secmodel_extensions_system_cb() is not mount-specific, even though
KAUTH_SYSTEM_MOUNT happens to be the only option handled here. Put everything into a swith(action). No functional change.
This commit is contained in:
maxv
parent
65028d0320
commit
2e3cbeb9fe
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: secmodel_extensions.c,v 1.6 2014/02/25 18:30:13 pooka Exp $ */
|
||||
/* $NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $ */
|
||||
/*-
|
||||
* Copyright (c) 2011 Elad Efrat <elad@NetBSD.org>
|
||||
* All rights reserved.
|
||||
@ -27,7 +27,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.6 2014/02/25 18:30:13 pooka Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
@ -330,54 +330,60 @@ secmodel_extensions_system_cb(kauth_cred_t cred, kauth_action_t action,
|
||||
req = (enum kauth_system_req)arg0;
|
||||
result = KAUTH_RESULT_DEFER;
|
||||
|
||||
if (action != KAUTH_SYSTEM_MOUNT || dovfsusermount == 0)
|
||||
return result;
|
||||
|
||||
switch (req) {
|
||||
case KAUTH_REQ_SYSTEM_MOUNT_NEW:
|
||||
vp = (vnode_t *)arg1;
|
||||
mp = vp->v_mount;
|
||||
flags = (u_long)arg2;
|
||||
|
||||
/*
|
||||
* Ensure that the user owns the directory onto which the
|
||||
* mount is attempted.
|
||||
*/
|
||||
vn_lock(vp, LK_SHARED | LK_RETRY);
|
||||
error = VOP_GETATTR(vp, &va, cred);
|
||||
VOP_UNLOCK(vp);
|
||||
if (error)
|
||||
switch (action) {
|
||||
case KAUTH_SYSTEM_MOUNT:
|
||||
if (dovfsusermount == 0)
|
||||
break;
|
||||
switch (req) {
|
||||
case KAUTH_REQ_SYSTEM_MOUNT_NEW:
|
||||
vp = (vnode_t *)arg1;
|
||||
mp = vp->v_mount;
|
||||
flags = (u_long)arg2;
|
||||
|
||||
if (va.va_uid != kauth_cred_geteuid(cred))
|
||||
break;
|
||||
/*
|
||||
* Ensure that the user owns the directory onto which
|
||||
* the mount is attempted.
|
||||
*/
|
||||
vn_lock(vp, LK_SHARED | LK_RETRY);
|
||||
error = VOP_GETATTR(vp, &va, cred);
|
||||
VOP_UNLOCK(vp);
|
||||
if (error)
|
||||
break;
|
||||
|
||||
error = usermount_common_policy(mp, flags);
|
||||
if (error)
|
||||
break;
|
||||
if (va.va_uid != kauth_cred_geteuid(cred))
|
||||
break;
|
||||
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
error = usermount_common_policy(mp, flags);
|
||||
if (error)
|
||||
break;
|
||||
|
||||
break;
|
||||
|
||||
case KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT:
|
||||
mp = arg1;
|
||||
|
||||
/* Must own the mount. */
|
||||
if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred))
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
|
||||
break;
|
||||
break;
|
||||
|
||||
case KAUTH_REQ_SYSTEM_MOUNT_UPDATE:
|
||||
mp = arg1;
|
||||
flags = (u_long)arg2;
|
||||
case KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT:
|
||||
mp = arg1;
|
||||
|
||||
/* Must own the mount. */
|
||||
if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred) &&
|
||||
usermount_common_policy(mp, flags) == 0)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
/* Must own the mount. */
|
||||
if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred))
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
|
||||
break;
|
||||
|
||||
case KAUTH_REQ_SYSTEM_MOUNT_UPDATE:
|
||||
mp = arg1;
|
||||
flags = (u_long)arg2;
|
||||
|
||||
/* Must own the mount. */
|
||||
if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred) &&
|
||||
usermount_common_policy(mp, flags) == 0)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
|
||||
Loading…
Reference in New Issue
Block a user