From dee93f2c5273040ecc76e34bcec7152dedeb1555 Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Thu, 1 Aug 2002 01:33:12 +0000 Subject: Introduce support for Mandatory Access Control and extensible kernel access control. Modify pseudofs so that it can support synthetic file systems with the multilabel flag set. In particular, implement vop_refreshlabel() as pn_refreshlabel(). Implement pfs_refreshlabel() to invoke this, and have it fall back to the mount label if the file system does not implement pn_refreshlabel() for the node. Otherwise, permit the file system to determine how the service is provided. Approved by: des Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
--- sys/fs/pseudofs/pseudofs.h | 10 ++++++++ sys/fs/pseudofs/pseudofs_vnops.c | 50 ++++++++++++++++++++++++++++++++++++++++ sys/modules/pseudofs/Makefile | 3 ++- 3 files changed, 62 insertions(+), 1 deletion(-) (limited to 'sys')
diff --git a/sys/fs/pseudofs/pseudofs.h b/sys/fs/pseudofs/pseudofs.h
index 69044d0b270a3..05882bfd1f61d 100644
--- a/sys/fs/pseudofs/pseudofs.h
+++ b/sys/fs/pseudofs/pseudofs.h
@@ -144,6 +144,15 @@ typedef int (*pfs_ioctl_t)(PFS_IOCTL_ARGS);
 struct ucred;
 typedef int (*pfs_getextattr_t)(PFS_GETEXTATTR_ARGS);
+/*
+ * Getlabel callback
+ */
+#define PFS_REFRESHLABEL_ARGS \
+ struct thread *td, struct proc *p, struct vnode *vp, \
+ struct pfs_node *pn, struct ucred *cred
+struct mac;
+typedef int (*pfs_refreshlabel_t)(PFS_REFRESHLABEL_ARGS);
+
 /*
 * Last-close callback
 */
@@ -185,6 +194,7 @@ struct pfs_node {
 pfs_attr_t pn_attr;
 pfs_vis_t pn_vis;
 pfs_getextattr_t pn_getextattr;
+ pfs_refreshlabel_t pn_refreshlabel;
 void *pn_data;
 int pn_flags;
diff --git a/sys/fs/pseudofs/pseudofs_vnops.c b/sys/fs/pseudofs/pseudofs_vnops.c
index 0eed8eac4fafc..6298fb98a5d98 100644
--- a/sys/fs/pseudofs/pseudofs_vnops.c
+++ b/sys/fs/pseudofs/pseudofs_vnops.c
@@ -28,6 +28,8 @@
 * $FreeBSD$
 */
+#include "opt_mac.h"
+
 #include
 #include
 #include
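Review bot: In the pseudofs.h hunk at `@@ -144,6 +144,15 @@`, the new comment reads "Getlabel callback" while the type it introduces is `pfs_refreshlabel_t`, and nothing states the contract a synthetic file system must meet when it supplies this hook. Going by the caller added to pseudofs_vnops.c in this same commit, `p` is NULL for nodes not bound to a process and is otherwise passed held and unlocked, and the callback's return value becomes the result of the vnode operation. I would replace the comment with something like `/* Refreshlabel callback: p is NULL for nodes with no process, otherwise held and unlocked; returns an errno value */`. The forward declaration `struct mac;` is not referenced by `PFS_REFRESHLABEL_ARGS` as written, so it either wants a word on why it is there or can be dropped.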
@@ -35,6 +37,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -729,6 +732,50 @@ pfs_reclaim(struct vop_reclaim_args *va)
 return (pfs_vncache_free(va->a_vp));
 }
+#ifdef MAC
+/*
+ * Refresh the vnode label as appropriate for the pseudo-file system.
+ */
+static int
+pfs_refreshlabel(struct vop_refreshlabel_args *va)
+{
+ struct vnode *vn = va->a_vp;
+ struct pfs_vdata *pvd = (struct pfs_vdata *)vn->v_data;
+ struct pfs_node *pn = pvd->pvd_pn;
+ struct proc *proc = NULL;
+ int error;
+
+ PFS_TRACE((pd->pn_name));
+
+ if (pn->pn_refreshlabel == NULL) {
+ mac_update_vnode_from_mount(vn, vn->v_mount);
+ return (0);
+ }
+
+ /*
+ * This is necessary because either process' privileges may
+ * have changed since the last open() call.
+ */
+ if (!pfs_visible(curthread, pn, pvd->pvd_pid))
+ PFS_RETURN (EIO);
+
+ /* XXX duplicate bits of pfs_visible() */
+ if (pvd->pvd_pid != NO_PID) {
+ if ((proc = pfind(pvd->pvd_pid)) == NULL)
+ PFS_RETURN (EIO);
+ _PHOLD(proc);
+ PROC_UNLOCK(proc);
+ }
+
+ error = (pn->pn_refreshlabel)(curthread, proc, vn, pn, va->a_cred);
+
+ if (proc != NULL)
+ PRELE(proc);
+
+ PFS_RETURN (error);
+}
+#endif
+
 /*
 * Set attributes
 */
@@ -821,6 +868,9 @@ static struct vnodeopv_entry_desc pfs_vnodeop_entries[] = {
 { &vop_readdir_desc, (vop_t *)pfs_readdir },
 { &vop_readlink_desc, (vop_t *)pfs_readlink },
 { &vop_reclaim_desc, (vop_t *)pfs_reclaim },
+#ifdef MAC
+ { &vop_refreshlabel_desc, (vop_t *)pfs_refreshlabel },
+#endif
 { &vop_remove_desc, (vop_t *)vop_eopnotsupp },
 { &vop_rename_desc, (vop_t *)vop_eopnotsupp },
 { &vop_rmdir_desc, (vop_t *)vop_eopnotsupp },
diff --git a/sys/modules/pseudofs/Makefile b/sys/modules/pseudofs/Makefile
index d0c41ceadd2da..e84a6391ae0ae 100644
--- a/sys/modules/pseudofs/Makefile
+++ b/sys/modules/pseudofs/Makefile
@@ -3,7 +3,8 @@
 .PATH: ${.CURDIR}/../../fs/pseudofs
 KMOD= pseudofs
-SRCS= vnode_if.h \
+SRCS= opt_mac.h \
+ vnode_if.h \
 pseudofs.c \
 pseudofs_fileno.c \
 pseudofs_vncache.c \
-- cgit v1.3
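Review bot: In the new `pfs_refreshlabel()` (hunk `@@ -729,6 +732,50 @@`), the trace call `PFS_TRACE((pd->pn_name));` names `pd`, which this function never declares. Its locals are `vn`, `pvd`, `pn`, `proc` and `error`, so the line should read `PFS_TRACE((pn->pn_name));`. `PFS_TRACE` is defined outside this diff, so the mistake may only surface as a build failure when tracing is compiled in. Separately, the process is resolved by pid twice, once inside `pfs_visible()` and again by `pfind()`, so the process handed to `pn_refreshlabel` is not guaranteed to be the one that passed the visibility check if the pid is recycled in between. `pfs_visible()` is not shown here, so this needs confirming, but since the result feeds a MAC label the `XXX` comment deserves a sentence naming that window or a helper that returns the already-checked, held process.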