d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge implementation of mpo_check_vnode_link() for various appropriate

Browse Source 
file-system aware MAC policies.  Sync to MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
This commit is contained in:
Robert Watson 2002-10-05 18:25:48 +00:00
parent 0a69419678
commit c27b50f5b4
6 changed files with 113 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
sys/security/mac_biba/mac_biba.c
View File

@ -1509,6 +1509,30 @@ mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
return (0); return (0);
} }
static int
mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(subj, obj))
return (EACCES);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
return (EACCES);
return (0);
}
static int static int
mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp) struct label *dlabel, struct componentname *cnp)
@ -2087,6 +2111,8 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_check_vnode_getacl }, (macop_t)mac_biba_check_vnode_getacl },
{ MAC_CHECK_VNODE_GETEXTATTR, { MAC_CHECK_VNODE_GETEXTATTR,
(macop_t)mac_biba_check_vnode_getextattr }, (macop_t)mac_biba_check_vnode_getextattr },
{ MAC_CHECK_VNODE_LINK,
(macop_t)mac_biba_check_vnode_link },
{ MAC_CHECK_VNODE_LOOKUP, { MAC_CHECK_VNODE_LOOKUP,
(macop_t)mac_biba_check_vnode_lookup }, (macop_t)mac_biba_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN, { MAC_CHECK_VNODE_OPEN,

29
sys/security/mac_bsdextended/mac_bsdextended.c
View File

@ -444,6 +444,33 @@ mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD)); return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
} }
static int
mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
struct vattr vap;
int error;
if (!mac_bsdextended_enabled)
return (0);
error = VOP_GETATTR(dvp, &vap, cred, curthread);
if (error)
return (error);
error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
if (error)
return (error);
error = VOP_GETATTR(vp, &vap, cred, curthread);
if (error)
return (error);
error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
if (error)
return (error);
return (0);
}
static int static int
mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp) struct label *dlabel, struct componentname *cnp)
@ -715,6 +742,8 @@ static struct mac_policy_op_entry mac_bsdextended_ops[] =
(macop_t)mac_bsdextended_check_vnode_getacl }, (macop_t)mac_bsdextended_check_vnode_getacl },
{ MAC_CHECK_VNODE_GETEXTATTR, { MAC_CHECK_VNODE_GETEXTATTR,
(macop_t)mac_bsdextended_check_vnode_getextattr }, (macop_t)mac_bsdextended_check_vnode_getextattr },
{ MAC_CHECK_VNODE_LINK,
(macop_t)mac_bsdextended_check_vnode_link },
{ MAC_CHECK_VNODE_LOOKUP, { MAC_CHECK_VNODE_LOOKUP,
(macop_t)mac_bsdextended_check_vnode_lookup }, (macop_t)mac_bsdextended_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN, { MAC_CHECK_VNODE_OPEN,

25
sys/security/mac_mls/mac_mls.c
View File

@ -1471,6 +1471,29 @@ mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
return (0); return (0);
} }
static int
mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
return (EACCES);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
return (EACCES);
return (0);
}
static int static int
mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp) struct label *dlabel, struct componentname *cnp)
@ -2050,6 +2073,8 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_check_vnode_getacl }, (macop_t)mac_mls_check_vnode_getacl },
{ MAC_CHECK_VNODE_GETEXTATTR, { MAC_CHECK_VNODE_GETEXTATTR,
(macop_t)mac_mls_check_vnode_getextattr }, (macop_t)mac_mls_check_vnode_getextattr },
{ MAC_CHECK_VNODE_LINK,
(macop_t)mac_mls_check_vnode_link },
{ MAC_CHECK_VNODE_LOOKUP, { MAC_CHECK_VNODE_LOOKUP,
(macop_t)mac_mls_check_vnode_lookup }, (macop_t)mac_mls_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN, { MAC_CHECK_VNODE_OPEN,

11
sys/security/mac_none/mac_none.c
View File

@ -669,6 +669,15 @@ mac_none_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
return (0); return (0);
} }
static int
mac_none_check_vnode_link(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
return (0);
}
static int static int
mac_none_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, mac_none_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp) struct label *dlabel, struct componentname *cnp)
@ -1019,6 +1028,8 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_vnode_getacl }, (macop_t)mac_none_check_vnode_getacl },
{ MAC_CHECK_VNODE_GETEXTATTR, { MAC_CHECK_VNODE_GETEXTATTR,
(macop_t)mac_none_check_vnode_getextattr }, (macop_t)mac_none_check_vnode_getextattr },
{ MAC_CHECK_VNODE_LINK,
(macop_t)mac_none_check_vnode_link },
{ MAC_CHECK_VNODE_LOOKUP, { MAC_CHECK_VNODE_LOOKUP,
(macop_t)mac_none_check_vnode_lookup }, (macop_t)mac_none_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN, { MAC_CHECK_VNODE_OPEN,

11
sys/security/mac_stub/mac_stub.c
View File

@ -669,6 +669,15 @@ mac_none_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
return (0); return (0);
} }
static int
mac_none_check_vnode_link(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
return (0);
}
static int static int
mac_none_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, mac_none_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp) struct label *dlabel, struct componentname *cnp)
@ -1019,6 +1028,8 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_vnode_getacl }, (macop_t)mac_none_check_vnode_getacl },
{ MAC_CHECK_VNODE_GETEXTATTR, { MAC_CHECK_VNODE_GETEXTATTR,
(macop_t)mac_none_check_vnode_getextattr }, (macop_t)mac_none_check_vnode_getextattr },
{ MAC_CHECK_VNODE_LINK,
(macop_t)mac_none_check_vnode_link },
{ MAC_CHECK_VNODE_LOOKUP, { MAC_CHECK_VNODE_LOOKUP,
(macop_t)mac_none_check_vnode_lookup }, (macop_t)mac_none_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN, { MAC_CHECK_VNODE_OPEN,

11
sys/security/mac_test/mac_test.c
View File

@ -1045,6 +1045,15 @@ mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
return (0); return (0);
} }
static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
return (0);
}
static int static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp) struct label *dlabel, struct componentname *cnp)
@ -1393,6 +1402,8 @@ static struct mac_policy_op_entry mac_test_ops[] =
(macop_t)mac_test_check_vnode_getacl }, (macop_t)mac_test_check_vnode_getacl },
{ MAC_CHECK_VNODE_GETEXTATTR, { MAC_CHECK_VNODE_GETEXTATTR,
(macop_t)mac_test_check_vnode_getextattr }, (macop_t)mac_test_check_vnode_getextattr },
{ MAC_CHECK_VNODE_LINK,
(macop_t)mac_test_check_vnode_link },
{ MAC_CHECK_VNODE_LOOKUP, { MAC_CHECK_VNODE_LOOKUP,
(macop_t)mac_test_check_vnode_lookup }, (macop_t)mac_test_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN, { MAC_CHECK_VNODE_OPEN,