d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Pass active_cred and file_cred into the MAC framework explicitly

Browse Source 
for mac_check_vnode_{poll,read,stat,write}().  Pass in fp->f_cred
when calling these checks with a struct file available.  Otherwise,
pass NOCRED.  All currently MAC policies use active_cred, but
could now offer the cached credential semantic used for the base
system security model.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
This commit is contained in:
rwatson 2002-08-19 19:04:53 +00:00
parent 32d992cd39
commit a1cb1e3bed
24 changed files with 302 additions and 196 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sys/kern/kern_ktrace.c
View File

@ -771,7 +771,7 @@ ktr_writerequest(struct ktr_request *req)
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
(void)VOP_LEASE(vp, td, cred, LEASE_WRITE);
#ifdef MAC
error = mac_check_vnode_write(cred, vp);
error = mac_check_vnode_write(cred, NOCRED, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);

32
sys/kern/kern_mac.c
View File

@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
int
mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}

11
sys/kern/tty_tty.c
View File

@ -104,6 +104,7 @@ cttyopen(dev, flag, mode, td)
return (error);
}
#endif
/* XXX: Shouldn't this cred be td->td_ucred not NOCRED? */
error = VOP_OPEN(ttyvp, flag, NOCRED, td);
VOP_UNLOCK(ttyvp, 0, td);
return (error);
@ -130,10 +131,10 @@ cttyread(dev, uio, flag)
return (EIO);
vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
/* XXX: Shouldn't the cred below be td->td_ucred not NOCRED? */
error = mac_check_vnode_read(td->td_ucred, ttyvp);
error = mac_check_vnode_read(td->td_ucred, NOCRED, ttyvp);
if (error == 0)
#endif
/* XXX: Shouldn't this cred be td->td_ucred not NOCRED? */
error = VOP_READ(ttyvp, uio, flag, NOCRED);
VOP_UNLOCK(ttyvp, 0, td);
return (error);
@ -165,10 +166,10 @@ cttywrite(dev, uio, flag)
return (error);
vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
/* XXX: shouldn't the cred below be td->td_ucred not NOCRED? */
error = mac_check_vnode_write(td->td_ucred, ttyvp);
error = mac_check_vnode_write(td->td_ucred, NOCRED, ttyvp);
if (error == 0)
#endif
/* XXX: shouldn't this cred be td->td_ucred not NOCRED? */
error = VOP_WRITE(ttyvp, uio, flag, NOCRED);
VOP_UNLOCK(ttyvp, 0, td);
vn_finished_write(mp);
@ -236,7 +237,7 @@ cttypoll(dev, events, td)
return (seltrue(dev, events, td));
#ifdef MAC
vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
error = mac_check_vnode_poll(td->td_ucred, ttyvp);
error = mac_check_vnode_poll(td->td_ucred, NOCRED, ttyvp);
VOP_UNLOCK(ttyvp, 0, td);
if (error)
return (error);

15
sys/kern/vfs_extattr.c
View File

@ -734,7 +734,7 @@ open(td, uap)
vat.va_size = 0;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_write(td->td_ucred, vp);
error = mac_check_vnode_write(td->td_ucred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@ -2367,7 +2367,8 @@ truncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
else if ((error = mac_check_vnode_write(td->td_ucred, NOCRED, vp))) {
}
#endif
else if ((error = vn_writechk(vp)) == 0 &&
(error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) {
@ -2424,7 +2425,9 @@ ftruncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
else if ((error = mac_check_vnode_write(td->td_ucred, fp->f_cred,
vp))) {
}
#endif
else if ((error = vn_writechk(vp)) == 0) {
VATTR_NULL(&vattr);
@ -3342,7 +3345,11 @@ fhopen(td, uap)
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */
#ifdef MAC
error = mac_check_vnode_write(td->td_ucred, vp);
/*
* We don't yet have fp->f_cred, so use td->td_ucred, which
* should be right.
*/
error = mac_check_vnode_write(td->td_ucred, td->td_ucred, vp);
if (error == 0) {
#endif
VATTR_NULL(vap);

15
sys/kern/vfs_syscalls.c
View File

@ -734,7 +734,7 @@ open(td, uap)
vat.va_size = 0;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_write(td->td_ucred, vp);
error = mac_check_vnode_write(td->td_ucred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@ -2367,7 +2367,8 @@ truncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
else if ((error = mac_check_vnode_write(td->td_ucred, NOCRED, vp))) {
}
#endif
else if ((error = vn_writechk(vp)) == 0 &&
(error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) {
@ -2424,7 +2425,9 @@ ftruncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
else if ((error = mac_check_vnode_write(td->td_ucred, fp->f_cred,
vp))) {
}
#endif
else if ((error = vn_writechk(vp)) == 0) {
VATTR_NULL(&vattr);
@ -3342,7 +3345,11 @@ fhopen(td, uap)
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */
#ifdef MAC
error = mac_check_vnode_write(td->td_ucred, vp);
/*
* We don't yet have fp->f_cred, so use td->td_ucred, which
* should be right.
*/
error = mac_check_vnode_write(td->td_ucred, td->td_ucred, vp);
if (error == 0) {
#endif
VATTR_NULL(vap);

14
sys/kern/vfs_vnops.c
View File

@ -402,9 +402,11 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred,
#ifdef MAC
if ((ioflg & IO_NOMACCHECK) == 0) {
if (rw == UIO_READ)
error = mac_check_vnode_read(active_cred, vp);
error = mac_check_vnode_read(active_cred, file_cred,
vp);
else
error = mac_check_vnode_write(active_cred, vp);
error = mac_check_vnode_write(active_cred, file_cred,
vp);
}
#endif
if (error == 0) {
@ -505,7 +507,7 @@ vn_read(fp, uio, active_cred, flags, td)
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
error = mac_check_vnode_read(active_cred, vp);
error = mac_check_vnode_read(active_cred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_READ(vp, uio, ioflag, fp->f_cred);
@ -560,7 +562,7 @@ vn_write(fp, uio, active_cred, flags, td)
uio->uio_offset = fp->f_offset;
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
error = mac_check_vnode_write(active_cred, vp);
error = mac_check_vnode_write(active_cred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, uio, ioflag, fp->f_cred);
@ -610,7 +612,7 @@ vn_stat(vp, sb, active_cred, file_cred, td)
u_short mode;
#ifdef MAC
error = mac_check_vnode_stat(active_cred, vp);
error = mac_check_vnode_stat(active_cred, file_cred, vp);
if (error)
return (error);
#endif
@ -805,7 +807,7 @@ vn_poll(fp, events, active_cred, td)
vp = (struct vnode *)fp->f_data;
#ifdef MAC
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = mac_check_vnode_poll(active_cred, vp);
error = mac_check_vnode_poll(active_cred, fp->f_cred, vp);
VOP_UNLOCK(vp, 0, td);
if (error)
return (error);

32
sys/security/mac/mac_framework.c
View File

@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
int
mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}

12
sys/security/mac/mac_framework.h
View File

@ -338,8 +338,10 @@ u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp,
int newmapping);
int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
mode_t acc_mode);
int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_read(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_poll(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_check_vnode_read(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
@ -359,8 +361,10 @@ int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
uid_t uid, gid_t gid);
int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime);
int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_write(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_check_vnode_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,

32
sys/security/mac/mac_internal.h
View File

@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
int
mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}

32
sys/security/mac/mac_net.c
View File

@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
int
mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}

32
sys/security/mac/mac_pipe.c
View File

@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
int
mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}

12
sys/security/mac/mac_policy.h
View File

@ -301,9 +301,11 @@ struct mac_policy_ops {
struct vnode *vp, struct label *label, int newmapping);
int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t acc_mode);
int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp,
int (*mpo_check_vnode_poll)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp,
int (*mpo_check_vnode_read)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_readdir)(struct ucred *cred,
struct vnode *dvp, struct label *dlabel);
@ -337,9 +339,11 @@ struct mac_policy_ops {
int (*mpo_check_vnode_setutimes)(struct ucred *cred,
struct vnode *vp, struct label *label,
struct timespec atime, struct timespec mtime);
int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp,
int (*mpo_check_vnode_stat)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp,
int (*mpo_check_vnode_write)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *label);
};

32
sys/security/mac/mac_process.c
View File

@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
int
mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}

32
sys/security/mac/mac_syscalls.c
View File

@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
int
mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}

32
sys/security/mac/mac_system.c
View File

@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
int
mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}

32
sys/security/mac/mac_vfs.c
View File

@ -1804,7 +1804,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1813,17 +1814,19 @@ mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -1832,11 +1835,12 @@ mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
@ -2076,7 +2080,8 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
int
mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2085,16 +2090,18 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
@ -2103,11 +2110,12 @@ mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
error = vn_refreshlabel(vp, active_cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
&vp->v_label);
return (error);
}

24
sys/security/mac_biba/mac_biba.c
View File

@ -1731,15 +1731,15 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled || !mac_biba_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(&active_cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@ -1749,15 +1749,15 @@ mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp,
}
static int
mac_biba_check_vnode_read(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled || !mac_biba_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(&active_cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@ -2016,15 +2016,15 @@ mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
mac_biba_check_vnode_stat(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel)
mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vnodelabel)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(&active_cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(obj, subj))
@ -2034,15 +2034,15 @@ mac_biba_check_vnode_stat(struct ucred *cred, struct vnode *vp,
}
static int
mac_biba_check_vnode_write(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_biba_check_vnode_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *label)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled || !mac_biba_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(&active_cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))

9
sys/security/mac_bsdextended/mac_bsdextended.c
View File

@ -675,8 +675,8 @@ mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_stat(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *label)
{
struct vattr vap;
int error;
@ -684,10 +684,11 @@ mac_bsdextended_check_vnode_stat(struct ucred *cred, struct vnode *vp,
if (!mac_bsdextended_enabled)
return (0);
error = VOP_GETATTR(vp, &vap, cred, curthread);
error = VOP_GETATTR(vp, &vap, active_cred, curthread);
if (error)
return (error);
return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VSTAT));
return (mac_bsdextended_check(active_cred, vap.va_uid, vap.va_gid,
VSTAT));
}
static struct mac_policy_op_entry mac_bsdextended_ops[] =

24
sys/security/mac_mls/mac_mls.c
View File

@ -1681,15 +1681,15 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
mac_mls_check_vnode_poll(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled || !mac_mls_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(&active_cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@ -1699,15 +1699,15 @@ mac_mls_check_vnode_poll(struct ucred *cred, struct vnode *vp,
}
static int
mac_mls_check_vnode_read(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled || !mac_mls_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(&active_cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@ -1967,15 +1967,15 @@ mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
mac_mls_check_vnode_stat(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel)
mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vnodelabel)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(&active_cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(subj, obj))
@ -1985,15 +1985,15 @@ mac_mls_check_vnode_stat(struct ucred *cred, struct vnode *vp,
}
static int
mac_mls_check_vnode_write(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled || !mac_mls_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(&active_cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))

16
sys/security/mac_none/mac_none.c
View File

@ -799,16 +799,16 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_none_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
return (0);
}
static int
mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_none_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
return (0);
@ -913,16 +913,16 @@ mac_none_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_none_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
return (0);
}
static int
mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_none_check_vnode_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *label)
{
return (0);

16
sys/security/mac_stub/mac_stub.c
View File

@ -799,16 +799,16 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_none_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
return (0);
}
static int
mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_none_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
return (0);
@ -913,16 +913,16 @@ mac_none_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_none_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
return (0);
}
static int
mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_none_check_vnode_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *label)
{
return (0);

16
sys/security/mac_test/mac_test.c
View File

@ -1007,16 +1007,16 @@ mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
mac_test_check_vnode_poll(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
return (0);
}
static int
mac_test_check_vnode_read(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
return (0);
@ -1121,16 +1121,16 @@ mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
mac_test_check_vnode_stat(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
return (0);
}
static int
mac_test_check_vnode_write(struct ucred *cred, struct vnode *vp,
struct label *label)
mac_test_check_vnode_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *label)
{
return (0);

12
sys/sys/mac.h
View File

@ -338,8 +338,10 @@ u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp,
int newmapping);
int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
mode_t acc_mode);
int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_read(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_poll(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_check_vnode_read(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
@ -359,8 +361,10 @@ int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
uid_t uid, gid_t gid);
int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime);
int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_write(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_check_vnode_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,

12
sys/sys/mac_policy.h
View File

@ -301,9 +301,11 @@ struct mac_policy_ops {
struct vnode *vp, struct label *label, int newmapping);
int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t acc_mode);
int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp,
int (*mpo_check_vnode_poll)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp,
int (*mpo_check_vnode_read)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_readdir)(struct ucred *cred,
struct vnode *dvp, struct label *dlabel);
@ -337,9 +339,11 @@ struct mac_policy_ops {
int (*mpo_check_vnode_setutimes)(struct ucred *cred,
struct vnode *vp, struct label *label,
struct timespec atime, struct timespec mtime);
int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp,
int (*mpo_check_vnode_stat)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp,
int (*mpo_check_vnode_write)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *label);
};