FreeBSD Bugzilla – Attachment 155932 Details for
Bug 199654
Add additional hooks to MAC framework following vnode lookup and create operations
[patch]
Patch adding hooks to the MAC framework and vnode operations
post-lookup-create-hooks.patch (text/plain), 7.97 KB, created by
Scott Moore
on 2015-04-24 00:45:08 UTC
Description:
Patch adding hooks to the MAC framework and vnode operations
Filename:
MIME Type:
Creator:
Scott Moore
Created:
2015-04-24 00:45:08 UTC
Size:
7.97 KB
patch
obsolete
>diff --git a/sys/compat/linux/linux_getcwd.c b/sys/compat/linux/linux_getcwd.c
>index 1c7080d..bd27bb5 100644
>--- a/sys/compat/linux/linux_getcwd.c
>+++ b/sys/compat/linux/linux_getcwd.c
>@@ -164,8 +164,12 @@ linux_getcwd_scandir(lvpp, uvpp, bpp, bufp, td)
> #ifdef MAC
> error = mac_vnode_check_lookup(td->td_ucred, lvp, &cn);
> if (error == 0)
>-#endif
>+#endif /* MAC */
> error = VOP_LOOKUP(lvp, uvpp, &cn);
>+#ifdef MAC
>+ if (error == 0)
>+ mac_vnode_post_lookup(td->td_ucred, lvp, &cn, *uvpp);
>+#endif /* MAC */
> if (error) {
> vput(lvp);
> *lvpp = NULL;
>diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
>index ef0b83c..6b187f6 100644
>--- a/sys/kern/uipc_usrreq.c
>+++ b/sys/kern/uipc_usrreq.c
>@@ -538,6 +538,10 @@ restart:
> if (error == 0)
> error = VOP_CREATE(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
> NDFREE(&nd, NDF_ONLY_PNBUF);
>+#ifdef MAC
>+ if (error == 0)
>+ mac_vnode_post_create(td->td_ucred, nd.ni_dvp, nd.ni_vp, &nd.ni_cnd, &vattr);
>+#endif
> vput(nd.ni_dvp);
> if (error) {
> vn_finished_write(mp);
>diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c
>index f2ffab2..2064242 100644
>--- a/sys/kern/vfs_lookup.c
>+++ b/sys/kern/vfs_lookup.c
>@@ -757,6 +757,14 @@ unionlookup:
> goto success;
> } else
> cnp->cn_lkflags = lkflags_save;
>+
>+#ifdef MAC
>+ if ((cnp->cn_flags & NOMACCHECK) == 0) {
>+ mac_vnode_post_lookup(cnp->cn_thread->td_ucred, dp,
>+ cnp, ndp->ni_vp);
>+ }
>+#endif
>+
> #ifdef NAMEI_DIAGNOSTIC
> printf("found\n");
> #endif
>diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
>index 8c8ca31..394c3e3 100644
>--- a/sys/kern/vfs_syscalls.c
>+++ b/sys/kern/vfs_syscalls.c
>@@ -1334,8 +1334,14 @@ restart:
> else {
> error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp,
> &nd.ni_cnd, &vattr);
>- if (error == 0)
>+ if (error == 0) {
>+#ifdef MAC
>+ mac_vnode_post_create(td->td_ucred,
>+ nd.ni_dvp, nd.ni_vp,
>+ &nd.ni_cnd, &vattr);
>+#endif
> vput(nd.ni_vp);
>+ }
> }
> }
> NDFREE(&nd, NDF_ONLY_PNBUF);
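Review bot: In the uipc_usrreq.c hunk the new mac_vnode_post_create() call is placed after `NDFREE(&nd, NDF_ONLY_PNBUF);`, which has already released the pathname buffer that nd.ni_cnd.cn_nameptr points into, so a policy that reads the component name through cnp would be handed freed memory. The vfs_syscalls.c hunks in this same patch run the hook before their NDFREE; this site should match by moving the whole `#ifdef MAC` block above the NDFREE line. The call line also exceeds 80 columns; wrap it as the other sites do, `mac_vnode_post_create(td->td_ucred, nd.ni_dvp, nd.ni_vp,` / `    &nd.ni_cnd, &vattr);`. unp_bind begins and ends outside the hunk.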
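Review bot: In the vfs_lookup.c hunk the post-lookup notification fires at the point where the component has just been found, which as far as I can tell from the surrounding lookup() code is before any mountpoint crossing or symlink handling, so the `ndp->ni_vp` a policy receives may be a covered vnode or the symlink itself rather than the object the caller finally obtains; that is not wrong, but it needs to be stated since nothing in the patch says what "post lookup" means. Suggest a comment above the new block, `/* Notify policies of the component as found; runs before mountpoint crossing and symlink resolution. */`. The NOMACCHECK guard mirrors the existing pre-check, which is good. lookup() starts and ends outside the hunk.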
>@@ -1425,8 +1431,14 @@ restart:
> goto out;
> #endif
> error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
>- if (error == 0)
>+ if (error == 0) {
>+#ifdef MAC
>+ mac_vnode_post_create(td->td_ucred,
>+ nd.ni_dvp, nd.ni_vp,
>+ &nd.ni_cnd, &vattr);
>+#endif
> vput(nd.ni_vp);
>+ }
> #ifdef MAC
> out:
> #endif
>@@ -1694,8 +1706,14 @@ restart:
> goto out2;
> #endif
> error = VOP_SYMLINK(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr, syspath);
>- if (error == 0)
>+ if (error == 0) {
>+#ifdef MAC
>+ mac_vnode_post_create(td->td_ucred,
>+ nd.ni_dvp, nd.ni_vp,
>+ &nd.ni_cnd, &vattr);
>+#endif
> vput(nd.ni_vp);
>+ }
> #ifdef MAC
> out2:
> #endif
>@@ -3755,6 +3773,11 @@ restart:
> #endif
> error = VOP_MKDIR(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
> #ifdef MAC
>+ if (error == 0) {
>+ mac_vnode_post_create(td->td_ucred,
>+ nd.ni_dvp, nd.ni_vp,
>+ &nd.ni_cnd, &vattr);
>+ }
> out:
> #endif
> NDFREE(&nd, NDF_ONLY_PNBUF);
>diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
>index ed4ad4d..f51fc78 100644
>--- a/sys/kern/vfs_vnops.c
>+++ b/sys/kern/vfs_vnops.c
>@@ -226,6 +226,11 @@ restart:
> #endif
> error = VOP_CREATE(ndp->ni_dvp, &ndp->ni_vp,
> &ndp->ni_cnd, vap);
>+#ifdef MAC
>+ if (error == 0)
>+ mac_vnode_post_create(cred, ndp->ni_dvp, ndp->ni_vp,
>+ &ndp->ni_cnd, vap);
>+#endif
> vput(ndp->ni_dvp);
> vn_finished_write(mp);
> if (error) {
>diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
>index 7068d47..aa2d852 100644
>--- a/sys/security/mac/mac_framework.h
>+++ b/sys/security/mac/mac_framework.h
>@@ -379,6 +379,9 @@ int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
> int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
> int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
> struct componentname *cnp, struct vattr *vap);
>+void mac_vnode_post_create(struct ucred *cred, struct vnode *dvp,
>+ struct vnode *vp, struct componentname *cnp,
>+ struct vattr *vap);
> int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
> acl_type_t type);
> int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
>@@ -395,6 +398,8 @@ int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
> int attrnamespace);
> int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
> struct componentname *cnp);
>+void mac_vnode_post_lookup(struct ucred *cred, struct vnode *dvp,
>+ struct componentname *cnp, struct vnode *vp);
> int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
> int flags);
> int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
>diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
>index b875e6e..ddf0fd57 100644
>--- a/sys/security/mac/mac_policy.h
>+++ b/sys/security/mac/mac_policy.h
>@@ -559,6 +559,10 @@ typedef int (*mpo_vnode_check_chroot_t)(struct ucred *cred,
> typedef int (*mpo_vnode_check_create_t)(struct ucred *cred,
> struct vnode *dvp, struct label *dvplabel,
> struct componentname *cnp, struct vattr *vap);
>+typedef void (*mpo_vnode_post_create_t)(struct ucred *cred,
>+ struct vnode *dvp, struct label *dvplabel,
>+ struct vnode *vp, struct label *vplabel,
>+ struct componentname *cnp, struct vattr *vap);
> typedef int (*mpo_vnode_check_deleteacl_t)(struct ucred *cred,
> struct vnode *vp, struct label *vplabel,
> acl_type_t type);
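Review bot: The new mac_vnode_post_create() and mac_vnode_post_lookup() prototypes in mac_framework.h say nothing about their contract, and unlike the neighbouring check entry points a void return does not document itself: a reader cannot tell that these are notifications that cannot veto, that they fire only after the VOP succeeded, that both dvp and vp are expected locked (the mac_vfs.c hunk asserts exactly that), or that cnp's name buffer must still be valid when they are called. Suggest one comment above the pair, `/* Post-operation notifications: called only after the VOP succeeded, with dvp and vp locked and cnp still valid; cannot fail or veto. */`. The same note belongs on the mpo_vnode_post_create_t / mpo_vnode_post_lookup_t typedefs in the mac_policy.h hunks. Placing them between the alphabetically ordered mac_vnode_check_* declarations is a minor style point; a separate post-hook group would read better.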
>@@ -584,6 +588,10 @@ typedef int (*mpo_vnode_check_listextattr_t)(struct ucred *cred,
> typedef int (*mpo_vnode_check_lookup_t)(struct ucred *cred,
> struct vnode *dvp, struct label *dvplabel,
> struct componentname *cnp);
>+typedef void (*mpo_vnode_post_lookup_t)(struct ucred *cred,
>+ struct vnode *dvp, struct label *dvplabel,
>+ struct componentname *cnp, struct vnode *vp,
>+ struct label *vplabel);
> typedef int (*mpo_vnode_check_mmap_t)(struct ucred *cred,
> struct vnode *vp, struct label *label, int prot,
> int flags);
>@@ -921,6 +929,7 @@ struct mac_policy_ops {
> mpo_vnode_check_chdir_t mpo_vnode_check_chdir;
> mpo_vnode_check_chroot_t mpo_vnode_check_chroot;
> mpo_vnode_check_create_t mpo_vnode_check_create;
>+ mpo_vnode_post_create_t mpo_vnode_post_create;
> mpo_vnode_check_deleteacl_t mpo_vnode_check_deleteacl;
> mpo_vnode_check_deleteextattr_t mpo_vnode_check_deleteextattr;
> mpo_vnode_check_exec_t mpo_vnode_check_exec;
>@@ -929,6 +938,7 @@ struct mac_policy_ops {
> mpo_vnode_check_link_t mpo_vnode_check_link;
> mpo_vnode_check_listextattr_t mpo_vnode_check_listextattr;
> mpo_vnode_check_lookup_t mpo_vnode_check_lookup;
>+ mpo_vnode_post_lookup_t mpo_vnode_post_lookup;
> mpo_vnode_check_mmap_t mpo_vnode_check_mmap;
> mpo_vnode_check_mmap_downgrade_t mpo_vnode_check_mmap_downgrade;
> mpo_vnode_check_mprotect_t mpo_vnode_check_mprotect;
>diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
>index 1d08f61..79685ab 100644
>--- a/sys/security/mac/mac_vfs.c
>+++ b/sys/security/mac/mac_vfs.c
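Review bot: Inserting `mpo_vnode_post_create` and `mpo_vnode_post_lookup` in the middle of struct mac_policy_ops (the two @@ -921 / @@ -929 hunks) shifts the offset of every member after them, so a policy module built against the previous header would have the framework dispatch through the wrong slot without any compile-time signal. Policy modules declare a dependency on the framework through MAC_VERSION in mac_policy.h; if this change is meant to be loadable by out-of-tree policies, MAC_VERSION should be bumped in the same patch, or the new members appended at the end of the struct so existing offsets survive — which of these the project prefers should be confirmed with the framework maintainers. The struct definition starts and ends outside these hunks.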
>@@ -434,6 +434,21 @@ mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
> return (error);
> }
>
>+void
>+mac_vnode_post_create(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
>+ struct componentname *cnp, struct vattr *vap)
>+{
>+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_post_create");
>+ ASSERT_VOP_LOCKED(vp, "mac_vnode_post_create");
>+
>+ MAC_POLICY_PERFORM(vnode_post_create, cred,
>+ dvp, dvp->v_label,
>+ vp, vp->v_label,
>+ cnp, vap);
>+
>+ return;
>+}
>+
> MAC_CHECK_PROBE_DEFINE3(vnode_check_deleteacl, "struct ucred *",
> "struct vnode *", "acl_type_t");
>
>@@ -578,6 +593,19 @@ mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
> return (error);
> }
>
>+void
>+mac_vnode_post_lookup(struct ucred *cred, struct vnode *dvp,
>+ struct componentname *cnp, struct vnode *vp)
>+{
>+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_post_lookup");
>+ ASSERT_VOP_LOCKED(vp, "mac_vnode_post_lookup");
>+
>+ MAC_POLICY_PERFORM(vnode_post_lookup, cred, dvp, dvp->v_label, cnp,
>+ vp, vp->v_label);
>+
>+ return;
>+}
>+
> MAC_CHECK_PROBE_DEFINE4(vnode_check_mmap, "struct ucred *", "struct vnode *",
> "int", "int");
>
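Review bot: Both new functions in mac_vfs.c end with a bare `return;`, which is redundant in a void function and does not match the surrounding mac_vfs.c code; drop it in mac_vnode_post_create() and mac_vnode_post_lookup(). Neither function states its preconditions beyond the two ASSERT_VOP_LOCKED calls: vp must be non-NULL (every caller in this patch guarantees that via `error == 0`, but the assert would dereference a NULL vp before any policy runs), and vp may alias dvp, for instance on a lookup of ".", which the double assert tolerates but a policy author should be told. Suggest a comment above each body, `/* Notification only: vp is the successfully looked-up (or created) vnode, non-NULL and locked, and may be the same vnode as dvp. */`. The mac_vnode_post_create() argument list splitting one parameter pair per line is also inconsistent with the single-line form used in mac_vnode_post_lookup(); pick one.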