Introduce support for Mandatory Access Control and extensible

kernel access control. Modify pseudofs so that it can support synthetic file systems with the multilabel flag set. In particular, implement vop_refreshlabel() as pn_refreshlabel(). Implement pfs_refreshlabel() to invoke this, and have it fall back to the mount label if the file system does not implement pn_refreshlabel() for the node. Otherwise, permit the file system to determine how the service is provided. Approved by: des Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2026-05-28 04:12:45 -04:00 · 2002-08-01 01:33:12 +00:00 · 2002-08-01 01:33:12 +00:00 · dee93f2c52
commit dee93f2c52
parent b285e7f9a8
3 changed files with 62 additions and 1 deletions
--- a/sys/fs/pseudofs/pseudofs.h
+++ b/sys/fs/pseudofs/pseudofs.h
@ -144,6 +144,15 @@ typedef int (*pfs_ioctl_t)(PFS_IOCTL_ARGS);
 struct ucred;
 typedef int (*pfs_getextattr_t)(PFS_GETEXTATTR_ARGS);

+/*
+ * Getlabel callback
+ */
+#define	PFS_REFRESHLABEL_ARGS \
+	struct thread *td, struct proc *p, struct vnode *vp, \
+	struct pfs_node *pn, struct ucred *cred
+struct mac;
+typedef int (*pfs_refreshlabel_t)(PFS_REFRESHLABEL_ARGS);
+
 /*
 * Last-close callback
 */
@ -185,6 +194,7 @@ struct pfs_node {
 	pfs_attr_t		 pn_attr;
 	pfs_vis_t		 pn_vis;
 	pfs_getextattr_t	 pn_getextattr;
+	pfs_refreshlabel_t	 pn_refreshlabel;
 	void			*pn_data;
 	int			 pn_flags;

--- a/sys/fs/pseudofs/pseudofs_vnops.c
+++ b/sys/fs/pseudofs/pseudofs_vnops.c
@ -28,6 +28,8 @@
 *	$FreeBSD$
 */

+#include "opt_mac.h"
+
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/systm.h>
@ -35,6 +37,7 @@
 #include <sys/dirent.h>
 #include <sys/fcntl.h>
 #include <sys/lock.h>
+#include <sys/mac.h>
 #include <sys/mount.h>
 #include <sys/mutex.h>
 #include <sys/namei.h>
@ -729,6 +732,50 @@ pfs_reclaim(struct vop_reclaim_args *va)
 	return (pfs_vncache_free(va->a_vp));
 }

+#ifdef MAC
+/*
+ * Refresh the vnode label as appropriate for the pseudo-file system.
+ */
+static int
+pfs_refreshlabel(struct vop_refreshlabel_args *va)
+{
+	struct vnode *vn = va->a_vp;
+	struct pfs_vdata *pvd = (struct pfs_vdata *)vn->v_data;
+	struct pfs_node *pn = pvd->pvd_pn;
+	struct proc *proc = NULL;
+	int error;
+
+	PFS_TRACE((pd->pn_name));
+
+	if (pn->pn_refreshlabel == NULL) {
+		mac_update_vnode_from_mount(vn, vn->v_mount);
+		return (0);
+	}
+
+	/*
+	 * This is necessary because either process' privileges may
+	 * have changed since the last open() call.
+	 */
+	if (!pfs_visible(curthread, pn, pvd->pvd_pid))
+		PFS_RETURN (EIO);
+
+	/* XXX duplicate bits of pfs_visible() */
+	if (pvd->pvd_pid != NO_PID) {
+		if ((proc = pfind(pvd->pvd_pid)) == NULL)
+			PFS_RETURN (EIO);
+		_PHOLD(proc);
+		PROC_UNLOCK(proc);
+	}
+
+	error = (pn->pn_refreshlabel)(curthread, proc, vn, pn, va->a_cred);
+
+	if (proc != NULL)
+		PRELE(proc);
+
+	PFS_RETURN (error);
+}
+#endif
+
 /*
 * Set attributes
 */
@ -821,6 +868,9 @@ static struct vnodeopv_entry_desc pfs_vnodeop_entries[] = {
 	{ &vop_readdir_desc,		(vop_t *)pfs_readdir	},
 	{ &vop_readlink_desc,		(vop_t *)pfs_readlink	},
 	{ &vop_reclaim_desc,		(vop_t *)pfs_reclaim	},
+#ifdef MAC
+	{ &vop_refreshlabel_desc,	(vop_t *)pfs_refreshlabel },
+#endif
 	{ &vop_remove_desc,		(vop_t *)vop_eopnotsupp	},
 	{ &vop_rename_desc,		(vop_t *)vop_eopnotsupp	},
 	{ &vop_rmdir_desc,		(vop_t *)vop_eopnotsupp	},
--- a/sys/modules/pseudofs/Makefile
+++ b/sys/modules/pseudofs/Makefile
@ -3,7 +3,8 @@
 .PATH: ${.CURDIR}/../../fs/pseudofs

 KMOD=	pseudofs
-SRCS=	vnode_if.h \
+SRCS=	opt_mac.h \
+	vnode_if.h \
 	pseudofs.c \
 	pseudofs_fileno.c \
 	pseudofs_vncache.c \