Add mac_check_vnode_deleteextattr() and mac_check_vnode_listextattr():

explicit access control checks to delete and list extended attributes
on a vnode, rather than implicitly combining with the setextattr and
getextattr checks.  This reflects EA API changes in the kernel made
recently, including the move to explicit VOP's for both of these
operations.

Obtained from:	TrustedBSD PRoject
Sponsored by:	DARPA, Network Associates Laboratories

sys/kern/kern_mac.c

@@ -1613,6 +1613,22 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 	return (error);
 }
 
+int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace, const char *name)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+	    attrnamespace, name);
+	return (error);
+}
+
 int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
@@ -1677,6 +1693,22 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 	return (error);
 }
 
+int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+	    attrnamespace);
+	return (error);
+}
+
 int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)

sys/kern/vfs_extattr.c

@@ -4270,8 +4270,8 @@ extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname,
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 
 #ifdef MAC
-	error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace,
-	    attrname, NULL);
+	error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace,
+	    attrname);
 	if (error)
 		goto done;
 #endif
@@ -4418,8 +4418,7 @@ extattr_list_vp(struct vnode *vp, int attrnamespace, void *data,
 		sizep = &size;
 
 #ifdef MAC
-	error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace,
-	    "", &auio);
+	error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace);
 	if (error)
 		goto done;
 #endif

sys/kern/vfs_syscalls.c

@@ -4270,8 +4270,8 @@ extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname,
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 
 #ifdef MAC
-	error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace,
-	    attrname, NULL);
+	error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace,
+	    attrname);
 	if (error)
 		goto done;
 #endif
@@ -4418,8 +4418,7 @@ extattr_list_vp(struct vnode *vp, int attrnamespace, void *data,
 		sizep = &size;
 
 #ifdef MAC
-	error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace,
-	    "", &auio);
+	error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace);
 	if (error)
 		goto done;
 #endif

sys/security/mac/mac_framework.c

@@ -1613,6 +1613,22 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 	return (error);
 }
 
+int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace, const char *name)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+	    attrnamespace, name);
+	return (error);
+}
+
 int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
@@ -1677,6 +1693,22 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 	return (error);
 }
 
+int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+	    attrnamespace);
+	return (error);
+}
+
 int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)

sys/security/mac/mac_framework.h

@@ -279,6 +279,8 @@ int	mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
 	    struct vnode *vp, struct componentname *cnp);
 int	mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 	    acl_type_t type);
+int	mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+	    int attrnamespace, const char *name);
 int	mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 	    struct image_params *imgp);
 int	mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
@@ -287,6 +289,8 @@ int	mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
 	    int attrnamespace, const char *name, struct uio *uio);
 int	mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 	    struct vnode *vp, struct componentname *cnp);
+int	mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+	    int attrnamespace);
 int	mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
  	    struct componentname *cnp);
 int	mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,

sys/security/mac/mac_internal.h

@@ -1613,6 +1613,22 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 	return (error);
 }
 
+int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace, const char *name)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+	    attrnamespace, name);
+	return (error);
+}
+
 int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
@@ -1677,6 +1693,22 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 	return (error);
 }
 
+int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+	    attrnamespace);
+	return (error);
+}
+
 int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)

sys/security/mac/mac_net.c

@@ -1613,6 +1613,22 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 	return (error);
 }
 
+int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace, const char *name)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+	    attrnamespace, name);
+	return (error);
+}
+
 int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
@@ -1677,6 +1693,22 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 	return (error);
 }
 
+int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+	    attrnamespace);
+	return (error);
+}
+
 int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)

sys/security/mac/mac_pipe.c

@@ -1613,6 +1613,22 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 	return (error);
 }
 
+int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace, const char *name)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+	    attrnamespace, name);
+	return (error);
+}
+
 int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
@@ -1677,6 +1693,22 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 	return (error);
 }
 
+int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+	    attrnamespace);
+	return (error);
+}
+
 int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)

sys/security/mac/mac_policy.h

@@ -359,6 +359,9 @@ struct mac_policy_ops {
 		    struct componentname *cnp);
 	int	(*mpo_check_vnode_deleteacl)(struct ucred *cred,
 		    struct vnode *vp, struct label *label, acl_type_t type);
+	int	(*mpo_check_vnode_deleteextattr)(struct ucred *cred,
+		    struct vnode *vp, struct label *label, int attrnamespace,
+		    const char *name);
 	int	(*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
 		    struct label *label, struct image_params *imgp,
 		    struct label *execlabel);
@@ -370,6 +373,8 @@ struct mac_policy_ops {
 	int	(*mpo_check_vnode_link)(struct ucred *cred, struct vnode *dvp,
 		    struct label *dlabel, struct vnode *vp,
 		    struct label *label, struct componentname *cnp);
+	int	(*mpo_check_vnode_listextattr)(struct ucred *cred,
+		    struct vnode *vp, struct label *label, int attrnamespace);
 	int	(*mpo_check_vnode_lookup)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dlabel,
 		    struct componentname *cnp);

sys/security/mac/mac_process.c

@@ -1613,6 +1613,22 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 	return (error);
 }
 
+int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace, const char *name)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+	    attrnamespace, name);
+	return (error);
+}
+
 int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
@@ -1677,6 +1693,22 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 	return (error);
 }
 
+int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+	    attrnamespace);
+	return (error);
+}
+
 int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)

sys/security/mac/mac_syscalls.c

@@ -1613,6 +1613,22 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 	return (error);
 }
 
+int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace, const char *name)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+	    attrnamespace, name);
+	return (error);
+}
+
 int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
@@ -1677,6 +1693,22 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 	return (error);
 }
 
+int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+	    attrnamespace);
+	return (error);
+}
+
 int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)

sys/security/mac/mac_system.c

@@ -1613,6 +1613,22 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 	return (error);
 }
 
+int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace, const char *name)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+	    attrnamespace, name);
+	return (error);
+}
+
 int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
@@ -1677,6 +1693,22 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 	return (error);
 }
 
+int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+	    attrnamespace);
+	return (error);
+}
+
 int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)

sys/security/mac/mac_vfs.c

@@ -1613,6 +1613,22 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 	return (error);
 }
 
+int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace, const char *name)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+	    attrnamespace, name);
+	return (error);
+}
+
 int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
@@ -1677,6 +1693,22 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 	return (error);
 }
 
+int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    int attrnamespace)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+	    attrnamespace);
+	return (error);
+}
+
 int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)

sys/sys/mac.h

@@ -279,6 +279,8 @@ int	mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
 	    struct vnode *vp, struct componentname *cnp);
 int	mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 	    acl_type_t type);
+int	mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+	    int attrnamespace, const char *name);
 int	mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 	    struct image_params *imgp);
 int	mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
@@ -287,6 +289,8 @@ int	mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
 	    int attrnamespace, const char *name, struct uio *uio);
 int	mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 	    struct vnode *vp, struct componentname *cnp);
+int	mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+	    int attrnamespace);
 int	mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
  	    struct componentname *cnp);
 int	mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,

sys/sys/mac_policy.h

@@ -359,6 +359,9 @@ struct mac_policy_ops {
 		    struct componentname *cnp);
 	int	(*mpo_check_vnode_deleteacl)(struct ucred *cred,
 		    struct vnode *vp, struct label *label, acl_type_t type);
+	int	(*mpo_check_vnode_deleteextattr)(struct ucred *cred,
+		    struct vnode *vp, struct label *label, int attrnamespace,
+		    const char *name);
 	int	(*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
 		    struct label *label, struct image_params *imgp,
 		    struct label *execlabel);
@@ -370,6 +373,8 @@ struct mac_policy_ops {
 	int	(*mpo_check_vnode_link)(struct ucred *cred, struct vnode *dvp,
 		    struct label *dlabel, struct vnode *vp,
 		    struct label *label, struct componentname *cnp);
+	int	(*mpo_check_vnode_listextattr)(struct ucred *cred,
+		    struct vnode *vp, struct label *label, int attrnamespace);
 	int	(*mpo_check_vnode_lookup)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dlabel,
 		    struct componentname *cnp);