ugidfw_system.c (135039) ugidfw_system.c (136739)
1/*-
2 * Copyright (c) 1999-2002 Robert N. M. Watson
3 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by Network

--- 17 unchanged lines hidden (view full) ---

26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
1/*-
2 * Copyright (c) 1999-2002 Robert N. M. Watson
3 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by Network

--- 17 unchanged lines hidden (view full) ---

26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $FreeBSD: head/sys/security/mac_bsdextended/mac_bsdextended.c 135039 2004-09-10 15:14:50Z trhodes $
34 * $FreeBSD: head/sys/security/mac_bsdextended/mac_bsdextended.c 136739 2004-10-21 11:19:02Z rwatson $
35 */
36/*
37 * Developed by the TrustedBSD Project.
38 * "BSD Extended" MAC policy, allowing the administrator to impose
39 * mandatory rules regarding users and some system objects.
40 *
41 * XXX: Much locking support required here.
42 */

--- 74 unchanged lines hidden (view full) ---

117{
118
119 if ((rule->mbr_subject.mbi_flags | MBI_BITS) != MBI_BITS)
120 return (EINVAL);
121
122 if ((rule->mbr_object.mbi_flags | MBI_BITS) != MBI_BITS)
123 return (EINVAL);
124
35 */
36/*
37 * Developed by the TrustedBSD Project.
38 * "BSD Extended" MAC policy, allowing the administrator to impose
39 * mandatory rules regarding users and some system objects.
40 *
41 * XXX: Much locking support required here.
42 */

--- 74 unchanged lines hidden (view full) ---

117{
118
119 if ((rule->mbr_subject.mbi_flags | MBI_BITS) != MBI_BITS)
120 return (EINVAL);
121
122 if ((rule->mbr_object.mbi_flags | MBI_BITS) != MBI_BITS)
123 return (EINVAL);
124
125 if ((rule->mbr_mode | VALLPERM) != VALLPERM)
125 if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
126 return (EINVAL);
127
128 return (0);
129}
130
131static int
132sysctl_rule(SYSCTL_HANDLER_ARGS)
133{

--- 169 unchanged lines hidden (view full) ---

303 for (i = 0; i < rule_slots; i++) {
304 if (rules[i] == NULL)
305 continue;
306
307 /*
308 * Since we don't separately handle append, map append to
309 * write.
310 */
126 return (EINVAL);
127
128 return (0);
129}
130
131static int
132sysctl_rule(SYSCTL_HANDLER_ARGS)
133{

--- 169 unchanged lines hidden (view full) ---

303 for (i = 0; i < rule_slots; i++) {
304 if (rules[i] == NULL)
305 continue;
306
307 /*
308 * Since we don't separately handle append, map append to
309 * write.
310 */
311 if (acc_mode & VAPPEND) {
312 acc_mode &= ~VAPPEND;
313 acc_mode |= VWRITE;
311 if (acc_mode & MBI_APPEND) {
312 acc_mode &= ~MBI_APPEND;
313 acc_mode |= MBI_WRITE;
314 }
315
316 error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
317 object_gid, acc_mode);
318 if (error == EJUSTRETURN)
319 break;
320 if (error)
321 return (error);

--- 10 unchanged lines hidden (view full) ---

332 int error;
333
334 if (!mac_bsdextended_enabled)
335 return (0);
336
337 error = VOP_GETATTR(vp, &vap, cred, curthread);
338 if (error)
339 return (error);
314 }
315
316 error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
317 object_gid, acc_mode);
318 if (error == EJUSTRETURN)
319 break;
320 if (error)
321 return (error);

--- 10 unchanged lines hidden (view full) ---

332 int error;
333
334 if (!mac_bsdextended_enabled)
335 return (0);
336
337 error = VOP_GETATTR(vp, &vap, cred, curthread);
338 if (error)
339 return (error);
340 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE));
340 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
341 MBI_WRITE));
341}
342
343static int
344mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
345 struct label *label, int acc_mode)
346{
347 struct vattr vap;
348 int error;

--- 15 unchanged lines hidden (view full) ---

364 int error;
365
366 if (!mac_bsdextended_enabled)
367 return (0);
368
369 error = VOP_GETATTR(dvp, &vap, cred, curthread);
370 if (error)
371 return (error);
342}
343
344static int
345mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
346 struct label *label, int acc_mode)
347{
348 struct vattr vap;
349 int error;

--- 15 unchanged lines hidden (view full) ---

365 int error;
366
367 if (!mac_bsdextended_enabled)
368 return (0);
369
370 error = VOP_GETATTR(dvp, &vap, cred, curthread);
371 if (error)
372 return (error);
372 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC));
373 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
374 MBI_EXEC));
373}
374
375static int
376mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
377 struct label *dlabel)
378{
379 struct vattr vap;
380 int error;
381
382 if (!mac_bsdextended_enabled)
383 return (0);
384
385 error = VOP_GETATTR(dvp, &vap, cred, curthread);
386 if (error)
387 return (error);
375}
376
377static int
378mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
379 struct label *dlabel)
380{
381 struct vattr vap;
382 int error;
383
384 if (!mac_bsdextended_enabled)
385 return (0);
386
387 error = VOP_GETATTR(dvp, &vap, cred, curthread);
388 if (error)
389 return (error);
388 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC));
390 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
391 MBI_EXEC));
389}
390
391static int
392mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
393 struct label *dlabel, struct componentname *cnp, struct vattr *vap)
394{
395 struct vattr dvap;
396 int error;
397
398 if (!mac_bsdextended_enabled)
399 return (0);
400
401 error = VOP_GETATTR(dvp, &dvap, cred, curthread);
402 if (error)
403 return (error);
392}
393
394static int
395mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
396 struct label *dlabel, struct componentname *cnp, struct vattr *vap)
397{
398 struct vattr dvap;
399 int error;
400
401 if (!mac_bsdextended_enabled)
402 return (0);
403
404 error = VOP_GETATTR(dvp, &dvap, cred, curthread);
405 if (error)
406 return (error);
404 return (mac_bsdextended_check(cred, dvap.va_uid, dvap.va_gid, VWRITE));
407 return (mac_bsdextended_check(cred, dvap.va_uid, dvap.va_gid,
408 MBI_WRITE));
405}
406
407static int
408mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
409 struct label *dlabel, struct vnode *vp, struct label *label,
410 struct componentname *cnp)
411{
412 struct vattr vap;
413 int error;
414
415 if (!mac_bsdextended_enabled)
416 return (0);
417
418 error = VOP_GETATTR(dvp, &vap, cred, curthread);
419 if (error)
420 return (error);
409}
410
411static int
412mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
413 struct label *dlabel, struct vnode *vp, struct label *label,
414 struct componentname *cnp)
415{
416 struct vattr vap;
417 int error;
418
419 if (!mac_bsdextended_enabled)
420 return (0);
421
422 error = VOP_GETATTR(dvp, &vap, cred, curthread);
423 if (error)
424 return (error);
421 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
425 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
426 MBI_WRITE);
422 if (error)
423 return (error);
424
425 error = VOP_GETATTR(vp, &vap, cred, curthread);
426 if (error)
427 return (error);
427 if (error)
428 return (error);
429
430 error = VOP_GETATTR(vp, &vap, cred, curthread);
431 if (error)
432 return (error);
428 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE));
433 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
434 MBI_WRITE));
429}
430
431static int
432mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
433 struct label *label, acl_type_t type)
434{
435 struct vattr vap;
436 int error;
437
438 if (!mac_bsdextended_enabled)
439 return (0);
440
441 error = VOP_GETATTR(vp, &vap, cred, curthread);
442 if (error)
443 return (error);
435}
436
437static int
438mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
439 struct label *label, acl_type_t type)
440{
441 struct vattr vap;
442 int error;
443
444 if (!mac_bsdextended_enabled)
445 return (0);
446
447 error = VOP_GETATTR(vp, &vap, cred, curthread);
448 if (error)
449 return (error);
444 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
450 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
451 MBI_ADMIN));
445}
446
447static int
448mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
449 struct label *label, int attrnamespace, const char *name)
450{
451 struct vattr vap;
452 int error;
453
454 if (!mac_bsdextended_enabled)
455 return (0);
456
457 error = VOP_GETATTR(vp, &vap, cred, curthread);
458 if (error)
459 return (error);
452}
453
454static int
455mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
456 struct label *label, int attrnamespace, const char *name)
457{
458 struct vattr vap;
459 int error;
460
461 if (!mac_bsdextended_enabled)
462 return (0);
463
464 error = VOP_GETATTR(vp, &vap, cred, curthread);
465 if (error)
466 return (error);
460 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE));
467 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
468 MBI_WRITE));
461}
462
463static int
464mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
465 struct label *label, struct image_params *imgp,
466 struct label *execlabel)
467{
468 struct vattr vap;
469 int error;
470
471 if (!mac_bsdextended_enabled)
472 return (0);
473
474 error = VOP_GETATTR(vp, &vap, cred, curthread);
475 if (error)
476 return (error);
477 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
469}
470
471static int
472mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
473 struct label *label, struct image_params *imgp,
474 struct label *execlabel)
475{
476 struct vattr vap;
477 int error;
478
479 if (!mac_bsdextended_enabled)
480 return (0);
481
482 error = VOP_GETATTR(vp, &vap, cred, curthread);
483 if (error)
484 return (error);
485 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
478 VREAD|VEXEC));
486 MBI_READ|MBI_EXEC));
479}
480
481static int
482mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
483 struct label *label, acl_type_t type)
484{
485 struct vattr vap;
486 int error;
487
488 if (!mac_bsdextended_enabled)
489 return (0);
490
491 error = VOP_GETATTR(vp, &vap, cred, curthread);
492 if (error)
493 return (error);
487}
488
489static int
490mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
491 struct label *label, acl_type_t type)
492{
493 struct vattr vap;
494 int error;
495
496 if (!mac_bsdextended_enabled)
497 return (0);
498
499 error = VOP_GETATTR(vp, &vap, cred, curthread);
500 if (error)
501 return (error);
494 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VSTAT));
502 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
503 MBI_STAT));
495}
496
497static int
498mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
499 struct label *label, int attrnamespace, const char *name, struct uio *uio)
500{
501 struct vattr vap;
502 int error;
503
504 if (!mac_bsdextended_enabled)
505 return (0);
506
507 error = VOP_GETATTR(vp, &vap, cred, curthread);
508 if (error)
509 return (error);
504}
505
506static int
507mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
508 struct label *label, int attrnamespace, const char *name, struct uio *uio)
509{
510 struct vattr vap;
511 int error;
512
513 if (!mac_bsdextended_enabled)
514 return (0);
515
516 error = VOP_GETATTR(vp, &vap, cred, curthread);
517 if (error)
518 return (error);
510 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
519 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
520 MBI_READ));
511}
512
513static int
514mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
515 struct label *dlabel, struct vnode *vp, struct label *label,
516 struct componentname *cnp)
517{
518 struct vattr vap;
519 int error;
520
521 if (!mac_bsdextended_enabled)
522 return (0);
523
524 error = VOP_GETATTR(dvp, &vap, cred, curthread);
525 if (error)
526 return (error);
521}
522
523static int
524mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
525 struct label *dlabel, struct vnode *vp, struct label *label,
526 struct componentname *cnp)
527{
528 struct vattr vap;
529 int error;
530
531 if (!mac_bsdextended_enabled)
532 return (0);
533
534 error = VOP_GETATTR(dvp, &vap, cred, curthread);
535 if (error)
536 return (error);
527 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
537 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
538 MBI_WRITE);
528 if (error)
529 return (error);
530
531 error = VOP_GETATTR(vp, &vap, cred, curthread);
532 if (error)
533 return (error);
539 if (error)
540 return (error);
541
542 error = VOP_GETATTR(vp, &vap, cred, curthread);
543 if (error)
544 return (error);
534 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
545 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
546 MBI_WRITE);
535 if (error)
536 return (error);
537 return (0);
538}
539
540static int
541mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
542 struct label *label, int attrnamespace)
543{
544 struct vattr vap;
545 int error;
546
547 if (!mac_bsdextended_enabled)
548 return (0);
549
550 error = VOP_GETATTR(vp, &vap, cred, curthread);
551 if (error)
552 return (error);
547 if (error)
548 return (error);
549 return (0);
550}
551
552static int
553mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
554 struct label *label, int attrnamespace)
555{
556 struct vattr vap;
557 int error;
558
559 if (!mac_bsdextended_enabled)
560 return (0);
561
562 error = VOP_GETATTR(vp, &vap, cred, curthread);
563 if (error)
564 return (error);
553 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
565 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
566 MBI_READ));
554}
555
556static int
557mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
558 struct label *dlabel, struct componentname *cnp)
559{
560 struct vattr vap;
561 int error;
562
563 if (!mac_bsdextended_enabled)
564 return (0);
565
566 error = VOP_GETATTR(dvp, &vap, cred, curthread);
567 if (error)
568 return (error);
567}
568
569static int
570mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
571 struct label *dlabel, struct componentname *cnp)
572{
573 struct vattr vap;
574 int error;
575
576 if (!mac_bsdextended_enabled)
577 return (0);
578
579 error = VOP_GETATTR(dvp, &vap, cred, curthread);
580 if (error)
581 return (error);
569 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC));
582 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
583 MBI_EXEC));
570}
571
572static int
573mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
574 struct label *filelabel, int acc_mode)
575{
576 struct vattr vap;
577 int error;

--- 15 unchanged lines hidden (view full) ---

593 int error;
594
595 if (!mac_bsdextended_enabled)
596 return (0);
597
598 error = VOP_GETATTR(dvp, &vap, cred, curthread);
599 if (error)
600 return (error);
584}
585
586static int
587mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
588 struct label *filelabel, int acc_mode)
589{
590 struct vattr vap;
591 int error;

--- 15 unchanged lines hidden (view full) ---

607 int error;
608
609 if (!mac_bsdextended_enabled)
610 return (0);
611
612 error = VOP_GETATTR(dvp, &vap, cred, curthread);
613 if (error)
614 return (error);
601 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
615 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
616 MBI_READ));
602}
603
604static int
605mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
606 struct label *label)
607{
608 struct vattr vap;
609 int error;
610
611 if (!mac_bsdextended_enabled)
612 return (0);
613
614 error = VOP_GETATTR(vp, &vap, cred, curthread);
615 if (error)
616 return (error);
617}
618
619static int
620mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
621 struct label *label)
622{
623 struct vattr vap;
624 int error;
625
626 if (!mac_bsdextended_enabled)
627 return (0);
628
629 error = VOP_GETATTR(vp, &vap, cred, curthread);
630 if (error)
631 return (error);
617 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
632 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
633 MBI_READ));
618}
619
620static int
621mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
622 struct label *dlabel, struct vnode *vp, struct label *label,
623 struct componentname *cnp)
624{
625 struct vattr vap;
626 int error;
627
628 if (!mac_bsdextended_enabled)
629 return (0);
630
631 error = VOP_GETATTR(dvp, &vap, cred, curthread);
632 if (error)
633 return (error);
634}
635
636static int
637mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
638 struct label *dlabel, struct vnode *vp, struct label *label,
639 struct componentname *cnp)
640{
641 struct vattr vap;
642 int error;
643
644 if (!mac_bsdextended_enabled)
645 return (0);
646
647 error = VOP_GETATTR(dvp, &vap, cred, curthread);
648 if (error)
649 return (error);
634 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
650 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
651 MBI_WRITE);
635 if (error)
636 return (error);
637 error = VOP_GETATTR(vp, &vap, cred, curthread);
638 if (error)
639 return (error);
652 if (error)
653 return (error);
654 error = VOP_GETATTR(vp, &vap, cred, curthread);
655 if (error)
656 return (error);
640 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
657 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
658 MBI_WRITE);
641
642 return (error);
643}
644
645static int
646mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
647 struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
648 struct componentname *cnp)
649{
650 struct vattr vap;
651 int error;
652
653 if (!mac_bsdextended_enabled)
654 return (0);
655
656 error = VOP_GETATTR(dvp, &vap, cred, curthread);
657 if (error)
658 return (error);
659
660 return (error);
661}
662
663static int
664mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
665 struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
666 struct componentname *cnp)
667{
668 struct vattr vap;
669 int error;
670
671 if (!mac_bsdextended_enabled)
672 return (0);
673
674 error = VOP_GETATTR(dvp, &vap, cred, curthread);
675 if (error)
676 return (error);
659 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
677 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
678 MBI_WRITE);
660 if (error)
661 return (error);
662
663 if (vp != NULL) {
664 error = VOP_GETATTR(vp, &vap, cred, curthread);
665 if (error)
666 return (error);
667 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
679 if (error)
680 return (error);
681
682 if (vp != NULL) {
683 error = VOP_GETATTR(vp, &vap, cred, curthread);
684 if (error)
685 return (error);
686 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
668 VWRITE);
687 MBI_WRITE);
669 }
670
671 return (error);
672}
673
674static int
675mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
676 struct label *label)
677{
678 struct vattr vap;
679 int error;
680
681 if (!mac_bsdextended_enabled)
682 return (0);
683
684 error = VOP_GETATTR(vp, &vap, cred, curthread);
685 if (error)
686 return (error);
688 }
689
690 return (error);
691}
692
693static int
694mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
695 struct label *label)
696{
697 struct vattr vap;
698 int error;
699
700 if (!mac_bsdextended_enabled)
701 return (0);
702
703 error = VOP_GETATTR(vp, &vap, cred, curthread);
704 if (error)
705 return (error);
687 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
706 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
707 MBI_ADMIN));
688}
689
690static int
691mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
692 struct label *label, acl_type_t type, struct acl *acl)
693{
694 struct vattr vap;
695 int error;
696
697 if (!mac_bsdextended_enabled)
698 return (0);
699
700 error = VOP_GETATTR(vp, &vap, cred, curthread);
701 if (error)
702 return (error);
708}
709
710static int
711mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
712 struct label *label, acl_type_t type, struct acl *acl)
713{
714 struct vattr vap;
715 int error;
716
717 if (!mac_bsdextended_enabled)
718 return (0);
719
720 error = VOP_GETATTR(vp, &vap, cred, curthread);
721 if (error)
722 return (error);
703 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
723 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
724 MBI_ADMIN));
704}
705
706static int
707mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
708 struct label *label, int attrnamespace, const char *name, struct uio *uio)
709{
710 struct vattr vap;
711 int error;
712
713 if (!mac_bsdextended_enabled)
714 return (0);
715
716 error = VOP_GETATTR(vp, &vap, cred, curthread);
717 if (error)
718 return (error);
725}
726
727static int
728mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
729 struct label *label, int attrnamespace, const char *name, struct uio *uio)
730{
731 struct vattr vap;
732 int error;
733
734 if (!mac_bsdextended_enabled)
735 return (0);
736
737 error = VOP_GETATTR(vp, &vap, cred, curthread);
738 if (error)
739 return (error);
719 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE));
740 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
741 MBI_WRITE));
720}
721
722static int
723mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
724 struct label *label, u_long flags)
725{
726 struct vattr vap;
727 int error;
728
729 if (!mac_bsdextended_enabled)
730 return (0);
731
732 error = VOP_GETATTR(vp, &vap, cred, curthread);
733 if (error)
734 return (error);
742}
743
744static int
745mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
746 struct label *label, u_long flags)
747{
748 struct vattr vap;
749 int error;
750
751 if (!mac_bsdextended_enabled)
752 return (0);
753
754 error = VOP_GETATTR(vp, &vap, cred, curthread);
755 if (error)
756 return (error);
735 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
757 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
758 MBI_ADMIN));
736}
737
738static int
739mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
740 struct label *label, mode_t mode)
741{
742 struct vattr vap;
743 int error;
744
745 if (!mac_bsdextended_enabled)
746 return (0);
747
748 error = VOP_GETATTR(vp, &vap, cred, curthread);
749 if (error)
750 return (error);
759}
760
761static int
762mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
763 struct label *label, mode_t mode)
764{
765 struct vattr vap;
766 int error;
767
768 if (!mac_bsdextended_enabled)
769 return (0);
770
771 error = VOP_GETATTR(vp, &vap, cred, curthread);
772 if (error)
773 return (error);
751 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
774 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
775 MBI_ADMIN));
752}
753
754static int
755mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
756 struct label *label, uid_t uid, gid_t gid)
757{
758 struct vattr vap;
759 int error;
760
761 if (!mac_bsdextended_enabled)
762 return (0);
763
764 error = VOP_GETATTR(vp, &vap, cred, curthread);
765 if (error)
766 return (error);
776}
777
778static int
779mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
780 struct label *label, uid_t uid, gid_t gid)
781{
782 struct vattr vap;
783 int error;
784
785 if (!mac_bsdextended_enabled)
786 return (0);
787
788 error = VOP_GETATTR(vp, &vap, cred, curthread);
789 if (error)
790 return (error);
767 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
791 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
792 MBI_ADMIN));
768}
769
770static int
771mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
772 struct label *label, struct timespec atime, struct timespec utime)
773{
774 struct vattr vap;
775 int error;
776
777 if (!mac_bsdextended_enabled)
778 return (0);
779
780 error = VOP_GETATTR(vp, &vap, cred, curthread);
781 if (error)
782 return (error);
793}
794
795static int
796mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
797 struct label *label, struct timespec atime, struct timespec utime)
798{
799 struct vattr vap;
800 int error;
801
802 if (!mac_bsdextended_enabled)
803 return (0);
804
805 error = VOP_GETATTR(vp, &vap, cred, curthread);
806 if (error)
807 return (error);
783 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
808 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
809 MBI_ADMIN));
784}
785
786static int
787mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
788 struct ucred *file_cred, struct vnode *vp, struct label *label)
789{
790 struct vattr vap;
791 int error;
792
793 if (!mac_bsdextended_enabled)
794 return (0);
795
796 error = VOP_GETATTR(vp, &vap, active_cred, curthread);
797 if (error)
798 return (error);
799 return (mac_bsdextended_check(active_cred, vap.va_uid, vap.va_gid,
810}
811
812static int
813mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
814 struct ucred *file_cred, struct vnode *vp, struct label *label)
815{
816 struct vattr vap;
817 int error;
818
819 if (!mac_bsdextended_enabled)
820 return (0);
821
822 error = VOP_GETATTR(vp, &vap, active_cred, curthread);
823 if (error)
824 return (error);
825 return (mac_bsdextended_check(active_cred, vap.va_uid, vap.va_gid,
800 VSTAT));
826 MBI_STAT));
801}
802
803static struct mac_policy_ops mac_bsdextended_ops =
804{
805 .mpo_destroy = mac_bsdextended_destroy,
806 .mpo_init = mac_bsdextended_init,
807 .mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
808 .mpo_check_vnode_access = mac_bsdextended_check_vnode_access,

--- 29 unchanged lines hidden ---
827}
828
829static struct mac_policy_ops mac_bsdextended_ops =
830{
831 .mpo_destroy = mac_bsdextended_destroy,
832 .mpo_init = mac_bsdextended_init,
833 .mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
834 .mpo_check_vnode_access = mac_bsdextended_check_vnode_access,

--- 29 unchanged lines hidden ---
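Review bot: mac_bsdextended_check_vnode_access and mac_bsdextended_check_vnode_open still take a VFS `int acc_mode` from the MAC framework (new lines 345-346 and 587-588), yet the loop at new lines 303-321 now interprets that value against MBI_APPEND and MBI_WRITE; the bodies of those two hooks sit in the hidden lines, so no V*-to-MBI_* translation is visible, and if the MBI_* values are not bit-identical to the V* values every access and open decision would be made on the wrong permission bits. Either convert in those hooks before calling mac_bsdextended_check, or pin the assumption next to the rule check with `CTASSERT(MBI_EXEC == VEXEC && MBI_WRITE == VWRITE && MBI_READ == VREAD && MBI_ADMIN == VADMIN && MBI_STAT == VSTAT && MBI_APPEND == VAPPEND);` so a later change to either header fails the build instead of silently changing policy outcomes. Document the contract on mac_bsdextended_check as well: `/* acc_mode is expressed in MBI_* bits, not VFS V* bits; callers that receive a VFS acc_mode must convert it first. */`. The enclosing function for new lines 303-321 begins outside the visible hunk, and the page's file header names ugidfw_system.c while the $FreeBSD$ tag at new line 34 names mac_bsdextended.c, so the section title looks mislabelled.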