PERFORCE change 326099 for review
Robert Watson
rwatson at FreeBSD.org
Wed Aug 14 14:17:44 UTC 2013
http://p4web.freebsd.org/@@326099?ac=10
Change 326099 by rwatson at rwatson_cinnamon on 2013/08/14 14:17:13
Update MAC credential check TESLA assertions to allow exec() checks
to authorise credential changes. Unfortunately, our current TESLA
syntax is not sufficient to allow us to compare the in-hand UID and
GID being changed to against the cached vnode attribute UID and GID.
Hopefully a change to TESLA syntax will make it possible to make
these assertions more specific.
Affected files ...
.. //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#7 edit
Differences ...
==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#7 (text+ko) ====
@@ -2150,12 +2150,15 @@
euid = euip->ui_uid;
#ifdef MAC
#ifdef TESLA_MAC
+ /* XXXRW: In the exec() case, really want imgp->attr.uid. */
TESLA_SYSCALL(
previously(mac_cred_check_setuid(ANY(ptr), euid) == 0) ||
previously(mac_cred_check_setreuid(ANY(ptr), ANY(int), euid)
== 0) ||
previously(mac_cred_check_setresuid(ANY(ptr), ANY(int), euid,
- ANY(int)) == 0));
+ ANY(int)) == 0) ||
+ previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr))
+ == 0));
#endif
#endif
#ifdef TESLA_PROC
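Review bot: The added `mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr))` disjunct binds none of its arguments, so any exec check that returned 0 earlier (presumably within the same syscall, given `TESLA_SYSCALL`/`previously`) satisfies the assertion, whichever vnode it covered and whatever value `euid` holds. The same unbound disjunct is added in the other five hunks (@@ -2181, -2212, -2245, -2273, -2301). The XXXRW comment records what is wanted but not what is currently accepted, so I would expand it to something like `/* XXXRW: exec() disjunct is unbound: any successful mac_vnode_check_exec() passes; really want euid == imgp->attr.uid. */`, with the matching wording for the gid cases. The enclosing function starts and ends outside the hunk.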
@@ -2181,12 +2184,15 @@
#ifdef MAC
#ifdef TESLA_MAC
+ /* XXXRW: In the exec() case, really want imgp->attr.gid. */
TESLA_SYSCALL(
- previously(mac_cred_check_setgid(ANY(ptr), egid) == 0) ||
+ previously(mac_cred_check_setegid(ANY(ptr), egid) == 0) ||
previously(mac_cred_check_setregid(ANY(ptr), ANY(int), egid)
- == 0) ||
+ == 0) ||
previously(mac_cred_check_setresgid(ANY(ptr), ANY(int), egid,
- ANY(int)) == 0));
+ ANY(int)) == 0) ||
+ previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr))
+ == 0));
#endif
#endif
#ifdef TESLA_PROC
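Review bot: Swapping `mac_cred_check_setgid` for `mac_cred_check_setegid` in the first disjunct removes the setgid() authorisation instead of adding to it, and the commit description does not mention the change. If setgid() can still reach this effective-GID update (it appears to in stock kern_prot.c, but the callers are outside the hunk), the assertion would now fail on that path. Keeping both avoids that: `previously(mac_cred_check_setgid(ANY(ptr), egid) == 0) ||` followed by `previously(mac_cred_check_setegid(ANY(ptr), egid) == 0) ||`. The effective-UID hunk at @@ -2150 has the mirror gap: it lists `mac_cred_check_setuid` but has no `mac_cred_check_seteuid` disjunct, so the two assertions are not parallel.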
@@ -2212,12 +2218,15 @@
uid_t ruid = ruip->ui_uid;
#ifdef MAC
#ifdef TESLA_MAC
+ /* XXXRW: In the exec() case, really want imgp->attr.uid. */
TESLA_SYSCALL(
previously(mac_cred_check_setuid(ANY(ptr), ruid) == 0) ||
previously(mac_cred_check_setreuid(ANY(ptr), ruid, ANY(int))
== 0) ||
previously(mac_cred_check_setresuid(ANY(ptr), ruid, ANY(int),
- ANY(int)) == 0));
+ ANY(int)) == 0) ||
+ previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr))
+ == 0));
#endif
#endif
#ifdef TESLA_PROC
@@ -2245,12 +2254,15 @@
#ifdef MAC
#ifdef TESLA_MAC
+ /* XXXRW: In the exec() case, really want imgp->attr.gid. */
TESLA_SYSCALL(
previously(mac_cred_check_setgid(ANY(ptr), rgid) == 0) ||
previously(mac_cred_check_setregid(ANY(ptr), rgid, ANY(int))
== 0) ||
previously(mac_cred_check_setresgid(ANY(ptr), rgid, ANY(int),
- ANY(int)) == 0));
+ ANY(int)) == 0) ||
+ previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr))
+ == 0));
#endif
#endif
#ifdef TESLA_PROC
@@ -2273,12 +2285,15 @@
#ifdef MAC
#ifdef TESLA_MAC
+ /* XXXRW: In the exec() case, really want imgp->attr.uid. */
TESLA_SYSCALL(
previously(mac_cred_check_setuid(ANY(ptr), ANY(int)) == 0) ||
previously(mac_cred_check_setreuid(ANY(ptr), ANY(int),
ANY(int)) == 0) ||
previously(mac_cred_check_setresuid(ANY(ptr), ANY(int),
- ANY(int), ANY(int)) == 0));
+ ANY(int), ANY(int)) == 0) ||
+ previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr))
+ == 0));
#endif
#endif
#ifdef TESLA_PROC
@@ -2301,12 +2316,15 @@
#ifdef MAC
#ifdef TESLA_MAC
+ /* XXXRW: In the exec() case, really want imgp->attr.gid. */
TESLA_SYSCALL(
previously(mac_cred_check_setgid(ANY(ptr), ANY(int)) == 0) ||
previously(mac_cred_check_setregid(ANY(ptr), ANY(int), ANY(int))
== 0) ||
previously(mac_cred_check_setresgid(ANY(ptr), ANY(int), ANY(int),
- ANY(int)) == 0));
+ ANY(int)) == 0) ||
+ previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr))
+ == 0));
#endif
#endif
#ifdef TESLA_PROC