FreeBSD: Remove unused SECLABEL code

SECLABEL is undefined on FreeBSD and should be pruned.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Ryan Moeller <freqlabs@FreeBSD.org>
Closes #10847
This commit is contained in:
Ryan Moeller 2020-08-31 22:52:46 -04:00 committed by GitHub
parent 46b7d53baf
commit 88d19d7cc2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1267,193 +1267,6 @@ zfs_unregister_callbacks(zfsvfs_t *zfsvfs)
dsl_prop_unregister_all(dmu_objset_ds(os), zfsvfs); dsl_prop_unregister_all(dmu_objset_ds(os), zfsvfs);
} }
#ifdef SECLABEL
/*
* Convert a decimal digit string to a uint64_t integer.
*/
static int
str_to_uint64(char *str, uint64_t *objnum)
{
uint64_t num = 0;
while (*str) {
if (*str < '0' || *str > '9')
return (SET_ERROR(EINVAL));
num = num*10 + *str++ - '0';
}
*objnum = num;
return (0);
}
/*
* The boot path passed from the boot loader is in the form of
* "rootpool-name/root-filesystem-object-number'. Convert this
* string to a dataset name: "rootpool-name/root-filesystem-name".
*/
static int
zfs_parse_bootfs(char *bpath, char *outpath)
{
char *slashp;
uint64_t objnum;
int error;
if (*bpath == 0 || *bpath == '/')
return (SET_ERROR(EINVAL));
(void) strcpy(outpath, bpath);
slashp = strchr(bpath, '/');
/* if no '/', just return the pool name */
if (slashp == NULL) {
return (0);
}
/* if not a number, just return the root dataset name */
if (str_to_uint64(slashp+1, &objnum)) {
return (0);
}
*slashp = '\0';
error = dsl_dsobj_to_dsname(bpath, objnum, outpath);
*slashp = '/';
return (error);
}
/*
* Check that the hex label string is appropriate for the dataset being
* mounted into the global_zone proper.
*
* Return an error if the hex label string is not default or
* admin_low/admin_high. For admin_low labels, the corresponding
* dataset must be readonly.
*/
int
zfs_check_global_label(const char *dsname, const char *hexsl)
{
if (strcasecmp(hexsl, ZFS_MLSLABEL_DEFAULT) == 0)
return (0);
if (strcasecmp(hexsl, ADMIN_HIGH) == 0)
return (0);
if (strcasecmp(hexsl, ADMIN_LOW) == 0) {
/* must be readonly */
uint64_t rdonly;
if (dsl_prop_get_integer(dsname,
zfs_prop_to_name(ZFS_PROP_READONLY), &rdonly, NULL))
return (SET_ERROR(EACCES));
return (rdonly ? 0 : EACCES);
}
return (SET_ERROR(EACCES));
}
/*
* Determine whether the mount is allowed according to MAC check.
* by comparing (where appropriate) label of the dataset against
* the label of the zone being mounted into. If the dataset has
* no label, create one.
*
* Returns 0 if access allowed, error otherwise (e.g. EACCES)
*/
static int
zfs_mount_label_policy(vfs_t *vfsp, char *osname)
{
int error, retv;
zone_t *mntzone = NULL;
ts_label_t *mnt_tsl;
bslabel_t *mnt_sl;
bslabel_t ds_sl;
char ds_hexsl[MAXNAMELEN];
retv = EACCES; /* assume the worst */
/*
* Start by getting the dataset label if it exists.
*/
error = dsl_prop_get(osname, zfs_prop_to_name(ZFS_PROP_MLSLABEL),
1, sizeof (ds_hexsl), &ds_hexsl, NULL);
if (error)
return (SET_ERROR(EACCES));
/*
* If labeling is NOT enabled, then disallow the mount of datasets
* which have a non-default label already. No other label checks
* are needed.
*/
if (!is_system_labeled()) {
if (strcasecmp(ds_hexsl, ZFS_MLSLABEL_DEFAULT) == 0)
return (0);
return (SET_ERROR(EACCES));
}
/*
* Get the label of the mountpoint. If mounting into the global
* zone (i.e. mountpoint is not within an active zone and the
* zoned property is off), the label must be default or
* admin_low/admin_high only; no other checks are needed.
*/
mntzone = zone_find_by_any_path(vfsp->vfs_mntpt, B_FALSE);
if (mntzone->zone_id == GLOBAL_ZONEID) {
uint64_t zoned;
zone_rele(mntzone);
if (dsl_prop_get_integer(osname,
zfs_prop_to_name(ZFS_PROP_ZONED), &zoned, NULL))
return (SET_ERROR(EACCES));
if (!zoned)
return (zfs_check_global_label(osname, ds_hexsl));
else
/*
* This is the case of a zone dataset being mounted
* initially, before the zone has been fully created;
* allow this mount into global zone.
*/
return (0);
}
mnt_tsl = mntzone->zone_slabel;
ASSERT(mnt_tsl != NULL);
label_hold(mnt_tsl);
mnt_sl = label2bslabel(mnt_tsl);
if (strcasecmp(ds_hexsl, ZFS_MLSLABEL_DEFAULT) == 0) {
/*
* The dataset doesn't have a real label, so fabricate one.
*/
char *str = NULL;
if (l_to_str_internal(mnt_sl, &str) == 0 &&
dsl_prop_set_string(osname,
zfs_prop_to_name(ZFS_PROP_MLSLABEL),
ZPROP_SRC_LOCAL, str) == 0)
retv = 0;
if (str != NULL)
kmem_free(str, strlen(str) + 1);
} else if (hexstr_to_label(ds_hexsl, &ds_sl) == 0) {
/*
* Now compare labels to complete the MAC check. If the
* labels are equal then allow access. If the mountpoint
* label dominates the dataset label, allow readonly access.
* Otherwise, access is denied.
*/
if (blequal(mnt_sl, &ds_sl))
retv = 0;
else if (bldominates(mnt_sl, &ds_sl)) {
vfs_setmntopt(vfsp, MNTOPT_RO, NULL, 0);
retv = 0;
}
}
label_rele(mnt_tsl);
zone_rele(mntzone);
return (retv);
}
#endif /* SECLABEL */
static int static int
getpoolname(const char *osname, char *poolname) getpoolname(const char *osname, char *poolname)
{ {
@ -1544,12 +1357,6 @@ zfs_mount(vfs_t *vfsp)
goto out; goto out;
} }
#ifdef SECLABEL
error = zfs_mount_label_policy(vfsp, osname);
if (error)
goto out;
#endif
vfsp->vfs_flag |= MNT_NFS4ACLS; vfsp->vfs_flag |= MNT_NFS4ACLS;
/* /*