mac_vfs.c (166531) | mac_vfs.c (168954) |
---|---|
1/*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2005 McAfee, Inc. | 1/*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2005 McAfee, Inc. |
5 * Copyright (c) 2005 SPARTA, Inc. | 5 * Copyright (c) 2005-2006 SPARTA, Inc. |
6 * All rights reserved. 7 * 8 * This software was developed by Robert Watson and Ilmar Habibulin for the 9 * TrustedBSD Project. 10 * 11 * This software was developed for the FreeBSD Project in part by McAfee 12 * Research, the Security Research Division of McAfee, Inc. under 13 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA --- 20 unchanged lines hidden (view full) --- 34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 */ 40 41#include <sys/cdefs.h> | 6 * All rights reserved. 7 * 8 * This software was developed by Robert Watson and Ilmar Habibulin for the 9 * TrustedBSD Project. 10 * 11 * This software was developed for the FreeBSD Project in part by McAfee 12 * Research, the Security Research Division of McAfee, Inc. under 13 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA --- 20 unchanged lines hidden (view full) --- 34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 */ 40 41#include <sys/cdefs.h> |
42__FBSDID("$FreeBSD: head/sys/security/mac/mac_vfs.c 166531 2007-02-06 10:59:23Z rwatson $"); | 42__FBSDID("$FreeBSD: head/sys/security/mac/mac_vfs.c 168954 2007-04-22 16:18:10Z rwatson $"); |
43 44#include "opt_mac.h" 45 46#include <sys/param.h> 47#include <sys/condvar.h> 48#include <sys/extattr.h> 49#include <sys/imgact.h> 50#include <sys/kernel.h> --- 51 unchanged lines hidden (view full) --- 102{ 103 struct label *label; 104 105 label = mac_labelzone_alloc(M_WAITOK); 106 MAC_PERFORM(init_mount_label, label); 107 return (label); 108} 109 | 43 44#include "opt_mac.h" 45 46#include <sys/param.h> 47#include <sys/condvar.h> 48#include <sys/extattr.h> 49#include <sys/imgact.h> 50#include <sys/kernel.h> --- 51 unchanged lines hidden (view full) --- 102{ 103 struct label *label; 104 105 label = mac_labelzone_alloc(M_WAITOK); 106 MAC_PERFORM(init_mount_label, label); 107 return (label); 108} 109 |
110static struct label * 111mac_mount_fs_label_alloc(void) 112{ 113 struct label *label; 114 115 label = mac_labelzone_alloc(M_WAITOK); 116 MAC_PERFORM(init_mount_fs_label, label); 117 return (label); 118} 119 | |
120void 121mac_init_mount(struct mount *mp) 122{ 123 | 110void 111mac_init_mount(struct mount *mp) 112{ 113 |
124 mp->mnt_mntlabel = mac_mount_label_alloc(); 125 mp->mnt_fslabel = mac_mount_fs_label_alloc(); | 114 mp->mnt_label = mac_mount_label_alloc(); |
126} 127 128struct label * 129mac_vnode_label_alloc(void) 130{ 131 struct label *label; 132 133 label = mac_labelzone_alloc(M_WAITOK); --- 27 unchanged lines hidden (view full) --- 161static void 162mac_mount_label_free(struct label *label) 163{ 164 165 MAC_PERFORM(destroy_mount_label, label); 166 mac_labelzone_free(label); 167} 168 | 115} 116 117struct label * 118mac_vnode_label_alloc(void) 119{ 120 struct label *label; 121 122 label = mac_labelzone_alloc(M_WAITOK); --- 27 unchanged lines hidden (view full) --- 150static void 151mac_mount_label_free(struct label *label) 152{ 153 154 MAC_PERFORM(destroy_mount_label, label); 155 mac_labelzone_free(label); 156} 157 |
169static void 170mac_mount_fs_label_free(struct label *label) 171{ 172 173 MAC_PERFORM(destroy_mount_fs_label, label); 174 mac_labelzone_free(label); 175} 176 | |
177void 178mac_destroy_mount(struct mount *mp) 179{ 180 | 158void 159mac_destroy_mount(struct mount *mp) 160{ 161 |
181 mac_mount_fs_label_free(mp->mnt_fslabel); 182 mp->mnt_fslabel = NULL; 183 mac_mount_label_free(mp->mnt_mntlabel); 184 mp->mnt_mntlabel = NULL; | 162 mac_mount_label_free(mp->mnt_label); 163 mp->mnt_label = NULL; |
185} 186 187void 188mac_vnode_label_free(struct label *label) 189{ 190 191 MAC_PERFORM(destroy_vnode_label, label); 192 mac_labelzone_free(label); --- 44 unchanged lines hidden (view full) --- 237 vp->v_label); 238} 239 240void 241mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de, 242 struct vnode *vp) 243{ 244 | 164} 165 166void 167mac_vnode_label_free(struct label *label) 168{ 169 170 MAC_PERFORM(destroy_vnode_label, label); 171 mac_labelzone_free(label); --- 44 unchanged lines hidden (view full) --- 216 vp->v_label); 217} 218 219void 220mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de, 221 struct vnode *vp) 222{ 223 |
245 MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_fslabel, de, | 224 MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_label, de, |
246 de->de_label, vp, vp->v_label); 247} 248 249int 250mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp) 251{ 252 int error; 253 254 ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr"); 255 | 225 de->de_label, vp, vp->v_label); 226} 227 228int 229mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp) 230{ 231 int error; 232 233 ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr"); 234 |
256 MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_fslabel, vp, | 235 MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_label, vp, |
257 vp->v_label); 258 259 return (error); 260} 261 262void 263mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp) 264{ 265 | 236 vp->v_label); 237 238 return (error); 239} 240 241void 242mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp) 243{ 244 |
266 MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_fslabel, vp, | 245 MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_label, vp, |
267 vp->v_label); 268} 269 270/* 271 * Functions implementing extended-attribute backed labels for file systems 272 * that support it. 273 * 274 * Where possible, we use EA transactions to make writes to multiple --- 15 unchanged lines hidden (view full) --- 290 if (ea_warn_once == 0) { 291 printf("Warning: transactions not supported " 292 "in EA write.\n"); 293 ea_warn_once = 1; 294 } 295 } else if (error) 296 return (error); 297 | 246 vp->v_label); 247} 248 249/* 250 * Functions implementing extended-attribute backed labels for file systems 251 * that support it. 252 * 253 * Where possible, we use EA transactions to make writes to multiple --- 15 unchanged lines hidden (view full) --- 269 if (ea_warn_once == 0) { 270 printf("Warning: transactions not supported " 271 "in EA write.\n"); 272 ea_warn_once = 1; 273 } 274 } else if (error) 275 return (error); 276 |
298 MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel, 299 dvp, dvp->v_label, vp, vp->v_label, cnp); | 277 MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_label, dvp, 278 dvp->v_label, vp, vp->v_label, cnp); |
300 301 if (error) { 302 VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); 303 return (error); 304 } 305 306 error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread); 307 if (error == EOPNOTSUPP) --- 475 unchanged lines hidden (view full) --- 783 784 MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel); 785} 786 787void 788mac_create_mount(struct ucred *cred, struct mount *mp) 789{ 790 | 279 280 if (error) { 281 VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); 282 return (error); 283 } 284 285 error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread); 286 if (error == EOPNOTSUPP) --- 475 unchanged lines hidden (view full) --- 762 763 MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel); 764} 765 766void 767mac_create_mount(struct ucred *cred, struct mount *mp) 768{ 769 |
791 MAC_PERFORM(create_mount, cred, mp, mp->mnt_mntlabel, 792 mp->mnt_fslabel); | 770 MAC_PERFORM(create_mount, cred, mp, mp->mnt_label); |
793} 794 795int 796mac_check_mount_stat(struct ucred *cred, struct mount *mount) 797{ 798 int error; 799 | 771} 772 773int 774mac_check_mount_stat(struct ucred *cred, struct mount *mount) 775{ 776 int error; 777 |
800 MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel); | 778 MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_label); |
801 802 return (error); 803} 804 805void 806mac_create_devfs_device(struct ucred *cred, struct mount *mp, 807 struct cdev *dev, struct devfs_dirent *de) 808{ --- 108 unchanged lines hidden --- | 779 780 return (error); 781} 782 783void 784mac_create_devfs_device(struct ucred *cred, struct mount *mp, 785 struct cdev *dev, struct devfs_dirent *de) 786{ --- 108 unchanged lines hidden --- |
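Review bot: Nothing in this section documents that the merged `mnt_label` now plays two roles that used to be separate objects: it is the label created by `mac_create_mount` and checked by `mac_check_mount_stat`, and it is also the label handed to `associate_vnode_devfs`, `associate_vnode_extattr`, `associate_vnode_singlelabel` and `create_vnode_extattr` where `mnt_fslabel` was passed before. A policy that used the old fourth `create_mount` argument to seed a file-system default label distinct from the mount point's own label can no longer express that, so I would add above `mac_init_mount`: `/* A mount carries a single label: it is both the label consulted for mount-level checks (check_mount_stat) and the default label passed to the associate_vnode_* entry points for vnodes on the file system. */`. Because the `create_mount` entry point changes arity and `init_mount_fs_label`/`destroy_mount_fs_label` disappear here, out-of-tree policy modules built against the old interface will presumably fail to link or misbehave until updated, which is worth stating in the commit message.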