Implement IO_NOMACCHECK in vn_rdwr() -- perform MAC checks (assuming

'options MAC') as long as IO_NOMACCHECK is not set in the IO flags. If IO_NOMACCHECK is set, bypass MAC checks in vn_rdwr(). This allows vn_rdwr() to be used as a utility function inside of file systems where MAC checks have already been performed, or where the operation is being done on behalf of the kernel not the user. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI LAbs
2002-08-12 16:15:34 +00:00 · 2002-08-12 16:15:34 +00:00 · d14df136e2
commit d14df136e2
parent caa1520317
1 changed files with 17 additions and 4 deletions
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@ -394,10 +394,23 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, cred, aresid, td)
 	auio.uio_segflg = segflg;
 	auio.uio_rw = rw;
 	auio.uio_td = td;
-	if (rw == UIO_READ)
-		error = VOP_READ(vp, &auio, ioflg, cred);
-	 else
-		error = VOP_WRITE(vp, &auio, ioflg, cred);
+	error = 0;
+#ifdef MAC
+	if ((ioflg & IO_NOMACCHECK) == 0) {
+		if (rw == UIO_READ)
+			error = mac_check_vnode_op(cred, vp,
+			    MAC_OP_VNODE_READ);
+		else
+			error = mac_check_vnode_op(cred, vp,
+			    MAC_OP_VNODE_WRITE);
+	}
+#endif
+	if (error == 0) {
+		if (rw == UIO_READ)
+			error = VOP_READ(vp, &auio, ioflg, cred);
+		else
+			error = VOP_WRITE(vp, &auio, ioflg, cred);
+	}
 	if (aresid)
 		*aresid = auio.uio_resid;
 	else