->mpo_create_devfs_vnode =
|
||||
mpe->mpe_function;
|
||||
@ -2946,6 +2950,15 @@ mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
|
||||
MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
|
||||
&de->de_label);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_stdcreatevnode_ea(struct vnode *vp)
|
||||
{
|
||||
|
@ -519,6 +519,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_create_devfs_directory =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_SYMLINK:
|
||||
mpc->mpc_ops->mpo_create_devfs_symlink =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_VNODE:
|
||||
mpc->mpc_ops->mpo_create_devfs_vnode =
|
||||
mpe->mpe_function;
|
||||
@ -2946,6 +2950,15 @@ mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
|
||||
MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
|
||||
&de->de_label);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_stdcreatevnode_ea(struct vnode *vp)
|
||||
{
|
||||
|
@ -519,6 +519,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_create_devfs_directory =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_SYMLINK:
|
||||
mpc->mpc_ops->mpo_create_devfs_symlink =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_VNODE:
|
||||
mpc->mpc_ops->mpo_create_devfs_vnode =
|
||||
mpe->mpe_function;
|
||||
@ -2946,6 +2950,15 @@ mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
|
||||
MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
|
||||
&de->de_label);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_stdcreatevnode_ea(struct vnode *vp)
|
||||
{
|
||||
|
@ -519,6 +519,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_create_devfs_directory =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_SYMLINK:
|
||||
mpc->mpc_ops->mpo_create_devfs_symlink =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CREATE_DEVFS_VNODE:
|
||||
mpc->mpc_ops->mpo_create_devfs_vnode =
|
||||
mpe->mpe_function;
|
||||
@ -2946,6 +2950,15 @@ mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
|
||||
MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
|
||||
&de->de_label);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_stdcreatevnode_ea(struct vnode *vp)
|
||||
{
|
||||
|
@ -244,6 +244,8 @@ void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de);
|
||||
void mac_create_devfs_directory(char *dirname, int dirnamelen,
|
||||
struct devfs_dirent *de);
|
||||
void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp);
|
||||
void mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de);
|
||||
void mac_create_vnode(struct ucred *cred, struct vnode *parent,
|
||||
struct vnode *child);
|
||||
void mac_create_mount(struct ucred *cred, struct mount *mp);
|
||||
|
@ -110,6 +110,9 @@ struct mac_policy_ops {
|
||||
struct label *label);
|
||||
void (*mpo_create_devfs_directory)(char *dirname, int dirnamelen,
|
||||
struct devfs_dirent *de, struct label *label);
|
||||
void (*mpo_create_devfs_symlink)(struct ucred *cred,
|
||||
struct devfs_dirent *dd, struct label *ddlabel,
|
||||
struct devfs_dirent *de, struct label *delabel);
|
||||
void (*mpo_create_devfs_vnode)(struct devfs_dirent *de,
|
||||
struct label *direntlabel, struct vnode *vp,
|
||||
struct label *vnodelabel);
|
||||
@ -387,6 +390,7 @@ enum mac_op_constant {
|
||||
MAC_INTERNALIZE,
|
||||
MAC_CREATE_DEVFS_DEVICE,
|
||||
MAC_CREATE_DEVFS_DIRECTORY,
|
||||
MAC_CREATE_DEVFS_SYMLINK,
|
||||
MAC_CREATE_DEVFS_VNODE,
|
||||
MAC_CREATE_VNODE,
|
||||
MAC_CREATE_MOUNT,
|
||||
|