PERFORCE change 18664 for review

Brian Feldman green at freebsd.org
Fri Oct 4 14:58:06 GMT 2002


http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18664

Change 18664 by green at green_laptop_2 on 2002/10/04 07:57:55

	Fix up an error message; implement kernel-side externalization
	so that e.g. ps(1) works to show the processes' contexts.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#29 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#29 (text+ko) ====

@@ -131,7 +131,7 @@
 	if (file->sclass == 0) {
 		struct vattr va;
 		VOP_GETATTR(vp, &va, curthread->td_ucred, curthread);
-		printf("vnode_has_perm:: ERROR, sid=%d, sclass=0, v_type=%d"
+		printf("vnode_has_perm:: ERROR, sid=%d, sclass=0, v_type=%d,"
 		       " inode=%ld, fsid=%d\n",
 		       file->sid, vp->v_type, va.va_fileid, va.va_fsid);
 		file->sclass = vnode_type_to_security_class(vp->v_type);
@@ -937,6 +937,7 @@
 	return (VM_PROT_ALL);
 }
 
+#if 0
 static int
 sebsd_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
 {
@@ -949,7 +950,55 @@
 
 	return 0;
 }
+#endif
 
+static int
+sebsd_externalize_sid(security_id_t sid, struct mac_element *element,
+    int *claimed)
+{
+	security_context_t context;
+	u_int32_t context_len;
+        int error;
+
+        if (strcmp("sebsd", element->me_name) == 0) {
+                (*claimed)++;
+		error = security_sid_to_context(sid, &context,
+		    &context_len);
+                if (error)
+                        return (error);
+                if (element->me_databuflen < context_len) {
+			security_free_context(context);
+                        return (EINVAL);
+		}
+                error = copyout(context, element->me_data, context_len);
+		security_free_context(context);
+                if (error)
+                        return (error);
+                element->me_datalen = context_len;
+        }
+        return (0);
+}
+
+static int
+sebsd_externalize_cred_label(struct label *label, struct mac *mac,
+    struct mac_element *element, int *claimed)
+{
+	struct task_security_struct *tsec;
+
+	tsec = SLOT(label);
+	return (sebsd_externalize_sid(tsec->sid, element, claimed));
+}
+
+static int
+sebsd_externalize_vnode_label(struct label *label, struct mac *mac,
+    struct mac_element *element, int *claimed)
+{
+	struct vnode_security_struct *vsec;
+
+	vsec = SLOT(label);
+	return (sebsd_externalize_sid(vsec->sid, element, claimed));
+}
+
 /*
  * Initialize the SEBSD security server after the root partition has
  * been mounted; policy is located on root partition.
@@ -983,14 +1032,12 @@
 	    (macop_t)sebsd_destroy_vnode_label },
 
 	/* In/Out */
+	{ MAC_EXTERNALIZE_CRED_LABEL, sebsd_externalize_cred_label },
+	{ MAC_EXTERNALIZE_VNODE_LABEL, sebsd_externalize_vnode_label },
 #if 0
-	{ MAC_EXTERNALIZE,
-	    (macop_t)sebsd_externalize },
-	{ MAC_EXTERNALIZE_PID,
-	    (macop_t)sebsd_externalize_pid },
-#endif
 	{ MAC_EXTERNALIZE_VNODE_OLDMAC,
 	    (macop_t)sebsd_externalize_vnode_oldmac },
+#endif
 
 	/* Create Labels */
 	{ MAC_CREATE_CRED, 
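Review bot: The two new table entries omit the `(macop_t)` cast that every neighbouring entry uses, so the table is now inconsistent and these two rows will produce a different diagnostic profile under stricter warning flags than the rows around them; write them as `{ MAC_EXTERNALIZE_CRED_LABEL, (macop_t)sebsd_externalize_cred_label },` and `{ MAC_EXTERNALIZE_VNODE_LABEL, (macop_t)sebsd_externalize_vnode_label },`. Moving the `#endif` also leaves the OLDMAC entry and its function (disabled by the earlier `#if 0` hunk) as dead code kept only by preprocessor fencing; if the old interface is not coming back, deleting it is cleaner than carrying it under `#if 0`. The table continues past the end of the hunk.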