diff options
| author | Robert Watson <rwatson@FreeBSD.org> | 2002-08-15 20:55:08 +0000 |
|---|---|---|
| committer | Robert Watson <rwatson@FreeBSD.org> | 2002-08-15 20:55:08 +0000 |
| commit | 9ca435893bcf251039e2d35cd2ffd29603597559 (patch) | |
| tree | 09f20587d6bc57d661c96f87771a6081e65d834f /sys | |
| parent | e2a5fdf9117c50fdd503f405f77381d38ed609b2 (diff) | |
| download | src-9ca435893bcf251039e2d35cd2ffd29603597559.tar.gz src-9ca435893bcf251039e2d35cd2ffd29603597559.zip | |
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Notes
Notes:
svn path=/head/; revision=101941
Diffstat (limited to 'sys')
31 files changed, 145 insertions, 106 deletions
diff --git a/sys/alpha/alpha/vm_machdep.c b/sys/alpha/alpha/vm_machdep.c index 1a1d7165283e..dc1e52bbbaf2 100644 --- a/sys/alpha/alpha/vm_machdep.c +++ b/sys/alpha/alpha/vm_machdep.c @@ -408,12 +408,12 @@ cpu_coredump(td, vp, cred) /* XXXKSE this is totally bogus! (and insecure) */ error = vn_rdwr(UIO_WRITE, vp, (caddr_t) td->td_proc->p_uarea, ctob(UAREA_PAGES), (off_t)0, - UIO_SYSSPACE, IO_UNIT, cred, (int *)NULL, td); + UIO_SYSSPACE, IO_UNIT, cred, NOCRED, (int *)NULL, td); if (error) return error; error = vn_rdwr(UIO_WRITE, vp, (caddr_t) td->td_kstack, ctob(KSTACK_PAGES), (off_t)ctob(UAREA_PAGES), - UIO_SYSSPACE, IO_UNIT, cred, (int *)NULL, td); + UIO_SYSSPACE, IO_UNIT, cred, NOCRED, (int *)NULL, td); return error; } diff --git a/sys/amd64/amd64/vm_machdep.c b/sys/amd64/amd64/vm_machdep.c index 04742c325c98..9438af55a062 100644 --- a/sys/amd64/amd64/vm_machdep.c +++ b/sys/amd64/amd64/vm_machdep.c @@ -470,7 +470,8 @@ cpu_coredump(td, vp, cred) error = vn_rdwr(UIO_WRITE, vp, (caddr_t) tempuser, ctob(UAREA_PAGES + KSTACK_PAGES), - (off_t)0, UIO_SYSSPACE, IO_UNIT, cred, (int *)NULL, td); + (off_t)0, UIO_SYSSPACE, IO_UNIT, cred, NOCRED, + (int *)NULL, td); free(tempuser, M_TEMP); diff --git a/sys/compat/pecoff/imgact_pecoff.c b/sys/compat/pecoff/imgact_pecoff.c index f7b540cbe977..66d0d7f38d80 100644 --- a/sys/compat/pecoff/imgact_pecoff.c +++ b/sys/compat/pecoff/imgact_pecoff.c @@ -192,14 +192,14 @@ pecoff_coredump(register struct thread * td, register struct vnode * vp, error = vn_rdwr_inchunks(UIO_WRITE, vp, vm->vm_daddr, (int)ctob(vm->vm_dsize), (off_t)ctob((UAREA_PAGES+KSTACK_PAGES)), - UIO_USERSPACE, IO_UNIT, cred, (int *)NULL, td); + UIO_USERSPACE, IO_UNIT, cred, NOCRED, (int *)NULL, td); if (error == 0) error = vn_rdwr_inchunks(UIO_WRITE, vp, (caddr_t)trunc_page(USRSTACK - ctob(vm->vm_ssize)), round_page(ctob(vm->vm_ssize)), (off_t)ctob((UAREA_PAGES+KSTACK_PAGES)) + ctob(vm->vm_dsize), - UIO_USERSPACE, IO_UNIT, cred, (int *)NULL, td); + UIO_USERSPACE, IO_UNIT, cred, NOCRED, (int *)NULL, td); return (error); } @@ -608,7 +608,7 @@ pecoff_read_from(td, vp, pos, buf, siz) size_t resid; error = vn_rdwr(UIO_READ, vp, buf, siz, pos, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, &resid, td); if (error) return error; diff --git a/sys/gnu/ext2fs/ext2_lookup.c b/sys/gnu/ext2fs/ext2_lookup.c index b550540d2dc4..bddc3bbfa084 100644 --- a/sys/gnu/ext2fs/ext2_lookup.c +++ b/sys/gnu/ext2fs/ext2_lookup.c @@ -1011,7 +1011,7 @@ ext2_dirempty(ip, parentino, cred) for (off = 0; off < ip->i_size; off += dp->rec_len) { error = vn_rdwr(UIO_READ, ITOV(ip), (caddr_t)dp, MINDIRSIZ, off, UIO_SYSSPACE, IO_NODELOCKED | IO_NOMACCHECK, cred, - &count, (struct thread *)0); + NOCRED, &count, (struct thread *)0); /* * Since we read MINDIRSIZ, residual must * be 0 unless we're at end of file. @@ -1075,7 +1075,7 @@ ext2_checkpath(source, target, cred) } error = vn_rdwr(UIO_READ, vp, (caddr_t)&dirbuf, sizeof (struct dirtemplate), (off_t)0, UIO_SYSSPACE, - IO_NODELOCKED | IO_NOMACCHECK, cred, (int *)0, + IO_NODELOCKED | IO_NOMACCHECK, cred, NOCRED, (int *)0, (struct thread *)0); if (error != 0) break; diff --git a/sys/gnu/ext2fs/ext2_vnops.c b/sys/gnu/ext2fs/ext2_vnops.c index 915276d60007..8c93c0778cbf 100644 --- a/sys/gnu/ext2fs/ext2_vnops.c +++ b/sys/gnu/ext2fs/ext2_vnops.c @@ -1224,7 +1224,8 @@ abortit: error = vn_rdwr(UIO_READ, fvp, (caddr_t)&dirbuf, sizeof (struct dirtemplate), (off_t)0, UIO_SYSSPACE, IO_NODELOCKED | IO_NOMACCHECK, - tcnp->cn_cred, (int *)0, (struct thread *)0); + tcnp->cn_cred, NOCRED, (int *)0, + (struct thread *)0); if (error == 0) { /* Like ufs little-endian: */ namlen = dirbuf.dotdot_type; @@ -1241,7 +1242,8 @@ abortit: (off_t)0, UIO_SYSSPACE, IO_NODELOCKED | IO_SYNC | IO_NOMACCHECK, tcnp->cn_cred, - (int *)0, (struct thread *)0); + NOCRED, (int *)0, + (struct thread *)0); cache_purge(fdvp); } } @@ -1376,8 +1378,8 @@ ext2_mkdir(ap) dirtemplate.dotdot_reclen = DIRBLKSIZ - 12; error = vn_rdwr(UIO_WRITE, tvp, (caddr_t)&dirtemplate, sizeof (dirtemplate), (off_t)0, UIO_SYSSPACE, - IO_NODELOCKED | IO_SYNC | IO_NOMACCHECK, cnp->cn_cred, (int *)0, - (struct thread *)0); + IO_NODELOCKED | IO_SYNC | IO_NOMACCHECK, cnp->cn_cred, NOCRED, + (int *)0, (struct thread *)0); if (error) { dp->i_nlink--; dp->i_flag |= IN_CHANGE; @@ -1514,7 +1516,7 @@ ext2_symlink(ap) } else error = vn_rdwr(UIO_WRITE, vp, ap->a_target, len, (off_t)0, UIO_SYSSPACE, IO_NODELOCKED | IO_NOMACCHECK, - ap->a_cnp->cn_cred, (int *)0, (struct thread *)0); + ap->a_cnp->cn_cred, NOCRED, (int *)0, (struct thread *)0); if (error) vput(vp); return (error); diff --git a/sys/gnu/fs/ext2fs/ext2_lookup.c b/sys/gnu/fs/ext2fs/ext2_lookup.c index b550540d2dc4..bddc3bbfa084 100644 --- a/sys/gnu/fs/ext2fs/ext2_lookup.c +++ b/sys/gnu/fs/ext2fs/ext2_lookup.c @@ -1011,7 +1011,7 @@ ext2_dirempty(ip, parentino, cred) for (off = 0; off < ip->i_size; off += dp->rec_len) { error = vn_rdwr(UIO_READ, ITOV(ip), (caddr_t)dp, MINDIRSIZ, off, UIO_SYSSPACE, IO_NODELOCKED | IO_NOMACCHECK, cred, - &count, (struct thread *)0); + NOCRED, &count, (struct thread *)0); /* * Since we read MINDIRSIZ, residual must * be 0 unless we're at end of file. @@ -1075,7 +1075,7 @@ ext2_checkpath(source, target, cred) } error = vn_rdwr(UIO_READ, vp, (caddr_t)&dirbuf, sizeof (struct dirtemplate), (off_t)0, UIO_SYSSPACE, - IO_NODELOCKED | IO_NOMACCHECK, cred, (int *)0, + IO_NODELOCKED | IO_NOMACCHECK, cred, NOCRED, (int *)0, (struct thread *)0); if (error != 0) break; diff --git a/sys/gnu/fs/ext2fs/ext2_vnops.c b/sys/gnu/fs/ext2fs/ext2_vnops.c index 915276d60007..8c93c0778cbf 100644 --- a/sys/gnu/fs/ext2fs/ext2_vnops.c +++ b/sys/gnu/fs/ext2fs/ext2_vnops.c @@ -1224,7 +1224,8 @@ abortit: error = vn_rdwr(UIO_READ, fvp, (caddr_t)&dirbuf, sizeof (struct dirtemplate), (off_t)0, UIO_SYSSPACE, IO_NODELOCKED | IO_NOMACCHECK, - tcnp->cn_cred, (int *)0, (struct thread *)0); + tcnp->cn_cred, NOCRED, (int *)0, + (struct thread *)0); if (error == 0) { /* Like ufs little-endian: */ namlen = dirbuf.dotdot_type; @@ -1241,7 +1242,8 @@ abortit: (off_t)0, UIO_SYSSPACE, IO_NODELOCKED | IO_SYNC | IO_NOMACCHECK, tcnp->cn_cred, - (int *)0, (struct thread *)0); + NOCRED, (int *)0, + (struct thread *)0); cache_purge(fdvp); } } @@ -1376,8 +1378,8 @@ ext2_mkdir(ap) dirtemplate.dotdot_reclen = DIRBLKSIZ - 12; error = vn_rdwr(UIO_WRITE, tvp, (caddr_t)&dirtemplate, sizeof (dirtemplate), (off_t)0, UIO_SYSSPACE, - IO_NODELOCKED | IO_SYNC | IO_NOMACCHECK, cnp->cn_cred, (int *)0, - (struct thread *)0); + IO_NODELOCKED | IO_SYNC | IO_NOMACCHECK, cnp->cn_cred, NOCRED, + (int *)0, (struct thread *)0); if (error) { dp->i_nlink--; dp->i_flag |= IN_CHANGE; @@ -1514,7 +1516,7 @@ ext2_symlink(ap) } else error = vn_rdwr(UIO_WRITE, vp, ap->a_target, len, (off_t)0, UIO_SYSSPACE, IO_NODELOCKED | IO_NOMACCHECK, - ap->a_cnp->cn_cred, (int *)0, (struct thread *)0); + ap->a_cnp->cn_cred, NOCRED, (int *)0, (struct thread *)0); if (error) vput(vp); return (error); diff --git a/sys/i386/i386/vm_machdep.c b/sys/i386/i386/vm_machdep.c index 04742c325c98..9438af55a062 100644 --- a/sys/i386/i386/vm_machdep.c +++ b/sys/i386/i386/vm_machdep.c @@ -470,7 +470,8 @@ cpu_coredump(td, vp, cred) error = vn_rdwr(UIO_WRITE, vp, (caddr_t) tempuser, ctob(UAREA_PAGES + KSTACK_PAGES), - (off_t)0, UIO_SYSSPACE, IO_UNIT, cred, (int *)NULL, td); + (off_t)0, UIO_SYSSPACE, IO_UNIT, cred, NOCRED, + (int *)NULL, td); free(tempuser, M_TEMP); diff --git a/sys/ia64/ia64/vm_machdep.c b/sys/ia64/ia64/vm_machdep.c index cdb14b5e099b..bcf3e78305a5 100644 --- a/sys/ia64/ia64/vm_machdep.c +++ b/sys/ia64/ia64/vm_machdep.c @@ -375,12 +375,12 @@ cpu_coredump(td, vp, cred) error = vn_rdwr(UIO_WRITE, vp, (caddr_t) td->td_proc->p_uarea, ctob(UAREA_PAGES), (off_t)0, - UIO_SYSSPACE, IO_UNIT, cred, (int *)NULL, td); + UIO_SYSSPACE, IO_UNIT, cred, NOCRED, (int *)NULL, td); if (error) return error; error = vn_rdwr(UIO_WRITE, vp, (caddr_t) td->td_kstack, ctob(KSTACK_PAGES), (off_t)0, - UIO_SYSSPACE, IO_UNIT, cred, (int *)NULL, td); + UIO_SYSSPACE, IO_UNIT, cred, NOCRED,(int *)NULL, td); return error; } diff --git a/sys/kern/imgact_aout.c b/sys/kern/imgact_aout.c index 48eed907c799..9573928d9fea 100644 --- a/sys/kern/imgact_aout.c +++ b/sys/kern/imgact_aout.c @@ -268,14 +268,14 @@ aout_coredump(td, vp, limit) error = vn_rdwr(UIO_WRITE, vp, vm->vm_daddr, (int)ctob(vm->vm_dsize), (off_t)ctob(UAREA_PAGES + KSTACK_PAGES), UIO_USERSPACE, - IO_UNIT | IO_DIRECT, cred, (int *) NULL, td); + IO_UNIT | IO_DIRECT, cred, NOCRED, (int *) NULL, td); if (error == 0) error = vn_rdwr_inchunks(UIO_WRITE, vp, (caddr_t) trunc_page(USRSTACK - ctob(vm->vm_ssize)), round_page(ctob(vm->vm_ssize)), (off_t)ctob(UAREA_PAGES + KSTACK_PAGES) + ctob(vm->vm_dsize), UIO_USERSPACE, - IO_UNIT | IO_DIRECT, cred, (int *) NULL, td); + IO_UNIT | IO_DIRECT, cred, NOCRED, (int *) NULL, td); return (error); } diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index 7d79c1da53cc..2fd0d7fb1d9f 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -967,7 +967,8 @@ __elfN(coredump)(td, vp, limit) error = vn_rdwr_inchunks(UIO_WRITE, vp, (caddr_t)(uintptr_t)php->p_vaddr, php->p_filesz, offset, UIO_USERSPACE, - IO_UNIT | IO_DIRECT, cred, (int *)NULL, curthread); /* XXXKSE */ + IO_UNIT | IO_DIRECT, cred, NOCRED, (int *)NULL, + curthread); /* XXXKSE */ if (error != 0) break; offset += php->p_filesz; @@ -1131,7 +1132,8 @@ __elfN(corehdr)(td, vp, cred, numsegs, hdr, hdrsize) /* Write it to the core file. */ return vn_rdwr_inchunks(UIO_WRITE, vp, hdr, hdrsize, (off_t)0, - UIO_SYSSPACE, IO_UNIT | IO_DIRECT, cred, NULL, td); /* XXXKSE */ + UIO_SYSSPACE, IO_UNIT | IO_DIRECT, cred, NOCRED, NULL, + td); /* XXXKSE */ } static void diff --git a/sys/kern/kern_acct.c b/sys/kern/kern_acct.c index 071fc10abb8c..6bbf368b1034 100644 --- a/sys/kern/kern_acct.c +++ b/sys/kern/kern_acct.c @@ -267,7 +267,7 @@ acct_process(td) */ VOP_LEASE(vp, td, acctcred, LEASE_WRITE); return (vn_rdwr(UIO_WRITE, vp, (caddr_t)&acct, sizeof (acct), - (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, acctcred, + (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, acctcred, NOCRED, (int *)0, td)); } diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c index 30df164090c9..f29142493be9 100644 --- a/sys/kern/kern_descrip.c +++ b/sys/kern/kern_descrip.c @@ -96,9 +96,10 @@ static struct cdevsw fildesc_cdevsw = { /* flags */ 0, }; -static int do_dup(struct filedesc *fdp, int old, int new, register_t *retval, struct thread *td); +static int do_dup(struct filedesc *fdp, int old, int new, register_t *retval, + struct thread *td); static int badfo_readwrite(struct file *fp, struct uio *uio, - struct ucred *cred, int flags, struct thread *td); + struct ucred *active_cred, int flags, struct thread *td); static int badfo_ioctl(struct file *fp, u_long com, void *data, struct thread *td); static int badfo_poll(struct file *fp, int events, @@ -2145,10 +2146,10 @@ struct fileops badfileops = { }; static int -badfo_readwrite(fp, uio, cred, flags, td) +badfo_readwrite(fp, uio, active_cred, flags, td) struct file *fp; struct uio *uio; - struct ucred *cred; + struct ucred *active_cred; struct thread *td; int flags; { diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c index 4c85a2d10187..723565c24956 100644 --- a/sys/kern/kern_event.c +++ b/sys/kern/kern_event.c @@ -57,9 +57,9 @@ static int kqueue_scan(struct file *fp, int maxevents, struct kevent *ulistp, const struct timespec *timeout, struct thread *td); static int kqueue_read(struct file *fp, struct uio *uio, - struct ucred *cred, int flags, struct thread *td); + struct ucred *active_cred, int flags, struct thread *td); static int kqueue_write(struct file *fp, struct uio *uio, - struct ucred *cred, int flags, struct thread *td); + struct ucred *active_cred, int flags, struct thread *td); static int kqueue_ioctl(struct file *fp, u_long com, void *data, struct thread *td); static int kqueue_poll(struct file *fp, int events, struct ucred *cred, @@ -777,7 +777,7 @@ done: */ /*ARGSUSED*/ static int -kqueue_read(struct file *fp, struct uio *uio, struct ucred *cred, +kqueue_read(struct file *fp, struct uio *uio, struct ucred *active_cred, int flags, struct thread *td) { return (ENXIO); @@ -785,7 +785,7 @@ kqueue_read(struct file *fp, struct uio *uio, struct ucred *cred, /*ARGSUSED*/ static int -kqueue_write(struct file *fp, struct uio *uio, struct ucred *cred, +kqueue_write(struct file *fp, struct uio *uio, struct ucred *active_cred, int flags, struct thread *td) { return (ENXIO); diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c index e30e52c3c563..2952be0a8b57 100644 --- a/sys/kern/kern_linker.c +++ b/sys/kern/kern_linker.c @@ -1464,7 +1464,7 @@ linker_hints_lookup(const char *path, int pathlen, const char *modname, if (hints == NULL) goto bad; error = vn_rdwr(UIO_READ, nd.ni_vp, (caddr_t)hints, vattr.va_size, 0, - UIO_SYSSPACE, IO_NODELOCKED, cred, &reclen, td); + UIO_SYSSPACE, IO_NODELOCKED, cred, NOCRED, &reclen, td); if (error) goto bad; VOP_UNLOCK(nd.ni_vp, 0, td); diff --git a/sys/kern/link_aout.c b/sys/kern/link_aout.c index 5a863bd4d0e7..7a060802c5cd 100644 --- a/sys/kern/link_aout.c +++ b/sys/kern/link_aout.c @@ -211,7 +211,8 @@ link_aout_load_file(linker_class_t lc, const char* filename, linker_file_t* resu * Read the a.out header from the file. */ error = vn_rdwr(UIO_READ, nd.ni_vp, (void*) &header, sizeof header, 0, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); if (error) goto out; @@ -236,7 +237,8 @@ link_aout_load_file(linker_class_t lc, const char* filename, linker_file_t* resu */ error = vn_rdwr(UIO_READ, nd.ni_vp, (void*) af->address, header.a_text + header.a_data, 0, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); if (error) goto out; bzero(af->address + header.a_text + header.a_data, header.a_bss); diff --git a/sys/kern/link_elf.c b/sys/kern/link_elf.c index dd594051a998..e9c1516e19e9 100644 --- a/sys/kern/link_elf.c +++ b/sys/kern/link_elf.c @@ -570,7 +570,8 @@ link_elf_load_file(linker_class_t cls, const char* filename, linker_file_t* resu } hdr = (Elf_Ehdr *)firstpage; error = vn_rdwr(UIO_READ, nd.ni_vp, firstpage, PAGE_SIZE, 0, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); nbytes = PAGE_SIZE - resid; if (error) goto out; @@ -709,7 +710,8 @@ link_elf_load_file(linker_class_t cls, const char* filename, linker_file_t* resu caddr_t segbase = mapbase + segs[i]->p_vaddr - base_vaddr; error = vn_rdwr(UIO_READ, nd.ni_vp, segbase, segs[i]->p_filesz, segs[i]->p_offset, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); if (error) { goto out; } @@ -769,7 +771,8 @@ link_elf_load_file(linker_class_t cls, const char* filename, linker_file_t* resu } error = vn_rdwr(UIO_READ, nd.ni_vp, (caddr_t)shdr, nbytes, hdr->e_shoff, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); if (error) goto out; symtabindex = -1; @@ -794,12 +797,14 @@ link_elf_load_file(linker_class_t cls, const char* filename, linker_file_t* resu } error = vn_rdwr(UIO_READ, nd.ni_vp, ef->symbase, symcnt, shdr[symtabindex].sh_offset, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); if (error) goto out; error = vn_rdwr(UIO_READ, nd.ni_vp, ef->strbase, strcnt, shdr[symstrindex].sh_offset, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); if (error) goto out; diff --git a/sys/kern/link_elf_obj.c b/sys/kern/link_elf_obj.c index dd594051a998..e9c1516e19e9 100644 --- a/sys/kern/link_elf_obj.c +++ b/sys/kern/link_elf_obj.c @@ -570,7 +570,8 @@ link_elf_load_file(linker_class_t cls, const char* filename, linker_file_t* resu } hdr = (Elf_Ehdr *)firstpage; error = vn_rdwr(UIO_READ, nd.ni_vp, firstpage, PAGE_SIZE, 0, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); nbytes = PAGE_SIZE - resid; if (error) goto out; @@ -709,7 +710,8 @@ link_elf_load_file(linker_class_t cls, const char* filename, linker_file_t* resu caddr_t segbase = mapbase + segs[i]->p_vaddr - base_vaddr; error = vn_rdwr(UIO_READ, nd.ni_vp, segbase, segs[i]->p_filesz, segs[i]->p_offset, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); if (error) { goto out; } @@ -769,7 +771,8 @@ link_elf_load_file(linker_class_t cls, const char* filename, linker_file_t* resu } error = vn_rdwr(UIO_READ, nd.ni_vp, (caddr_t)shdr, nbytes, hdr->e_shoff, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); if (error) goto out; symtabindex = -1; @@ -794,12 +797,14 @@ link_elf_load_file(linker_class_t cls, const char* filename, linker_file_t* resu } error = vn_rdwr(UIO_READ, nd.ni_vp, ef->symbase, symcnt, shdr[symtabindex].sh_offset, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); if (error) goto out; error = vn_rdwr(UIO_READ, nd.ni_vp, ef->strbase, strcnt, shdr[symstrindex].sh_offset, - UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, &resid, td); + UIO_SYSSPACE, IO_NODELOCKED, td->td_ucred, NOCRED, + &resid, td); if (error) goto out; diff --git a/sys/kern/sys_generic.c b/sys/kern/sys_generic.c index 165284c472ca..ebe61b3e9d22 100644 --- a/sys/kern/sys_generic.c +++ b/sys/kern/sys_generic.c @@ -192,7 +192,7 @@ dofileread(td, fp, fd, buf, nbyte, offset, flags) #endif cnt = nbyte; - if ((error = fo_read(fp, &auio, fp->f_cred, flags, td))) { + if ((error = fo_read(fp, &auio, td->td_ucred, flags, td))) { if (auio.uio_resid != cnt && (error == ERESTART || error == EINTR || error == EWOULDBLOCK)) error = 0; @@ -282,7 +282,7 @@ readv(td, uap) } #endif cnt = auio.uio_resid; - if ((error = fo_read(fp, &auio, fp->f_cred, 0, td))) { + if ((error = fo_read(fp, &auio, td->td_ucred, 0, td))) { if (auio.uio_resid != cnt && (error == ERESTART || error == EINTR || error == EWOULDBLOCK)) error = 0; @@ -416,7 +416,7 @@ dofilewrite(td, fp, fd, buf, nbyte, offset, flags) cnt = nbyte; if (fp->f_type == DTYPE_VNODE) bwillwrite(); - if ((error = fo_write(fp, &auio, fp->f_cred, flags, td))) { + if ((error = fo_write(fp, &auio, td->td_ucred, flags, td))) { if (auio.uio_resid != cnt && (error == ERESTART || error == EINTR || error == EWOULDBLOCK)) error = 0; @@ -518,7 +518,7 @@ writev(td, uap) cnt = auio.uio_resid; if (fp->f_type == DTYPE_VNODE) bwillwrite(); - if ((error = fo_write(fp, &auio, fp->f_cred, 0, td))) { + if ((error = fo_write(fp, &auio, td->td_ucred, 0, td))) { if (auio.uio_resid != cnt && (error == ERESTART || error == EINTR || error == EWOULDBLOCK)) error = 0; diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c index 861a8b611172..cfba2de07d6a 100644 --- a/sys/kern/sys_pipe.c +++ b/sys/kern/sys_pipe.c @@ -95,9 +95,9 @@ * interfaces to the outside world */ static int pipe_read(struct file *fp, struct uio *uio, - struct ucred *cred, int flags, struct thread *td); + struct ucred *active_cred, int flags, struct thread *td); static int pipe_write(struct file *fp, struct uio *uio, - struct ucred *cred, int flags, struct thread *td); + struct ucred *active_cred, int flags, struct thread *td); static int pipe_close(struct file *fp, struct thread *td); static int pipe_poll(struct file *fp, int events, struct ucred *cred, struct thread *td); @@ -449,10 +449,10 @@ pipeselwakeup(cpipe) /* ARGSUSED */ static int -pipe_read(fp, uio, cred, flags, td) +pipe_read(fp, uio, active_cred, flags, td) struct file *fp; struct uio *uio; - struct ucred *cred; + struct ucred *active_cred; struct thread *td; int flags; { @@ -468,7 +468,7 @@ pipe_read(fp, uio, cred, flags, td) goto unlocked_error; #ifdef MAC - error = mac_check_pipe_op(td->td_ucred, rpipe, MAC_OP_PIPE_READ); + error = mac_check_pipe_op(active_cred, rpipe, MAC_OP_PIPE_READ); if (error) goto locked_error; #endif @@ -861,10 +861,10 @@ error1: #endif static int -pipe_write(fp, uio, cred, flags, td) +pipe_write(fp, uio, active_cred, flags, td) struct file *fp; struct uio *uio; - struct ucred *cred; + struct ucred *active_cred; struct thread *td; int flags; { @@ -884,7 +884,7 @@ pipe_write(fp, uio, cred, flags, td) return (EPIPE); } #ifdef MAC - error = mac_check_pipe_op(td->td_ucred, wpipe, MAC_OP_PIPE_WRITE); + error = mac_check_pipe_op(active_cred, wpipe, MAC_OP_PIPE_WRITE); if (error) { PIPE_UNLOCK(rpipe); return (error); diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c index 6202d8fe1edc..19f4d9b6620d 100644 --- a/sys/kern/sys_socket.c +++ b/sys/kern/sys_socket.c @@ -57,10 +57,10 @@ struct fileops socketops = { /* ARGSUSED */ int -soo_read(fp, uio, cred, flags, td) +soo_read(fp, uio, active_cred, flags, td) struct file *fp; struct uio *uio; - struct ucred *cred; + struct ucred *active_cred; struct thread *td; int flags; { @@ -75,10 +75,10 @@ soo_read(fp, uio, cred, flags, td) /* ARGSUSED */ int -soo_write(fp, uio, cred, flags, td) +soo_write(fp, uio, active_cred, flags, td) struct file *fp; struct uio *uio; - struct ucred *cred; + struct ucred *active_cred; struct thread *td; int flags; { diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index 2191574c0617..4d8d1740c56f 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -1849,10 +1849,15 @@ retry_lookup: */ bsize = vp->v_mount->mnt_stat.f_iosize; vn_lock(vp, LK_SHARED | LK_NOPAUSE | LK_RETRY, td); + /* + * XXXMAC: Because we don't have fp->f_cred here, + * we pass in NOCRED. This is probably wrong, but + * is consistent with our original implementation. + */ error = vn_rdwr(UIO_READ, vp, NULL, MAXBSIZE, trunc_page(off), UIO_NOCOPY, IO_NODELOCKED | IO_VMIO | ((MAXBSIZE / bsize) << 16), - td->td_ucred, &resid, td); + td->td_ucred, NOCRED, &resid, td); VOP_UNLOCK(vp, 0, td); vm_page_lock_queues(); vm_page_flag_clear(pg, PG_ZERO); diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c index 2f65b45da862..fdde26d75d78 100644 --- a/sys/kern/vfs_vnops.c +++ b/sys/kern/vfs_vnops.c @@ -67,13 +67,13 @@ static int vn_closefile(struct file *fp, struct thread *td); static int vn_ioctl(struct file *fp, u_long com, void *data, struct thread *td); static int vn_read(struct file *fp, struct uio *uio, - struct ucred *cred, int flags, struct thread *td); + struct ucred *active_cred, int flags, struct thread *td); static int vn_poll(struct file *fp, int events, struct ucred *cred, struct thread *td); static int vn_kqfilter(struct file *fp, struct knote *kn); static int vn_statfile(struct file *fp, struct stat *sb, struct thread *td); static int vn_write(struct file *fp, struct uio *uio, - struct ucred *cred, int flags, struct thread *td); + struct ucred *active_cred, int flags, struct thread *td); struct fileops vnops = { vn_read, vn_write, vn_ioctl, vn_poll, vn_kqfilter, @@ -355,7 +355,8 @@ sequential_heuristic(struct uio *uio, struct file *fp) * Package up an I/O request on a vnode into a uio and do it. */ int -vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, cred, aresid, td) +vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred, + aresid, td) enum uio_rw rw; struct vnode *vp; caddr_t base; @@ -363,13 +364,15 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, cred, aresid, td) off_t offset; enum uio_seg segflg; int ioflg; - struct ucred *cred; + struct ucred *active_cred; + struct ucred *file_cred; int *aresid; struct thread *td; { struct uio auio; struct iovec aiov; struct mount *mp; + struct ucred *cred; int error; if ((ioflg & IO_NODELOCKED) == 0) { @@ -398,14 +401,18 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, cred, aresid, td) #ifdef MAC if ((ioflg & IO_NOMACCHECK) == 0) { if (rw == UIO_READ) - error = mac_check_vnode_op(cred, vp, + error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_READ); else - error = mac_check_vnode_op(cred, vp, + error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_WRITE); } #endif if (error == 0) { + if (file_cred) + cred = file_cred; + else + cred = active_cred; if (rw == UIO_READ) error = VOP_READ(vp, &auio, ioflg, cred); else @@ -433,7 +440,8 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, cred, aresid, td) * core'ing the same binary, or unrelated processes scanning the directory). */ int -vn_rdwr_inchunks(rw, vp, base, len, offset, segflg, ioflg, cred, aresid, td) +vn_rdwr_inchunks(rw, vp, base, len, offset, segflg, ioflg, active_cred, + file_cred, aresid, td) enum uio_rw rw; struct vnode *vp; caddr_t base; @@ -441,7 +449,8 @@ vn_rdwr_inchunks(rw, vp, base, len, offset, segflg, ioflg, cred, aresid, td) off_t offset; enum uio_seg segflg; int ioflg; - struct ucred *cred; + struct ucred *active_cred; + struct ucred *file_cred; int *aresid; struct thread *td; { @@ -453,7 +462,7 @@ vn_rdwr_inchunks(rw, vp, base, len, offset, segflg, ioflg, cred, aresid, td) if (rw != UIO_READ && vp->v_type == VREG) bwillwrite(); error = vn_rdwr(rw, vp, base, chunk, offset, segflg, - ioflg, cred, aresid, td); + ioflg, active_cred, file_cred, aresid, td); len -= chunk; /* aresid calc already includes length */ if (error) break; @@ -470,10 +479,10 @@ vn_rdwr_inchunks(rw, vp, base, len, offset, segflg, ioflg, cred, aresid, td) * File table vnode read routine. */ static int -vn_read(fp, uio, cred, flags, td) +vn_read(fp, uio, active_cred, flags, td) struct file *fp; struct uio *uio; - struct ucred *cred; + struct ucred *active_cred; struct thread *td; int flags; { @@ -489,7 +498,7 @@ vn_read(fp, uio, cred, flags, td) ioflag |= IO_NDELAY; if (fp->f_flag & O_DIRECT) ioflag |= IO_DIRECT; - VOP_LEASE(vp, td, cred, LEASE_READ); + VOP_LEASE(vp, td, fp->f_cred, LEASE_READ); vn_lock(vp, LK_SHARED | LK_NOPAUSE | LK_RETRY, td); if ((flags & FOF_OFFSET) == 0) uio->uio_offset = fp->f_offset; @@ -497,10 +506,10 @@ vn_read(fp, uio, cred, flags, td) ioflag |= sequential_heuristic(uio, fp); #ifdef MAC - error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_READ); + error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_READ); if (error == 0) #endif - error = VOP_READ(vp, uio, ioflag, cred); + error = VOP_READ(vp, uio, ioflag, fp->f_cred); if ((flags & FOF_OFFSET) == 0) fp->f_offset = uio->uio_offset; fp->f_nextoff = uio->uio_offset; @@ -513,10 +522,10 @@ vn_read(fp, uio, cred, flags, td) * File table vnode write routine. */ static int -vn_write(fp, uio, cred, flags, td) +vn_write(fp, uio, active_cred, flags, td) struct file *fp; struct uio *uio; - struct ucred *cred; + struct ucred *active_cred; struct thread *td; int flags; { @@ -546,16 +555,16 @@ vn_write(fp, uio, cred, flags, td) mtx_unlock(&Giant); return (error); } - VOP_LEASE(vp, td, cred, LEASE_WRITE); + VOP_LEASE(vp, td, fp->f_cred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if ((flags & FOF_OFFSET) == 0) uio->uio_offset = fp->f_offset; ioflag |= sequential_heuristic(uio, fp); #ifdef MAC - error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE); + error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_WRITE); if (error == 0) #endif - error = VOP_WRITE(vp, uio, ioflag, cred); + error = VOP_WRITE(vp, uio, ioflag, fp->f_cred); if ((flags & FOF_OFFSET) == 0) fp->f_offset = uio->uio_offset; fp->f_nextoff = uio->uio_offset; diff --git a/sys/nfsclient/nfs_lock.c b/sys/nfsclient/nfs_lock.c index 32f9a1d23195..404fce95ffcb 100644 --- a/sys/nfsclient/nfs_lock.c +++ b/sys/nfsclient/nfs_lock.c @@ -168,7 +168,7 @@ nfs_dolock(struct vop_advlock_args *ap) VOP_LEASE(wvp, td, thread0.td_ucred, LEASE_WRITE); error = vn_rdwr(UIO_WRITE, wvp, (caddr_t)&msg, sizeof(msg), 0, - UIO_SYSSPACE, ioflg, thread0.td_ucred, NULL, td); + UIO_SYSSPACE, ioflg, thread0.td_ucred, NOCRED, NULL, td); if (error && (((ioflg & IO_NDELAY) == 0) || error != EAGAIN)) { break; diff --git a/sys/powerpc/aim/vm_machdep.c b/sys/powerpc/aim/vm_machdep.c index 7a9074dbcfa5..f593364bf4c0 100644 --- a/sys/powerpc/aim/vm_machdep.c +++ b/sys/powerpc/aim/vm_machdep.c @@ -240,7 +240,7 @@ cpu_coredump(td, vp, cred) { return (vn_rdwr(UIO_WRITE, vp, (caddr_t)td->td_proc->p_uarea, - ctob(UAREA_PAGES), (off_t)0, UIO_SYSSPACE, IO_UNIT, cred, + ctob(UAREA_PAGES), (off_t)0, UIO_SYSSPACE, IO_UNIT, cred, NOCRED, (int *)NULL, td)); } diff --git a/sys/powerpc/powerpc/vm_machdep.c b/sys/powerpc/powerpc/vm_machdep.c index 7a9074dbcfa5..f593364bf4c0 100644 --- a/sys/powerpc/powerpc/vm_machdep.c +++ b/sys/powerpc/powerpc/vm_machdep.c @@ -240,7 +240,7 @@ cpu_coredump(td, vp, cred) { return (vn_rdwr(UIO_WRITE, vp, (caddr_t)td->td_proc->p_uarea, - ctob(UAREA_PAGES), (off_t)0, UIO_SYSSPACE, IO_UNIT, cred, + ctob(UAREA_PAGES), (off_t)0, UIO_SYSSPACE, IO_UNIT, cred, NOCRED, (int *)NULL, td)); } diff --git a/sys/sys/file.h b/sys/sys/file.h index 640120fcae4e..ca6cc055b916 100644 --- a/sys/sys/file.h +++ b/sys/sys/file.h @@ -81,9 +81,11 @@ struct file { struct ucred *f_cred; /* credentials associated with descriptor */ struct fileops { int (*fo_read)(struct file *fp, struct uio *uio, - struct ucred *cred, int flags, struct thread *td); + struct ucred *active_cred, int flags, + struct thread *td); int (*fo_write)(struct file *fp, struct uio *uio, - struct ucred *cred, int flags, struct thread *td); + struct ucred *active_cred, int flags, + struct thread *td); #define FOF_OFFSET 1 int (*fo_ioctl)(struct file *fp, u_long com, void *data, struct thread *td); @@ -174,9 +176,9 @@ void fputsock(struct socket *sp); } while (0) static __inline int fo_read(struct file *fp, struct uio *uio, - struct ucred *cred, int flags, struct thread *td); + struct ucred *active_cred, int flags, struct thread *td); static __inline int fo_write(struct file *fp, struct uio *uio, - struct ucred *cred, int flags, struct thread *td); + struct ucred *active_cred, int flags, struct thread *td); static __inline int fo_ioctl(struct file *fp, u_long com, void *data, struct thread *td); static __inline int fo_poll(struct file *fp, int events, @@ -188,27 +190,27 @@ static __inline int fo_kqfilter(struct file *fp, struct knote *kn); struct proc; static __inline int -fo_read(fp, uio, cred, flags, td) +fo_read(fp, uio, active_cred, flags, td) struct file *fp; struct uio *uio; - struct ucred *cred; + struct ucred *active_cred; struct thread *td; int flags; { - return ((*fp->f_ops->fo_read)(fp, uio, cred, flags, td)); + return ((*fp->f_ops->fo_read)(fp, uio, active_cred, flags, td)); } static __inline int -fo_write(fp, uio, cred, flags, td) +fo_write(fp, uio, active_cred, flags, td) struct file *fp; struct uio *uio; - struct ucred *cred; + struct ucred *active_cred; struct thread *td; int flags; { - return ((*fp->f_ops->fo_write)(fp, uio, cred, flags, td)); + return ((*fp->f_ops->fo_write)(fp, uio, active_cred, flags, td)); } static __inline int diff --git a/sys/sys/socketvar.h b/sys/sys/socketvar.h index 9d0a220e4323..e5979519ac52 100644 --- a/sys/sys/socketvar.h +++ b/sys/sys/socketvar.h @@ -345,10 +345,10 @@ struct uio; /* * File operations on sockets. */ -int soo_read(struct file *fp, struct uio *uio, struct ucred *cred, - int flags, struct thread *td); -int soo_write(struct file *fp, struct uio *uio, struct ucred *cred, +int soo_read(struct file *fp, struct uio *uio, struct ucred *active_cred, int flags, struct thread *td); +int soo_write(struct file *fp, struct uio *uio, + struct ucred *active_cred, int flags, struct thread *td); int soo_close(struct file *fp, struct thread *td); int soo_ioctl(struct file *fp, u_long cmd, void *data, struct thread *td); diff --git a/sys/sys/vnode.h b/sys/sys/vnode.h index db76e95b1e85..8bd1bacfdfbd 100644 --- a/sys/sys/vnode.h +++ b/sys/sys/vnode.h @@ -719,10 +719,12 @@ void vn_pollgone(struct vnode *vp); int vn_pollrecord(struct vnode *vp, struct thread *p, int events); int vn_rdwr(enum uio_rw rw, struct vnode *vp, caddr_t base, int len, off_t offset, enum uio_seg segflg, int ioflg, - struct ucred *cred, int *aresid, struct thread *td); + struct ucred *active_cred, struct ucred *file_cred, int *aresid, + struct thread *td); int vn_rdwr_inchunks(enum uio_rw rw, struct vnode *vp, caddr_t base, int len, off_t offset, enum uio_seg segflg, int ioflg, - struct ucred *cred, int *aresid, struct thread *td); + struct ucred *active_cred, struct ucred *file_cred, int *aresid, + struct thread *td); int vn_stat(struct vnode *vp, struct stat *sb, struct thread *td); int vn_start_write(struct vnode *vp, struct mount **mpp, int flags); dev_t vn_todev(struct vnode *vp); diff --git a/sys/ufs/ufs/ufs_lookup.c b/sys/ufs/ufs/ufs_lookup.c index 121e975e3bb6..12030b9b892e 100644 --- a/sys/ufs/ufs/ufs_lookup.c +++ b/sys/ufs/ufs/ufs_lookup.c @@ -1153,7 +1153,7 @@ ufs_dirempty(ip, parentino, cred) for (off = 0; off < ip->i_size; off += dp->d_reclen) { error = vn_rdwr(UIO_READ, ITOV(ip), (caddr_t)dp, MINDIRSIZ, off, UIO_SYSSPACE, IO_NODELOCKED | IO_NOMACCHECK, cred, - &count, (struct thread *)0); + NOCRED, &count, (struct thread *)0); /* * Since we read MINDIRSIZ, residual must * be 0 unless we're at end of file. @@ -1225,7 +1225,7 @@ ufs_checkpath(source, target, cred) } error = vn_rdwr(UIO_READ, vp, (caddr_t)&dirbuf, sizeof (struct dirtemplate), (off_t)0, UIO_SYSSPACE, - IO_NODELOCKED | IO_NOMACCHECK, cred, (int *)0, + IO_NODELOCKED | IO_NOMACCHECK, cred, NOCRED, (int *)0, (struct thread *)0); if (error != 0) break; diff --git a/sys/ufs/ufs/ufs_vnops.c b/sys/ufs/ufs/ufs_vnops.c index 35bbbba23308..6ce6d02ae432 100644 --- a/sys/ufs/ufs/ufs_vnops.c +++ b/sys/ufs/ufs/ufs_vnops.c @@ -1822,7 +1822,7 @@ ufs_symlink(ap) } else error = vn_rdwr(UIO_WRITE, vp, ap->a_target, len, (off_t)0, UIO_SYSSPACE, IO_NODELOCKED | IO_NOMACCHECK, - ap->a_cnp->cn_cred, (int *)0, (struct thread *)0); + ap->a_cnp->cn_cred, NOCRED, (int *)0, (struct thread *)0); if (error) vput(vp); return (error); |