mac_internal.h (102123) | mac_internal.h (102129) |
---|---|
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 22 unchanged lines hidden (view full) --- 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 22 unchanged lines hidden (view full) --- 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * |
39 * $FreeBSD: head/sys/security/mac/mac_internal.h 102123 2002-08-19 17:59:48Z rwatson $ | 39 * $FreeBSD: head/sys/security/mac/mac_internal.h 102129 2002-08-19 19:04:53Z rwatson $ |
40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 --- 1751 unchanged lines hidden (view full) --- 1799 if (error) 1800 return (error); 1801 1802 MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); 1803 return (error); 1804} 1805 1806int | 40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 --- 1751 unchanged lines hidden (view full) --- 1799 if (error) 1800 return (error); 1801 1802 MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); 1803 return (error); 1804} 1805 1806int |
1807mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) | 1807mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, 1808 struct vnode *vp) |
1808{ 1809 int error; 1810 1811 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); 1812 1813 if (!mac_enforce_fs) 1814 return (0); 1815 | 1809{ 1810 int error; 1811 1812 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); 1813 1814 if (!mac_enforce_fs) 1815 return (0); 1816 |
1816 error = vn_refreshlabel(vp, cred); | 1817 error = vn_refreshlabel(vp, active_cred); |
1817 if (error) 1818 return (error); 1819 | 1818 if (error) 1819 return (error); 1820 |
1820 MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); | 1821 MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, 1822 &vp->v_label); |
1821 1822 return (error); 1823} 1824 1825int | 1823 1824 return (error); 1825} 1826 1827int |
1826mac_check_vnode_read(struct ucred *cred, struct vnode *vp) | 1828mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, 1829 struct vnode *vp) |
1827{ 1828 int error; 1829 1830 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); 1831 1832 if (!mac_enforce_fs) 1833 return (0); 1834 | 1830{ 1831 int error; 1832 1833 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); 1834 1835 if (!mac_enforce_fs) 1836 return (0); 1837 |
1835 error = vn_refreshlabel(vp, cred); | 1838 error = vn_refreshlabel(vp, active_cred); |
1836 if (error) 1837 return (error); 1838 | 1839 if (error) 1840 return (error); 1841 |
1839 MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); | 1842 MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, 1843 &vp->v_label); |
1840 1841 return (error); 1842} 1843 1844int 1845mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) 1846{ 1847 int error; --- 223 unchanged lines hidden (view full) --- 2071 return (error); 2072 2073 MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, 2074 mtime); 2075 return (error); 2076} 2077 2078int | 1844 1845 return (error); 1846} 1847 1848int 1849mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) 1850{ 1851 int error; --- 223 unchanged lines hidden (view full) --- 2075 return (error); 2076 2077 MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, 2078 mtime); 2079 return (error); 2080} 2081 2082int |
2079mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) | 2083mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 2084 struct vnode *vp) |
2080{ 2081 int error; 2082 2083 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); 2084 2085 if (!mac_enforce_fs) 2086 return (0); 2087 | 2085{ 2086 int error; 2087 2088 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); 2089 2090 if (!mac_enforce_fs) 2091 return (0); 2092 |
2088 error = vn_refreshlabel(vp, cred); | 2093 error = vn_refreshlabel(vp, active_cred); |
2089 if (error) 2090 return (error); 2091 | 2094 if (error) 2095 return (error); 2096 |
2092 MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); | 2097 MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, 2098 &vp->v_label); |
2093 return (error); 2094} 2095 2096int | 2099 return (error); 2100} 2101 2102int |
2097mac_check_vnode_write(struct ucred *cred, struct vnode *vp) | 2103mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, 2104 struct vnode *vp) |
2098{ 2099 int error; 2100 2101 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); 2102 2103 if (!mac_enforce_fs) 2104 return (0); 2105 | 2105{ 2106 int error; 2107 2108 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); 2109 2110 if (!mac_enforce_fs) 2111 return (0); 2112 |
2106 error = vn_refreshlabel(vp, cred); | 2113 error = vn_refreshlabel(vp, active_cred); |
2107 if (error) 2108 return (error); 2109 | 2114 if (error) 2115 return (error); 2116 |
2110 MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); | 2117 MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, 2118 &vp->v_label); |
2111 2112 return (error); 2113} 2114 2115 2116/* 2117 * When relabeling a process, call out to the policies for the maximum 2118 * permission allowed for each object type we know about in its --- 1183 unchanged lines hidden --- | 2119 2120 return (error); 2121} 2122 2123 2124/* 2125 * When relabeling a process, call out to the policies for the maximum 2126 * permission allowed for each object type we know about in its --- 1183 unchanged lines hidden --- |
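Review bot: The new two-credential signatures of mac_check_vnode_poll, mac_check_vnode_read, mac_check_vnode_stat and mac_check_vnode_write (right column, lines 1807, 1828, 2083 and 2103) carry no comment saying how active_cred and file_cred differ or which one a policy is expected to authorize against, and the file's header comment is unchanged. A short block comment above the first of them would fix that, e.g. `/* active_cred is the credential of the thread performing the operation; file_cred is the credential the descriptor carries (presumably the one the file was opened with) — policies should consider both, since they may differ. */`, with the same wording referenced from the other three. Whether file_cred may be NOCRED or NULL for callers that have no open file is not visible here; if it can, that should be stated in the same comment so policy modules do not dereference it. Note also that vn_refreshlabel() on the changed lines is still called with active_cred only, which is probably intended but worth one sentence of justification next to the call. Sibling checks such as mac_check_vnode_readdir (line 1849) keep the single-cred form, so the comment should make clear the split is deliberate for I/O-style checks only.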