| mac_framework.c (122454) | mac_framework.c (122524) |
|---|---|
| 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 28 unchanged lines hidden (view full) --- 37/*- 38 * Framework for extensible kernel access control. This file contains 39 * Kernel and userland interface to the framework, policy registration 40 * and composition. Per-object interfaces, controls, and labeling may be 41 * found in src/sys/mac/. Sample policies may be found in src/sys/mac*. 42 */ 43 44#include <sys/cdefs.h> | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 28 unchanged lines hidden (view full) --- 37/*- 38 * Framework for extensible kernel access control. This file contains 39 * Kernel and userland interface to the framework, policy registration 40 * and composition. Per-object interfaces, controls, and labeling may be 41 * found in src/sys/mac/. Sample policies may be found in src/sys/mac*. 42 */ 43 44#include <sys/cdefs.h> |
| 45__FBSDID("$FreeBSD: head/sys/security/mac/mac_framework.c 122454 2003-11-11 03:40:04Z rwatson $"); | 45__FBSDID("$FreeBSD: head/sys/security/mac/mac_framework.c 122524 2003-11-12 03:14:31Z rwatson $"); |
| 46 47#include "opt_mac.h" 48#include "opt_devfs.h" 49 50#include <sys/param.h> 51#include <sys/condvar.h> 52#include <sys/extattr.h> 53#include <sys/imgact.h> --- 197 unchanged lines hidden (view full) --- 251 * Initialize the MAC subsystem, including appropriate SMP locks. 252 */ 253static void 254mac_init(void) 255{ 256 257 LIST_INIT(&mac_static_policy_list); 258 LIST_INIT(&mac_policy_list); | 46 47#include "opt_mac.h" 48#include "opt_devfs.h" 49 50#include <sys/param.h> 51#include <sys/condvar.h> 52#include <sys/extattr.h> 53#include <sys/imgact.h> --- 197 unchanged lines hidden (view full) --- 251 * Initialize the MAC subsystem, including appropriate SMP locks. 252 */ 253static void 254mac_init(void) 255{ 256 257 LIST_INIT(&mac_static_policy_list); 258 LIST_INIT(&mac_policy_list); |
| 259 mac_labelzone_init(); |
|
| 259 260 mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF); 261 cv_init(&mac_policy_cv, "mac_policy_cv"); 262} 263 264/* 265 * For the purposes of modules that want to know if they were loaded 266 * "early", set the mac_late flag once we've processed modules either --- 293 unchanged lines hidden (view full) --- 560 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 561 if (error) { 562 free(elements, M_MACTEMP); 563 crfree(tcred); 564 return (error); 565 } 566 567 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | 260 261 mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF); 262 cv_init(&mac_policy_cv, "mac_policy_cv"); 263} 264 265/* 266 * For the purposes of modules that want to know if they were loaded 267 * "early", set the mac_late flag once we've processed modules either --- 293 unchanged lines hidden (view full) --- 561 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 562 if (error) { 563 free(elements, M_MACTEMP); 564 crfree(tcred); 565 return (error); 566 } 567 568 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); |
| 568 error = mac_externalize_cred_label(&tcred->cr_label, elements, | 569 error = mac_externalize_cred_label(tcred->cr_label, elements, |
| 569 buffer, mac.m_buflen); 570 if (error == 0) 571 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 572 573 free(buffer, M_MACTEMP); 574 free(elements, M_MACTEMP); 575 crfree(tcred); 576 return (error); --- 20 unchanged lines hidden (view full) --- 597 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 598 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 599 if (error) { 600 free(elements, M_MACTEMP); 601 return (error); 602 } 603 604 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | 570 buffer, mac.m_buflen); 571 if (error == 0) 572 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 573 574 free(buffer, M_MACTEMP); 575 free(elements, M_MACTEMP); 576 crfree(tcred); 577 return (error); --- 20 unchanged lines hidden (view full) --- 598 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 599 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 600 if (error) { 601 free(elements, M_MACTEMP); 602 return (error); 603 } 604 605 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); |
| 605 error = mac_externalize_cred_label(&td->td_ucred->cr_label, | 606 error = mac_externalize_cred_label(td->td_ucred->cr_label, |
| 606 elements, buffer, mac.m_buflen); 607 if (error == 0) 608 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 609 610 free(buffer, M_MACTEMP); 611 free(elements, M_MACTEMP); 612 return (error); 613} 614 615/* 616 * MPSAFE 617 */ 618int 619__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) 620{ 621 struct ucred *newcred, *oldcred; | 607 elements, buffer, mac.m_buflen); 608 if (error == 0) 609 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 610 611 free(buffer, M_MACTEMP); 612 free(elements, M_MACTEMP); 613 return (error); 614} 615 616/* 617 * MPSAFE 618 */ 619int 620__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) 621{ 622 struct ucred *newcred, *oldcred; |
| 622 struct label intlabel; | 623 struct label *intlabel; |
| 623 struct proc *p; 624 struct mac mac; 625 char *buffer; 626 int error; 627 628 error = copyin(uap->mac_p, &mac, sizeof(mac)); 629 if (error) 630 return (error); --- 4 unchanged lines hidden (view full) --- 635 636 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 637 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 638 if (error) { 639 free(buffer, M_MACTEMP); 640 return (error); 641 } 642 | 624 struct proc *p; 625 struct mac mac; 626 char *buffer; 627 int error; 628 629 error = copyin(uap->mac_p, &mac, sizeof(mac)); 630 if (error) 631 return (error); --- 4 unchanged lines hidden (view full) --- 636 637 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 638 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 639 if (error) { 640 free(buffer, M_MACTEMP); 641 return (error); 642 } 643 |
| 643 mac_init_cred_label(&intlabel); 644 error = mac_internalize_cred_label(&intlabel, buffer); | 644 intlabel = mac_cred_label_alloc(); 645 error = mac_internalize_cred_label(intlabel, buffer); |
| 645 free(buffer, M_MACTEMP); | 646 free(buffer, M_MACTEMP); |
| 646 if (error) { 647 mac_destroy_cred_label(&intlabel); 648 return (error); 649 } | 647 if (error) 648 goto out; |
| 650 651 newcred = crget(); 652 653 p = td->td_proc; 654 PROC_LOCK(p); 655 oldcred = p->p_ucred; 656 | 649 650 newcred = crget(); 651 652 p = td->td_proc; 653 PROC_LOCK(p); 654 oldcred = p->p_ucred; 655 |
| 657 error = mac_check_cred_relabel(oldcred, &intlabel); | 656 error = mac_check_cred_relabel(oldcred, intlabel); |
| 658 if (error) { 659 PROC_UNLOCK(p); 660 crfree(newcred); 661 goto out; 662 } 663 664 setsugid(p); 665 crcopy(newcred, oldcred); | 657 if (error) { 658 PROC_UNLOCK(p); 659 crfree(newcred); 660 goto out; 661 } 662 663 setsugid(p); 664 crcopy(newcred, oldcred); |
| 666 mac_relabel_cred(newcred, &intlabel); | 665 mac_relabel_cred(newcred, intlabel); |
| 667 p->p_ucred = newcred; 668 669 /* 670 * Grab additional reference for use while revoking mmaps, prior 671 * to releasing the proc lock and sharing the cred. 672 */ 673 crhold(newcred); 674 PROC_UNLOCK(p); 675 676 if (mac_enforce_vm) { 677 mtx_lock(&Giant); 678 mac_cred_mmapped_drop_perms(td, newcred); 679 mtx_unlock(&Giant); 680 } 681 682 crfree(newcred); /* Free revocation reference. */ 683 crfree(oldcred); 684 685out: | 666 p->p_ucred = newcred; 667 668 /* 669 * Grab additional reference for use while revoking mmaps, prior 670 * to releasing the proc lock and sharing the cred. 671 */ 672 crhold(newcred); 673 PROC_UNLOCK(p); 674 675 if (mac_enforce_vm) { 676 mtx_lock(&Giant); 677 mac_cred_mmapped_drop_perms(td, newcred); 678 mtx_unlock(&Giant); 679 } 680 681 crfree(newcred); /* Free revocation reference. */ 682 crfree(oldcred); 683 684out: |
| 686 mac_destroy_cred_label(&intlabel); | 685 mac_cred_label_free(intlabel); |
| 687 return (error); 688} 689 690/* 691 * MPSAFE 692 */ 693int 694__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) 695{ 696 char *elements, *buffer; | 686 return (error); 687} 688 689/* 690 * MPSAFE 691 */ 692int 693__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) 694{ 695 char *elements, *buffer; |
| 697 struct label intlabel; | 696 struct label *intlabel; |
| 698 struct file *fp; 699 struct mac mac; 700 struct vnode *vp; 701 struct pipe *pipe; 702 short label_type; 703 int error; 704 705 error = copyin(uap->mac_p, &mac, sizeof(mac)); --- 18 unchanged lines hidden (view full) --- 724 goto out; 725 726 label_type = fp->f_type; 727 switch (fp->f_type) { 728 case DTYPE_FIFO: 729 case DTYPE_VNODE: 730 vp = fp->f_vnode; 731 | 697 struct file *fp; 698 struct mac mac; 699 struct vnode *vp; 700 struct pipe *pipe; 701 short label_type; 702 int error; 703 704 error = copyin(uap->mac_p, &mac, sizeof(mac)); --- 18 unchanged lines hidden (view full) --- 723 goto out; 724 725 label_type = fp->f_type; 726 switch (fp->f_type) { 727 case DTYPE_FIFO: 728 case DTYPE_VNODE: 729 vp = fp->f_vnode; 730 |
| 732 mac_init_vnode_label(&intlabel); | 731 intlabel = mac_vnode_label_alloc(); |
| 733 734 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); | 732 733 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); |
| 735 mac_copy_vnode_label(&vp->v_label, &intlabel); | 734 mac_copy_vnode_label(vp->v_label, intlabel); |
| 736 VOP_UNLOCK(vp, 0, td); 737 738 break; 739 case DTYPE_PIPE: 740 pipe = fp->f_data; 741 | 735 VOP_UNLOCK(vp, 0, td); 736 737 break; 738 case DTYPE_PIPE: 739 pipe = fp->f_data; 740 |
| 742 mac_init_pipe_label(&intlabel); | 741 intlabel = mac_pipe_label_alloc(); |
| 743 744 PIPE_LOCK(pipe); | 742 743 PIPE_LOCK(pipe); |
| 745 mac_copy_pipe_label(pipe->pipe_label, &intlabel); | 744 mac_copy_pipe_label(pipe->pipe_label, intlabel); |
| 746 PIPE_UNLOCK(pipe); 747 break; 748 default: 749 error = EINVAL; 750 fdrop(fp, td); 751 goto out; 752 } 753 fdrop(fp, td); 754 755 switch (label_type) { 756 case DTYPE_FIFO: 757 case DTYPE_VNODE: 758 if (error == 0) | 745 PIPE_UNLOCK(pipe); 746 break; 747 default: 748 error = EINVAL; 749 fdrop(fp, td); 750 goto out; 751 } 752 fdrop(fp, td); 753 754 switch (label_type) { 755 case DTYPE_FIFO: 756 case DTYPE_VNODE: 757 if (error == 0) |
| 759 error = mac_externalize_vnode_label(&intlabel, | 758 error = mac_externalize_vnode_label(intlabel, |
| 760 elements, buffer, mac.m_buflen); | 759 elements, buffer, mac.m_buflen); |
| 761 mac_destroy_vnode_label(&intlabel); | 760 mac_vnode_label_free(intlabel); |
| 762 break; 763 case DTYPE_PIPE: | 761 break; 762 case DTYPE_PIPE: |
| 764 error = mac_externalize_pipe_label(&intlabel, elements, | 763 error = mac_externalize_pipe_label(intlabel, elements, |
| 765 buffer, mac.m_buflen); | 764 buffer, mac.m_buflen); |
| 766 mac_destroy_pipe_label(&intlabel); | 765 mac_pipe_label_free(intlabel); |
| 767 break; 768 default: 769 panic("__mac_get_fd: corrupted label_type"); 770 } 771 772 if (error == 0) 773 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 774 --- 8 unchanged lines hidden (view full) --- 783/* 784 * MPSAFE 785 */ 786int 787__mac_get_file(struct thread *td, struct __mac_get_file_args *uap) 788{ 789 char *elements, *buffer; 790 struct nameidata nd; | 766 break; 767 default: 768 panic("__mac_get_fd: corrupted label_type"); 769 } 770 771 if (error == 0) 772 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 773 --- 8 unchanged lines hidden (view full) --- 782/* 783 * MPSAFE 784 */ 785int 786__mac_get_file(struct thread *td, struct __mac_get_file_args *uap) 787{ 788 char *elements, *buffer; 789 struct nameidata nd; |
| 791 struct label intlabel; | 790 struct label *intlabel; |
| 792 struct mac mac; 793 int error; 794 795 error = copyin(uap->mac_p, &mac, sizeof(mac)); 796 if (error) 797 return (error); 798 799 error = mac_check_structmac_consistent(&mac); --- 10 unchanged lines hidden (view full) --- 810 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 811 mtx_lock(&Giant); /* VFS */ 812 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p, 813 td); 814 error = namei(&nd); 815 if (error) 816 goto out; 817 | 791 struct mac mac; 792 int error; 793 794 error = copyin(uap->mac_p, &mac, sizeof(mac)); 795 if (error) 796 return (error); 797 798 error = mac_check_structmac_consistent(&mac); --- 10 unchanged lines hidden (view full) --- 809 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 810 mtx_lock(&Giant); /* VFS */ 811 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p, 812 td); 813 error = namei(&nd); 814 if (error) 815 goto out; 816 |
| 818 mac_init_vnode_label(&intlabel); 819 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); 820 error = mac_externalize_vnode_label(&intlabel, elements, buffer, | 817 intlabel = mac_vnode_label_alloc(); 818 mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); 819 error = mac_externalize_vnode_label(intlabel, elements, buffer, |
| 821 mac.m_buflen); 822 823 NDFREE(&nd, 0); | 820 mac.m_buflen); 821 822 NDFREE(&nd, 0); |
| 824 mac_destroy_vnode_label(&intlabel); | 823 mac_vnode_label_free(intlabel); |
| 825 826 if (error == 0) 827 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 828 829out: 830 mtx_unlock(&Giant); /* VFS */ 831 832 free(buffer, M_MACTEMP); --- 5 unchanged lines hidden (view full) --- 838/* 839 * MPSAFE 840 */ 841int 842__mac_get_link(struct thread *td, struct __mac_get_link_args *uap) 843{ 844 char *elements, *buffer; 845 struct nameidata nd; | 824 825 if (error == 0) 826 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 827 828out: 829 mtx_unlock(&Giant); /* VFS */ 830 831 free(buffer, M_MACTEMP); --- 5 unchanged lines hidden (view full) --- 837/* 838 * MPSAFE 839 */ 840int 841__mac_get_link(struct thread *td, struct __mac_get_link_args *uap) 842{ 843 char *elements, *buffer; 844 struct nameidata nd; |
| 846 struct label intlabel; | 845 struct label *intlabel; |
| 847 struct mac mac; 848 int error; 849 850 error = copyin(uap->mac_p, &mac, sizeof(mac)); 851 if (error) 852 return (error); 853 854 error = mac_check_structmac_consistent(&mac); --- 10 unchanged lines hidden (view full) --- 865 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 866 mtx_lock(&Giant); /* VFS */ 867 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p, 868 td); 869 error = namei(&nd); 870 if (error) 871 goto out; 872 | 846 struct mac mac; 847 int error; 848 849 error = copyin(uap->mac_p, &mac, sizeof(mac)); 850 if (error) 851 return (error); 852 853 error = mac_check_structmac_consistent(&mac); --- 10 unchanged lines hidden (view full) --- 864 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 865 mtx_lock(&Giant); /* VFS */ 866 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p, 867 td); 868 error = namei(&nd); 869 if (error) 870 goto out; 871 |
| 873 mac_init_vnode_label(&intlabel); 874 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); 875 error = mac_externalize_vnode_label(&intlabel, elements, buffer, | 872 intlabel = mac_vnode_label_alloc(); 873 mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); 874 error = mac_externalize_vnode_label(intlabel, elements, buffer, |
| 876 mac.m_buflen); 877 NDFREE(&nd, 0); | 875 mac.m_buflen); 876 NDFREE(&nd, 0); |
| 878 mac_destroy_vnode_label(&intlabel); | 877 mac_vnode_label_free(intlabel); |
| 879 880 if (error == 0) 881 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 882 883out: 884 mtx_unlock(&Giant); /* VFS */ 885 886 free(buffer, M_MACTEMP); 887 free(elements, M_MACTEMP); 888 889 return (error); 890} 891 892/* 893 * MPSAFE 894 */ 895int 896__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) 897{ | 878 879 if (error == 0) 880 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 881 882out: 883 mtx_unlock(&Giant); /* VFS */ 884 885 free(buffer, M_MACTEMP); 886 free(elements, M_MACTEMP); 887 888 return (error); 889} 890 891/* 892 * MPSAFE 893 */ 894int 895__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) 896{ |
| 898 struct label intlabel; | 897 struct label *intlabel; |
| 899 struct pipe *pipe; 900 struct file *fp; 901 struct mount *mp; 902 struct vnode *vp; 903 struct mac mac; 904 char *buffer; 905 int error; 906 --- 16 unchanged lines hidden (view full) --- 923 924 error = fget(td, uap->fd, &fp); 925 if (error) 926 goto out; 927 928 switch (fp->f_type) { 929 case DTYPE_FIFO: 930 case DTYPE_VNODE: | 898 struct pipe *pipe; 899 struct file *fp; 900 struct mount *mp; 901 struct vnode *vp; 902 struct mac mac; 903 char *buffer; 904 int error; 905 --- 16 unchanged lines hidden (view full) --- 922 923 error = fget(td, uap->fd, &fp); 924 if (error) 925 goto out; 926 927 switch (fp->f_type) { 928 case DTYPE_FIFO: 929 case DTYPE_VNODE: |
| 931 mac_init_vnode_label(&intlabel); 932 error = mac_internalize_vnode_label(&intlabel, buffer); | 930 intlabel = mac_vnode_label_alloc(); 931 error = mac_internalize_vnode_label(intlabel, buffer); |
| 933 if (error) { | 932 if (error) { |
| 934 mac_destroy_vnode_label(&intlabel); | 933 mac_vnode_label_free(intlabel); |
| 935 break; 936 } 937 938 vp = fp->f_vnode; 939 error = vn_start_write(vp, &mp, V_WAIT | PCATCH); 940 if (error != 0) { | 934 break; 935 } 936 937 vp = fp->f_vnode; 938 error = vn_start_write(vp, &mp, V_WAIT | PCATCH); 939 if (error != 0) { |
| 941 mac_destroy_vnode_label(&intlabel); | 940 mac_vnode_label_free(intlabel); |
| 942 break; 943 } 944 945 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); | 941 break; 942 } 943 944 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); |
| 946 error = vn_setlabel(vp, &intlabel, td->td_ucred); | 945 error = vn_setlabel(vp, intlabel, td->td_ucred); |
| 947 VOP_UNLOCK(vp, 0, td); 948 vn_finished_write(mp); 949 | 946 VOP_UNLOCK(vp, 0, td); 947 vn_finished_write(mp); 948 |
| 950 mac_destroy_vnode_label(&intlabel); | 949 mac_vnode_label_free(intlabel); |
| 951 break; 952 953 case DTYPE_PIPE: | 950 break; 951 952 case DTYPE_PIPE: |
| 954 mac_init_pipe_label(&intlabel); 955 error = mac_internalize_pipe_label(&intlabel, buffer); | 953 intlabel = mac_pipe_label_alloc(); 954 error = mac_internalize_pipe_label(intlabel, buffer); |
| 956 if (error == 0) { 957 pipe = fp->f_data; 958 PIPE_LOCK(pipe); 959 error = mac_pipe_label_set(td->td_ucred, pipe, | 955 if (error == 0) { 956 pipe = fp->f_data; 957 PIPE_LOCK(pipe); 958 error = mac_pipe_label_set(td->td_ucred, pipe, |
| 960 &intlabel); | 959 intlabel); |
| 961 PIPE_UNLOCK(pipe); 962 } 963 | 960 PIPE_UNLOCK(pipe); 961 } 962 |
| 964 mac_destroy_pipe_label(&intlabel); | 963 mac_pipe_label_free(intlabel); |
| 965 break; 966 967 default: 968 error = EINVAL; 969 } 970 971 fdrop(fp, td); 972out: --- 5 unchanged lines hidden (view full) --- 978} 979 980/* 981 * MPSAFE 982 */ 983int 984__mac_set_file(struct thread *td, struct __mac_set_file_args *uap) 985{ | 964 break; 965 966 default: 967 error = EINVAL; 968 } 969 970 fdrop(fp, td); 971out: --- 5 unchanged lines hidden (view full) --- 977} 978 979/* 980 * MPSAFE 981 */ 982int 983__mac_set_file(struct thread *td, struct __mac_set_file_args *uap) 984{ |
| 986 struct label intlabel; | 985 struct label *intlabel; |
| 987 struct nameidata nd; 988 struct mount *mp; 989 struct mac mac; 990 char *buffer; 991 int error; 992 993 error = copyin(uap->mac_p, &mac, sizeof(mac)); 994 if (error) --- 5 unchanged lines hidden (view full) --- 1000 1001 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 1002 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 1003 if (error) { 1004 free(buffer, M_MACTEMP); 1005 return (error); 1006 } 1007 | 986 struct nameidata nd; 987 struct mount *mp; 988 struct mac mac; 989 char *buffer; 990 int error; 991 992 error = copyin(uap->mac_p, &mac, sizeof(mac)); 993 if (error) --- 5 unchanged lines hidden (view full) --- 999 1000 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 1001 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 1002 if (error) { 1003 free(buffer, M_MACTEMP); 1004 return (error); 1005 } 1006 |
| 1008 mac_init_vnode_label(&intlabel); 1009 error = mac_internalize_vnode_label(&intlabel, buffer); | 1007 intlabel = mac_vnode_label_alloc(); 1008 error = mac_internalize_vnode_label(intlabel, buffer); |
| 1010 free(buffer, M_MACTEMP); | 1009 free(buffer, M_MACTEMP); |
| 1011 if (error) { 1012 mac_destroy_vnode_label(&intlabel); 1013 return (error); 1014 } | 1010 if (error) 1011 goto out; |
| 1015 1016 mtx_lock(&Giant); /* VFS */ 1017 1018 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p, 1019 td); 1020 error = namei(&nd); 1021 if (error == 0) { 1022 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); 1023 if (error == 0) | 1012 1013 mtx_lock(&Giant); /* VFS */ 1014 1015 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p, 1016 td); 1017 error = namei(&nd); 1018 if (error == 0) { 1019 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); 1020 if (error == 0) |
| 1024 error = vn_setlabel(nd.ni_vp, &intlabel, | 1021 error = vn_setlabel(nd.ni_vp, intlabel, |
| 1025 td->td_ucred); 1026 vn_finished_write(mp); 1027 } 1028 1029 NDFREE(&nd, 0); 1030 mtx_unlock(&Giant); /* VFS */ | 1022 td->td_ucred); 1023 vn_finished_write(mp); 1024 } 1025 1026 NDFREE(&nd, 0); 1027 mtx_unlock(&Giant); /* VFS */ |
| 1031 mac_destroy_vnode_label(&intlabel); 1032 | 1028out: 1029 mac_vnode_label_free(intlabel); |
| 1033 return (error); 1034} 1035 1036/* 1037 * MPSAFE 1038 */ 1039int 1040__mac_set_link(struct thread *td, struct __mac_set_link_args *uap) 1041{ | 1030 return (error); 1031} 1032 1033/* 1034 * MPSAFE 1035 */ 1036int 1037__mac_set_link(struct thread *td, struct __mac_set_link_args *uap) 1038{ |
| 1042 struct label intlabel; | 1039 struct label *intlabel; |
| 1043 struct nameidata nd; 1044 struct mount *mp; 1045 struct mac mac; 1046 char *buffer; 1047 int error; 1048 1049 error = copyin(uap->mac_p, &mac, sizeof(mac)); 1050 if (error) --- 5 unchanged lines hidden (view full) --- 1056 1057 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 1058 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 1059 if (error) { 1060 free(buffer, M_MACTEMP); 1061 return (error); 1062 } 1063 | 1040 struct nameidata nd; 1041 struct mount *mp; 1042 struct mac mac; 1043 char *buffer; 1044 int error; 1045 1046 error = copyin(uap->mac_p, &mac, sizeof(mac)); 1047 if (error) --- 5 unchanged lines hidden (view full) --- 1053 1054 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 1055 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 1056 if (error) { 1057 free(buffer, M_MACTEMP); 1058 return (error); 1059 } 1060 |
| 1064 mac_init_vnode_label(&intlabel); 1065 error = mac_internalize_vnode_label(&intlabel, buffer); | 1061 intlabel = mac_vnode_label_alloc(); 1062 error = mac_internalize_vnode_label(intlabel, buffer); |
| 1066 free(buffer, M_MACTEMP); | 1063 free(buffer, M_MACTEMP); |
| 1067 if (error) { 1068 mac_destroy_vnode_label(&intlabel); 1069 return (error); 1070 } | 1064 if (error) 1065 goto out; |
| 1071 1072 mtx_lock(&Giant); /* VFS */ 1073 1074 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p, 1075 td); 1076 error = namei(&nd); 1077 if (error == 0) { 1078 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); 1079 if (error == 0) | 1066 1067 mtx_lock(&Giant); /* VFS */ 1068 1069 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p, 1070 td); 1071 error = namei(&nd); 1072 if (error == 0) { 1073 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); 1074 if (error == 0) |
| 1080 error = vn_setlabel(nd.ni_vp, &intlabel, | 1075 error = vn_setlabel(nd.ni_vp, intlabel, |
| 1081 td->td_ucred); 1082 vn_finished_write(mp); 1083 } 1084 1085 NDFREE(&nd, 0); 1086 mtx_unlock(&Giant); /* VFS */ | 1076 td->td_ucred); 1077 vn_finished_write(mp); 1078 } 1079 1080 NDFREE(&nd, 0); 1081 mtx_unlock(&Giant); /* VFS */ |
| 1087 mac_destroy_vnode_label(&intlabel); 1088 | 1082out: 1083 mac_vnode_label_free(intlabel); |
| 1089 return (error); 1090} 1091 1092/* 1093 * MPSAFE 1094 */ 1095int 1096mac_syscall(struct thread *td, struct mac_syscall_args *uap) --- 110 unchanged lines hidden --- | 1084 return (error); 1085} 1086 1087/* 1088 * MPSAFE 1089 */ 1090int 1091mac_syscall(struct thread *td, struct mac_syscall_args *uap) --- 110 unchanged lines hidden --- |