PERFORCE change 95689 for review
Todd Miller
millert at FreeBSD.org
Thu Apr 20 15:47:07 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=95689
Change 95689 by millert at millert_g5tower on 2006/04/20 15:46:01
Convert SEBSDCALL_GETUSERSIDS, SEBSDCALL_GETFILESIDS and
SEBSDCALL_CHANGE_SID to sysctls.
Move struct lp_args definition to sebsd_syscalls.h
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_syscall.c#14 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_syscalls.h#9 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_sysctl.c#9 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_syscall.c#14 (text+ko) ====
@@ -51,11 +51,6 @@
#define MAX_UC 510
-struct lp_args {
- void *data;
- size_t len;
-};
-
static int
sys_load_policy(struct proc *td, void *data, size_t len)
{
@@ -98,137 +93,7 @@
return (rc);
}
-/*
- * Lists the SIDs currently available for transition to by a given
- * "context\0username\0"
- *
- * or, lists the SIDs that a given context can relabel files to. (username is ignored)
- */
-static int
-sys_get_sids(int function, char *context, char *username, char *out, int *outlen)
-{
- u_int32_t n, nsids, scontext_len;
- u_int32_t *sids, sid;
- char * scontext;
- int error;
- int olen = 1;
- int ubufsz;
-
- if (copyin(outlen, &ubufsz, sizeof(int))) {
- error = EFAULT;
- goto out;
- }
-
- /*
- * XXX We need POLICY_RDLOCK here, but it's not exported!
- */
- error = security_context_to_sid(context, strlen (context), &sid);
- if (error)
- goto out;
- switch (function) {
- case SEBSDCALL_GETUSERSIDS:
- error = security_get_user_sids(sid, username, &sids, &nsids);
- break;
-
- case SEBSDCALL_GETFILESIDS:
- error = security_get_file_sids(sid, SECCLASS_FILE, &sids,
- &nsids);
- break;
-
- default:
- error = ENOSYS;
- break;
- }
- if (error)
- goto out;
- for (n = 0; n < nsids; n++) {
- error = security_sid_to_context(sids[n], &scontext,
- &scontext_len);
- if (error)
- goto out2;
- if (out && olen + scontext_len <= ubufsz) {
- error = copyout(scontext, out, scontext_len);
- out += scontext_len;
- } else if (out)
- error = ENOMEM;
- olen += scontext_len;
- security_free_context(scontext);
- if (error)
- goto out2;
- }
- error = copyout(&olen, outlen, sizeof(int));
-out2:
- sebsd_free(sids, M_SEBSD);
-out:
- return (error);
-}
-
static int
-sys_change_sid(char *domains, char *sources, char *sclasss, char *out,
- int *outlen)
-{
- u_int32_t domain, source;
- struct class_datum *cld;
- char *outc;
- int error;
- int ubufsz, outclen;
-
- if (copyin(outlen, &ubufsz, sizeof(int)))
- return (EFAULT);
-
- /*
- * XXX We need POLICY_RDLOCK here, but it's not exported!
- */
- error = security_context_to_sid(sources, strlen (sources), &source);
- if (error)
- return (error);
-
- error = security_context_to_sid(domains, strlen (domains), &domain);
- if (error)
- return (error);
-
- cld = hashtab_search(policydb.p_classes.table, sclasss);
- if (cld == NULL)
- return (EINVAL);
-
- error = security_change_sid(domain, source, cld->value, &source);
- if (error)
- return (error);
- error = security_sid_to_context(source, &outc, &outclen);
- if (error)
- return (error);
- if (out) {
- if (outclen > ubufsz) {
- error = ENOMEM;
- goto out;
- }
- error = copyout(outc, out, outclen);
- if (error)
- goto out;
- }
- error = copyout(&outclen, outlen, sizeof(int));
-
-out:
- security_free_context (outc);
- return (error);
-}
-
-struct getsid_args {
- char *ctx;
- char *usr;
- char *out;
- int *outlen;
-};
-
-struct changesid_args {
- char *domain;
- char *source;
- char *sclass;
- char *out;
- int *outlen;
-};
-
-static int
sebsd_get_bools(struct proc *td, struct sebsd_get_bools *gb)
{
char *out = NULL;
@@ -263,74 +128,6 @@
error = sys_load_migscs(td, p.data, p.len);
break;
- case SEBSDCALL_GETUSERSIDS:
- case SEBSDCALL_GETFILESIDS:
- {
- struct getsid_args uap;
- size_t dummy;
- char *ctx, *usr;
-
- error = copyin(args, &uap, sizeof(struct getsid_args));
- if (error)
- return (error);
- ctx = sebsd_malloc(MAX_UC, M_SEBSD, M_WAITOK);
- error = copyinstr(uap.ctx, ctx, MAX_UC, &dummy);
- if (error) {
- sebsd_free(ctx, M_SEBSD);
- return (error);
- }
- usr = sebsd_malloc(MAX_UC, M_SEBSD, M_WAITOK);
- error = copyinstr(uap.usr, usr, MAX_UC, &dummy);
- if (error) {
- sebsd_free(ctx, M_SEBSD);
- sebsd_free(usr, M_SEBSD);
- return (error);
- }
- ctx[MAX_UC-1] = 0;
- usr[MAX_UC-1] = 0;
- error = sys_get_sids(call, ctx, usr, uap.out, uap.outlen);
- sebsd_free(ctx, M_SEBSD);
- sebsd_free(usr, M_SEBSD);
- break;
- }
-
- case SEBSDCALL_CHANGE_SID:
- {
- struct changesid_args uap;
- size_t dummy;
- char *doms, *srcs, *scs;
-
- error = copyin(args, &uap, sizeof(struct changesid_args));
- if (error)
- return (error);
- doms = sebsd_malloc(MAX_UC, M_SEBSD, M_WAITOK);
- error = copyinstr(uap.domain, doms, MAX_UC, &dummy);
- if (error) {
- sebsd_free(doms, M_SEBSD);
- return (error);
- }
- srcs = sebsd_malloc(MAX_UC, M_SEBSD, M_WAITOK);
- error = copyinstr(uap.source, srcs, MAX_UC, &dummy);
- if (error) {
- sebsd_free(doms, M_SEBSD);
- sebsd_free(srcs, M_SEBSD);
- return (error);
- }
- scs = sebsd_malloc(MAX_UC, M_SEBSD, M_WAITOK);
- error = copyinstr(uap.sclass, scs, MAX_UC, &dummy);
- if (error) {
- sebsd_free(doms, M_SEBSD);
- sebsd_free(srcs, M_SEBSD);
- sebsd_free(scs, M_SEBSD);
- return (error);
- }
- error = sys_change_sid(doms, srcs, scs, uap.out, uap.outlen);
- sebsd_free(doms, M_SEBSD);
- sebsd_free(srcs, M_SEBSD);
- sebsd_free(scs, M_SEBSD);
- return (error);
- }
-
case SEBSDCALL_GET_BOOLS:
{
struct sebsd_get_bools gb;
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_syscalls.h#9 (text+ko) ====
@@ -12,9 +12,6 @@
#define SEBSDCALL_GET_BOOL 9
#define SEBSDCALL_SET_BOOL 10
#define SEBSDCALL_COMMIT_BOOLS 11
-#define SEBSDCALL_GETUSERSIDS 6
-#define SEBSDCALL_GETFILESIDS 5
-#define SEBSDCALL_CHANGE_SID 4
#define SEBSDCALL_NUM 7
@@ -40,4 +37,9 @@
char *out;
};
+struct lp_args {
+ void *data;
+ size_t len;
+};
+
#endif /* _SEBSD_SYSCALLS_H_ */
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_sysctl.c#9 (text+ko) ====
@@ -1,6 +1,6 @@
/*-
* Copyright (c) 2002 Networks Associates Technology, Inc.
- * Copyright (c) 2005, 2006 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project by NAI Labs, the
@@ -55,13 +55,12 @@
extern unsigned int policydb_loaded_version;
-#if 0
/*
* Sysctl handler for security.mac.sebsd.sids
* Lists the SIDs currently active in the security server
*/
static int
-sysctl_list_sids(SYSCTL_HANDLER_ARGS)
+sysctl_list_sids SYSCTL_HANDLER_ARGS
{
const int linesize = 128; /* conservative */
int i, count, error, len;
@@ -71,7 +70,7 @@
char *scontext;
count = sidtab.nel;
- MALLOC(buffer, char *, linesize, M_TEMP, M_WAITOK);
+ buffer = sebsd_malloc(linesize, M_TEMP, M_WAITOK);
len = snprintf(buffer, linesize, "\n SID Context\n");
error = SYSCTL_OUT(req, buffer, len);
if (error)
@@ -98,10 +97,9 @@
}
error = SYSCTL_OUT(req, "", 1);
out:
- FREE(buffer, M_TEMP);
+ sebsd_free(buffer, M_TEMP);
return (error);
}
-#endif
/*
* Sysctl handler for security.mac.sebsd.auditing. Get or set whether the
@@ -167,13 +165,11 @@
return (0);
}
-#if 0
-/*
- * Sysctl handler for security.mac.sebsd.user_sids. Lists the SIDs currently
- * available for transition to by a given "context\0username\0".
- */
+#define SEBSD_GETUSERSIDS 1
+#define SEBSD_GETFILESIDS 2
+
static int
-sysctl_user_sids(SYSCTL_HANDLER_ARGS)
+sebsd_get_sids(int function, struct sysctl_req *req)
{
u_int32_t n, nsids, scontext_len;
u_int32_t *sids, sid;
@@ -193,19 +189,29 @@
error = EINVAL;
goto out;
}
- len = strlen(context);
- if (len + 1 >= req->newlen) {
- error = EINVAL;
- goto out;
- }
- username = context + len + 1;
/*
* XXX We need POLICY_RDLOCK here, but it's not exported!
*/
+ len = strlen(context);
error = security_context_to_sid(context, len + 1, &sid);
if (error)
goto out;
- error = security_get_user_sids(sid, username, &sids, &nsids);
+ switch (function) {
+ case SEBSD_GETUSERSIDS:
+ if (len + 1 >= req->newlen) {
+ error = EINVAL;
+ goto out2;
+ }
+ username = context + len + 1;
+ error = security_get_user_sids(sid, username, &sids, &nsids);
+ break;
+ case SEBSD_GETFILESIDS:
+ error = security_get_file_sids(sid, SECCLASS_FILE, &sids,
+ &nsids);
+ break;
+ default:
+ error = EINVAL;
+ }
if (error)
goto out;
for (n = 0; n < nsids; n++) {
@@ -227,11 +233,33 @@
}
/*
+ * Sysctl handler for security.mac.sebsd.user_sids. Lists the SIDs currently
+ * available for transition to by a given "context\0username\0".
+ */
+static int
+sysctl_user_sids SYSCTL_HANDLER_ARGS
+{
+
+ return (sebsd_get_sids(SEBSD_GETUSERSIDS, req));
+}
+
+/*
+ * Sysctl handler for security.mac.sebsd.file_sids. Lists the file
+ * SIDs available for a given "context\0".
+ */
+static int
+sysctl_file_sids SYSCTL_HANDLER_ARGS
+{
+
+ return (sebsd_get_sids(SEBSD_GETFILESIDS, req));
+}
+
+/*
* Sysctl handler for security.mac.sebsd.change_sid
* Report the SID to relabel to given input "scontext\0tcontext\0",tclass
*/
static int
-sysctl_change_sid(SYSCTL_HANDLER_ARGS)
+sysctl_change_sid SYSCTL_HANDLER_ARGS
{
u_int32_t newcontext_len;
u_int32_t sid, tsid, newsid;
@@ -284,7 +312,7 @@
* given input "scontext\0tcontext\0", tclass, av.
*/
static int
-sysctl_compute_av(SYSCTL_HANDLER_ARGS)
+sysctl_compute_av SYSCTL_HANDLER_ARGS
{
u_int32_t sid, tsid;
u_int16_t tclass;
@@ -333,7 +361,6 @@
sebsd_free(scontext, M_SEBSD);
return (error);
}
-#endif
SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, sebsd, CTLFLAG_RW, 0,
@@ -341,19 +368,20 @@
SYSCTL_INT(_security_mac_sebsd, OID_AUTO, verbose, CTLFLAG_RW,
&sebsd_verbose, 0, " SEBSD Verbose Debug Stuff");
-#if 0
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, sids, CTLTYPE_STRING|CTLFLAG_RD,
NULL, 0, sysctl_list_sids, "A", "SEBSD SIDs");
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, user_sids, CTLTYPE_STRING |
CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_user_sids, "A",
"SEBSD transitionable user SIDs");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, file_sids, CTLTYPE_STRING |
+ CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_file_sids, "A",
+ "SEBSD transitionable file SIDs");
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, change_sid, CTLTYPE_STRING |
CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_change_sid, "A",
"SEBSD (tty) SID relabel to perform along with transition");
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_av, CTLTYPE_STRING |
CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_av, "A",
"SEBSD access vector decision query");
-#endif
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, auditing, CTLTYPE_INT |
CTLFLAG_RW, NULL, 0, sysctl_sebsd_auditing, "I", "SEBSD avc auditing");
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT |
@@ -367,6 +395,11 @@
{
sysctl_register_oid(&sysctl__security_mac_sebsd);
sysctl_register_oid(&sysctl__security_mac_sebsd_verbose);
+ sysctl_register_oid(&sysctl__security_mac_sebsd_sids);
+ sysctl_register_oid(&sysctl__security_mac_sebsd_user_sids);
+ sysctl_register_oid(&sysctl__security_mac_sebsd_file_sids);
+ sysctl_register_oid(&sysctl__security_mac_sebsd_change_sid);
+ sysctl_register_oid(&sysctl__security_mac_sebsd_compute_av);
sysctl_register_oid(&sysctl__security_mac_sebsd_auditing);
sysctl_register_oid(&sysctl__security_mac_sebsd_enforcing);
sysctl_register_oid(&sysctl__security_mac_sebsd_policyvers);
More information about the p4-projects
mailing list