1/*-
2 * Copyright (c) 1999-2006 Robert N. M. Watson
3 * All rights reserved.
4 *
5 * This software was developed by Robert Watson for the TrustedBSD Project.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
--- 19 unchanged lines hidden (view full) ---
28/*
29 * Developed by the TrustedBSD Project.
30 *
31 * ACL system calls and other functions common across different ACL types.
32 * Type-specific routines go into subr_acl_<type>.c.
33 */
34
35#include <sys/cdefs.h>
36__FBSDID("$FreeBSD: head/sys/kern/vfs_acl.c 191266 2009-04-19 09:56:30Z trasz $");
37
38#include "opt_mac.h"
39
40#include <sys/param.h>
41#include <sys/systm.h>
42#include <sys/sysproto.h>
43#include <sys/fcntl.h>
44#include <sys/kernel.h>
--- 6 unchanged lines hidden (view full) ---
51#include <sys/file.h>
52#include <sys/filedesc.h>
53#include <sys/proc.h>
54#include <sys/sysent.h>
55#include <sys/acl.h>
56
57#include <security/mac/mac_framework.h>
58
59static MALLOC_DEFINE(M_ACL, "acl", "Access Control Lists");
60
61static int vacl_set_acl(struct thread *td, struct vnode *vp,
62 acl_type_t type, struct acl *aclp);
63static int vacl_get_acl(struct thread *td, struct vnode *vp,
64 acl_type_t type, struct acl *aclp);
65static int vacl_aclcheck(struct thread *td, struct vnode *vp,
66 acl_type_t type, struct acl *aclp);
67
68/*
69 * These calls wrap the real vnode operations, and are called by the syscall
70 * code once the syscall has converted the path or file descriptor to a vnode
71 * (unlocked). The aclp pointer is assumed still to point to userland, so
72 * this should not be consumed within the kernel except by syscall code.
73 * Other code should directly invoke VOP_{SET,GET}ACL.
74 */
75
76/*
77 * Given a vnode, set its ACL.
78 */
79static int
80vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
81 struct acl *aclp)
82{
83 struct acl *inkernelacl;
84 struct mount *mp;
85 int error;
86
87 inkernelacl = acl_alloc(M_WAITOK);
88 error = copyin(aclp, inkernelacl, sizeof(struct acl));
89 if (error)
90 goto out;
91 error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
92 if (error != 0)
93 goto out;
94 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
95#ifdef MAC
96 error = mac_vnode_check_setacl(td->td_ucred, vp, type, inkernelacl);
97 if (error != 0)
98 goto out_unlock;
99#endif
100 error = VOP_SETACL(vp, type, inkernelacl, td->td_ucred, td);
101#ifdef MAC
102out_unlock:
103#endif
104 VOP_UNLOCK(vp, 0);
105 vn_finished_write(mp);
106out:
107 acl_free(inkernelacl);
108 return(error);
--- 11 unchanged lines hidden (view full) ---
120
121 inkernelacl = acl_alloc(M_WAITOK);
122 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
123#ifdef MAC
124 error = mac_vnode_check_getacl(td->td_ucred, vp, type);
125 if (error != 0)
126 goto out;
127#endif
128 error = VOP_GETACL(vp, type, inkernelacl, td->td_ucred, td);
129#ifdef MAC
130out:
131#endif
132 VOP_UNLOCK(vp, 0);
133 if (error == 0)
134 error = copyout(inkernelacl, aclp, sizeof(struct acl));
135 acl_free(inkernelacl);
136 return (error);
137}
138
139/*
140 * Given a vnode, delete its ACL.
141 */
142static int
--- 6 unchanged lines hidden (view full) ---
149 if (error)
150 return (error);
151 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
152#ifdef MAC
153 error = mac_vnode_check_deleteacl(td->td_ucred, vp, type);
154 if (error)
155 goto out;
156#endif
157 error = VOP_SETACL(vp, type, 0, td->td_ucred, td);
158#ifdef MAC
159out:
160#endif
161 VOP_UNLOCK(vp, 0);
162 vn_finished_write(mp);
163 return (error);
164}
165
166/*
167 * Given a vnode, check whether an ACL is appropriate for it
168 */
169static int
170vacl_aclcheck(struct thread *td, struct vnode *vp, acl_type_t type,
171 struct acl *aclp)
172{
173 struct acl *inkernelacl;
174 int error;
175
176 inkernelacl = acl_alloc(M_WAITOK);
177 error = copyin(aclp, inkernelacl, sizeof(struct acl));
178 if (error)
179 goto out;
180 error = VOP_ACLCHECK(vp, type, inkernelacl, td->td_ucred, td);
181out:
182 acl_free(inkernelacl);
183 return (error);
184}
185
--- 239 unchanged lines hidden (view full) ---
425}
426
427struct acl *
428acl_alloc(int flags)
429{
430 struct acl *aclp;
431
432 aclp = malloc(sizeof(*aclp), M_ACL, flags);
433
434 return (aclp);
435}
436
437void
438acl_free(struct acl *aclp)
439{
440
441 free(aclp, M_ACL);
442}
2 * Copyright (c) 1999-2006 Robert N. M. Watson
3 * All rights reserved.
4 *
5 * This software was developed by Robert Watson for the TrustedBSD Project.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
--- 19 unchanged lines hidden (view full) ---
28/*
29 * Developed by the TrustedBSD Project.
30 *
31 * ACL system calls and other functions common across different ACL types.
32 * Type-specific routines go into subr_acl_<type>.c.
33 */
34
35#include <sys/cdefs.h>
36__FBSDID("$FreeBSD: head/sys/kern/vfs_acl.c 191266 2009-04-19 09:56:30Z trasz $");
37
38#include "opt_mac.h"
39
40#include <sys/param.h>
41#include <sys/systm.h>
42#include <sys/sysproto.h>
43#include <sys/fcntl.h>
44#include <sys/kernel.h>
--- 6 unchanged lines hidden (view full) ---
51#include <sys/file.h>
52#include <sys/filedesc.h>
53#include <sys/proc.h>
54#include <sys/sysent.h>
55#include <sys/acl.h>
56
57#include <security/mac/mac_framework.h>
58
59static MALLOC_DEFINE(M_ACL, "acl", "Access Control Lists");
60
61static int vacl_set_acl(struct thread *td, struct vnode *vp,
62 acl_type_t type, struct acl *aclp);
63static int vacl_get_acl(struct thread *td, struct vnode *vp,
64 acl_type_t type, struct acl *aclp);
65static int vacl_aclcheck(struct thread *td, struct vnode *vp,
66 acl_type_t type, struct acl *aclp);
67
68/*
69 * These calls wrap the real vnode operations, and are called by the syscall
70 * code once the syscall has converted the path or file descriptor to a vnode
71 * (unlocked). The aclp pointer is assumed still to point to userland, so
72 * this should not be consumed within the kernel except by syscall code.
73 * Other code should directly invoke VOP_{SET,GET}ACL.
74 */
75
76/*
77 * Given a vnode, set its ACL.
78 */
79static int
80vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
81 struct acl *aclp)
82{
83 struct acl *inkernelacl;
84 struct mount *mp;
85 int error;
86
87 inkernelacl = acl_alloc(M_WAITOK);
88 error = copyin(aclp, inkernelacl, sizeof(struct acl));
89 if (error)
90 goto out;
91 error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
92 if (error != 0)
93 goto out;
94 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
95#ifdef MAC
96 error = mac_vnode_check_setacl(td->td_ucred, vp, type, inkernelacl);
97 if (error != 0)
98 goto out_unlock;
99#endif
100 error = VOP_SETACL(vp, type, inkernelacl, td->td_ucred, td);
101#ifdef MAC
102out_unlock:
103#endif
104 VOP_UNLOCK(vp, 0);
105 vn_finished_write(mp);
106out:
107 acl_free(inkernelacl);
108 return(error);
--- 11 unchanged lines hidden (view full) ---
120
121 inkernelacl = acl_alloc(M_WAITOK);
122 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
123#ifdef MAC
124 error = mac_vnode_check_getacl(td->td_ucred, vp, type);
125 if (error != 0)
126 goto out;
127#endif
128 error = VOP_GETACL(vp, type, inkernelacl, td->td_ucred, td);
129#ifdef MAC
130out:
131#endif
132 VOP_UNLOCK(vp, 0);
133 if (error == 0)
134 error = copyout(inkernelacl, aclp, sizeof(struct acl));
135 acl_free(inkernelacl);
136 return (error);
137}
138
139/*
140 * Given a vnode, delete its ACL.
141 */
142static int
--- 6 unchanged lines hidden (view full) ---
149 if (error)
150 return (error);
151 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
152#ifdef MAC
153 error = mac_vnode_check_deleteacl(td->td_ucred, vp, type);
154 if (error)
155 goto out;
156#endif
157 error = VOP_SETACL(vp, type, 0, td->td_ucred, td);
158#ifdef MAC
159out:
160#endif
161 VOP_UNLOCK(vp, 0);
162 vn_finished_write(mp);
163 return (error);
164}
165
166/*
167 * Given a vnode, check whether an ACL is appropriate for it
168 */
169static int
170vacl_aclcheck(struct thread *td, struct vnode *vp, acl_type_t type,
171 struct acl *aclp)
172{
173 struct acl *inkernelacl;
174 int error;
175
176 inkernelacl = acl_alloc(M_WAITOK);
177 error = copyin(aclp, inkernelacl, sizeof(struct acl));
178 if (error)
179 goto out;
180 error = VOP_ACLCHECK(vp, type, inkernelacl, td->td_ucred, td);
181out:
182 acl_free(inkernelacl);
183 return (error);
184}
185
--- 239 unchanged lines hidden (view full) ---
425}
426
427struct acl *
428acl_alloc(int flags)
429{
430 struct acl *aclp;
431
432 aclp = malloc(sizeof(*aclp), M_ACL, flags);
433
434 return (aclp);
435}
436
437void
438acl_free(struct acl *aclp)
439{
440
441 free(aclp, M_ACL);
442}