From 2e3cbeb9feb564b5dbd616e1d13151063e4e1794 Mon Sep 17 00:00:00 2001
From: maxv
Date: Sat, 12 Dec 2015 14:57:52 +0000
Subject: [PATCH] secmodel_extensions_system_cb() is not mount-specific, even though KAUTH_SYSTEM_MOUNT happens to be the only option handled here. Put everything into a swith(action). No functional change.
---
 sys/secmodel/extensions/secmodel_extensions.c | 86 ++++++++++---------
 1 file changed, 46 insertions(+), 40 deletions(-)
diff --git a/sys/secmodel/extensions/secmodel_extensions.c b/sys/secmodel/extensions/secmodel_extensions.c
index 18e33d6b2386..36d00a443cb4 100644
--- a/sys/secmodel/extensions/secmodel_extensions.c
+++ b/sys/secmodel/extensions/secmodel_extensions.c
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_extensions.c,v 1.6 2014/02/25 18:30:13 pooka Exp $ */
+/* $NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $ */
 /*-
 * Copyright (c) 2011 Elad Efrat
 * All rights reserved.
@@ -27,7 +27,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.6 2014/02/25 18:30:13 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $");
 #include
 #include
@@ -330,54 +330,60 @@ secmodel_extensions_system_cb(kauth_cred_t cred, kauth_action_t action, req = (enum kauth_system_req)arg0; result = KAUTH_RESULT_DEFER; - if (action != KAUTH_SYSTEM_MOUNT || dovfsusermount == 0) - return result; - - switch (req) { - case KAUTH_REQ_SYSTEM_MOUNT_NEW: - vp = (vnode_t *)arg1; - mp = vp->v_mount; - flags = (u_long)arg2; - - /* - * Ensure that the user owns the directory onto which the - * mount is attempted. - */ - vn_lock(vp, LK_SHARED | LK_RETRY); - error = VOP_GETATTR(vp, &va, cred); - VOP_UNLOCK(vp); - if (error) + switch (action) { + case KAUTH_SYSTEM_MOUNT: + if (dovfsusermount == 0) break; + switch (req) { + case KAUTH_REQ_SYSTEM_MOUNT_NEW: + vp = (vnode_t *)arg1; + mp = vp->v_mount; + flags = (u_long)arg2; - if (va.va_uid != kauth_cred_geteuid(cred)) - break; + /* + * Ensure that the user owns the directory onto which + * the mount is attempted. + */ + vn_lock(vp, LK_SHARED | LK_RETRY); + error = VOP_GETATTR(vp, &va, cred); + VOP_UNLOCK(vp); + if (error) + break; - error = usermount_common_policy(mp, flags); - if (error) - break; + if (va.va_uid != kauth_cred_geteuid(cred)) + break; - result = KAUTH_RESULT_ALLOW; + error = usermount_common_policy(mp, flags); + if (error) + break; - break; - - case KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT: - mp = arg1; - - /* Must own the mount. */ - if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred)) result = KAUTH_RESULT_ALLOW; - break; + break; - case KAUTH_REQ_SYSTEM_MOUNT_UPDATE: - mp = arg1; - flags = (u_long)arg2; + case KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT: + mp = arg1; - /* Must own the mount. */ - if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred) && - usermount_common_policy(mp, flags) == 0) - result = KAUTH_RESULT_ALLOW; + /* Must own the mount. */ + if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred)) + result = KAUTH_RESULT_ALLOW; + break; + + case KAUTH_REQ_SYSTEM_MOUNT_UPDATE: + mp = arg1; + flags = (u_long)arg2; + + /* Must own the mount. 
*/ + if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred) && + usermount_common_policy(mp, flags) == 0) + result = KAUTH_RESULT_ALLOW; + + break; + + default: + break; + } break; default:
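Review bot: The early `if (dovfsusermount == 0) break;` under `case KAUTH_SYSTEM_MOUNT:` and every failure `break` in the `KAUTH_REQ_SYSTEM_MOUNT_NEW` arm (the `VOP_GETATTR` error, the `va.va_uid` mismatch, the `usermount_common_policy` error) rely on `result` still holding `KAUTH_RESULT_DEFER` from the top of the function, and after the re-nesting nothing near them says so. Since the callback is being opened up for further actions, I would state that invariant where the knob is tested, e.g. `/* User mounts disabled: leave result at KAUTH_RESULT_DEFER, this listener grants nothing. */`, and note in the function's header comment that the visible paths only ever produce ALLOW or DEFER, never DENY. The inner `break`s now leave only `switch (req)`, which is safe here because the outer `break;` follows the inner `}` directly; anything a later change places between the two would also run on the refused paths. The function starts before and ends after this hunk, so the final `default:` arm and the return are not visible here.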