if (!mac_vnode_enforce)
return (0);
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return (0);
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_notify_create, cred, mp, mp->mnt_mntlabel,
dvp, dvp->v_label, vp, vp->v_label, cnp);
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_rename, cred, vp, vp->v_label,
dvp, dvp->v_label, cnp);
}
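Review bot: The new guard `if (!mac_cred_check_enforce(cred))` drops the `MAC_VNODE_ENFORCE` argument that the removed `mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)` call carried, so the exemption is presumably now decided from the credential alone rather than per subsystem; the helper's definition is not visible here, so that should be confirmed. A false result skips the policy callout entirely, and in the MAC_CHECK hooks it returns 0, which callers will read as allowed, so any broadening of who is exempt is a fail-open change for every vnode and mount hook. The same substitution is made in the vnode_notify_create hunk above and in each vnode_notify_*, vnode_check_* and mount_check_* hunk that follows. I would add a comment above the guard in each function, for example `/* exemption is per-credential; no per-subsystem class is consulted */`, once the intent is confirmed. The enclosing function starts outside this hunk.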
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_open, cred, vp, vp->v_label, acc_flags);
}
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_link, cred, dvp, dvp->v_label, vp, vp->v_label, cnp);
}
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_deleteextattr, cred, vp, vp->v_label, name);
}
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_setacl, cred, vp, vp->v_label, acl);
}
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_setattrlist, cred, vp, vp->v_label, alist);
}
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_setextattr, cred, vp, vp->v_label, name, uio);
}
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_setflags, cred, vp, vp->v_label, flags);
}
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_setmode, cred, vp, vp->v_label, mode);
}
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_setowner, cred, vp, vp->v_label, uid, gid);
}
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_setutimes, cred, vp, vp->v_label, atime, mtime);
}
if (!mac_vnode_enforce)
return;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return;
MAC_PERFORM(vnode_notify_truncate, cred, file_cred, vp, vp->v_label);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_label_vnodes ||
- !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
+ if (!mac_label_vnodes)
return 0;
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_label_store, cred, vp, vp->v_label, intlabel);
return (error);
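Review bot: The added `return (0);` sits between context lines that use `return 0;` in the same function, so the early exits now mix two return styles. Use one form, e.g. `return 0;`, to match the surrounding lines. The same mix appears in most of the vnode_check_* and mount_check_* hunks below. The function starts outside this hunk.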
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
/* Convert {R,W,X}_OK values to V{READ,WRITE,EXEC} for entry points */
mask = ACCESS_MODE_TO_VNODE_MASK(acc_mode);
MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, mask);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label, cnp);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_clone, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label, name);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_exchangedata, cred, v1, v1->v_label,
v2, v2->v_label);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_getattr, cred, file_cred, vp, vp->v_label, va);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_getattrlist, cred, vp, vp->v_label, alist);
/* Falsify results instead of returning error? */
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_fsgetpath, cred, vp, vp->v_label);
return (error);
}
int
mac_vnode_check_signature(struct vnode *vp, struct cs_blob *cs_blob,
struct image_params *imgp,
- unsigned int *cs_flags, int flags)
+ unsigned int *cs_flags, unsigned int *signer_type,
+ int flags)
{
int error;
char *fatal_failure_desc = NULL;
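Review bot: The new `signer_type` out-parameter has no documented contract: nothing in the visible lines says who initialises `*signer_type` or what value it holds when no policy writes it. It is handed straight to the `vnode_check_signature` hook, so if the hook is absent or returns before storing, the caller would consume whatever it passed in. A header comment such as `/* signer_type: out; caller must preset to a defined default, policies may overwrite */` would settle it, assuming that is the intended contract. The function body continues outside this hunk.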
#endif
MAC_CHECK(vnode_check_signature, vp, vp->v_label, cs_blob,
- cs_flags, flags, &fatal_failure_desc, &fatal_failure_desc_len);
+ cs_flags, signer_type, flags, &fatal_failure_desc, &fatal_failure_desc_len);
if (fatal_failure_desc_len) {
// A fatal code signature validation failure occured, formulate a crash
int reason_error = 0;
int kcdata_error = 0;
- if ((reason_error = os_reason_alloc_buffer(reason, kcdata_estimate_required_buffer_size
+ if ((reason_error = os_reason_alloc_buffer_noblock(reason, kcdata_estimate_required_buffer_size
(1, fatal_failure_desc_len))) == 0 &&
(kcdata_error = kcdata_get_memory_addr(&reason->osr_kcd_descriptor,
EXIT_REASON_USER_DESC, fatal_failure_desc_len,
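Review bot: Switching to `os_reason_alloc_buffer_noblock` means the allocation can now fail where the blocking variant would have waited, and the branch that handles a non-zero `reason_error` is outside this hunk. Since this path reports a fatal code-signature failure, the failure branch should only lose the description string and never the failure itself; that is worth confirming and stating in a comment, e.g. `/* noblock: on failure the crash reason is sent without the description */`. The `if` condition is cut at the end of the hunk, so this is inferred from the visible lines.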
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
name, uio);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_ioctl, cred, vp, vp->v_label, cmd);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_kqfilter, cred, file_cred, kn, vp,
vp->v_label);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label);
return (error);
}
+int
+mac_vnode_check_lookup_preflight(vfs_context_t ctx, struct vnode *dvp,
+ const char *path, size_t pathlen)
+{
+ kauth_cred_t cred;
+ int error;
+
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_vnode_enforce)
+ return 0;
+#endif
+ cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
+ MAC_CHECK(vnode_check_lookup_preflight, cred, dvp, dvp->v_label, path, pathlen);
+ return (error);
+}
+
int
mac_vnode_check_lookup(vfs_context_t ctx, struct vnode *dvp,
struct componentname *cnp)
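Review bot: `mac_vnode_check_lookup_preflight` is added without any statement of the `path`/`pathlen` contract: whether `path` is NUL-terminated, whether `pathlen` counts the terminator, and whether the string is the caller-supplied, unresolved path. If it is unresolved, policies should not treat it as canonical, since symlinks and `..` can make it name a different object than the one finally looked up; the per-component `vnode_check_lookup` hook presumably remains the authoritative check. `dvp->v_label` is also read unconditionally, so the comment should say `dvp` must be non-NULL. I would add a header comment saying so, and replace the copied `/* 21167099 - only check if we allow write */` with a line that describes the guard, such as `/* skip all policy callouts when vnode enforcement is disabled */`.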
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, acc_mode);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_read, cred, file_cred, vp,
vp->v_label);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_label_update, cred, vp, vp->v_label, newlabel);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_searchfs, cred, vp, vp->v_label, alist);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_select, cred, vp, vp->v_label, which);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, acl);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_setattrlist, cred, vp, vp->v_label, alist);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
name, uio);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
mtime);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_stat, cred, file_cred, vp,
vp->v_label);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_truncate, cred, file_cred, vp,
vp->v_label);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_write, cred, file_cred, vp, vp->v_label);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_uipc_bind, cred, dvp, dvp->v_label, cnp, vap);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(vnode_check_uipc_connect, cred, vp, vp->v_label, (socket_t) so);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(mount_check_mount, cred, vp, vp->v_label, cnp, vfc_name);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(mount_check_snapshot_create, cred, mp, name);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(mount_check_snapshot_delete, cred, mp, name);
return (error);
}
int
-mac_mount_check_remount(vfs_context_t ctx, struct mount *mp)
+mac_mount_check_snapshot_revert(vfs_context_t ctx, struct mount *mp,
+ const char *name)
{
kauth_cred_t cred;
int error;
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
+ cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
+ MAC_CHECK(mount_check_snapshot_revert, cred, mp, name);
+ return (error);
+}
+
+int
+mac_mount_check_remount(vfs_context_t ctx, struct mount *mp)
+{
+ kauth_cred_t cred;
+ int error;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_vnode_enforce)
+ return 0;
+#endif
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(mount_check_remount, cred, mp, mp->mnt_mntlabel);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(mount_check_umount, cred, mp, mp->mnt_mntlabel);
return (error);
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(mount_check_getattr, cred, mp, mp->mnt_mntlabel, vfa);
return (error);
}
if (!mac_vnode_enforce)
return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(mount_check_setattr, cred, mp, mp->mnt_mntlabel, vfa);
return (error);
}
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_vnode_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_vnode_enforce)
+ return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_mntlabel);
return (error);
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_vnode_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_vnode_enforce)
+ return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(mount_check_label_update, cred, mount, mount->mnt_mntlabel);
return (error);
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_vnode_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_vnode_enforce)
+ return 0;
#endif
- if (!mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE))
- return 0;
-
cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred))
+ return (0);
MAC_CHECK(mount_check_fsctl, cred, mp, mp->mnt_mntlabel, cmd);
return (error);
const char *fullpath)
{
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_device_enforce)
- return;
+ /* 21167099 - only check if we allow write */
+ if (!mac_device_enforce)
+ return;
#endif
MAC_PERFORM(devfs_label_associate_device, dev, de, de->dn_label,
struct devnode *de, const char *fullpath)
{
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_device_enforce)
- return;
+ /* 21167099 - only check if we allow write */
+ if (!mac_device_enforce)
+ return;
#endif
MAC_PERFORM(devfs_label_associate_directory, dirname, dirnamelen, de,
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_vnode_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_vnode_enforce)
+ return 0;
#endif
if (!mac_label_vnodes)
return (0);