PERFORCE change 19467 for review
Brian Feldman
green at freebsd.org
Thu Oct 17 17:29:01 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=19467
Change 19467 by green at green_laptop_2 on 2002/10/17 10:28:43
Add the (not yet documented further) execve_mac(2) system call,
which allows for transitioning by SEBSD. To provide more
information, including the execve_mac(2) label passed in, the
struct image_params *imgp is now passed to all MAC exec entry
points.
Implement internalization for credential labels in SEBSD, so
that execve_mac(2) works properly and setpmac(1) "sorta" works.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/ia64/ia32/syscalls.master#6 edit
.. //depot/projects/trustedbsd/mac/sys/kern/imgact_elf.c#15 edit
.. //depot/projects/trustedbsd/mac/sys/kern/init_sysent.c#38 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_exec.c#38 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#312 edit
.. //depot/projects/trustedbsd/mac/sys/kern/syscalls.c#37 edit
.. //depot/projects/trustedbsd/mac/sys/kern/syscalls.master#34 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#134 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#56 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#114 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#85 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#87 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#58 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#42 edit
.. //depot/projects/trustedbsd/mac/sys/sys/exec.h#3 edit
.. //depot/projects/trustedbsd/mac/sys/sys/imgact.h#12 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#180 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#141 edit
.. //depot/projects/trustedbsd/mac/sys/sys/syscall.h#38 edit
.. //depot/projects/trustedbsd/mac/sys/sys/syscall.mk#37 edit
.. //depot/projects/trustedbsd/mac/sys/sys/sysproto.h#39 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/ia64/ia32/syscalls.master#6 (text+ko) ====
@@ -585,3 +585,4 @@
412 UNIMPL BSD extattr_set_link
413 UNIMPL BSD extattr_get_link
414 UNIMPL BSD extattr_delete_link
+415 UNIMPL BSD execve_mac
==== //depot/projects/trustedbsd/mac/sys/kern/imgact_elf.c#15 (text+ko) ====
@@ -519,6 +519,7 @@
imgp->firstpage = NULL;
imgp->image_header = (char *)kmem_alloc_wait(exec_map, PAGE_SIZE);
imgp->object = NULL;
+ imgp->execlabel = NULL;
if (imgp->image_header == NULL) {
nd->ni_vp = NULL;
==== //depot/projects/trustedbsd/mac/sys/kern/init_sysent.c#38 (text+ko) ====
@@ -443,4 +443,5 @@
{ AS(extattr_set_link_args), (sy_call_t *)extattr_set_link }, /* 412 = extattr_set_link */
{ AS(extattr_get_link_args), (sy_call_t *)extattr_get_link }, /* 413 = extattr_get_link */
{ AS(extattr_delete_link_args), (sy_call_t *)extattr_delete_link }, /* 414 = extattr_delete_link */
+ { SYF_MPSAFE | AS(execve_mac_args), (sy_call_t *)execve_mac }, /* 415 = execve_mac */
};
==== //depot/projects/trustedbsd/mac/sys/kern/kern_exec.c#38 (text+ko) ====
@@ -136,22 +136,23 @@
static const struct execsw **execsw;
#ifndef _SYS_SYSPROTO_H_
-struct execve_args {
+struct execve_mac_args {
char *fname;
char **argv;
char **envv;
+ struct mac *mac_p;
};
#endif
/*
- * execve() system call.
+ * execve_mac() system call.
*
* MPSAFE
*/
int
-execve(td, uap)
+execve_mac(td, uap)
struct thread *td;
- register struct execve_args *uap;
+ register struct execve_mac_args *uap;
{
struct proc *p = td->td_proc;
struct nameidata nd, *ndp;
@@ -172,6 +173,7 @@
int textset;
#ifdef MAC
struct label interplabel; /* label of the interpreted file */
+ struct label execlabel; /* additional MAC label argument */
int will_transition, interplabelvalid = 0;
#endif
@@ -208,6 +210,7 @@
*/
imgp->proc = p;
imgp->uap = uap;
+ imgp->execlabel = NULL;
imgp->attr = &attr;
imgp->argc = imgp->envc = 0;
imgp->argv0 = NULL;
@@ -222,6 +225,14 @@
imgp->ps_strings = 0;
imgp->auxarg_size = 0;
+#ifdef MAC
+ error = mac_execve_enter(imgp, uap->mac_p, &execlabel);
+ if (error) {
+ mtx_lock(&Giant);
+ goto exec_fail;
+ }
+#endif /* MAC */
+
/*
* Allocate temporary demand zeroed space for argument and
* environment strings
@@ -458,7 +469,7 @@
#ifdef MAC
will_transition = mac_execve_will_transition(oldcred, imgp->vp,
- interplabelvalid ? &interplabel : NULL);
+ interplabelvalid ? &interplabel : NULL, imgp);
credential_changing |= will_transition;
#endif
@@ -506,7 +517,7 @@
#ifdef MAC
if (will_transition) {
mac_execve_transition(oldcred, newcred, imgp->vp,
- interplabelvalid ? &interplabel : NULL);
+ interplabelvalid ? &interplabel : NULL, imgp);
}
#endif
/*
@@ -653,12 +664,18 @@
if (imgp->vmspace_destroyed) {
/* sorry, no more process anymore. exit gracefully */
+#ifdef MAC
+ mac_execve_exit(imgp);
+ if (interplabelvalid)
+ mac_destroy_vnode_label(&interplabel);
+#endif /* MAC */
exit1(td, W_EXITCODE(0, SIGABRT));
/* NOT REACHED */
error = 0;
}
done2:
#ifdef MAC
+ mac_execve_exit(imgp);
if (interplabelvalid)
mac_destroy_vnode_label(&interplabel);
#endif /* MAC */
@@ -666,7 +683,31 @@
return (error);
}
+/*
+ * execve() system call. This is simply a wrapper for execve_mac
+ * which passes in a NULL label argument.
+ *
+ * MPSAFE
+ */
int
+execve(td, uap)
+ struct thread *td;
+ struct execve_args /* {
+ syscallarg(char *) fname;
+ syscallarg(char **) argv;
+ syscallarg(char **) envv;
+ } */ *uap;
+{
+ struct execve_mac_args mac_args;
+
+ mac_args.fname = uap->fname;
+ mac_args.argv = uap->argv;
+ mac_args.envv = uap->envv;
+ mac_args.mac_p = NULL;
+ return (execve_mac(td, &mac_args));
+}
+
+int
exec_map_first_page(imgp)
struct image_params *imgp;
{
@@ -1027,7 +1068,7 @@
td = curthread; /* XXXKSE */
#ifdef MAC
- error = mac_check_vnode_exec(td->td_ucred, imgp->vp);
+ error = mac_check_vnode_exec(td->td_ucred, imgp->vp, imgp);
if (error)
return (error);
#endif
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#312 (text+ko) ====
@@ -50,6 +50,7 @@
#include <sys/param.h>
#include <sys/extattr.h>
+#include <sys/imgact.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
@@ -2058,12 +2059,14 @@
void
mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
- struct label *shelllabel)
+ struct label *shelllabel, struct image_params *imgp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
+ if (!mac_enforce_process && !mac_enforce_fs)
+ return;
error = vn_refreshlabel(vp, old);
if (error) {
printf("mac_execve_transition: vn_refreshlabel returned %d\n",
@@ -2071,22 +2074,26 @@
printf("mac_execve_transition: using old vnode label\n");
}
- MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label, shelllabel);
+ MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label, shelllabel,
+ imgp);
}
int
mac_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *shelllabel)
+ struct label *shelllabel, struct image_params *imgp)
{
int error, result;
+ if (!mac_enforce_process && !mac_enforce_fs)
+ return (0);
+
error = vn_refreshlabel(vp, old);
if (error)
return (error);
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- shelllabel);
+ shelllabel, imgp);
return (result);
}
@@ -2208,7 +2215,8 @@
}
int
-mac_check_vnode_exec(struct ucred *cred, struct vnode *vp)
+mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+ struct image_params *imgp)
{
int error;
@@ -2220,7 +2228,7 @@
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
return (error);
}
@@ -4256,6 +4264,41 @@
return (error);
}
+int
+mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
+ struct label *execlabelstorage)
+{
+ struct mac_element *element_array;
+ struct mac extmac;
+ int error;
+
+ if (mac_p == NULL)
+ return (0);
+ error = copyin(mac_p, &extmac, sizeof(extmac));
+ if (error)
+ return (error);
+ error = mac_copyin_element_array(&extmac, &element_array);
+ if (error)
+ return (error);
+ mac_init_cred_label(execlabelstorage);
+ error = mac_internalize_cred_label(execlabelstorage, &extmac,
+ element_array);
+ mac_free_element_array(element_array);
+ if (error) {
+ mac_destroy_cred_label(execlabelstorage);
+ return (error);
+ }
+ imgp->execlabel = execlabelstorage;
+ return (error);
+}
+
+void
+mac_execve_exit(struct image_params *imgp)
+{
+ if (imgp->execlabel != NULL)
+ mac_destroy_cred_label(imgp->execlabel);
+}
+
SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL);
SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL);
@@ -4331,4 +4374,16 @@
return (ENOSYS);
}
+int
+mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
+ struct label *execlabelstorage)
+{
+
+ return (0);
+}
+
+void
+mac_execve_exit(struct image_params *imgp)
+{
+}
#endif /* !MAC */
==== //depot/projects/trustedbsd/mac/sys/kern/syscalls.c#37 (text+ko) ====
@@ -2,8 +2,8 @@
* System call names.
*
* DO NOT EDIT-- this file is automatically generated.
- * $FreeBSD: src/sys/kern/syscalls.c,v 1.122 2002/10/10 04:08:11 rwatson Exp $
- * created from FreeBSD: src/sys/kern/syscalls.master,v 1.128 2002/10/10 04:02:49 rwatson Exp
+ * $FreeBSD$
+ * created from FreeBSD: src/sys/kern/syscalls.master,v 1.129 2002/10/15 01:36:45 peter Exp
*/
char *syscallnames[] = {
@@ -416,10 +416,11 @@
"ksem_unlink", /* 406 = ksem_unlink */
"ksem_getvalue", /* 407 = ksem_getvalue */
"ksem_destroy", /* 408 = ksem_destroy */
- "#409", /* 409 = __mac_get_pid */
- "#410", /* 410 = __mac_get_link */
- "#411", /* 411 = __mac_set_link */
+ "__mac_get_pid", /* 409 = __mac_get_pid */
+ "__mac_get_link", /* 410 = __mac_get_link */
+ "__mac_set_link", /* 411 = __mac_set_link */
"extattr_set_link", /* 412 = extattr_set_link */
"extattr_get_link", /* 413 = extattr_get_link */
"extattr_delete_link", /* 414 = extattr_delete_link */
+ "execve_mac", /* 415 = execve_mac */
};
==== //depot/projects/trustedbsd/mac/sys/kern/syscalls.master#34 (text+ko) ====
@@ -597,6 +597,8 @@
void *data, size_t nbytes); }
414 STD BSD { int extattr_delete_link(const char *path, \
int attrnamespace, const char *attrname); }
+415 MSTD BSD { int execve_mac(char *fname, char **argv, \
+ char **envv, struct mac *mac_p); }
; Please copy any additions and changes to the following compatability tables:
; sys/ia64/ia32/syscalls.master (take a best guess)
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#134 (text+ko) ====
@@ -1236,7 +1236,8 @@
static void
mac_biba_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct mac *vnodelabel, struct mac *shellvnodelabel)
+ struct vnode *vp, struct mac *vnodelabel, struct mac *shellvnodelabel,
+ struct image_params *imgp)
{
struct mac_biba *source, *dest;
@@ -1249,7 +1250,8 @@
static int
mac_biba_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct mac *vnodelabel, struct vnode *shellvnodelabel)
+ struct mac *vnodelabel, struct vnode *shellvnodelabel,
+ struct image_params *imgp)
{
return (0);
@@ -1827,7 +1829,7 @@
static int
mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *label, struct image_params *imgp)
{
struct mac_biba *subj, *obj;
==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#56 (text+ko) ====
@@ -397,7 +397,7 @@
static int
mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *label, struct image_params *imgp)
{
struct vattr vap;
int error;
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#114 (text+ko) ====
@@ -1278,7 +1278,8 @@
static void
mac_mls_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct label *vnodelabel, struct label *shellvnodelabel)
+ struct vnode *vp, struct label *vnodelabel, struct label *shellvnodelabel,
+ struct image_params *imgp)
{
struct mac_mls *source, *dest;
@@ -1291,7 +1292,8 @@
static int
mac_mls_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *vnodelabel, struct label *shellvnodelabel)
+ struct label *vnodelabel, struct label *shellvnodelabel,
+ struct image_params *imgp)
{
return (0);
@@ -1878,7 +1880,7 @@
static int
mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *label, struct image_params *imgp)
{
struct mac_mls *subj, *obj;
==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#85 (text+ko) ====
@@ -415,14 +415,16 @@
static void
mac_none_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct label *vnodelabel, struct label *shellvnodelabel)
+ struct vnode *vp, struct label *vnodelabel, struct label *shellvnodelabel,
+ struct image_params *imgp)
{
}
static int
mac_none_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *vnodelabel, struct label *shellvnodelabel)
+ struct label *vnodelabel, struct label *shellvnodelabel,
+ struct image_params *imgp)
{
return (0);
@@ -669,7 +671,7 @@
static int
mac_none_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *label, struct image_params *imgp)
{
return (0);
==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#87 (text+ko) ====
@@ -1097,7 +1097,7 @@
static int
mac_te_check_exec_vnode(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *label, struct image_params *imgp)
{
return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
@@ -1534,7 +1534,8 @@
static void
mac_te_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct label *filelabel, struct label *shellfilelabel)
+ struct vnode *vp, struct label *filelabel, struct label *shellfilelabel,
+ struct image_params *imgp)
{
int rule;
@@ -1566,7 +1567,8 @@
static int
mac_te_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *filelabel, struct label *shellfilelabel)
+ struct label *filelabel, struct label *shellfilelabel,
+ struct image_params *imgp)
{
int rule;
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#58 (text+ko) ====
@@ -794,14 +794,16 @@
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct label *filelabel, struct label *shellfilelabel)
+ struct vnode *vp, struct label *filelabel, struct label *shellfilelabel,
+ struct image_params *imgp)
{
}
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *filelabel, struct label *shellfilelabel)
+ struct label *filelabel, struct label *shellfilelabel,
+ struct image_params *imgp)
{
return (0);
@@ -1065,7 +1067,7 @@
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *label, struct image_params *imgp)
{
return (0);
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#42 (text+ko) ====
@@ -37,6 +37,7 @@
#include <sys/types.h>
#include <sys/param.h>
#include <sys/extattr.h>
+#include <sys/imgact.h>
#include <sys/conf.h>
#include <sys/kernel.h>
#include <sys/mac.h>
@@ -298,11 +299,11 @@
static void
sebsd_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vnodelabel,
- struct label *shellvnodelabel)
+ struct label *shellvnodelabel,
+ struct image_params *imgp)
{
struct task_security_struct *otask, *ntask;
struct vnode_security_struct *file;
- int rc;
otask = SLOT(&old->cr_label);
ntask = SLOT(&new->cr_label);
@@ -317,10 +318,13 @@
* So just make the transition.
*/
ntask->osid = otask->sid;
- rc = security_transition_sid(otask->sid, file->sid, SECCLASS_PROCESS,
- &ntask->sid);
- if (rc)
- return; /* TBD: what happens if the previous call failed? */
+ if (imgp->execlabel == NULL) {
+ (void)security_transition_sid(otask->sid, file->sid,
+ SECCLASS_PROCESS, &ntask->sid);
+ } else {
+ ntask->sid = ((struct task_security_struct *)
+ SLOT(imgp->execlabel))->sid;
+ }
if (otask->sid != ntask->sid) {
/*
@@ -336,12 +340,12 @@
static int
sebsd_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *vnodelabel,
- struct label *shellvnodelabel)
+ struct label *shellvnodelabel,
+ struct image_params *imgp)
{
struct task_security_struct *task;
struct vnode_security_struct *file;
security_id_t newsid;
- int rc;
task = SLOT(&old->cr_label);
if (shellvnodelabel != NULL)
@@ -353,10 +357,13 @@
* Should have already checked all the permissions, so just see if
* the SIDS are going to match.
*/
- rc = security_transition_sid(task->sid, file->sid, SECCLASS_PROCESS,
- &newsid);
- if (rc)
- return EACCES;
+ if (imgp->execlabel == NULL) {
+ (void)security_transition_sid(task->sid, file->sid,
+ SECCLASS_PROCESS, &newsid);
+ } else {
+ newsid = ((struct task_security_struct *)
+ SLOT(imgp->execlabel))->sid;
+ }
return (newsid != task->sid);
}
@@ -487,12 +494,11 @@
}
static int
-sebsd_internalize_vnode_label(struct label *label, struct mac *mac,
- struct mac_element *element, int *claimed)
+sebsd_internalize_sid(security_id_t *sidp, struct mac_element *element,
+ int *claimed)
{
char context[128];
size_t context_len;
- struct vnode_security_struct *vsec;
int error;
if (strcmp("sebsd", element->me_name) != 0)
@@ -504,8 +510,27 @@
&context_len);
if (error)
return (error);
+ return (security_context_to_sid(context, context_len, sidp));
+}
+
+static int
+sebsd_internalize_cred_label(struct label *label, struct mac *mac,
+ struct mac_element *element, int *claimed)
+{
+ struct task_security_struct *tsec;
+
+ tsec = SLOT(label);
+ return (sebsd_internalize_sid(&tsec->sid, element, claimed));
+}
+
+static int
+sebsd_internalize_vnode_label(struct label *label, struct mac *mac,
+ struct mac_element *element, int *claimed)
+{
+ struct vnode_security_struct *vsec;
+
vsec = SLOT(label);
- return (security_context_to_sid(context, context_len, &vsec->sid));
+ return (sebsd_internalize_sid(&vsec->sid, element, claimed));
}
static void
@@ -675,7 +700,7 @@
static int
sebsd_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *label, struct image_params *imgp)
{
struct task_security_struct *task;
struct vnode_security_struct *file;
@@ -684,10 +709,15 @@
task = SLOT(&cred->cr_label);
file = SLOT(label);
- rc = security_transition_sid(task->sid, file->sid, SECCLASS_PROCESS,
- &newsid);
- if (rc)
- return EACCES;
+ if (imgp->execlabel == NULL) {
+ rc = security_transition_sid(task->sid, file->sid,
+ SECCLASS_PROCESS, &newsid);
+ if (rc)
+ return EACCES;
+ } else {
+ newsid = ((struct task_security_struct *)
+ SLOT(imgp->execlabel))->sid;
+ }
if (newsid == task->sid) {
rc = avc_has_perm(task->sid, file->sid,
@@ -1128,6 +1158,7 @@
/* In/Out */
{ MAC_EXTERNALIZE_CRED_LABEL, sebsd_externalize_cred_label },
{ MAC_EXTERNALIZE_VNODE_LABEL, sebsd_externalize_vnode_label },
+ { MAC_INTERNALIZE_CRED_LABEL, sebsd_internalize_cred_label },
{ MAC_INTERNALIZE_VNODE_LABEL, sebsd_internalize_vnode_label },
/* Create Labels */
==== //depot/projects/trustedbsd/mac/sys/sys/exec.h#3 (text+ko) ====
==== //depot/projects/trustedbsd/mac/sys/sys/imgact.h#12 (text+ko) ====
@@ -41,10 +41,12 @@
struct sysentvec;
struct thread;
struct vm_object;
+struct label;
struct image_params {
struct proc *proc; /* our process struct */
- struct execve_args *uap; /* syscall arguments */
+ struct execve_mac_args *uap; /* syscall arguments */
+ struct label *execlabel; /* MAC label to compose transition with */
struct vnode *vp; /* pointer to vnode of file to exec */
struct vm_object *object; /* The vm object for this vp */
struct vattr *attr; /* attributes of file */
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#180 (text+ko) ====
@@ -207,6 +207,7 @@
struct ifnet;
struct ifreq;
struct ipq;
+struct image_params;
struct mbuf;
struct mount;
struct proc;
@@ -311,9 +312,13 @@
*/
void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
void mac_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct label *shelllabel);
+ struct vnode *vp, struct label *shelllabel,
+ struct image_params *imgp);
int mac_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *shelllabel);
+ struct label *shelllabel, struct image_params *imgp);
+int mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
+ struct label *execlabel);
+void mac_execve_exit(struct image_params *imgp);
void mac_create_proc0(struct ucred *cred);
void mac_create_proc1(struct ucred *cred);
void mac_thread_userret(struct thread *td);
@@ -352,7 +357,8 @@
struct vnode *vp, struct componentname *cnp);
int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
-int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp);
+int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+ struct image_params *imgp);
int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#141 (text+ko) ====
@@ -252,10 +252,12 @@
struct ucred *child_cred);
void (*mpo_execve_transition)(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vnodelabel,
- struct label *shellvnodelabel);
+ struct label *shellvnodelabel,
+ struct image_params *imgp);
int (*mpo_execve_will_transition)(struct ucred *old,
struct vnode *vp, struct label *vnodelabel,
- struct label *shellvnodelabel);
+ struct label *shellvnodelabel,
+ struct image_params *imgp);
void (*mpo_create_proc0)(struct ucred *cred);
void (*mpo_create_proc1)(struct ucred *cred);
void (*mpo_relabel_cred)(struct ucred *cred,
@@ -333,7 +335,7 @@
int (*mpo_check_vnode_deleteacl)(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t type);
int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
- struct label *label);
+ struct label *label, struct image_params *imgp);
int (*mpo_check_vnode_getacl)(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t type);
int (*mpo_check_vnode_getextattr)(struct ucred *cred,
==== //depot/projects/trustedbsd/mac/sys/sys/syscall.h#38 (text+ko) ====
@@ -323,4 +323,5 @@
#define SYS_extattr_set_link 412
#define SYS_extattr_get_link 413
#define SYS_extattr_delete_link 414
-#define SYS_MAXSYSCALL 415
+#define SYS_execve_mac 415
+#define SYS_MAXSYSCALL 416
==== //depot/projects/trustedbsd/mac/sys/sys/syscall.mk#37 (text+ko) ====
@@ -271,4 +271,5 @@
__mac_set_link.o \
extattr_set_link.o \
extattr_get_link.o \
- extattr_delete_link.o
+ extattr_delete_link.o \
+ execve_mac.o
==== //depot/projects/trustedbsd/mac/sys/sys/sysproto.h#39 (text+ko) ====
@@ -1189,6 +1189,12 @@
char attrnamespace_l_[PADL_(int)]; int attrnamespace; char attrnamespace_r_[PADR_(int)];
char attrname_l_[PADL_(const char *)]; const char * attrname; char attrname_r_[PADR_(const char *)];
};
+struct execve_mac_args {
+ char fname_l_[PADL_(char *)]; char * fname; char fname_r_[PADR_(char *)];
+ char argv_l_[PADL_(char **)]; char ** argv; char argv_r_[PADR_(char **)];
+ char envv_l_[PADL_(char **)]; char ** envv; char envv_r_[PADR_(char **)];
+ char mac_p_l_[PADL_(struct mac *)]; struct mac * mac_p; char mac_p_r_[PADR_(struct mac *)];
+};
int nosys(struct thread *, struct nosys_args *);
void sys_exit(struct thread *, struct sys_exit_args *);
int fork(struct thread *, struct fork_args *);
@@ -1457,6 +1463,7 @@
int extattr_set_link(struct thread *, struct extattr_set_link_args *);
int extattr_get_link(struct thread *, struct extattr_get_link_args *);
int extattr_delete_link(struct thread *, struct extattr_delete_link_args *);
+int execve_mac(struct thread *, struct execve_mac_args *);
#ifdef COMPAT_43
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list