socsvn commit: r223991 - in soc2011/aalvarez/pbmac: lib/libugidfw
sys/security/mac_bsdextended usr.sbin/ugidfw
aalvarez at FreeBSD.org
aalvarez at FreeBSD.org
Wed Jul 6 05:48:29 UTC 2011
Author: aalvarez
Date: Wed Jul 6 05:48:27 2011
New Revision: 223991
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=223991
Log:
Only store filepath and make checks against it with the help of vn_fullpath_global
Modified:
soc2011/aalvarez/pbmac/lib/libugidfw/ugidfw.c
soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c
soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h
soc2011/aalvarez/pbmac/usr.sbin/ugidfw/ugidfw.c
Modified: soc2011/aalvarez/pbmac/lib/libugidfw/ugidfw.c
==============================================================================
--- soc2011/aalvarez/pbmac/lib/libugidfw/ugidfw.c Wed Jul 6 00:50:54 2011 (r223990)
+++ soc2011/aalvarez/pbmac/lib/libugidfw/ugidfw.c Wed Jul 6 05:48:27 2011 (r223991)
@@ -351,9 +351,9 @@
left -= len;
cur += len;
}
- if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
+ if (rule->mbr_object.mbo_flags & MBO_FPATH_DEFINED) {
len = snprintf(cur, left, "filepath %s ",
- rule->mbr_object.mbo_fpath);
+ rule->mbr_object.mbo_fpath ? rule->mbr_object.mbo_fpath : "???");
if (len < 0 || len > left)
goto truncated;
left -= len;
@@ -804,16 +804,9 @@
{
size_t len;
- len = strlen(spec);
- *fpath = malloc(len * sizeof(*spec));
-
- if (*fpath == NULL) {
- len = snprintf(errstr, buflen, "Unable to allocate memory for filepath %s: %s",
- spec, strerror(errno));
- return (-1);
- }
-
- strncpy(*fpath, spec, len);
+ *fpath = realpath(spec, NULL);
+ if (*fpath == NULL)
+ len = snprintf(errstr, buflen, "%s", strerror(errno));
return (0);
}
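Review bot: The realpath() failure is written into errstr but the function still returns 0, so the caller treats a NULL *fpath as success and the only trace of the error is a message nobody is told to print; the pre-change code returned -1 on its allocation failure and this path should do the same, e.g. `if (*fpath == NULL) { snprintf(errstr, buflen, "%s: %s", spec, strerror(errno)); return (-1); }`. The `len` assignment on the new line is then dead and can go, and it is worth a comment that `realpath(spec, NULL)` hands back a malloc'd canonical path that the rule now owns and that symlinks are resolved at rule-creation time, since the kernel side compares it as an exact string. The function's signature is above the hunk.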
Modified: soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c
==============================================================================
--- soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c Wed Jul 6 00:50:54 2011 (r223990)
+++ soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c Wed Jul 6 05:48:27 2011 (r223991)
@@ -137,53 +137,13 @@
}
static int
-ugidfw_rslv_fpath(struct mac_bsdextended_rule *ruleptr, struct mac_bsdextended_rule *temprule, struct thread *td)
-{
- struct nameidata nd;
- int error;
- struct vnode* vp;
- struct vattr vap;
- /* Check empty paths */
- if (temprule->mbr_object.mbo_fpath_len < 1)
- return EINVAL;
-
- ruleptr->mbr_object.mbo_fpath_len = temprule->mbr_object.mbo_fpath_len;
- ruleptr->mbr_object.mbo_fpath = malloc(sizeof(char)*(ruleptr->mbr_object.mbo_fpath_len+1),
- M_MACBSDEXTENDED, M_WAITOK);
-
- KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
- memcpy(ruleptr->mbr_object.mbo_fpath, temprule->mbr_object.mbo_fpath,
- ruleptr->mbr_object.mbo_fpath_len+1);
-
- /* Resolve path to fsid and fileid */
- NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, ruleptr->mbr_object.mbo_fpath, td);
- error = namei(&nd);
- if (error)
- goto out;
-
- vp = nd.ni_vp;
- error = VOP_GETATTR(vp, &vap, td->td_proc->p_ucred);
- if (error)
- goto out;
-
- ruleptr->mbr_object.mbo_fsid = vp->v_mount->mnt_stat.f_fsid;
- ruleptr->mbr_object.mbo_fid = vap.va_fileid;
-
-out:
- NDFREE(&nd, 0);
- if (error)
- KMBRFREE((*ruleptr), M_MACBSDEXTENDED);
-
- return error;
-}
-
-static int
sysctl_rule(SYSCTL_HANDLER_ARGS)
{
struct mac_bsdextended_rule temprule, *ruleptr;
u_int namelen;
int error, index, *name;
-
+ char * fpath = NULL;
+
error = 0;
name = (int *)arg1;
namelen = arg2;
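Review bot: `char * fpath = NULL;` splits the declarator from the variable, unlike the `struct mac_bsdextended_rule *ruleptr` declaration two lines up and the rest of the file; write it `char *fpath = NULL;`. The blank context line below it is replaced by an added blank line, which is whitespace churn in the diff.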
@@ -200,10 +160,13 @@
return (error);
ruleptr = malloc(sizeof(*ruleptr), M_MACBSDEXTENDED,
M_WAITOK | M_ZERO);
+
+ fpath = malloc(sizeof(*fpath)*temprule.mbr_object.mbo_fpath_len,
+ M_MACBSDEXTENDED, M_WAITOK | M_ZERO);
}
mtx_lock(&ugidfw_mtx);
- if (req->oldptr) { /* Modify rule request */
+ if (req->oldptr) { /* Get rule request */
if (index < 0 || index > rule_slots + 1) {
error = ENOENT;
goto out;
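Review bot: The malloc size on the new lines is taken verbatim from the user-supplied `temprule.mbr_object.mbo_fpath_len` with no lower or upper bound, so a zero or huge length reaches kernel malloc with M_WAITOK unchecked; validate it before allocating, e.g. `if (temprule.mbr_object.mbo_fpath_len == 0 || temprule.mbr_object.mbo_fpath_len > MAXPATHLEN) { free(ruleptr, M_MACBSDEXTENDED); return (EINVAL); }`. The buffer is also allocated whether or not MBO_FPATH_DEFINED is set, and as far as the visible code shows it is released only by becoming `rules[index]->mbr_object.mbo_fpath` in the add/modify branch; every other exit of sysctl_rule leaks it. Allocate it only when the flag is set, and add `free(fpath, M_MACBSDEXTENDED);` under `out:` with `fpath = NULL;` at the point where a rule takes ownership.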
@@ -229,23 +192,32 @@
goto out;
if (rules[index] == NULL) {
*ruleptr = temprule;
- if (ruleptr->mbr_object.mbo_flags & MBO_FPATH_DEFINED) {
- error = ugidfw_rslv_fpath(ruleptr, &temprule, req->td);
- if (error)
- goto out;
- }
rules[index] = ruleptr;
ruleptr = NULL;
if (index + 1 > rule_slots)
rule_slots = index + 1;
rule_count++;
- } else
+ } else {
+ if (rules[index]->mbr_object.mbo_fpath != NULL)
+ free(rules[index]->mbr_object.mbo_fpath, M_MACBSDEXTENDED);
+
*rules[index] = temprule;
+ }
+
+ /* If there's a filepath, make a copy */
+ if (temprule.mbr_object.mbo_flags & MBO_FPATH_DEFINED &&
+ temprule.mbr_object.mbo_fpath != NULL) {
+ copyinstr(temprule.mbr_object.mbo_fpath, fpath,
+ temprule.mbr_object.mbo_fpath_len, NULL);
+ rules[index]->mbr_object.mbo_fpath = fpath;
+ }
}
out:
mtx_unlock(&ugidfw_mtx);
- if (ruleptr != NULL)
+ if (ruleptr != NULL) {
+ KMBRFREE((*ruleptr), M_MACBSDEXTENDED);
free(ruleptr, M_MACBSDEXTENDED);
+ }
if (req->oldptr && error == 0)
error = SYSCTL_OUT(req, &temprule, sizeof(temprule));
return (error);
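Review bot: copyinstr()'s return value is discarded, so on EFAULT or ENAMETOOLONG the zero-filled `fpath` is still installed into the rule as if it were the requested path, and the copy runs while ugidfw_mtx is held even though the check path in the same commit unlocks around vn_fullpath_global for the same reason (copyinstr can fault and sleep). Independently, `*ruleptr = temprule` and `*rules[index] = temprule` both store the raw user-space pointer from `mbo_fpath` into the kernel rule; it is only overwritten when the flag and pointer are both set, so a rule without the flag keeps a user address that a later KMBRFREE (not visible here) would presumably pass to free(). The same rule is then handed back by the get path's SYSCTL_OUT of temprule, which, if temprule is loaded from rules[index] there, exposes the kernel buffer address to userland; that branch is outside the hunk. Do the copy before taking the lock, check it, and clear the user pointer before the struct copy.
```c
	/* … unchanged: SYSCTL_IN of temprule, ruleptr/fpath allocation … */
	/* copy the user path before ugidfw_mtx is taken: copyinstr may fault */
	if (temprule.mbr_object.mbo_flags & MBO_FPATH_DEFINED &&
	    temprule.mbr_object.mbo_fpath != NULL) {
		error = copyinstr(temprule.mbr_object.mbo_fpath, fpath,
		    temprule.mbr_object.mbo_fpath_len, NULL);
		if (error) {
			free(fpath, M_MACBSDEXTENDED);
			free(ruleptr, M_MACBSDEXTENDED);
			return (error);
		}
	}
	/* a user-space address must never survive inside the kernel copy */
	temprule.mbr_object.mbo_fpath = NULL;
	mtx_lock(&ugidfw_mtx);
	/* … unchanged: get / add / modify branches … */
			/* the stored rule now owns fpath */
			rules[index]->mbr_object.mbo_fpath = fpath;
			fpath = NULL;
	/* … unchanged … */
out:
	mtx_unlock(&ugidfw_mtx);
	free(fpath, M_MACBSDEXTENDED);	/* NULL once a rule took ownership */
```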
@@ -277,7 +249,7 @@
static int
ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
- struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
+ struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode, char *fpath_hint)
{
int mac_granted, match, priv_granted;
int i;
@@ -361,12 +333,8 @@
return (0);
}
- if (rule->mbr_object.mbo_flags & MBO_FPATH_DEFINED) {
- match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid),
- &(rule->mbr_object.mbo_fsid),
- sizeof(rule->mbr_object.mbo_fsid)) == 0 &&
- bcmp(&(vap->va_fileid), &(rule->mbr_object.mbo_fid),
- sizeof(rule->mbr_object.mbo_fid)) == 0);
+ if (rule->mbr_object.mbo_flags & MBO_FPATH_DEFINED && fpath_hint != NULL) {
+ match = strcmp(fpath_hint, rule->mbr_object.mbo_fpath);
if (rule->mbr_object.mbo_neg & MBO_FPATH_DEFINED)
match = !match;
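Review bot: `match = strcmp(fpath_hint, rule->mbr_object.mbo_fpath);` is inverted: strcmp returns 0 on equality, so a rule matches exactly the objects whose path differs from the one configured, and the MBO_FPATH_DEFINED negation below then inverts the wrong value. `mbo_fpath` can also be NULL for a rule with the flag set (the userland printer at the first hunk guards for exactly that), which here is a kernel NULL dereference, and a NULL `fpath_hint` skips the whole clause so the rule is evaluated as if it had no path constraint at all. Treat both as "not matched" rather than "no constraint", and note in a comment that this is an exact comparison of the resolved global name, no longer the fsid/fileid identity the old code used, so a file reached through another hard link or mount is a different object to this rule. ugidfw_rulecheck begins and ends outside the hunk.
```c
	if (rule->mbr_object.mbo_flags & MBO_FPATH_DEFINED) {
		/*
		 * Exact match on the resolved global path (not file identity).
		 * An unresolved name or a rule without a path never matches.
		 */
		match = (fpath_hint != NULL &&
		    rule->mbr_object.mbo_fpath != NULL &&
		    strcmp(fpath_hint, rule->mbr_object.mbo_fpath) == 0);
		if (rule->mbr_object.mbo_neg & MBO_FPATH_DEFINED)
			match = !match;
```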
@@ -491,6 +459,8 @@
int acc_mode)
{
int error, i;
+ char * fullpath, *freepath;
+ fullpath = freepath = NULL;
/*
* Since we do not separately handle append, map append to write.
@@ -503,8 +473,16 @@
for (i = 0; i < rule_slots; i++) {
if (rules[i] == NULL)
continue;
+
+ if (rules[i]->mbr_object.mbo_flags & MBO_FPATH_DEFINED && fullpath == NULL) {
+ mtx_unlock(&ugidfw_mtx);
+ vn_fullpath_global(curthread, vp, &fullpath, &freepath);
+ mtx_lock(&ugidfw_mtx);
+ }
+
error = ugidfw_rulecheck(rules[i], cred,
- vp, vap, acc_mode);
+ vp, vap, acc_mode, fullpath);
+
if (error == EJUSTRETURN)
break;
if (error) {
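Review bot: Dropping ugidfw_mtx inside the loop lets sysctl_rule free or replace `rules[i]` and change `rule_slots` while this iteration is in progress, so `rules[i]` passed to ugidfw_rulecheck after the relock may be stale or already freed. vn_fullpath_global's return value is also ignored; on failure (name-cache miss, disablefullpath) `fullpath` stays NULL, the call is repeated for every subsequent path rule, and the check runs with no path hint, which silently removes the path constraint from those rules rather than failing them. Resolve the name once before the lock is taken (the mtx_lock preceding the loop is outside this hunk) and make the NULL case an explicit non-match in ugidfw_rulecheck; the `if (error)` branch that follows should be checked to confirm it does not return without reaching the `free(freepath, M_TEMP)` added at the end of the function.
```c
	/* … unchanged: append→write mapping … */
	/*
	 * Resolve the vnode's global name once, before ugidfw_mtx is taken:
	 * vn_fullpath_global may sleep, and unlocking inside the loop would
	 * let sysctl_rule free rules[i] under us.  Resolution can fail
	 * (name-cache miss, disablefullpath); fullpath then stays NULL and
	 * ugidfw_rulecheck must treat that as "path rule not matched".
	 */
	if (vn_fullpath_global(curthread, vp, &fullpath, &freepath) != 0)
		fullpath = freepath = NULL;
	mtx_lock(&ugidfw_mtx);
	for (i = 0; i < rule_slots; i++) {
		if (rules[i] == NULL)
			continue;
		error = ugidfw_rulecheck(rules[i], cred,
		    vp, vap, acc_mode, fullpath);
		/* … unchanged: EJUSTRETURN / error handling … */
```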
@@ -513,6 +491,10 @@
}
}
mtx_unlock(&ugidfw_mtx);
+
+ if (freepath)
+ free(freepath, M_TEMP);
+
return (0);
}
@@ -569,7 +551,7 @@
.mpo_vnode_check_getextattr = ugidfw_vnode_check_getextattr,
.mpo_vnode_check_link = ugidfw_vnode_check_link,
.mpo_vnode_check_listextattr = ugidfw_vnode_check_listextattr,
- .mpo_vnode_check_lookup = ugidfw_vnode_check_lookup,
+ /* .mpo_vnode_check_lookup = ugidfw_vnode_check_lookup, */
.mpo_vnode_check_open = ugidfw_vnode_check_open,
.mpo_vnode_check_readdir = ugidfw_vnode_check_readdir,
.mpo_vnode_check_readlink = ugidfw_vnode_check_readdlink,
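Review bot: Commenting out `.mpo_vnode_check_lookup` silently disables an entire MAC check, and the log message does not mention it; a reader of the policy table has no way to tell whether this is temporary or deliberate. Either delete the line or keep it with a comment stating the reason, which is presumably that the name-based comparison cannot be applied before the lookup has produced a vnode, e.g. `/* XXX lookup hook disabled in r223991: path rules need a resolvable vnode name */`. The enum of hooks continues outside the hunk.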
Modified: soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h
==============================================================================
--- soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h Wed Jul 6 00:50:54 2011 (r223990)
+++ soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h Wed Jul 6 05:48:27 2011 (r223991)
@@ -104,7 +104,6 @@
gid_t mbo_gid_max;
struct fsid mbo_fsid;
int mbo_type;
- long mbo_fid;
size_t mbo_fpath_len;
char* mbo_fpath;
};
Modified: soc2011/aalvarez/pbmac/usr.sbin/ugidfw/ugidfw.c
==============================================================================
--- soc2011/aalvarez/pbmac/usr.sbin/ugidfw/ugidfw.c Wed Jul 6 00:50:54 2011 (r223990)
+++ soc2011/aalvarez/pbmac/usr.sbin/ugidfw/ugidfw.c Wed Jul 6 05:48:27 2011 (r223991)
@@ -78,19 +78,20 @@
error = bsde_parse_rule(argc, argv, &rule, BUFSIZ, errstr);
if (error) {
warnx("%s", errstr);
- return;
+ goto out;
}
error = bsde_add_rule(&rulenum, &rule, BUFSIZ, errstr);
if (error) {
warnx("%s", errstr);
- return;
+ goto out;
}
if (bsde_rule_to_string(&rule, charstr, BUFSIZ) == -1)
warnx("Added rule, but unable to print string.");
else
printf("%d %s\n", rulenum, charstr);
+out:
MBRFREE(rule);
}
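Review bot: `MBRFREE(rule)` now runs after a failed bsde_parse_rule as well, which is only safe if the parser leaves `rule`'s pointer members (mbo_fpath is now a realpath() allocation) NULL or valid on every failure path; that is outside this hunk. If `rule` is not zero-initialised before the call, add `memset(&rule, 0, sizeof(rule));` ahead of bsde_parse_rule so the cleanup never frees an indeterminate pointer. The function's signature and declarations are above the hunk.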
@@ -131,8 +132,6 @@
else
printf("%d %s\n", i, charstr);
}
-
- MBRFREE(rule);
}
void