PERFORCE change 22143 for review
Brian Feldman
green at freebsd.org
Tue Dec 10 20:43:13 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=22143
Change 22143 by green at green_laptop_2 on 2002/12/10 12:42:31
Provide the full devfs path for a given object being created
to any policies that request it. Bring policies incl. SEBSD in
line with reality.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_devs.c#11 edit
.. //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vfsops.c#15 edit
.. //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vnops.c#38 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#369 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#191 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#48 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#152 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#113 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#89 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#62 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#223 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#177 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_devs.c#11 (text+ko) ====
@@ -335,7 +335,8 @@
de = devfs_vmkdir(s, q - s, dd);
#ifdef MAC
mac_create_devfs_directory(
- dm->dm_mount, s, q - s, de);
+ dm->dm_mount, s, q - s, de,
+ dev->si_name);
#endif
de->de_inode = dm->dm_inode++;
TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list);
@@ -363,7 +364,8 @@
de->de_dirent->d_type = DT_CHR;
}
#ifdef MAC
- mac_create_devfs_device(dm->dm_mount, dev, de);
+ mac_create_devfs_device(dm->dm_mount, dev, de,
+ dev->si_name);
#endif
*dep = de;
de->de_dir = dd;
==== //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vfsops.c#15 (text+ko) ====
@@ -97,7 +97,7 @@
fmp->dm_rootdir = devfs_vmkdir("(root)", 6, NULL);
fmp->dm_rootdir->de_inode = 2;
#ifdef MAC
- mac_create_devfs_directory(mp, "", 0, fmp->dm_rootdir);
+ mac_create_devfs_directory(mp, "", 0, fmp->dm_rootdir, "");
#endif
fmp->dm_basedir = fmp->dm_rootdir;
devfs_rules_newmount(fmp, td);
==== //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vnops.c#38 (text+ko) ====
@@ -90,21 +90,17 @@
* Construct the fully qualified path name relative to the mountpoint
*/
static char *
-devfs_fqpn(char *buf, struct vnode *dvp, struct componentname *cnp)
+devfs_fqpn(char *buf, ssize_t buflen, struct devfs_mount *dmp,
+ struct devfs_dirent *de, const char *name, size_t namelen)
{
int i;
- struct devfs_dirent *de, *dd;
- struct devfs_mount *dmp;
- dmp = VFSTODEVFS(dvp->v_mount);
- dd = dvp->v_data;
- i = SPECNAMELEN;
+ i = buflen - 1;
buf[i] = '\0';
- i -= cnp->cn_namelen;
+ i -= namelen;
if (i < 0)
return (NULL);
- bcopy(cnp->cn_nameptr, buf + i, cnp->cn_namelen);
- de = dd;
+ bcopy(name, buf + i, namelen);
while (de != dmp->dm_basedir) {
i--;
if (i < 0)
@@ -366,7 +362,8 @@
* OK, we didn't have an entry for the name we were asked for
* so we try to see if anybody can create it on demand.
*/
- pname = devfs_fqpn(specname, dvp, cnp);
+ pname = devfs_fqpn(specname, sizeof(specname), dmp, de,
+ cnp->cn_nameptr, cnp->cn_namelen);
if (pname == NULL)
goto notfound;
@@ -852,10 +849,17 @@
struct devfs_dirent *dd;
struct devfs_dirent *de;
struct devfs_mount *dmp;
+#ifdef MAC
+ char *specname;
+#endif
error = suser(ap->a_cnp->cn_thread);
if (error)
- return(error);
+ return (error);
+#ifdef MAC
+ specname = malloc(SPECNAMELEN + ap->a_cnp->cn_namelen + 1, M_DEVFS,
+ M_WAITOK);
+#endif
dmp = VFSTODEVFS(ap->a_dvp->v_mount);
dd = ap->a_dvp->v_data;
de = devfs_newdirent(ap->a_cnp->cn_nameptr, ap->a_cnp->cn_namelen);
@@ -869,7 +873,10 @@
bcopy(ap->a_target, de->de_symlink, i);
lockmgr(&dmp->dm_lock, LK_EXCLUSIVE, 0, curthread);
#ifdef MAC
- mac_create_devfs_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de);
+ mac_create_devfs_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de,
+ devfs_fqpn(specname, SPECNAMELEN + ap->a_cnp->cn_namelen + 1,
+ dmp, de, ap->a_cnp->cn_nameptr, ap->a_cnp->cn_namelen));
+ free(specname, M_DEVFS);
#endif
TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list);
devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, 0);
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#369 (text+ko) ====
@@ -2803,28 +2803,30 @@
}
void
-mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de)
+mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de,
+ const char *fullpath)
{
- MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label);
+ MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label,
+ fullpath);
}
void
mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
- struct devfs_dirent *dd, struct devfs_dirent *de)
+ struct devfs_dirent *dd, struct devfs_dirent *de, const char *fullpath)
{
MAC_PERFORM(create_devfs_symlink, cred, mp, dd, &dd->de_label, de,
- &de->de_label);
+ &de->de_label, fullpath);
}
void
mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
- struct devfs_dirent *de)
+ struct devfs_dirent *de, const char *fullpath)
{
MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
- &de->de_label);
+ &de->de_label, fullpath);
}
int
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#191 (text+ko) ====
@@ -828,20 +828,21 @@
*/
static void
mac_biba_create_devfs_device(struct mount *mp, dev_t dev,
- struct devfs_dirent *devfs_dirent, struct label *label)
+ struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
struct mac_biba *mac_biba;
int biba_type;
mac_biba = SLOT(label);
- if (strcmp(dev->si_name, "null") == 0 ||
- strcmp(dev->si_name, "zero") == 0 ||
- strcmp(dev->si_name, "random") == 0 ||
- strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
+ if (strcmp(fullpath, "null") == 0 ||
+ strcmp(fullpath, "zero") == 0 ||
+ strcmp(fullpath, "random") == 0 ||
+ strncmp(fullpath, "fd/", strlen("fd/")) == 0)
biba_type = MAC_BIBA_TYPE_EQUAL;
else if (ptys_equal &&
- (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
- strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
+ (strncmp(fullpath, "ttyp", strlen("ttyp")) == 0 ||
+ strncmp(fullpath, "ptyp", strlen("ptyp")) == 0))
biba_type = MAC_BIBA_TYPE_EQUAL;
else
biba_type = MAC_BIBA_TYPE_HIGH;
@@ -850,7 +851,8 @@
static void
mac_biba_create_devfs_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
+ int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
struct mac_biba *mac_biba;
@@ -861,7 +863,7 @@
static void
mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
- struct label *delabel)
+ struct label *delabel, const char *fullpath)
{
struct mac_biba *source, *dest;
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#48 (text+ko) ====
@@ -953,21 +953,22 @@
*/
static void
mac_lomac_create_devfs_device(struct mount *mp, dev_t dev,
- struct devfs_dirent *devfs_dirent, struct label *label)
+ struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
struct mac_lomac *mac_lomac;
int lomac_type;
mac_lomac = SLOT(label);
- if (strcmp(dev->si_name, "null") == 0 ||
- strcmp(dev->si_name, "zero") == 0 ||
- strcmp(dev->si_name, "random") == 0 ||
- strncmp(dev->si_name, "fd/", strlen("fd/")) == 0 ||
- strncmp(dev->si_name, "ttyv", strlen("ttyv")) == 0)
+ if (strcmp(fullpath, "null") == 0 ||
+ strcmp(fullpath, "zero") == 0 ||
+ strcmp(fullpath, "random") == 0 ||
+ strncmp(fullpath, "fd/", strlen("fd/")) == 0 ||
+ strncmp(fullpath, "ttyv", strlen("ttyv")) == 0)
lomac_type = MAC_LOMAC_TYPE_EQUAL;
else if (ptys_equal &&
- (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
- strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
+ (strncmp(fullpath, "ttyp", strlen("ttyp")) == 0 ||
+ strncmp(fullpath, "ptyp", strlen("ptyp")) == 0))
lomac_type = MAC_LOMAC_TYPE_EQUAL;
else
lomac_type = MAC_LOMAC_TYPE_HIGH;
@@ -976,7 +977,8 @@
static void
mac_lomac_create_devfs_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
+ int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
struct mac_lomac *mac_lomac;
@@ -987,7 +989,7 @@
static void
mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
- struct label *delabel)
+ struct label *delabel, const char *fullpath)
{
struct mac_lomac *source, *dest;
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#152 (text+ko) ====
@@ -795,23 +795,24 @@
*/
static void
mac_mls_create_devfs_device(struct mount *mp, dev_t dev,
- struct devfs_dirent *devfs_dirent, struct label *label)
+ struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
struct mac_mls *mac_mls;
int mls_type;
mac_mls = SLOT(label);
- if (strcmp(dev->si_name, "null") == 0 ||
- strcmp(dev->si_name, "zero") == 0 ||
- strcmp(dev->si_name, "random") == 0 ||
- strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
+ if (strcmp(fullpath, "null") == 0 ||
+ strcmp(fullpath, "zero") == 0 ||
+ strcmp(fullpath, "random") == 0 ||
+ strncmp(fullpath, "fd/", strlen("fd/")) == 0)
mls_type = MAC_MLS_TYPE_EQUAL;
- else if (strcmp(dev->si_name, "kmem") == 0 ||
- strcmp(dev->si_name, "mem") == 0)
+ else if (strcmp(fullpath, "kmem") == 0 ||
+ strcmp(fullpath, "mem") == 0)
mls_type = MAC_MLS_TYPE_HIGH;
else if (ptys_equal &&
- (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
- strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
+ (strncmp(fullpath, "ttyp", strlen("ttyp")) == 0 ||
+ strncmp(fullpath, "ptyp", strlen("ptyp")) == 0))
mls_type = MAC_MLS_TYPE_EQUAL;
else
mls_type = MAC_MLS_TYPE_LOW;
@@ -820,7 +821,8 @@
static void
mac_mls_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
- struct devfs_dirent *devfs_dirent, struct label *label)
+ struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
struct mac_mls *mac_mls;
@@ -831,7 +833,7 @@
static void
mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
- struct label *delabel)
+ struct label *delabel, const char *fullpath)
{
struct mac_mls *source, *dest;
==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#113 (text+ko) ====
@@ -170,14 +170,16 @@
static void
mac_none_create_devfs_device(struct mount *mp, dev_t dev,
- struct devfs_dirent *devfs_dirent, struct label *label)
+ struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
}
static void
mac_none_create_devfs_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
+ int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
}
@@ -185,7 +187,7 @@
static void
mac_none_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
- struct label *delabel)
+ struct label *delabel, const char *fullpath)
{
}
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#89 (text+ko) ====
@@ -548,14 +548,16 @@
static void
mac_test_create_devfs_device(struct mount *mp, dev_t dev,
- struct devfs_dirent *devfs_dirent, struct label *label)
+ struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
}
static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
+ int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
}
@@ -563,7 +565,7 @@
static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
- struct label *delabel)
+ struct label *delabel, const char *fullpath)
{
}
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#62 (text+ko) ====
@@ -401,7 +401,8 @@
static void
sebsd_create_devfs_device(struct mount *mp, dev_t dev,
- struct devfs_dirent *devfs_dirent, struct label *label)
+ struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
char *path;
int rc;
@@ -419,9 +420,9 @@
dirent_type_to_security_class(devfs_dirent->de_dirent->d_type);
/* Obtain a SID based on the fstype, path, and class. */
- path = malloc(strlen(dev->si_name) + 2, M_SEBSD, M_ZERO | M_WAITOK);
+ path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
path[0] = '/';
- strcpy(&path[1], dev->si_name);
+ strcpy(&path[1], fullpath);
rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass,
&newsid);
if (rc == 0)
@@ -439,7 +440,8 @@
static void
sebsd_create_devfs_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
+ int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label,
+ const char *fullpath)
{
char *path;
int rc;
@@ -456,10 +458,9 @@
dirent->sclass = SECCLASS_DIR;
/* Obtain a SID based on the fstype, path, and class. */
- path = malloc(dirnamelen + 2, M_SEBSD, M_ZERO | M_WAITOK);
+ path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
path[0] = '/';
- strncpy(&path[1], dirname, dirnamelen);
- path[dirnamelen+1] = '\0';
+ strcpy(&path[1], fullpath);
rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass,
&newsid);
if (rc == 0)
@@ -478,18 +479,19 @@
static void
sebsd_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
- struct label *delabel)
+ struct label *delabel, const char *fullpath)
{
-#if 0
+#ifdef FULLY
/* TBD: path info not available (and the code below is broken) */
char *path;
+#endif
int rc;
security_id_t newsid;
struct vnode_security_struct *lnksec;
struct vnode_security_struct *dirsec;
- dirsec= SLOT(ddlabel);
+ dirsec = SLOT(ddlabel);
lnksec = SLOT(delabel);
/* Default to the filesystem SID. */
@@ -497,13 +499,6 @@
lnksec->task_sid = SECINITSID_KERNEL;
lnksec->sclass = SECCLASS_LNK_FILE;
- printf("%s: dirsec->sid=%d, de->de_symlink=%s\n",
- __func__, dirsec->sid, de->de_symlink?de->de_symlink:"NULL");
-
- if (dd->de_dirent) {
- printf("%s: dd->de_dirent->d_name=%s\n",
- __func__, dd->de_dirent->d_name?dd->de_dirent->d_name:"NULL");
- }
#ifdef FLUFFY
/* Obtain a SID based on the fstype, path, and class. */
path = malloc(strlen(dd->si_name) + 2, M_SEBSD, M_ZERO | M_WAITOK);
@@ -523,7 +518,6 @@
}
free(path, M_SEBSD);
#endif /* FLUFFY */
-#endif /* 0 */
}
static void
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#223 (text+ko) ====
@@ -172,11 +172,12 @@
int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
void mac_create_devfs_device(struct mount *mp, dev_t dev,
- struct devfs_dirent *de);
+ struct devfs_dirent *de, const char *fullpath);
void mac_create_devfs_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devfs_dirent *de);
+ int dirnamelen, struct devfs_dirent *de, const char *fullpath);
void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
- struct devfs_dirent *dd, struct devfs_dirent *de);
+ struct devfs_dirent *dd, struct devfs_dirent *de,
+ const char *fullpath);
int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
void mac_create_mount(struct ucred *cred, struct mount *mp);
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#177 (text+ko) ====
@@ -143,14 +143,15 @@
struct label *fslabel, struct vnode *vp,
struct label *vlabel);
void (*mpo_create_devfs_device)(struct mount *mp, dev_t dev,
- struct devfs_dirent *de, struct label *label);
+ struct devfs_dirent *de, struct label *label,
+ const char *fullpath);
void (*mpo_create_devfs_directory)(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de,
- struct label *label);
+ struct label *label, const char *fullpath);
void (*mpo_create_devfs_symlink)(struct ucred *cred,
struct mount *mp, struct devfs_dirent *dd,
struct label *ddlabel, struct devfs_dirent *de,
- struct label *delabel);
+ struct label *delabel, const char *fullpath);
int (*mpo_create_vnode_extattr)(struct ucred *cred,
struct mount *mp, struct label *fslabel,
struct vnode *dvp, struct label *dlabel,
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list