PERFORCE change 22999 for review

Tue Dec 31 23:31:05 GMT 2002

http://perforce.freebsd.org/chv.cgi?CH=22999

Change 22999 by green at green_laptop_2 on 2002/12/31 15:30:36

	I'm making a fine mess of perforce logs trying to separate changes,
	so I'll stop.  This completes implementation of tty labelling
	for SEBSD.  This also contains residue which is what the previous
	change should have been.

Affected files ...

.. //depot/projects/trustedbsd/mac/lib/libsebsd/Makefile#5 edit
.. //depot/projects/trustedbsd/mac/lib/libsebsd/sebsd.h#6 edit
.. //depot/projects/trustedbsd/mac/lib/libsebsd/security_get_user_contexts.c#4 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#5 edit

Differences ...

==== //depot/projects/trustedbsd/mac/lib/libsebsd/Makefile#5 (text+ko) ====

@@ -11,7 +11,7 @@
 NOMAN=
 
 SRCS=	system.c security_get_user_contexts.c get_ordered_context_list.c \
-	getseccontext.c query_user_context.c
+	getseccontext.c query_user_context.c security_change_context.c
 INCS=	sebsd_context.h sebsd_ss.h sebsd_proc.h sebsd_fs.h sebsd.h \
 	sebsd_syscalls.h flask_types.h
 

==== //depot/projects/trustedbsd/mac/lib/libsebsd/sebsd.h#6 (text+ko) ====

@@ -64,5 +64,7 @@
 
 int security_get_user_contexts(const char *fromcontext, const char *username,
 	    char ***retcontexts, size_t *ncontexts);
+int security_change_context(const char *domain, const char *ocontext,
+	    security_class_t oclass, char **newcontext);
 
 #endif /* _SEBSD_H */

==== //depot/projects/trustedbsd/mac/lib/libsebsd/security_get_user_contexts.c#4 (text+ko) ====

@@ -57,8 +57,8 @@
 	size_t contexts_len, n;
 	int error;
 
-	arguments_len = asprintf(&arguments, "%s%c%s%c%c", fromcontext, 0,
-	    username, 0, 0);
+	arguments_len = asprintf(&arguments, "%s%c%s%c", fromcontext, 0,
+	    username, 0);
 	if (arguments_len == -1)
 		return (-1);
 bigger:

==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#5 (text+ko) ====

@@ -179,6 +179,57 @@
 	return (error);
 }
 
+/*
+ * Sysctl handler for security.mac.sebsd.change_sid
+ * Report the SID to relabel to given input "scontext\0tcontext\0",tclass
+ */
+static int
+sysctl_change_sid(SYSCTL_HANDLER_ARGS)
+{
+	u_int32_t newcontext_len;
+	security_id_t sid, tsid, newsid;
+	security_context_t newcontext;
+	security_class_t tclass;
+	char *scontext, *tcontext;
+	int error;
+
+	if (req->newlen < 4 + sizeof(tclass))
+		return (EINVAL);
+	if (req->newlen > 512)	/* arbitrary */
+		return (ENAMETOOLONG);
+	scontext = sebsd_malloc(req->newlen, M_SEBSD_SS, M_WAITOK);
+	error = SYSCTL_IN(req, scontext, req->newlen); 
+	if (error)
+		goto out;
+	if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') {
+		error = EINVAL;
+		goto out;
+	}
+	tcontext = &scontext[strlen(scontext) + 1];
+	if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) {
+		error = EINVAL;
+		goto out;
+	}
+	bcopy(&scontext[strlen(scontext) + 1], &tclass, sizeof(tclass));
+	error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid);
+	if (error)
+		goto out;
+	error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid);
+	if (error)
+		goto out;
+	error = security_change_sid(sid, tsid, tclass, &newsid);
+	if (error)
+		goto out;
+	error = security_sid_to_context(newsid, &newcontext, &newcontext_len);
+	if (error)
+		goto out;
+	error = SYSCTL_OUT(req, newcontext, newcontext_len);
+	security_free_context(newcontext);
+out:
+	sebsd_free(scontext, M_SEBSD_SS);
+	return (error);
+}
+
 SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security_mac, OID_AUTO, sebsd, CTLFLAG_RW, 0,
 	    "Security Enhanced BSD policy controls");
@@ -192,6 +243,9 @@
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, user_sids, CTLTYPE_STRING |
  	   CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_user_sids, "A",
 	   "SEBSD transitionable user SIDs");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, change_sid, CTLTYPE_STRING |
+ 	   CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_change_sid, "A",
+	   "SEBSD (tty) SID relabel to perform along with transition");
 
 #if 0
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW,
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

