PERFORCE change 14834 for review

Robert Watson rwatson at freebsd.org
Wed Jul 24 14:27:11 GMT 2002


http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14834

Change 14834 by rwatson at rwatson_paprika on 2002/07/24 07:26:41

	Implement mac_cred_check_vnode_op() for mls and biba, and
	correct bugs in the not-enabled cases for these policies
	relating to bfeldman's mmap check (disabling the policy broke
	all mmaps for processes that changed their label, like login).

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#67 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#54 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#67 (text+ko) ====

@@ -98,6 +98,12 @@
 TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
     sizeof(trusted_interfaces));
 
+static int	mac_biba_revocation_enabled = 0;
+SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
+    &mac_biba_revocation_enabled, 0, "Revoke access to objects on relabel");
+TUNABLE_INT("security.mac.biba.revocation_enabled",
+    &mac_biba_revocation_enabled);
+
 static int	mac_biba_slot;
 #define	SLOT(l)	((struct mac_biba *)LABEL_TO_SLOT((l), mac_biba_slot).l_ptr)
 
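Review bot: `mac_biba_revocation_enabled` is added with a default of 0 and no comment describing what it gates. In this change it short-circuits both the mmap check patched in the next hunk and the new vnode-op check, so with the default setting access obtained before a relabel is left in place. A comment above the declaration would make that explicit, for example `/* If 0 (default), access granted before a relabel is not re-checked on mmap or per operation. */`. The knob is also CTLFLAG_RW and the visible code reads it only at check time, so enabling it at runtime presumably affects later checks only; that is worth stating in the same comment.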
@@ -1837,8 +1843,8 @@
 	struct mac_biba *subj, *obj;
 	vm_prot_t prot = 0;
 
-	if (!mac_biba_enabled)
-		return (0);
+	if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+		return (VM_PROT_ALL);
 
 	subj = SLOT(&cred->cr_label);
 	obj = SLOT(label);
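Review bot: The value returned here appears to be a mask of permitted protections rather than an errno (`vm_prot_t prot` is what the function returns), and nothing near the new early return says so. The old `return (0)` read like "success" but, in that convention, meant "no access", which matches the breakage described in the change text. A one-line comment would keep the next editor from repeating it: `/* Returns the permitted protection mask; VM_PROT_ALL means no restriction. */`. The same comment applies to the matching hunk in mac_mls.c; the function's signature lies outside both hunks.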
@@ -1850,6 +1856,37 @@
 	return (prot);
 }
 
+static int
+mac_biba_cred_check_vnode_op(struct ucred *cred, struct vnode *vp,
+    struct label *label, int op)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(label);
+
+	switch (op) {
+	case MAC_OP_VNODE_POLL:
+	case MAC_OP_VNODE_READ:
+		if (!mac_biba_dominate_single(obj, subj))
+			return (EACCES);
+		return (0);
+
+	case MAC_OP_VNODE_WRITE:
+		if (!mac_biba_dominate_single(subj, obj))
+			return (EACCES);
+		return (0);
+
+	default:
+		printf("mac_biba_cred_check_vnode_op: unknown operation %d\n",
+		    op);
+		return (EINVAL);
+	}
+}
+
 static struct mac_policy_op_entry mac_biba_ops[] =
 {
 	{ MAC_DESTROY,
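Review bot: The two dominance tests in mac_biba_cred_check_vnode_op differ only in argument order, and no comment states which direction is intended, so a swapped call would be hard to spot in review. A comment before the switch would help, such as `/* Biba: read/poll requires obj to dominate subj; write requires subj to dominate obj. */`. mac_mls_cred_check_vnode_op in mac_mls.c uses the opposite order and deserves the mirror-image comment. Separately, the early return precedes the switch, so in the default configuration an unknown `op` returns 0 and the EINVAL diagnostic is only reached when revocation is enabled; `vp` is unused in the visible body.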
@@ -2048,6 +2085,8 @@
 	    (macop_t)mac_biba_socket_check_receive_mbuf },
 	{ MAC_CRED_CHECK_VNODE_MMAP_PERMS,
 	    (macop_t)mac_biba_cred_check_vnode_mmap_perms },
+	{ MAC_CRED_CHECK_VNODE_OP,
+	    (macop_t)mac_biba_cred_check_vnode_op },
 	{ MAC_OP_LAST, NULL }
 };
 

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#54 (text+ko) ====

@@ -87,6 +87,12 @@
 SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
     &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
 
+static int	mac_mls_revocation_enabled = 0;
+SYSCTL_INT(_security_mac_mls, OID_AUTO, revocation_enabled, CTLFLAG_RW,
+    &revocation_enabled, 0, "Revoke access to objects on relabel");
+TUNABLE_INT("security.mac.mls.revocation_enabled",
+    &mac_mls_revocation_enabled);
+
 static int	mac_mls_slot;
 #define	SLOT(l)	((struct mac_mls *)LABEL_TO_SLOT((l), mac_mls_slot).l_ptr)
 
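Review bot: The SYSCTL_INT for the MLS knob passes `&revocation_enabled`, while the variable declared on the line above it and used by TUNABLE_INT is `mac_mls_revocation_enabled`. Unless a `revocation_enabled` symbol exists elsewhere in the file this will not compile. If one does exist, the sysctl and the loader tunable would control different variables, and the checks that read `mac_mls_revocation_enabled` would ignore the sysctl. The line should read `&mac_mls_revocation_enabled, 0, "Revoke access to objects on relabel");`, matching the Biba hunk.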
@@ -1776,8 +1782,8 @@
 	struct mac_mls *subj, *obj;
 	vm_prot_t prot = 0;
 
-	if (!mac_mls_enabled)
-		return (0);
+	if (!mac_mls_enabled || !mac_mls_revocation_enabled)
+		return (VM_PROT_ALL);
 
 	subj = SLOT(&cred->cr_label);
 	obj = SLOT(label);
@@ -1789,6 +1795,37 @@
 	return (prot);
 }
 
+static int
+mac_mls_cred_check_vnode_op(struct ucred *cred, struct vnode *vp,
+    struct label *label, int op)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mac_mls_enabled || !mac_mls_revocation_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(label);
+
+	switch (op) {
+	case MAC_OP_VNODE_POLL:
+	case MAC_OP_VNODE_READ:
+		if (!mac_mls_dominate_single(subj, obj))
+			return (EACCES);
+		return (0);
+
+	case MAC_OP_VNODE_WRITE:
+		if (!mac_mls_dominate_single(obj, subj))
+			return (EACCES);
+		return (0);
+
+	default:
+		printf("mac_mls_cred_check_vnode_op: unknown operation %d\n",
+		    op);
+		return (EINVAL);
+	}
+}
+
 static struct mac_policy_op_entry mac_mls_ops[] =
 {
 	{ MAC_DESTROY,
@@ -1987,6 +2024,8 @@
 	    (macop_t)mac_mls_socket_check_receive_mbuf },
 	{ MAC_CRED_CHECK_VNODE_MMAP_PERMS,
 	    (macop_t)mac_mls_cred_check_vnode_mmap_perms },
+	{ MAC_CRED_CHECK_VNODE_OP,
+	    (macop_t)mac_mls_cred_check_vnode_op },
 	{ MAC_OP_LAST, NULL }
 };
 