PERFORCE change 14791 for review

Robert Watson rwatson at freebsd.org
Tue Jul 23 21:46:49 GMT 2002


http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14791

Change 14791 by rwatson at rwatson_tislabs on 2002/07/23 14:46:35

	First pass at implementing access control checks for vnode read,
	write, and poll operations using a mac_cred_check_vnode_op()
	interface.  It may be that it makes sense simply to move them to
	their own entry points, but that is not yet entirely clear.  This
	implementation is modeled on amigus's pipe access control
	checks.  No policy implementations yet: caution, if you enable
	this in policies without meaning to, a fair amount of
	suffering is to be had (revocation of tty access, etc).

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_ktrace.c#9 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#190 edit
.. //depot/projects/trustedbsd/mac/sys/kern/tty_tty.c#5 edit
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#61 edit
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_vnops.c#26 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#120 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#85 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_ktrace.c#9 (text+ko) ====

@@ -769,9 +769,10 @@
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 	(void)VOP_LEASE(vp, td, cred, LEASE_WRITE);
 #ifdef MAC
-	/* XXXMAC: Write authorization checks here. */
+	error = mac_cred_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE);
+	if (error == 0)
 #endif
-	error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
+		error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
 	if (error == 0 && uio != NULL) {
 		(void)VOP_LEASE(vp, td, cred, LEASE_WRITE);
 		error = VOP_WRITE(vp, uio, IO_UNIT | IO_APPEND, cred);

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#190 (text+ko) ====

@@ -782,6 +782,10 @@
 			mpc->mpc_ops->mpo_cred_check_vnode_mmap_perms =
 			    mpe->mpe_function;
 			break;
+		case MAC_CRED_CHECK_VNODE_OP:
+			mpc->mpc_ops->mpo_cred_check_vnode_op =
+			    mpe->mpe_function;
+			break;
 		case MAC_IFNET_CHECK_SEND_MBUF:
 			mpc->mpc_ops->mpo_ifnet_check_send_mbuf =
 			    mpe->mpe_function;
@@ -2567,6 +2571,26 @@
 
 	return (error);
 }
+
+int
+mac_cred_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
+{
+	int error;
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	ASSERT_VOP_LOCKED(vp, "mac_cred_check_vnode_op");
+
+	error = vn_refreshlabel(vp, cred);
+	if (error)
+		return (error);
+
+	MAC_CHECK(cred_check_vnode_op, cred, vp, &vp->v_label, op);
+
+	return (error);
+}
+
 int
 mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
     struct mac *extmac)
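Review bot: The new `mac_cred_check_vnode_op()` has no header comment, although it introduces a contract its callers must follow: `vp` must be locked (enforced by the `ASSERT_VOP_LOCKED` on the line after the `mac_enforce_fs` test), and `op` is one of the `MAC_OP_VNODE_*` values that is handed to every policy unmodified. A short block comment above the definition should state both, and that a non-zero return from `vn_refreshlabel()` short-circuits the policy check. Nothing rejects an `op` outside that set, so a caller passing a stray value would be evaluated by policies as an unknown operation; a `KASSERT(op == MAC_OP_VNODE_READ || op == MAC_OP_VNODE_WRITE || op == MAC_OP_VNODE_POLL, ("mac_cred_check_vnode_op: bad op"));` before `MAC_CHECK` would catch that in debug kernels. `error` is assigned only by `MAC_CHECK`, which is outside the hunk, so I assume the macro always sets it as the sibling checks presumably do.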

==== //depot/projects/trustedbsd/mac/sys/kern/tty_tty.c#5 (text+ko) ====

@@ -160,9 +160,12 @@
 		return (error);
 	vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
-	/* XXXMAC: Write authorization check here. */
+	/* XXX: shouldn't the cred below be td->td_ucred not NOCRED? */
+	error = mac_cred_check_vnode_op(td->td_ucred, ttyvp,
+	    MAC_OP_VNODE_WRITE);
+	if (error == 0)
 #endif
-	error = VOP_WRITE(ttyvp, uio, flag, NOCRED);
+		error = VOP_WRITE(ttyvp, uio, flag, NOCRED);
 	VOP_UNLOCK(ttyvp, 0, td);
 	vn_finished_write(mp);
 	return (error);
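Review bot: The authorization check is made against `td->td_ucred` while the `VOP_WRITE` two lines later is still issued with `NOCRED`, so the credential a policy decides on is not the credential the operation runs under; the `XXX` comment records the question but the mismatch survives the commit. Until it is resolved, the comment should say which side is believed correct, e.g. `/* XXX: check uses td->td_ucred because NOCRED carries no label; VOP_WRITE still passes NOCRED. */`, so a policy author does not assume the two agree. Whether `NOCRED` is required here by the tty layer is not visible in the hunk.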
@@ -204,6 +207,7 @@
 	}
 #ifdef MAC
 	/* XXXMAC: Ioctl authorization check here. */
+	/* XXX: Should this be td->td_ucred below? */
 #endif
 	return (VOP_IOCTL(ttyvp, cmd, addr, flag, NOCRED, td));
 }
@@ -216,6 +220,7 @@
 	struct thread *td;
 {
 	struct vnode *ttyvp;
+	int error;
 
 	PROC_LOCK(td->td_proc);
 	SESS_LOCK(td->td_proc->p_session);
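Review bot: The new `int error;` is declared unconditionally, but its only uses in this function are inside the `#ifdef MAC` block of the following hunk, so a kernel built without `MAC` gets an unused-variable warning here. Wrap the declaration the same way as its uses: `#ifdef MAC` / `	int error;` / `#endif`. The `vn_poll()` hunk in vfs_vnops.c adds an `int error;` with the same problem.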
@@ -227,7 +232,12 @@
 		/* try operation to get EOF/failure */
 		return (seltrue(dev, events, td));
 #ifdef MAC
-	/* XXXMAC: Poll authorization check here. */
+	vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
+	error = mac_cred_check_vnode_op(td->td_ucred, ttyvp,
+	    MAC_OP_VNODE_POLL);
+	VOP_UNLOCK(ttyvp, 0, td);
+	if (error)
+		return (error);
 #endif
 	return (VOP_POLL(ttyvp, events, td->td_ucred, td));
 }

==== //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#61 (text+ko) ====

@@ -1801,9 +1801,11 @@
 		vat.va_size = 0;
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
-		/* XXXMAC: Truncation check here. */
+		error = mac_cred_check_vnode_op(td->td_ucred, vp,
+		    MAC_OP_VNODE_WRITE);
+		if (error == 0)
 #endif
-		error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
+			error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
 		VOP_UNLOCK(vp, 0, td);
 		vn_finished_write(mp);
 		if (error)
@@ -3469,13 +3471,8 @@
 	if (vp->v_type == VDIR)
 		error = EISDIR;
 #ifdef MAC
-	/*
-	 * XXXMAC: Temporarily, use the 'open' check, although eventually
-	 * the 'write' check will be used.
-	 */
-	else if ((error = mac_cred_check_open_vnode(td->td_ucred, vp, VWRITE))
-	    != 0) {
-	}
+	else if ((error = mac_cred_check_vnode_op(td->td_ucred, vp,
+	    MAC_OP_VNODE_WRITE))) {}
 #endif
 	else if ((error = vn_writechk(vp)) == 0 &&
 	    (error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) {
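Review bot: The replacement `else if ((error = mac_cred_check_vnode_op(...))) {}` drops both the explicit `!= 0` and the comment the old code carried, leaving an assignment-in-condition feeding an empty block with nothing to tell a reader it is deliberate. Keep the comparison explicit and say why the body is empty: `MAC_OP_VNODE_WRITE)) != 0) {` / `	/* MAC denied the write; fall through with error set. */` / `}`. The enclosing function starts and ends outside this hunk.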
@@ -4492,7 +4489,12 @@
 		VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);	/* XXX */
 #ifdef MAC
-		/* XXXMAC: Truncation check here. */
+		error = mac_cred_check_vnode_op(td->td_ucred, vp,
+		    MAC_OP_VNODE_WRITE);
+		if (error) {
+			vn_finished_write(mp);
+			goto bad;
+		}
 #endif
 		VATTR_NULL(vap);
 		vap->va_size = 0;
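Review bot: The new early exit `goto bad` runs after the `vn_lock(vp, ...)` two lines above it, and the hunk shows it calling `vn_finished_write(mp)` itself before jumping, which suggests `bad:` does not undo this function's per-path setup. If `bad:` also does not `VOP_UNLOCK(vp, ...)`, the vnode lock taken here leaks on a MAC denial; the label is outside the hunk, so that needs checking against the other error paths of this function. If it does not unlock, add `VOP_UNLOCK(vp, 0, td);` alongside the `vn_finished_write(mp);` in the new block.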

==== //depot/projects/trustedbsd/mac/sys/kern/vfs_vnops.c#26 (text+ko) ====

@@ -398,14 +398,16 @@
 	auio.uio_td = td;
 	if (rw == UIO_READ) {
 #ifdef MAC
-		/* XXXMAC: Read authorization check here. */
+		error = mac_cred_check_vnode_op(cred, vp, MAC_OP_VNODE_READ);
+		if (error == 0)
 #endif
-		error = VOP_READ(vp, &auio, ioflg, cred);
+			error = VOP_READ(vp, &auio, ioflg, cred);
 	} else {
 #ifdef MAC
-		/* XXXMAC: Write authorization check here. */
+		error = mac_cred_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE);
+		if (error == 0)
 #endif
-		error = VOP_WRITE(vp, &auio, ioflg, cred);
+			error = VOP_WRITE(vp, &auio, ioflg, cred);
 	}
 	if (aresid)
 		*aresid = auio.uio_resid;
@@ -493,9 +495,10 @@
 	ioflag |= sequential_heuristic(uio, fp);
 
 #ifdef MAC
-	/* XXXMAC: Read authorization check here. */
+	error = mac_cred_check_vnode_op(cred, vp, MAC_OP_VNODE_READ);
+	if (error == 0)
 #endif
-	error = VOP_READ(vp, uio, ioflag, cred);
+		error = VOP_READ(vp, uio, ioflag, cred);
 	if ((flags & FOF_OFFSET) == 0)
 		fp->f_offset = uio->uio_offset;
 	fp->f_nextoff = uio->uio_offset;
@@ -547,9 +550,10 @@
 		uio->uio_offset = fp->f_offset;
 	ioflag |= sequential_heuristic(uio, fp);
 #ifdef MAC
-	/* XXXMAC: Write authorization check here. */
+	error = mac_cred_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE);
+	if (error == 0)
 #endif
-	error = VOP_WRITE(vp, uio, ioflag, cred);
+		error = VOP_WRITE(vp, uio, ioflag, cred);
 	if ((flags & FOF_OFFSET) == 0)
 		fp->f_offset = uio->uio_offset;
 	fp->f_nextoff = uio->uio_offset;
@@ -779,12 +783,17 @@
 	struct ucred *cred;
 	struct thread *td;
 {
+	struct vnode *vp;
+	int error;
 
+	vp = (struct vnode *)fp->f_data;
 #ifdef MAC
-	/* XXXMAC: Poll authorization check here. */
+	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+	error = mac_cred_check_vnode_op(cred, vp, MAC_OP_VNODE_POLL);
+	if (error)
+		return (error);
 #endif
-
-	return (VOP_POLL(((struct vnode *)fp->f_data), events, cred, td));
+	return (VOP_POLL(vp, events, cred, td));
 }
 
 /*
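Review bot: `vn_poll()` now takes the vnode lock with `vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td)` for the MAC check and never releases it: the error path returns with the lock held, and the success path goes straight to `VOP_POLL()` and returns with it held as well. The tty_tty.c poll hunk in this same change does it correctly with a `VOP_UNLOCK` after the check; mirror that here by inserting `VOP_UNLOCK(vp, 0, td);` between the `mac_cred_check_vnode_op()` call and `if (error)`. The hunk also declares `int error;` outside `#ifdef MAC` while only using it inside, which warns in a non-MAC build.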

==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#120 (text+ko) ====

@@ -191,6 +191,10 @@
  */
 extern int	mac_debug_label_fallback;
 
+#define	MAC_OP_VNODE_READ	1
+#define	MAC_OP_VNODE_WRITE	2
+#define	MAC_OP_VNODE_POLL	3
+
 /*
  * Kernel functions to manage and evaluate labels.
  */
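Review bot: The three new `MAC_OP_VNODE_*` constants are added without any comment saying what they are, where they are consumed, or that the set is expected to grow once read/write/poll get their own entry points as the change description anticipates. A one-line comment above them, `/* Operation codes passed as 'op' to mac_cred_check_vnode_op() and to policies' mpo_cred_check_vnode_op entry point. */`, ties them to the `int op` parameter declared in the prototype hunk below. An `enum` would keep them visible to the debugger, but plain `#define` matches the rest of this header.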
@@ -288,6 +292,7 @@
 int	mac_cred_check_readlink_vnode(struct ucred *cred, struct vnode *vp);
 int	mac_cred_check_revoke_vnode(struct ucred *cred, struct vnode *vp);
 int	mac_cred_check_statfs(struct ucred *cred, struct mount *mp);
+int	mac_cred_check_vnode_op(struct ucred *cred, struct vnode *vp, int op);
 int	mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
 	    struct mac *extmac);
 int	mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#85 (text+ko) ====

@@ -316,6 +316,8 @@
 	/* XXX should be vm_prot_t, not u_char directly */
 	u_char	(*mpo_cred_check_vnode_mmap_perms)(struct ucred *cred,
 		    struct vnode *vp, struct label *label);
+	int	(*mpo_cred_check_vnode_op)(struct ucred *cred,
+		    struct vnode *vp, struct label *label, int op);
 	int	(*mpo_ifnet_check_send_mbuf)(struct ifnet *ifnet,
 		    struct label *ifnetlabel, struct mbuf *mbuf,
 		    struct label *mbuflabel);
@@ -429,6 +431,7 @@
 	MAC_CRED_CHECK_SIGNAL_PROC,
 	MAC_CRED_CHECK_STAT_VNODE,
 	MAC_CRED_CHECK_VNODE_MMAP_PERMS,
+	MAC_CRED_CHECK_VNODE_OP,
 	MAC_IFNET_CHECK_SEND_MBUF,
 	MAC_SOCKET_CHECK_RECEIVE_MBUF,
 };


