From b614dd131a50263a47300a086844dbff6c58434d Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Sat, 19 Oct 2002 21:25:51 +0000
Subject: [PATCH] Add a new 'NOMACCHECK' flag to namei() NDINIT flags, which permits the caller to indicate that MAC checks are not required for the lookup. Similar to IO_NOMACCHECK for vn_rdwr(), this indicates that the caller has already performed all required protections and that this is an internally generated operation. This will be used by the NFS server code, as we don't currently enforce MAC protections against requests delivered via NFS.

While here, add NOCROSSMOUNT to PARAMASK; apparently this was used at one point for name lookup flag checking, but isn't any longer or it would have triggered from the NFS server code passing it to indicate that mountpoints shouldn't be crossed in lookups.

Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/kern/vfs_lookup.c | 17 +++++++++++------
 sys/sys/namei.h | 3 ++-
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c
index db1b34237922..f064b6460ad9 100644
--- a/sys/kern/vfs_lookup.c
+++ b/sys/kern/vfs_lookup.c
@@ -216,9 +216,12 @@ namei(ndp)
 break;
 }
 #ifdef MAC
- error = mac_check_vnode_readlink(td->td_ucred, ndp->ni_vp);
- if (error)
- break;
+ if ((cnp->cn_flags & NOMACCHECK) == 0) {
+ error = mac_check_vnode_readlink(td->td_ucred,
+ ndp->ni_vp);
+ if (error)
+ break;
+ }
 #endif
 if (ndp->ni_pathlen > 1)
 cp = uma_zalloc(namei_zone, M_WAITOK);
@@ -471,9 +474,11 @@ lookup(ndp)
 */
 unionlookup:
 #ifdef MAC
- error = mac_check_vnode_lookup(td->td_ucred, dp, cnp);
- if (error)
- goto bad;
+ if ((cnp->cn_flags & NOMACCHECK) == 0) {
+ error = mac_check_vnode_lookup(td->td_ucred, dp, cnp);
+ if (error)
+ goto bad;
+ }
 #endif
 ndp->ni_dvp = dp;
 ndp->ni_vp = NULL;
diff --git a/sys/sys/namei.h b/sys/sys/namei.h
index a06a045bc83a..00e76438ad91 100644
--- a/sys/sys/namei.h
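Review bot: The new guard skips mac_check_vnode_readlink() on the strength of a caller-supplied bit in cnp->cn_flags, and nothing at the bypass site says why that is acceptable; the identical guard in the lookup() hunk below has the same gap. A one-line comment above each `if ((cnp->cn_flags & NOMACCHECK) == 0)` would keep the contract visible at the point where policy is skipped, e.g. `/* NOMACCHECK: internal lookup, caller has already enforced MAC policy. */`. Because the commit message says PARAMASK is no longer used to validate flags, nothing here rejects NOMACCHECK arriving from an unexpected path, so any caller that derives cn_flags from less trusted input should mask the bit off before NDINIT; I cannot see those callers from this hunk. Both namei() and lookup() start and end outside their hunks.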
+++ b/sys/sys/namei.h
@@ -144,7 +144,8 @@ struct nameidata {
 #define ISUNICODE 0x100000 /* current component name is unicode*/
 #define PDIRUNLOCK 0x200000 /* filesystem lookup() unlocked parent dir */
 #define NOCROSSMOUNT 0x400000 /* do not cross mount points */
-#define PARAMASK 0x3ffe00 /* mask of parameter descriptors */
+#define NOMACCHECK 0x800000 /* do not perform MAC checks */
+#define PARAMASK 0xfffe00 /* mask of parameter descriptors */
 
 /*
 * Initialization of an nameidata structure.
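Review bot: The comment on the new define, `/* do not perform MAC checks */`, says what the bit does but not who may set it, which is the part a future caller of NDINIT() needs before using it. Consider `/* skip MAC checks: internal op, caller already enforced policy */`, matching the commit message's description of the flag. The PARAMASK comment is unchanged although its value now also covers NOCROSSMOUNT and NOMACCHECK, so a short note that the widening is deliberate would save the next reader a trip to the commit log. The trailing context is the start of a comment block that continues outside the hunk.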