| mac_pipe.c (105959) | mac_pipe.c (105988) |
|---|---|
| 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 22 unchanged lines hidden (view full) --- 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 22 unchanged lines hidden (view full) --- 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * |
| 39 * $FreeBSD: head/sys/security/mac/mac_pipe.c 105959 2002-10-25 20:45:27Z rwatson $ | 39 * $FreeBSD: head/sys/security/mac/mac_pipe.c 105988 2002-10-26 14:38:24Z rwatson $ |
| 40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 --- 62 unchanged lines hidden (view full) --- 110 111/* 112 * Has the kernel started generating labeled objects yet? All read/write 113 * access to this variable is serialized during the boot process. Following 114 * the end of serialization, we don't update this flag; no locking. 115 */ 116static int mac_late = 0; 117 | 40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 --- 62 unchanged lines hidden (view full) --- 110 111/* 112 * Has the kernel started generating labeled objects yet? All read/write 113 * access to this variable is serialized during the boot process. Following 114 * the end of serialization, we don't update this flag; no locking. 115 */ 116static int mac_late = 0; 117 |
| 118/* 119 * Warn about EA transactions only the first time they happen. 120 * Weak coherency, no locking. 121 */ 122static int ea_warn_once = 0; 123 |
|
| 118static int mac_enforce_fs = 1; 119SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, 120 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); 121TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); 122 123static int mac_enforce_network = 1; 124SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, 125 &mac_enforce_network, 0, "Enforce MAC policy on network packets"); --- 14 unchanged lines hidden (view full) --- 140 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); 141TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); 142 143static int mac_enforce_vm = 1; 144SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, 145 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); 146TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm); 147 | 124static int mac_enforce_fs = 1; 125SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, 126 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); 127TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); 128 129static int mac_enforce_network = 1; 130SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, 131 &mac_enforce_network, 0, "Enforce MAC policy on network packets"); --- 14 unchanged lines hidden (view full) --- 146 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); 147TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); 148 149static int mac_enforce_vm = 1; 150SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, 151 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); 152TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm); 153 |
| 148static int mac_label_size = sizeof(struct oldmac); 149SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, 150 &mac_label_size, 0, "Pre-compiled MAC label size"); 151 | |
| 152static int mac_cache_fslabel_in_vnode = 1; 153SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, 154 &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); 155TUNABLE_INT("security.mac.cache_fslabel_in_vnode", 156 &mac_cache_fslabel_in_vnode); 157 | 154static int mac_cache_fslabel_in_vnode = 1; 155SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, 156 &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); 157TUNABLE_INT("security.mac.cache_fslabel_in_vnode", 158 &mac_cache_fslabel_in_vnode); 159 |
| 158static int mac_vnode_label_cache_hits = 0; 159SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, 160 &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); 161static int mac_vnode_label_cache_misses = 0; 162SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, 163 &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); 164 | |
| 165static int mac_mmap_revocation = 1; 166SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW, 167 &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " 168 "relabel"); 169static int mac_mmap_revocation_via_cow = 0; 170SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, 171 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " 172 "copy-on-write semantics, or by removing all write access"); --- 36 unchanged lines hidden (view full) --- 209 &nmactemp, 0, "number of temporary labels in use"); 210SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD, 211 &nmacvnodes, 0, "number of vnodes in use"); 212SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD, 213 &nmacdevfsdirents, 0, "number of devfs dirents inuse"); 214#endif 215 216static int error_select(int error1, int error2); | 160static int mac_mmap_revocation = 1; 161SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW, 162 &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " 163 "relabel"); 164static int mac_mmap_revocation_via_cow = 0; 165SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, 166 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " 167 "copy-on-write semantics, or by removing all write access"); --- 36 unchanged lines hidden (view full) --- 204 &nmactemp, 0, "number of temporary labels in use"); 205SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD, 206 &nmacvnodes, 0, "number of vnodes in use"); 207SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD, 208 &nmacdevfsdirents, 0, "number of devfs dirents inuse"); 209#endif 210 211static int error_select(int error1, int error2); |
| 217static int mac_externalize_vnode_oldmac(struct label *label, 218 struct oldmac *extmac); | |
| 219static int mac_policy_register(struct mac_policy_conf *mpc); 220static int mac_policy_unregister(struct mac_policy_conf *mpc); 221 | 212static int mac_policy_register(struct mac_policy_conf *mpc); 213static int mac_policy_unregister(struct mac_policy_conf *mpc); 214 |
| 222static int mac_stdcreatevnode_ea(struct vnode *vp); | |
| 223static void mac_check_vnode_mmap_downgrade(struct ucred *cred, 224 struct vnode *vp, int *prot); 225static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, 226 struct ucred *cred, struct vm_map *map); 227 228static void mac_destroy_socket_label(struct label *label); 229 | 215static void mac_check_vnode_mmap_downgrade(struct ucred *cred, 216 struct vnode *vp, int *prot); 217static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, 218 struct ucred *cred, struct vm_map *map); 219 220static void mac_destroy_socket_label(struct label *label); 221 |
| 222static int mac_setlabel_vnode_extattr(struct ucred *cred, 223 struct vnode *vp, struct label *intlabel); 224 225 |
|
| 230MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); 231MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); 232MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage"); 233 234/* 235 * mac_policy_list_lock protects the consistency of 'mac_policy_list', 236 * the linked list of attached policy modules. Read-only consumers of 237 * the list must acquire a shared lock for the duration of their use; --- 380 unchanged lines hidden (view full) --- 618 case MAC_EXTERNALIZE_SOCKET_PEER_LABEL: 619 mpc->mpc_ops->mpo_externalize_socket_peer_label = 620 mpe->mpe_function; 621 break; 622 case MAC_EXTERNALIZE_VNODE_LABEL: 623 mpc->mpc_ops->mpo_externalize_vnode_label = 624 mpe->mpe_function; 625 break; | 226MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); 227MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); 228MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage"); 229 230/* 231 * mac_policy_list_lock protects the consistency of 'mac_policy_list', 232 * the linked list of attached policy modules. Read-only consumers of 233 * the list must acquire a shared lock for the duration of their use; --- 380 unchanged lines hidden (view full) --- 614 case MAC_EXTERNALIZE_SOCKET_PEER_LABEL: 615 mpc->mpc_ops->mpo_externalize_socket_peer_label = 616 mpe->mpe_function; 617 break; 618 case MAC_EXTERNALIZE_VNODE_LABEL: 619 mpc->mpc_ops->mpo_externalize_vnode_label = 620 mpe->mpe_function; 621 break; |
| 626 case MAC_EXTERNALIZE_VNODE_OLDMAC: 627 mpc->mpc_ops->mpo_externalize_vnode_oldmac = 628 mpe->mpe_function; 629 break; | |
| 630 case MAC_INTERNALIZE_CRED_LABEL: 631 mpc->mpc_ops->mpo_internalize_cred_label = 632 mpe->mpe_function; 633 break; 634 case MAC_INTERNALIZE_IFNET_LABEL: 635 mpc->mpc_ops->mpo_internalize_ifnet_label = 636 mpe->mpe_function; 637 break; --- 20 unchanged lines hidden (view full) --- 658 case MAC_CREATE_DEVFS_SYMLINK: 659 mpc->mpc_ops->mpo_create_devfs_symlink = 660 mpe->mpe_function; 661 break; 662 case MAC_CREATE_DEVFS_VNODE: 663 mpc->mpc_ops->mpo_create_devfs_vnode = 664 mpe->mpe_function; 665 break; | 622 case MAC_INTERNALIZE_CRED_LABEL: 623 mpc->mpc_ops->mpo_internalize_cred_label = 624 mpe->mpe_function; 625 break; 626 case MAC_INTERNALIZE_IFNET_LABEL: 627 mpc->mpc_ops->mpo_internalize_ifnet_label = 628 mpe->mpe_function; 629 break; --- 20 unchanged lines hidden (view full) --- 650 case MAC_CREATE_DEVFS_SYMLINK: 651 mpc->mpc_ops->mpo_create_devfs_symlink = 652 mpe->mpe_function; 653 break; 654 case MAC_CREATE_DEVFS_VNODE: 655 mpc->mpc_ops->mpo_create_devfs_vnode = 656 mpe->mpe_function; 657 break; |
| 666 case MAC_STDCREATEVNODE_EA: 667 mpc->mpc_ops->mpo_stdcreatevnode_ea = 668 mpe->mpe_function; 669 break; 670 case MAC_CREATE_VNODE: 671 mpc->mpc_ops->mpo_create_vnode = 672 mpe->mpe_function; 673 break; | |
| 674 case MAC_CREATE_MOUNT: 675 mpc->mpc_ops->mpo_create_mount = 676 mpe->mpe_function; 677 break; 678 case MAC_CREATE_ROOT_MOUNT: 679 mpc->mpc_ops->mpo_create_root_mount = 680 mpe->mpe_function; 681 break; 682 case MAC_RELABEL_VNODE: 683 mpc->mpc_ops->mpo_relabel_vnode = 684 mpe->mpe_function; 685 break; 686 case MAC_UPDATE_DEVFSDIRENT: 687 mpc->mpc_ops->mpo_update_devfsdirent = 688 mpe->mpe_function; 689 break; | 658 case MAC_CREATE_MOUNT: 659 mpc->mpc_ops->mpo_create_mount = 660 mpe->mpe_function; 661 break; 662 case MAC_CREATE_ROOT_MOUNT: 663 mpc->mpc_ops->mpo_create_root_mount = 664 mpe->mpe_function; 665 break; 666 case MAC_RELABEL_VNODE: 667 mpc->mpc_ops->mpo_relabel_vnode = 668 mpe->mpe_function; 669 break; 670 case MAC_UPDATE_DEVFSDIRENT: 671 mpc->mpc_ops->mpo_update_devfsdirent = 672 mpe->mpe_function; 673 break; |
| 690 case MAC_UPDATE_PROCFSVNODE: 691 mpc->mpc_ops->mpo_update_procfsvnode = | 674 case MAC_ASSOCIATE_VNODE_DEVFS: 675 mpc->mpc_ops->mpo_associate_vnode_devfs = |
| 692 mpe->mpe_function; 693 break; | 676 mpe->mpe_function; 677 break; |
| 694 case MAC_UPDATE_VNODE_FROM_EXTATTR: 695 mpc->mpc_ops->mpo_update_vnode_from_extattr = | 678 case MAC_ASSOCIATE_VNODE_EXTATTR: 679 mpc->mpc_ops->mpo_associate_vnode_extattr = |
| 696 mpe->mpe_function; 697 break; | 680 mpe->mpe_function; 681 break; |
| 698 case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: 699 mpc->mpc_ops->mpo_update_vnode_from_externalized = | 682 case MAC_ASSOCIATE_VNODE_SINGLELABEL: 683 mpc->mpc_ops->mpo_associate_vnode_singlelabel = |
| 700 mpe->mpe_function; 701 break; | 684 mpe->mpe_function; 685 break; |
| 702 case MAC_UPDATE_VNODE_FROM_MOUNT: 703 mpc->mpc_ops->mpo_update_vnode_from_mount = | 686 case MAC_CREATE_VNODE_EXTATTR: 687 mpc->mpc_ops->mpo_create_vnode_extattr = |
| 704 mpe->mpe_function; 705 break; | 688 mpe->mpe_function; 689 break; |
| 690 case MAC_SETLABEL_VNODE_EXTATTR: 691 mpc->mpc_ops->mpo_setlabel_vnode_extattr = 692 mpe->mpe_function; 693 break; |
|
| 706 case MAC_CREATE_MBUF_FROM_SOCKET: 707 mpc->mpc_ops->mpo_create_mbuf_from_socket = 708 mpe->mpe_function; 709 break; 710 case MAC_CREATE_PIPE: 711 mpc->mpc_ops->mpo_create_pipe = 712 mpe->mpe_function; 713 break; --- 660 unchanged lines hidden (view full) --- 1374 1375 error = mac_init_socket_peer_label(&socket->so_peerlabel, flag); 1376 if (error) 1377 mac_destroy_socket_label(&socket->so_label); 1378 1379 return (error); 1380} 1381 | 694 case MAC_CREATE_MBUF_FROM_SOCKET: 695 mpc->mpc_ops->mpo_create_mbuf_from_socket = 696 mpe->mpe_function; 697 break; 698 case MAC_CREATE_PIPE: 699 mpc->mpc_ops->mpo_create_pipe = 700 mpe->mpe_function; 701 break; --- 660 unchanged lines hidden (view full) --- 1362 1363 error = mac_init_socket_peer_label(&socket->so_peerlabel, flag); 1364 if (error) 1365 mac_destroy_socket_label(&socket->so_label); 1366 1367 return (error); 1368} 1369 |
| 1382static void | 1370void |
| 1383mac_init_vnode_label(struct label *label) 1384{ 1385 1386 mac_init_label(label); 1387 MAC_PERFORM(init_vnode_label, label); 1388#ifdef MAC_DEBUG 1389 atomic_add_int(&nmacvnodes, 1); 1390#endif --- 140 unchanged lines hidden (view full) --- 1531void 1532mac_destroy_socket(struct socket *socket) 1533{ 1534 1535 mac_destroy_socket_label(&socket->so_label); 1536 mac_destroy_socket_peer_label(&socket->so_peerlabel); 1537} 1538 | 1371mac_init_vnode_label(struct label *label) 1372{ 1373 1374 mac_init_label(label); 1375 MAC_PERFORM(init_vnode_label, label); 1376#ifdef MAC_DEBUG 1377 atomic_add_int(&nmacvnodes, 1); 1378#endif --- 140 unchanged lines hidden (view full) --- 1519void 1520mac_destroy_socket(struct socket *socket) 1521{ 1522 1523 mac_destroy_socket_label(&socket->so_label); 1524 mac_destroy_socket_peer_label(&socket->so_peerlabel); 1525} 1526 |
| 1539static void | 1527void |
| 1540mac_destroy_vnode_label(struct label *label) 1541{ 1542 1543 MAC_PERFORM(destroy_vnode_label, label); 1544 mac_destroy_label(label); 1545#ifdef MAC_DEBUG 1546 atomic_subtract_int(&nmacvnodes, 1); 1547#endif --- 8 unchanged lines hidden (view full) --- 1556 1557static void 1558mac_copy_pipe_label(struct label *src, struct label *dest) 1559{ 1560 1561 MAC_PERFORM(copy_pipe_label, src, dest); 1562} 1563 | 1528mac_destroy_vnode_label(struct label *label) 1529{ 1530 1531 MAC_PERFORM(destroy_vnode_label, label); 1532 mac_destroy_label(label); 1533#ifdef MAC_DEBUG 1534 atomic_subtract_int(&nmacvnodes, 1); 1535#endif --- 8 unchanged lines hidden (view full) --- 1544 1545static void 1546mac_copy_pipe_label(struct label *src, struct label *dest) 1547{ 1548 1549 MAC_PERFORM(copy_pipe_label, src, dest); 1550} 1551 |
| 1564static void | 1552void |
| 1565mac_copy_vnode_label(struct label *src, struct label *dest) 1566{ 1567 1568 MAC_PERFORM(copy_vnode_label, src, dest); 1569} 1570 1571static int 1572mac_check_structmac_consistent(struct mac *mac) --- 67 unchanged lines hidden (view full) --- 1640 int error; 1641 1642 MAC_EXTERNALIZE(vnode_label, label, elements, outbuf, outbuflen); 1643 1644 return (error); 1645} 1646 1647static int | 1553mac_copy_vnode_label(struct label *src, struct label *dest) 1554{ 1555 1556 MAC_PERFORM(copy_vnode_label, src, dest); 1557} 1558 1559static int 1560mac_check_structmac_consistent(struct mac *mac) --- 67 unchanged lines hidden (view full) --- 1628 int error; 1629 1630 MAC_EXTERNALIZE(vnode_label, label, elements, outbuf, outbuflen); 1631 1632 return (error); 1633} 1634 1635static int |
| 1648mac_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac) 1649{ 1650 int error; 1651 1652 MAC_CHECK(externalize_vnode_oldmac, label, extmac); 1653 1654 return (error); 1655} 1656 1657static int | |
| 1658mac_internalize_cred_label(struct label *label, char *string) 1659{ 1660 int error; 1661 1662 MAC_INTERNALIZE(cred_label, label, string); 1663 1664 return (error); 1665} --- 82 unchanged lines hidden (view full) --- 1748void 1749mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) 1750{ 1751 1752 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); 1753} 1754 1755void | 1636mac_internalize_cred_label(struct label *label, char *string) 1637{ 1638 int error; 1639 1640 MAC_INTERNALIZE(cred_label, label, string); 1641 1642 return (error); 1643} --- 82 unchanged lines hidden (view full) --- 1726void 1727mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) 1728{ 1729 1730 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); 1731} 1732 1733void |
| 1756mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) | 1734mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de, 1735 struct vnode *vp) |
| 1757{ 1758 | 1736{ 1737 |
| 1759 MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); | 1738 MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de, 1739 &de->de_label, vp, &vp->v_label); |
| 1760} 1761 | 1740} 1741 |
| 1762/* 1763 * Support callout for policies that manage their own externalization 1764 * using extended attributes. 1765 */ 1766static int 1767mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) | 1742int 1743mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp) |
| 1768{ 1769 int error; 1770 | 1744{ 1745 int error; 1746 |
| 1771 MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, 1772 &mp->mnt_fslabel); | 1747 ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr"); |
| 1773 | 1748 |
| 1774 return (error); 1775} | 1749 MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp, 1750 &vp->v_label); |
| 1776 | 1751 |
| 1777/* 1778 * Given an externalized mac label, internalize it and stamp it on a 1779 * vnode. 1780 */ 1781static int 1782mac_update_vnode_from_externalized(struct vnode *vp, struct oldmac *extmac) 1783{ 1784 int error; 1785 1786 MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); 1787 | |
| 1788 return (error); 1789} 1790 | 1752 return (error); 1753} 1754 |
| 1791/* 1792 * Call out to individual policies to update the label in a vnode from 1793 * the mountpoint. 1794 */ | |
| 1795void | 1755void |
| 1796mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) | 1756mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp) |
| 1797{ 1798 | 1757{ 1758 |
| 1799 MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, 1800 &mp->mnt_fslabel); 1801 1802 ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); 1803 if (mac_cache_fslabel_in_vnode) 1804 vp->v_vflag |= VV_CACHEDLABEL; | 1759 MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp, 1760 &vp->v_label); |
| 1805} 1806 | 1761} 1762 |
| 1807/* 1808 * Implementation of VOP_REFRESHLABEL() that relies on extended attributes 1809 * to store label data. Can be referenced by filesystems supporting 1810 * extended attributes. 1811 */ | |
| 1812int | 1763int |
| 1813vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) | 1764mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, 1765 struct vnode *dvp, struct vnode *vp, struct componentname *cnp) |
| 1814{ | 1766{ |
| 1815 struct vnode *vp = ap->a_vp; 1816 struct oldmac extmac; 1817 int buflen, error; | 1767 int error; |
| 1818 | 1768 |
| 1819 ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); | 1769 ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr"); 1770 ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr"); |
| 1820 | 1771 |
| 1821 /* 1822 * Call out to external policies first. Order doesn't really 1823 * matter, as long as failure of one assures failure of all. 1824 */ 1825 error = mac_update_vnode_from_extattr(vp, vp->v_mount); 1826 if (error) | 1772 error = VOP_OPENEXTATTR(vp, cred, curthread); 1773 if (error == EOPNOTSUPP) { 1774 /* XXX: Optionally abort if transactions not supported. */ 1775 if (ea_warn_once == 0) { 1776 printf("Warning: transactions not supported " 1777 "in EA write.\n"); 1778 ea_warn_once = 1; 1779 } 1780 } else if (error) |
| 1827 return (error); 1828 | 1781 return (error); 1782 |
| 1829 buflen = sizeof(extmac); 1830 error = vn_extattr_get(vp, IO_NODELOCKED, 1831 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, 1832 (char *)&extmac, curthread); 1833 switch (error) { 1834 case 0: 1835 /* Got it */ 1836 break; | 1783 MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel, 1784 dvp, &dvp->v_label, vp, &vp->v_label, cnp); |
| 1837 | 1785 |
| 1838 case ENOATTR: 1839 /* 1840 * Use the label from the mount point. 1841 */ 1842 mac_update_vnode_from_mount(vp, vp->v_mount); 1843 return (0); 1844 1845 case EOPNOTSUPP: 1846 default: 1847 /* Fail horribly. */ | 1786 if (error) { 1787 VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); |
| 1848 return (error); 1849 } 1850 | 1788 return (error); 1789 } 1790 |
| 1851 if (buflen != sizeof(extmac)) 1852 error = EPERM; /* Fail very closed. */ 1853 if (error == 0) 1854 error = mac_update_vnode_from_externalized(vp, &extmac); 1855 if (error == 0) 1856 vp->v_vflag |= VV_CACHEDLABEL; 1857 else { 1858 struct vattr va; | 1791 error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread); |
| 1859 | 1792 |
| 1860 printf("Corrupted label on %s", 1861 vp->v_mount->mnt_stat.f_mntonname); 1862 if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) 1863 printf(" inum %ld", va.va_fileid); 1864#ifdef MAC_DEBUG 1865 if (mac_debug_label_fallback) { 1866 printf(", falling back.\n"); 1867 mac_update_vnode_from_mount(vp, vp->v_mount); 1868 error = 0; 1869 } else { 1870#endif 1871 printf(".\n"); 1872 error = EPERM; 1873#ifdef MAC_DEBUG 1874 } 1875#endif 1876 } | 1793 if (error == EOPNOTSUPP) 1794 error = 0; /* XXX */ |
| 1877 1878 return (error); 1879} 1880 | 1795 1796 return (error); 1797} 1798 |
| 1881/* 1882 * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle 1883 * the labeling activity outselves. Filesystems should be careful not 1884 * to change their minds regarding whether they support vop_refreshlabel() 1885 * for a vnode or not. Don't cache the vnode here, allow the file 1886 * system code to determine if it's safe to cache. If we update from 1887 * the mount, don't cache since a change to the mount label should affect 1888 * all vnodes. 1889 */ | |
| 1890static int | 1799static int |
| 1891vn_refreshlabel(struct vnode *vp, struct ucred *cred) | 1800mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, 1801 struct label *intlabel) |
| 1892{ 1893 int error; 1894 | 1802{ 1803 int error; 1804 |
| 1895 ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); | 1805 ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr"); |
| 1896 | 1806 |
| 1897 if (vp->v_mount == NULL) { 1898/* 1899 Eventually, we probably want to special-case refreshing 1900 of deadfs vnodes, and if there's a lock-free race somewhere, 1901 that case might be handled here. | 1807 error = VOP_OPENEXTATTR(vp, cred, curthread); 1808 if (error == EOPNOTSUPP) { 1809 /* XXX: Optionally abort if transactions not supported. */ 1810 if (ea_warn_once == 0) { 1811 printf("Warning: transactions not supported " 1812 "in EA write.\n"); 1813 ea_warn_once = 1; 1814 } 1815 } else if (error) 1816 return (error); |
| 1902 | 1817 |
| 1903 mac_update_vnode_deadfs(vp); 1904 return (0); 1905 */ 1906 /* printf("vn_refreshlabel: null v_mount\n"); */ 1907 if (vp->v_type != VNON) 1908 printf( 1909 "vn_refreshlabel: null v_mount with non-VNON\n"); 1910 return (EBADF); 1911 } | 1818 MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel); |
| 1912 | 1819 |
| 1913 if (vp->v_vflag & VV_CACHEDLABEL) { 1914 mac_vnode_label_cache_hits++; 1915 return (0); 1916 } else 1917 mac_vnode_label_cache_misses++; 1918 1919 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { 1920 mac_update_vnode_from_mount(vp, vp->v_mount); 1921 return (0); 1922 } 1923 1924 error = VOP_REFRESHLABEL(vp, cred, curthread); 1925 switch (error) { 1926 case EOPNOTSUPP: 1927 /* 1928 * If labels are not supported on this vnode, fall back to 1929 * the label in the mount and propagate it to the vnode. 1930 * There should probably be some sort of policy/flag/decision 1931 * about doing this. 1932 */ 1933 mac_update_vnode_from_mount(vp, vp->v_mount); 1934 error = 0; 1935 default: | 1820 if (error) { 1821 VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); |
| 1936 return (error); 1937 } | 1822 return (error); 1823 } |
| 1938} | |
| 1939 | 1824 |
| 1940/* 1941 * Helper function for file systems using the vop_std*_ea() calls. This 1942 * function must be called after EA service is available for the vnode, 1943 * but before it's hooked up to the namespace so that the node persists 1944 * if there's a crash, or before it can be accessed. On successful 1945 * commit of the label to disk (etc), do cache the label. 1946 */ 1947int 1948vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) 1949{ 1950 struct oldmac extmac; 1951 int error; | 1825 error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread); |
| 1952 | 1826 |
| 1953 ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); 1954 if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { 1955 mac_update_vnode_from_mount(tvp, tvp->v_mount); 1956 } else { 1957 error = vn_refreshlabel(dvp, cred); 1958 if (error) 1959 return (error); | 1827 if (error == EOPNOTSUPP) 1828 error = 0; /* XXX */ |
| 1960 | 1829 |
| 1961 /* 1962 * Stick the label in the vnode. Then try to write to 1963 * disk. If we fail, return a failure to abort the 1964 * create operation. Really, this failure shouldn't 1965 * happen except in fairly unusual circumstances (out 1966 * of disk, etc). 1967 */ 1968 mac_create_vnode(cred, dvp, tvp); 1969 1970 error = mac_stdcreatevnode_ea(tvp); 1971 if (error) 1972 return (error); 1973 1974 /* 1975 * XXX: Eventually this will go away and all policies will 1976 * directly manage their extended attributes. 1977 */ 1978 error = mac_externalize_vnode_oldmac(&tvp->v_label, &extmac); 1979 if (error) 1980 return (error); 1981 1982 error = vn_extattr_set(tvp, IO_NODELOCKED, 1983 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, 1984 sizeof(extmac), (char *)&extmac, curthread); 1985 if (error == 0) 1986 tvp->v_vflag |= VV_CACHEDLABEL; 1987 else { 1988#if 0 1989 /* 1990 * In theory, we could have fall-back behavior here. 1991 * It would probably be incorrect. 1992 */ 1993#endif 1994 return (error); 1995 } 1996 } 1997 1998 return (0); | 1830 return (error); |
| 1999} 2000 2001void 2002mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) 2003{ | 1831} 1832 1833void 1834mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) 1835{ |
| 2004 int error; | |
| 2005 2006 ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); 2007 | 1836 1837 ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); 1838 |
| 2008 error = vn_refreshlabel(vp, old); 2009 if (error) { 2010 printf("mac_execve_transition: vn_refreshlabel returned %d\n", 2011 error); 2012 printf("mac_execve_transition: using old vnode label\n"); 2013 } 2014 | |
| 2015 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); 2016} 2017 2018int 2019mac_execve_will_transition(struct ucred *old, struct vnode *vp) 2020{ | 1839 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); 1840} 1841 1842int 1843mac_execve_will_transition(struct ucred *old, struct vnode *vp) 1844{ |
| 2021 int error, result; | 1845 int result; |
| 2022 | 1846 |
| 2023 error = vn_refreshlabel(vp, old); 2024 if (error) 2025 return (error); 2026 | |
| 2027 result = 0; 2028 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); 2029 2030 return (result); 2031} 2032 2033int 2034mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) 2035{ 2036 int error; 2037 2038 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); 2039 2040 if (!mac_enforce_fs) 2041 return (0); 2042 | 1847 result = 0; 1848 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); 1849 1850 return (result); 1851} 1852 1853int 1854mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) 1855{ 1856 int error; 1857 1858 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); 1859 1860 if (!mac_enforce_fs) 1861 return (0); 1862 |
| 2043 error = vn_refreshlabel(vp, cred); 2044 if (error) 2045 return (error); 2046 | |
| 2047 MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); 2048 return (error); 2049} 2050 2051int 2052mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) 2053{ 2054 int error; 2055 2056 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); 2057 2058 if (!mac_enforce_fs) 2059 return (0); 2060 | 1863 MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); 1864 return (error); 1865} 1866 1867int 1868mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) 1869{ 1870 int error; 1871 1872 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); 1873 1874 if (!mac_enforce_fs) 1875 return (0); 1876 |
| 2061 error = vn_refreshlabel(dvp, cred); 2062 if (error) 2063 return (error); 2064 | |
| 2065 MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); 2066 return (error); 2067} 2068 2069int 2070mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) 2071{ 2072 int error; 2073 2074 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); 2075 2076 if (!mac_enforce_fs) 2077 return (0); 2078 | 1877 MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); 1878 return (error); 1879} 1880 1881int 1882mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) 1883{ 1884 int error; 1885 1886 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); 1887 1888 if (!mac_enforce_fs) 1889 return (0); 1890 |
| 2079 error = vn_refreshlabel(dvp, cred); 2080 if (error) 2081 return (error); 2082 | |
| 2083 MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); 2084 return (error); 2085} 2086 2087int 2088mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, 2089 struct componentname *cnp, struct vattr *vap) 2090{ 2091 int error; 2092 2093 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); 2094 2095 if (!mac_enforce_fs) 2096 return (0); 2097 | 1891 MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); 1892 return (error); 1893} 1894 1895int 1896mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, 1897 struct componentname *cnp, struct vattr *vap) 1898{ 1899 int error; 1900 1901 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); 1902 1903 if (!mac_enforce_fs) 1904 return (0); 1905 |
| 2098 error = vn_refreshlabel(dvp, cred); 2099 if (error) 2100 return (error); 2101 | |
| 2102 MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); 2103 return (error); 2104} 2105 2106int 2107mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, 2108 struct componentname *cnp) 2109{ 2110 int error; 2111 2112 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); 2113 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); 2114 2115 if (!mac_enforce_fs) 2116 return (0); 2117 | 1906 MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); 1907 return (error); 1908} 1909 1910int 1911mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, 1912 struct componentname *cnp) 1913{ 1914 int error; 1915 1916 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); 1917 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); 1918 1919 if (!mac_enforce_fs) 1920 return (0); 1921 |
| 2118 error = vn_refreshlabel(dvp, cred); 2119 if (error) 2120 return (error); 2121 error = vn_refreshlabel(vp, cred); 2122 if (error) 2123 return (error); 2124 | |
| 2125 MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, 2126 &vp->v_label, cnp); 2127 return (error); 2128} 2129 2130int 2131mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 2132 acl_type_t type) 2133{ 2134 int error; 2135 2136 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); 2137 2138 if (!mac_enforce_fs) 2139 return (0); 2140 | 1922 MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, 1923 &vp->v_label, cnp); 1924 return (error); 1925} 1926 1927int 1928mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 1929 acl_type_t type) 1930{ 1931 int error; 1932 1933 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); 1934 1935 if (!mac_enforce_fs) 1936 return (0); 1937 |
| 2141 error = vn_refreshlabel(vp, cred); 2142 if (error) 2143 return (error); 2144 | |
| 2145 MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); 2146 return (error); 2147} 2148 2149int 2150mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) 2151{ 2152 int error; 2153 2154 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); 2155 2156 if (!mac_enforce_process && !mac_enforce_fs) 2157 return (0); 2158 | 1938 MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); 1939 return (error); 1940} 1941 1942int 1943mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) 1944{ 1945 int error; 1946 1947 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); 1948 1949 if (!mac_enforce_process && !mac_enforce_fs) 1950 return (0); 1951 |
| 2159 error = vn_refreshlabel(vp, cred); 2160 if (error) 2161 return (error); | |
| 2162 MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); 2163 2164 return (error); 2165} 2166 2167int 2168mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) 2169{ 2170 int error; 2171 2172 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); 2173 2174 if (!mac_enforce_fs) 2175 return (0); 2176 | 1952 MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); 1953 1954 return (error); 1955} 1956 1957int 1958mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) 1959{ 1960 int error; 1961 1962 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); 1963 1964 if (!mac_enforce_fs) 1965 return (0); 1966 |
| 2177 error = vn_refreshlabel(vp, cred); 2178 if (error) 2179 return (error); 2180 | |
| 2181 MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); 2182 return (error); 2183} 2184 2185int 2186mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 2187 int attrnamespace, const char *name, struct uio *uio) 2188{ 2189 int error; 2190 2191 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); 2192 2193 if (!mac_enforce_fs) 2194 return (0); 2195 | 1967 MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); 1968 return (error); 1969} 1970 1971int 1972mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 1973 int attrnamespace, const char *name, struct uio *uio) 1974{ 1975 int error; 1976 1977 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); 1978 1979 if (!mac_enforce_fs) 1980 return (0); 1981 |
| 2196 error = vn_refreshlabel(vp, cred); 2197 if (error) 2198 return (error); 2199 | |
| 2200 MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, 2201 attrnamespace, name, uio); 2202 return (error); 2203} 2204 2205int 2206mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, 2207 struct vnode *vp, struct componentname *cnp) 2208{ 2209 int error; 2210 2211 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); 2212 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); 2213 2214 if (!mac_enforce_fs) 2215 return (0); 2216 | 1982 MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, 1983 attrnamespace, name, uio); 1984 return (error); 1985} 1986 1987int 1988mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, 1989 struct vnode *vp, struct componentname *cnp) 1990{ 1991 int error; 1992 1993 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); 1994 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); 1995 1996 if (!mac_enforce_fs) 1997 return (0); 1998 |
| 2217 error = vn_refreshlabel(dvp, cred); 2218 if (error) 2219 return (error); 2220 2221 error = vn_refreshlabel(vp, cred); 2222 if (error) 2223 return (error); 2224 | |
| 2225 MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, 2226 &vp->v_label, cnp); 2227 return (error); 2228} 2229 2230int 2231mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 2232 struct componentname *cnp) 2233{ 2234 int error; 2235 2236 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); 2237 2238 if (!mac_enforce_fs) 2239 return (0); 2240 | 1999 MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, 2000 &vp->v_label, cnp); 2001 return (error); 2002} 2003 2004int 2005mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 2006 struct componentname *cnp) 2007{ 2008 int error; 2009 2010 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); 2011 2012 if (!mac_enforce_fs) 2013 return (0); 2014 |
| 2241 error = vn_refreshlabel(dvp, cred); 2242 if (error) 2243 return (error); 2244 | |
| 2245 MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); 2246 return (error); 2247} 2248 2249int 2250mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot) 2251{ 2252 int error; 2253 2254 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap"); 2255 2256 if (!mac_enforce_fs || !mac_enforce_vm) 2257 return (0); 2258 | 2015 MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); 2016 return (error); 2017} 2018 2019int 2020mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot) 2021{ 2022 int error; 2023 2024 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap"); 2025 2026 if (!mac_enforce_fs || !mac_enforce_vm) 2027 return (0); 2028 |
| 2259 error = vn_refreshlabel(vp, cred); 2260 if (error) 2261 return (error); 2262 | |
| 2263 MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot); 2264 return (error); 2265} 2266 2267void 2268mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot) 2269{ 2270 int result = *prot; --- 14 unchanged lines hidden (view full) --- 2285{ 2286 int error; 2287 2288 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect"); 2289 2290 if (!mac_enforce_fs || !mac_enforce_vm) 2291 return (0); 2292 | 2029 MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot); 2030 return (error); 2031} 2032 2033void 2034mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot) 2035{ 2036 int result = *prot; --- 14 unchanged lines hidden (view full) --- 2051{ 2052 int error; 2053 2054 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect"); 2055 2056 if (!mac_enforce_fs || !mac_enforce_vm) 2057 return (0); 2058 |
| 2293 error = vn_refreshlabel(vp, cred); 2294 if (error) 2295 return (error); 2296 | |
| 2297 MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot); 2298 return (error); 2299} 2300 2301int 2302mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) 2303{ 2304 int error; 2305 2306 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); 2307 2308 if (!mac_enforce_fs) 2309 return (0); 2310 | 2059 MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot); 2060 return (error); 2061} 2062 2063int 2064mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) 2065{ 2066 int error; 2067 2068 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); 2069 2070 if (!mac_enforce_fs) 2071 return (0); 2072 |
| 2311 error = vn_refreshlabel(vp, cred); 2312 if (error) 2313 return (error); 2314 | |
| 2315 MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); 2316 return (error); 2317} 2318 2319int 2320mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, 2321 struct vnode *vp) 2322{ 2323 int error; 2324 2325 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); 2326 2327 if (!mac_enforce_fs) 2328 return (0); 2329 | 2073 MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); 2074 return (error); 2075} 2076 2077int 2078mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, 2079 struct vnode *vp) 2080{ 2081 int error; 2082 2083 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); 2084 2085 if (!mac_enforce_fs) 2086 return (0); 2087 |
| 2330 error = vn_refreshlabel(vp, active_cred); 2331 if (error) 2332 return (error); 2333 | |
| 2334 MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, 2335 &vp->v_label); 2336 2337 return (error); 2338} 2339 2340int 2341mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, 2342 struct vnode *vp) 2343{ 2344 int error; 2345 2346 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); 2347 2348 if (!mac_enforce_fs) 2349 return (0); 2350 | 2088 MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, 2089 &vp->v_label); 2090 2091 return (error); 2092} 2093 2094int 2095mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, 2096 struct vnode *vp) 2097{ 2098 int error; 2099 2100 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); 2101 2102 if (!mac_enforce_fs) 2103 return (0); 2104 |
| 2351 error = vn_refreshlabel(vp, active_cred); 2352 if (error) 2353 return (error); 2354 | |
| 2355 MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, 2356 &vp->v_label); 2357 2358 return (error); 2359} 2360 2361int 2362mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) 2363{ 2364 int error; 2365 2366 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); 2367 2368 if (!mac_enforce_fs) 2369 return (0); 2370 | 2105 MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, 2106 &vp->v_label); 2107 2108 return (error); 2109} 2110 2111int 2112mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) 2113{ 2114 int error; 2115 2116 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); 2117 2118 if (!mac_enforce_fs) 2119 return (0); 2120 |
| 2371 error = vn_refreshlabel(dvp, cred); 2372 if (error) 2373 return (error); 2374 | |
| 2375 MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); 2376 return (error); 2377} 2378 2379int 2380mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) 2381{ 2382 int error; 2383 2384 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); 2385 2386 if (!mac_enforce_fs) 2387 return (0); 2388 | 2121 MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); 2122 return (error); 2123} 2124 2125int 2126mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) 2127{ 2128 int error; 2129 2130 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); 2131 2132 if (!mac_enforce_fs) 2133 return (0); 2134 |
| 2389 error = vn_refreshlabel(vp, cred); 2390 if (error) 2391 return (error); 2392 | |
| 2393 MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); 2394 return (error); 2395} 2396 2397static int 2398mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 2399 struct label *newlabel) 2400{ 2401 int error; 2402 2403 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); 2404 | 2135 MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); 2136 return (error); 2137} 2138 2139static int 2140mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 2141 struct label *newlabel) 2142{ 2143 int error; 2144 2145 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); 2146 |
| 2405 error = vn_refreshlabel(vp, cred); 2406 if (error) 2407 return (error); 2408 | |
| 2409 MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); 2410 2411 return (error); 2412} 2413 2414int 2415mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 2416 struct vnode *vp, struct componentname *cnp) 2417{ 2418 int error; 2419 2420 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); 2421 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); 2422 2423 if (!mac_enforce_fs) 2424 return (0); 2425 | 2147 MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); 2148 2149 return (error); 2150} 2151 2152int 2153mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 2154 struct vnode *vp, struct componentname *cnp) 2155{ 2156 int error; 2157 2158 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); 2159 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); 2160 2161 if (!mac_enforce_fs) 2162 return (0); 2163 |
| 2426 error = vn_refreshlabel(dvp, cred); 2427 if (error) 2428 return (error); 2429 error = vn_refreshlabel(vp, cred); 2430 if (error) 2431 return (error); 2432 | |
| 2433 MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, 2434 &vp->v_label, cnp); 2435 return (error); 2436} 2437 2438int 2439mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 2440 struct vnode *vp, int samedir, struct componentname *cnp) 2441{ 2442 int error; 2443 2444 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); 2445 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); 2446 2447 if (!mac_enforce_fs) 2448 return (0); 2449 | 2164 MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, 2165 &vp->v_label, cnp); 2166 return (error); 2167} 2168 2169int 2170mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 2171 struct vnode *vp, int samedir, struct componentname *cnp) 2172{ 2173 int error; 2174 2175 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); 2176 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); 2177 2178 if (!mac_enforce_fs) 2179 return (0); 2180 |
| 2450 error = vn_refreshlabel(dvp, cred); 2451 if (error) 2452 return (error); 2453 if (vp != NULL) { 2454 error = vn_refreshlabel(vp, cred); 2455 if (error) 2456 return (error); 2457 } | |
| 2458 MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, 2459 vp != NULL ? &vp->v_label : NULL, samedir, cnp); 2460 return (error); 2461} 2462 2463int 2464mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) 2465{ 2466 int error; 2467 2468 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); 2469 2470 if (!mac_enforce_fs) 2471 return (0); 2472 | 2181 MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, 2182 vp != NULL ? &vp->v_label : NULL, samedir, cnp); 2183 return (error); 2184} 2185 2186int 2187mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) 2188{ 2189 int error; 2190 2191 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); 2192 2193 if (!mac_enforce_fs) 2194 return (0); 2195 |
| 2473 error = vn_refreshlabel(vp, cred); 2474 if (error) 2475 return (error); 2476 | |
| 2477 MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); 2478 return (error); 2479} 2480 2481int 2482mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, 2483 struct acl *acl) 2484{ 2485 int error; 2486 2487 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); 2488 2489 if (!mac_enforce_fs) 2490 return (0); 2491 | 2196 MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); 2197 return (error); 2198} 2199 2200int 2201mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, 2202 struct acl *acl) 2203{ 2204 int error; 2205 2206 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); 2207 2208 if (!mac_enforce_fs) 2209 return (0); 2210 |
| 2492 error = vn_refreshlabel(vp, cred); 2493 if (error) 2494 return (error); 2495 | |
| 2496 MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); 2497 return (error); 2498} 2499 2500int 2501mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 2502 int attrnamespace, const char *name, struct uio *uio) 2503{ 2504 int error; 2505 2506 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); 2507 2508 if (!mac_enforce_fs) 2509 return (0); 2510 | 2211 MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); 2212 return (error); 2213} 2214 2215int 2216mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 2217 int attrnamespace, const char *name, struct uio *uio) 2218{ 2219 int error; 2220 2221 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); 2222 2223 if (!mac_enforce_fs) 2224 return (0); 2225 |
| 2511 error = vn_refreshlabel(vp, cred); 2512 if (error) 2513 return (error); 2514 | |
| 2515 MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, 2516 attrnamespace, name, uio); 2517 return (error); 2518} 2519 2520int 2521mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) 2522{ 2523 int error; 2524 2525 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); 2526 2527 if (!mac_enforce_fs) 2528 return (0); 2529 | 2226 MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, 2227 attrnamespace, name, uio); 2228 return (error); 2229} 2230 2231int 2232mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) 2233{ 2234 int error; 2235 2236 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); 2237 2238 if (!mac_enforce_fs) 2239 return (0); 2240 |
| 2530 error = vn_refreshlabel(vp, cred); 2531 if (error) 2532 return (error); 2533 | |
| 2534 MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); 2535 return (error); 2536} 2537 2538int 2539mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) 2540{ 2541 int error; 2542 2543 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); 2544 2545 if (!mac_enforce_fs) 2546 return (0); 2547 | 2241 MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); 2242 return (error); 2243} 2244 2245int 2246mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) 2247{ 2248 int error; 2249 2250 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); 2251 2252 if (!mac_enforce_fs) 2253 return (0); 2254 |
| 2548 error = vn_refreshlabel(vp, cred); 2549 if (error) 2550 return (error); 2551 | |
| 2552 MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); 2553 return (error); 2554} 2555 2556int 2557mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, 2558 gid_t gid) 2559{ 2560 int error; 2561 2562 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); 2563 2564 if (!mac_enforce_fs) 2565 return (0); 2566 | 2255 MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); 2256 return (error); 2257} 2258 2259int 2260mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, 2261 gid_t gid) 2262{ 2263 int error; 2264 2265 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); 2266 2267 if (!mac_enforce_fs) 2268 return (0); 2269 |
| 2567 error = vn_refreshlabel(vp, cred); 2568 if (error) 2569 return (error); 2570 | |
| 2571 MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); 2572 return (error); 2573} 2574 2575int 2576mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 2577 struct timespec atime, struct timespec mtime) 2578{ 2579 int error; 2580 2581 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); 2582 2583 if (!mac_enforce_fs) 2584 return (0); 2585 | 2270 MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); 2271 return (error); 2272} 2273 2274int 2275mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 2276 struct timespec atime, struct timespec mtime) 2277{ 2278 int error; 2279 2280 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); 2281 2282 if (!mac_enforce_fs) 2283 return (0); 2284 |
| 2586 error = vn_refreshlabel(vp, cred); 2587 if (error) 2588 return (error); 2589 | |
| 2590 MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, 2591 mtime); 2592 return (error); 2593} 2594 2595int 2596mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 2597 struct vnode *vp) 2598{ 2599 int error; 2600 2601 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); 2602 2603 if (!mac_enforce_fs) 2604 return (0); 2605 | 2285 MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, 2286 mtime); 2287 return (error); 2288} 2289 2290int 2291mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 2292 struct vnode *vp) 2293{ 2294 int error; 2295 2296 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); 2297 2298 if (!mac_enforce_fs) 2299 return (0); 2300 |
| 2606 error = vn_refreshlabel(vp, active_cred); 2607 if (error) 2608 return (error); 2609 | |
| 2610 MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, 2611 &vp->v_label); 2612 return (error); 2613} 2614 2615int 2616mac_check_vnode_swapon(struct ucred *cred, struct vnode *vp) 2617{ 2618 int error; 2619 2620 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_swapon"); 2621 2622 if (!mac_enforce_fs) 2623 return (0); 2624 | 2301 MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, 2302 &vp->v_label); 2303 return (error); 2304} 2305 2306int 2307mac_check_vnode_swapon(struct ucred *cred, struct vnode *vp) 2308{ 2309 int error; 2310 2311 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_swapon"); 2312 2313 if (!mac_enforce_fs) 2314 return (0); 2315 |
| 2625 error = vn_refreshlabel(vp, cred); 2626 if (error) 2627 return (error); 2628 | |
| 2629 MAC_CHECK(check_vnode_swapon, cred, vp, &vp->v_label); 2630 return (error); 2631} 2632 2633int 2634mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, 2635 struct vnode *vp) 2636{ 2637 int error; 2638 2639 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); 2640 2641 if (!mac_enforce_fs) 2642 return (0); 2643 | 2316 MAC_CHECK(check_vnode_swapon, cred, vp, &vp->v_label); 2317 return (error); 2318} 2319 2320int 2321mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, 2322 struct vnode *vp) 2323{ 2324 int error; 2325 2326 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); 2327 2328 if (!mac_enforce_fs) 2329 return (0); 2330 |
| 2644 error = vn_refreshlabel(vp, active_cred); 2645 if (error) 2646 return (error); 2647 | |
| 2648 MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, 2649 &vp->v_label); 2650 2651 return (error); 2652} 2653 2654/* 2655 * When relabeling a process, call out to the policies for the maximum --- 683 unchanged lines hidden (view full) --- 3339 if (error) 3340 return (error); 3341 3342 error = mac_check_structmac_consistent(&mac); 3343 if (error) 3344 return (error); 3345 3346 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); | 2331 MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, 2332 &vp->v_label); 2333 2334 return (error); 2335} 2336 2337/* 2338 * When relabeling a process, call out to the policies for the maximum --- 683 unchanged lines hidden (view full) --- 3022 if (error) 3023 return (error); 3024 3025 error = mac_check_structmac_consistent(&mac); 3026 if (error) 3027 return (error); 3028 3029 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); |
| 3347 | |
| 3348 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3349 if (error) { 3350 free(elements, M_MACTEMP); 3351 return (error); 3352 } 3353 3354 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | 3030 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3031 if (error) { 3032 free(elements, M_MACTEMP); 3033 return (error); 3034 } 3035 3036 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); |
| 3355 | |
| 3356 error = mac_externalize_ifnet_label(&ifnet->if_label, elements, 3357 buffer, mac.m_buflen, M_WAITOK); 3358 if (error == 0) 3359 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3360 3361 free(buffer, M_MACTEMP); 3362 free(elements, M_MACTEMP); 3363 --- 13 unchanged lines hidden (view full) --- 3377 if (error) 3378 return (error); 3379 3380 error = mac_check_structmac_consistent(&mac); 3381 if (error) 3382 return (error); 3383 3384 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); | 3037 error = mac_externalize_ifnet_label(&ifnet->if_label, elements, 3038 buffer, mac.m_buflen, M_WAITOK); 3039 if (error == 0) 3040 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3041 3042 free(buffer, M_MACTEMP); 3043 free(elements, M_MACTEMP); 3044 --- 13 unchanged lines hidden (view full) --- 3058 if (error) 3059 return (error); 3060 3061 error = mac_check_structmac_consistent(&mac); 3062 if (error) 3063 return (error); 3064 3065 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); |
| 3385 | |
| 3386 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 3387 if (error) { 3388 free(buffer, M_MACTEMP); 3389 return (error); 3390 } 3391 3392 mac_init_ifnet_label(&intlabel); 3393 error = mac_internalize_ifnet_label(&intlabel, buffer); --- 45 unchanged lines hidden (view full) --- 3439mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd, 3440 struct devfs_dirent *de) 3441{ 3442 3443 MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de, 3444 &de->de_label); 3445} 3446 | 3066 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 3067 if (error) { 3068 free(buffer, M_MACTEMP); 3069 return (error); 3070 } 3071 3072 mac_init_ifnet_label(&intlabel); 3073 error = mac_internalize_ifnet_label(&intlabel, buffer); --- 45 unchanged lines hidden (view full) --- 3119mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd, 3120 struct devfs_dirent *de) 3121{ 3122 3123 MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de, 3124 &de->de_label); 3125} 3126 |
| 3447static int 3448mac_stdcreatevnode_ea(struct vnode *vp) 3449{ 3450 int error; 3451 3452 MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); 3453 3454 return (error); 3455} 3456 | |
| 3457void 3458mac_create_devfs_directory(char *dirname, int dirnamelen, 3459 struct devfs_dirent *de) 3460{ 3461 3462 MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, 3463 &de->de_label); 3464} 3465 | 3127void 3128mac_create_devfs_directory(char *dirname, int dirnamelen, 3129 struct devfs_dirent *de) 3130{ 3131 3132 MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, 3133 &de->de_label); 3134} 3135 |
| 3466/* 3467 * When a new vnode is created, this call will initialize its label. 3468 */ 3469void 3470mac_create_vnode(struct ucred *cred, struct vnode *parent, 3471 struct vnode *child) 3472{ 3473 int error; 3474 3475 ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); 3476 ASSERT_VOP_LOCKED(child, "mac_create_vnode"); 3477 3478 error = vn_refreshlabel(parent, cred); 3479 if (error) { 3480 printf("mac_create_vnode: vn_refreshlabel returned %d\n", 3481 error); 3482 printf("mac_create_vnode: using old vnode label\n"); 3483 } 3484 3485 MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, 3486 &child->v_label); 3487} 3488 | |
| 3489int 3490mac_setsockopt_label_set(struct ucred *cred, struct socket *so, 3491 struct mac *mac) 3492{ 3493 struct label intlabel; 3494 char *buffer; 3495 int error; 3496 3497 error = mac_check_structmac_consistent(mac); 3498 if (error) 3499 return (error); 3500 3501 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); | 3136int 3137mac_setsockopt_label_set(struct ucred *cred, struct socket *so, 3138 struct mac *mac) 3139{ 3140 struct label intlabel; 3141 char *buffer; 3142 int error; 3143 3144 error = mac_check_structmac_consistent(mac); 3145 if (error) 3146 return (error); 3147 3148 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); |
| 3502 | |
| 3503 error = copyinstr(mac->m_string, buffer, mac->m_buflen, NULL); 3504 if (error) { 3505 free(buffer, M_MACTEMP); 3506 return (error); 3507 } 3508 3509 mac_init_socket_label(&intlabel, M_WAITOK); 3510 error = mac_internalize_socket_label(&intlabel, buffer); --- 38 unchanged lines hidden (view full) --- 3549 char *buffer, *elements; 3550 int error; 3551 3552 error = mac_check_structmac_consistent(mac); 3553 if (error) 3554 return (error); 3555 3556 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); | 3149 error = copyinstr(mac->m_string, buffer, mac->m_buflen, NULL); 3150 if (error) { 3151 free(buffer, M_MACTEMP); 3152 return (error); 3153 } 3154 3155 mac_init_socket_label(&intlabel, M_WAITOK); 3156 error = mac_internalize_socket_label(&intlabel, buffer); --- 38 unchanged lines hidden (view full) --- 3195 char *buffer, *elements; 3196 int error; 3197 3198 error = mac_check_structmac_consistent(mac); 3199 if (error) 3200 return (error); 3201 3202 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); |
| 3557 | |
| 3558 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 3559 if (error) { 3560 free(elements, M_MACTEMP); 3561 return (error); 3562 } 3563 3564 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | 3203 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 3204 if (error) { 3205 free(elements, M_MACTEMP); 3206 return (error); 3207 } 3208 3209 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); |
| 3565 | |
| 3566 error = mac_externalize_socket_label(&so->so_label, elements, 3567 buffer, mac->m_buflen, M_WAITOK); 3568 if (error == 0) 3569 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 3570 3571 free(buffer, M_MACTEMP); 3572 free(elements, M_MACTEMP); 3573 --- 7 unchanged lines hidden (view full) --- 3581 char *elements, *buffer; 3582 int error; 3583 3584 error = mac_check_structmac_consistent(mac); 3585 if (error) 3586 return (error); 3587 3588 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); | 3210 error = mac_externalize_socket_label(&so->so_label, elements, 3211 buffer, mac->m_buflen, M_WAITOK); 3212 if (error == 0) 3213 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 3214 3215 free(buffer, M_MACTEMP); 3216 free(elements, M_MACTEMP); 3217 --- 7 unchanged lines hidden (view full) --- 3225 char *elements, *buffer; 3226 int error; 3227 3228 error = mac_check_structmac_consistent(mac); 3229 if (error) 3230 return (error); 3231 3232 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); |
| 3589 | |
| 3590 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 3591 if (error) { 3592 free(elements, M_MACTEMP); 3593 return (error); 3594 } 3595 3596 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | 3233 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 3234 if (error) { 3235 free(elements, M_MACTEMP); 3236 return (error); 3237 } 3238 3239 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); |
| 3597 | |
| 3598 error = mac_externalize_socket_peer_label(&so->so_peerlabel, 3599 elements, buffer, mac->m_buflen, M_WAITOK); 3600 if (error == 0) 3601 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 3602 3603 free(buffer, M_MACTEMP); 3604 free(elements, M_MACTEMP); 3605 --- 5 unchanged lines hidden (view full) --- 3611 * to store label data. Can be referenced by filesystems supporting 3612 * extended attributes. 3613 */ 3614int 3615vop_stdsetlabel_ea(struct vop_setlabel_args *ap) 3616{ 3617 struct vnode *vp = ap->a_vp; 3618 struct label *intlabel = ap->a_label; | 3240 error = mac_externalize_socket_peer_label(&so->so_peerlabel, 3241 elements, buffer, mac->m_buflen, M_WAITOK); 3242 if (error == 0) 3243 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 3244 3245 free(buffer, M_MACTEMP); 3246 free(elements, M_MACTEMP); 3247 --- 5 unchanged lines hidden (view full) --- 3253 * to store label data. Can be referenced by filesystems supporting 3254 * extended attributes. 3255 */ 3256int 3257vop_stdsetlabel_ea(struct vop_setlabel_args *ap) 3258{ 3259 struct vnode *vp = ap->a_vp; 3260 struct label *intlabel = ap->a_label; |
| 3619 struct oldmac extmac; | |
| 3620 int error; 3621 3622 ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); 3623 | 3261 int error; 3262 3263 ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); 3264 |
| 3624 /* 3625 * XXX: Eventually call out to EA check/set calls here. 3626 * Be particularly careful to avoid race conditions, 3627 * consistency problems, and stability problems when 3628 * dealing with multiple EAs. In particular, we require 3629 * the ability to write multiple EAs on the same file in 3630 * a single transaction, which the current EA interface 3631 * does not provide. 3632 */ | 3265 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) 3266 return (EOPNOTSUPP); |
| 3633 | 3267 |
| 3634 error = mac_externalize_vnode_oldmac(intlabel, &extmac); | 3268 error = mac_setlabel_vnode_extattr(ap->a_cred, vp, intlabel); |
| 3635 if (error) 3636 return (error); 3637 | 3269 if (error) 3270 return (error); 3271 |
| 3638 error = vn_extattr_set(vp, IO_NODELOCKED, 3639 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, 3640 sizeof(extmac), (char *)&extmac, curthread); 3641 if (error) 3642 return (error); 3643 | |
| 3644 mac_relabel_vnode(ap->a_cred, vp, intlabel); 3645 | 3272 mac_relabel_vnode(ap->a_cred, vp, intlabel); 3273 |
| 3646 vp->v_vflag |= VV_CACHEDLABEL; 3647 | |
| 3648 return (0); 3649} 3650 3651static int 3652vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) 3653{ 3654 int error; 3655 --- 60 unchanged lines hidden (view full) --- 3716 error = p_cansee(td, tproc); 3717 if (error == 0) 3718 tcred = crhold(tproc->p_ucred); 3719 PROC_UNLOCK(tproc); 3720 if (error) 3721 return (error); 3722 3723 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); | 3274 return (0); 3275} 3276 3277static int 3278vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) 3279{ 3280 int error; 3281 --- 60 unchanged lines hidden (view full) --- 3342 error = p_cansee(td, tproc); 3343 if (error == 0) 3344 tcred = crhold(tproc->p_ucred); 3345 PROC_UNLOCK(tproc); 3346 if (error) 3347 return (error); 3348 3349 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); |
| 3724 | |
| 3725 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3726 if (error) { 3727 free(elements, M_MACTEMP); 3728 crfree(tcred); 3729 return (error); 3730 } 3731 3732 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | 3350 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3351 if (error) { 3352 free(elements, M_MACTEMP); 3353 crfree(tcred); 3354 return (error); 3355 } 3356 3357 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); |
| 3733 | |
| 3734 error = mac_externalize_cred_label(&tcred->cr_label, elements, 3735 buffer, mac.m_buflen, M_WAITOK); 3736 if (error == 0) 3737 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3738 3739 free(buffer, M_MACTEMP); 3740 free(elements, M_MACTEMP); 3741 crfree(tcred); --- 14 unchanged lines hidden (view full) --- 3756 if (error) 3757 return (error); 3758 3759 error = mac_check_structmac_consistent(&mac); 3760 if (error) 3761 return (error); 3762 3763 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); | 3358 error = mac_externalize_cred_label(&tcred->cr_label, elements, 3359 buffer, mac.m_buflen, M_WAITOK); 3360 if (error == 0) 3361 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3362 3363 free(buffer, M_MACTEMP); 3364 free(elements, M_MACTEMP); 3365 crfree(tcred); --- 14 unchanged lines hidden (view full) --- 3380 if (error) 3381 return (error); 3382 3383 error = mac_check_structmac_consistent(&mac); 3384 if (error) 3385 return (error); 3386 3387 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); |
| 3764 | |
| 3765 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3766 if (error) { 3767 free(elements, M_MACTEMP); 3768 return (error); 3769 } 3770 3771 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | 3388 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3389 if (error) { 3390 free(elements, M_MACTEMP); 3391 return (error); 3392 } 3393 3394 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); |
| 3772 | |
| 3773 error = mac_externalize_cred_label(&td->td_ucred->cr_label, 3774 elements, buffer, mac.m_buflen, M_WAITOK); 3775 if (error == 0) 3776 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3777 3778 free(buffer, M_MACTEMP); 3779 free(elements, M_MACTEMP); 3780 return (error); --- 16 unchanged lines hidden (view full) --- 3797 if (error) 3798 return (error); 3799 3800 error = mac_check_structmac_consistent(&mac); 3801 if (error) 3802 return (error); 3803 3804 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); | 3395 error = mac_externalize_cred_label(&td->td_ucred->cr_label, 3396 elements, buffer, mac.m_buflen, M_WAITOK); 3397 if (error == 0) 3398 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3399 3400 free(buffer, M_MACTEMP); 3401 free(elements, M_MACTEMP); 3402 return (error); --- 16 unchanged lines hidden (view full) --- 3419 if (error) 3420 return (error); 3421 3422 error = mac_check_structmac_consistent(&mac); 3423 if (error) 3424 return (error); 3425 3426 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); |
| 3805 | |
| 3806 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 3807 if (error) { 3808 free(buffer, M_MACTEMP); 3809 return (error); 3810 } 3811 3812 mac_init_cred_label(&intlabel); 3813 error = mac_internalize_cred_label(&intlabel, buffer); --- 61 unchanged lines hidden (view full) --- 3875 if (error) 3876 return (error); 3877 3878 error = mac_check_structmac_consistent(&mac); 3879 if (error) 3880 return (error); 3881 3882 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); | 3427 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 3428 if (error) { 3429 free(buffer, M_MACTEMP); 3430 return (error); 3431 } 3432 3433 mac_init_cred_label(&intlabel); 3434 error = mac_internalize_cred_label(&intlabel, buffer); --- 61 unchanged lines hidden (view full) --- 3496 if (error) 3497 return (error); 3498 3499 error = mac_check_structmac_consistent(&mac); 3500 if (error) 3501 return (error); 3502 3503 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); |
| 3883 | |
| 3884 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3885 if (error) { 3886 free(elements, M_MACTEMP); 3887 return (error); 3888 } 3889 3890 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | 3504 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3505 if (error) { 3506 free(elements, M_MACTEMP); 3507 return (error); 3508 } 3509 3510 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); |
| 3891 | |
| 3892 mtx_lock(&Giant); /* VFS */ 3893 error = fget(td, SCARG(uap, fd), &fp); 3894 if (error) 3895 goto out; 3896 3897 label_type = fp->f_type; 3898 switch (fp->f_type) { 3899 case DTYPE_FIFO: 3900 case DTYPE_VNODE: 3901 vp = (struct vnode *)fp->f_data; 3902 3903 mac_init_vnode_label(&intlabel); 3904 3905 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); | 3511 mtx_lock(&Giant); /* VFS */ 3512 error = fget(td, SCARG(uap, fd), &fp); 3513 if (error) 3514 goto out; 3515 3516 label_type = fp->f_type; 3517 switch (fp->f_type) { 3518 case DTYPE_FIFO: 3519 case DTYPE_VNODE: 3520 vp = (struct vnode *)fp->f_data; 3521 3522 mac_init_vnode_label(&intlabel); 3523 3524 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); |
| 3906 error = vn_refreshlabel(vp, td->td_ucred); 3907 if (error == 0) 3908 mac_copy_vnode_label(&vp->v_label, &intlabel); | 3525 mac_copy_vnode_label(&vp->v_label, &intlabel); |
| 3909 VOP_UNLOCK(vp, 0, td); 3910 3911 break; 3912 case DTYPE_PIPE: 3913 pipe = (struct pipe *)fp->f_data; 3914 3915 mac_init_pipe_label(&intlabel); 3916 --- 52 unchanged lines hidden (view full) --- 3969 if (error) 3970 return (error); 3971 3972 error = mac_check_structmac_consistent(&mac); 3973 if (error) 3974 return (error); 3975 3976 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); | 3526 VOP_UNLOCK(vp, 0, td); 3527 3528 break; 3529 case DTYPE_PIPE: 3530 pipe = (struct pipe *)fp->f_data; 3531 3532 mac_init_pipe_label(&intlabel); 3533 --- 52 unchanged lines hidden (view full) --- 3586 if (error) 3587 return (error); 3588 3589 error = mac_check_structmac_consistent(&mac); 3590 if (error) 3591 return (error); 3592 3593 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); |
| 3977 | |
| 3978 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3979 if (error) { 3980 free(elements, M_MACTEMP); 3981 return (error); 3982 } 3983 3984 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | 3594 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3595 if (error) { 3596 free(elements, M_MACTEMP); 3597 return (error); 3598 } 3599 3600 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); |
| 3985 | |
| 3986 mtx_lock(&Giant); /* VFS */ 3987 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p, 3988 td); 3989 error = namei(&nd); 3990 if (error) 3991 goto out; 3992 3993 mac_init_vnode_label(&intlabel); | 3601 mtx_lock(&Giant); /* VFS */ 3602 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p, 3603 td); 3604 error = namei(&nd); 3605 if (error) 3606 goto out; 3607 3608 mac_init_vnode_label(&intlabel); |
| 3994 error = vn_refreshlabel(nd.ni_vp, td->td_ucred); 3995 if (error == 0) 3996 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); 3997 if (error == 0) 3998 error = mac_externalize_vnode_label(&intlabel, elements, 3999 buffer, mac.m_buflen, M_WAITOK); | 3609 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); 3610 error = mac_externalize_vnode_label(&intlabel, elements, buffer, 3611 mac.m_buflen, M_WAITOK); |
| 4000 4001 NDFREE(&nd, 0); 4002 mac_destroy_vnode_label(&intlabel); 4003 4004 if (error == 0) 4005 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 4006 4007out: --- 21 unchanged lines hidden (view full) --- 4029 if (error) 4030 return (error); 4031 4032 error = mac_check_structmac_consistent(&mac); 4033 if (error) 4034 return (error); 4035 4036 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); | 3612 3613 NDFREE(&nd, 0); 3614 mac_destroy_vnode_label(&intlabel); 3615 3616 if (error == 0) 3617 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3618 3619out: --- 21 unchanged lines hidden (view full) --- 3641 if (error) 3642 return (error); 3643 3644 error = mac_check_structmac_consistent(&mac); 3645 if (error) 3646 return (error); 3647 3648 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); |
| 4037 | |
| 4038 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 4039 if (error) { 4040 free(elements, M_MACTEMP); 4041 return (error); 4042 } 4043 4044 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | 3649 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3650 if (error) { 3651 free(elements, M_MACTEMP); 3652 return (error); 3653 } 3654 3655 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); |
| 4045 | |
| 4046 mtx_lock(&Giant); /* VFS */ 4047 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p, 4048 td); 4049 error = namei(&nd); 4050 if (error) 4051 goto out; 4052 4053 mac_init_vnode_label(&intlabel); | 3656 mtx_lock(&Giant); /* VFS */ 3657 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p, 3658 td); 3659 error = namei(&nd); 3660 if (error) 3661 goto out; 3662 3663 mac_init_vnode_label(&intlabel); |
| 4054 error = vn_refreshlabel(nd.ni_vp, td->td_ucred); 4055 if (error == 0) 4056 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); 4057 if (error == 0) 4058 error = mac_externalize_vnode_label(&intlabel, elements, 4059 buffer, mac.m_buflen, M_WAITOK); | 3664 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); 3665 error = mac_externalize_vnode_label(&intlabel, elements, buffer, 3666 mac.m_buflen, M_WAITOK); |
| 4060 NDFREE(&nd, 0); 4061 mac_destroy_vnode_label(&intlabel); 4062 4063 if (error == 0) 4064 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 4065 4066out: 4067 mtx_unlock(&Giant); /* VFS */ --- 23 unchanged lines hidden (view full) --- 4091 if (error) 4092 return (error); 4093 4094 error = mac_check_structmac_consistent(&mac); 4095 if (error) 4096 return (error); 4097 4098 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); | 3667 NDFREE(&nd, 0); 3668 mac_destroy_vnode_label(&intlabel); 3669 3670 if (error == 0) 3671 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3672 3673out: 3674 mtx_unlock(&Giant); /* VFS */ --- 23 unchanged lines hidden (view full) --- 3698 if (error) 3699 return (error); 3700 3701 error = mac_check_structmac_consistent(&mac); 3702 if (error) 3703 return (error); 3704 3705 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); |
| 4099 | |
| 4100 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 4101 if (error) { 4102 free(buffer, M_MACTEMP); 4103 return (error); 4104 } 4105 4106 mtx_lock(&Giant); /* VFS */ 4107 --- 70 unchanged lines hidden (view full) --- 4178 if (error) 4179 return (error); 4180 4181 error = mac_check_structmac_consistent(&mac); 4182 if (error) 4183 return (error); 4184 4185 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); | 3706 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 3707 if (error) { 3708 free(buffer, M_MACTEMP); 3709 return (error); 3710 } 3711 3712 mtx_lock(&Giant); /* VFS */ 3713 --- 70 unchanged lines hidden (view full) --- 3784 if (error) 3785 return (error); 3786 3787 error = mac_check_structmac_consistent(&mac); 3788 if (error) 3789 return (error); 3790 3791 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); |
| 4186 | |
| 4187 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 4188 if (error) { 4189 free(buffer, M_MACTEMP); 4190 return (error); 4191 } 4192 4193 mac_init_vnode_label(&intlabel); 4194 error = mac_internalize_vnode_label(&intlabel, buffer); --- 40 unchanged lines hidden (view full) --- 4235 if (error) 4236 return (error); 4237 4238 error = mac_check_structmac_consistent(&mac); 4239 if (error) 4240 return (error); 4241 4242 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); | 3792 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 3793 if (error) { 3794 free(buffer, M_MACTEMP); 3795 return (error); 3796 } 3797 3798 mac_init_vnode_label(&intlabel); 3799 error = mac_internalize_vnode_label(&intlabel, buffer); --- 40 unchanged lines hidden (view full) --- 3840 if (error) 3841 return (error); 3842 3843 error = mac_check_structmac_consistent(&mac); 3844 if (error) 3845 return (error); 3846 3847 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); |
| 4243 | |
| 4244 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 4245 if (error) { 4246 free(buffer, M_MACTEMP); 4247 return (error); 4248 } 4249 4250 mac_init_vnode_label(&intlabel); 4251 error = mac_internalize_vnode_label(&intlabel, buffer); --- 132 unchanged lines hidden --- | 3848 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 3849 if (error) { 3850 free(buffer, M_MACTEMP); 3851 return (error); 3852 } 3853 3854 mac_init_vnode_label(&intlabel); 3855 error = mac_internalize_vnode_label(&intlabel, buffer); --- 132 unchanged lines hidden --- |