PERFORCE change 20480 for review
Brian Feldman
green at freebsd.org
Thu Oct 31 16:33:35 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=20480
Change 20480 by green at green_laptop_2 on 2002/10/31 08:32:51
* Synchronize mac_lomac to newer mac operations declarations.
* Add support for using the auxiliary label on executables to
determine the single to switch to before beginning execution.
* Fix locking bugs, etc.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#30 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#30 (text+ko) ====
@@ -62,6 +62,7 @@
#include <sys/socketvar.h>
#include <sys/pipe.h>
#include <sys/sysctl.h>
+#include <sys/syslog.h>
#include <fs/devfs/devfs.h>
@@ -488,11 +489,21 @@
mac_lomac_copy_range(source, dest);
}
+static int mac_lomac_to_string(char *string, size_t size,
+ size_t *caller_len, struct mac_lomac *mac_lomac);
+
static int
-maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel)
+maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel,
+ const char *actionname, const char *objname)
{
+ static const char xxx[] = "<<XXX>>";
struct mac_lomac_proc *subj = PSLOT(&curthread->td_proc->p_label);
+ char *subjlabeltext, *objlabeltext, *subjtext, *text;
+ struct proc *p;
+ size_t len;
+ pid_t pgid;
+ p = curthread->td_proc;
mtx_lock(&subj->mtx);
if (subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) {
/*
@@ -500,8 +511,10 @@
* less severe than this one, and keep the more severe.
* This can only happen for a multi-threaded application.
*/
- if (mac_lomac_dominate_single(objlabel, &subj->mac_lomac))
- goto out;
+ if (mac_lomac_dominate_single(objlabel, &subj->mac_lomac)) {
+ mtx_lock(&subj->mtx);
+ return (0);
+ }
}
bzero(&subj->mac_lomac, sizeof(subj->mac_lomac));
/*
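Review bot: The early return added for the MAC_LOMAC_FLAG_UPDATE case re-locks `subj->mtx` rather than releasing it; the mutex was acquired with `mtx_lock(&subj->mtx)` a few lines above this hunk, and the old code reached the `out:` label, which did the `mtx_unlock`. Recursing on a non-recursive kernel mutex will panic under WITNESS or deadlock, and even if it did not, the function would return with the lock still held. Change the line to `mtx_unlock(&subj->mtx);` before `return (0);`. maybe_demote's body starts and ends outside this hunk.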
@@ -523,8 +536,43 @@
curthread->td_kse->ke_flags |= KEF_ASTPENDING;
curthread->td_proc->p_sflag |= PS_MACPEND;
mtx_unlock_spin(&sched_lock);
-out:
+ subjtext = subjlabeltext = objlabeltext = xxx;
+ if (mac_lomac_to_string(NULL, 0, &len, &subj->mac_lomac) == 0 &&
+ (text = malloc(len + 1, M_MACLOMAC, M_NOWAIT)) != NULL) {
+ if (mac_lomac_to_string(text, len + 1, &len,
+ &subj->mac_lomac) == 0)
+ subjtext = text;
+ else
+ free(text, M_MACLOMAC);
+ }
mtx_unlock(&subj->mtx);
+ if (mac_lomac_to_string(NULL, 0, &len, subjlabel) == 0 &&
+ (text = malloc(len + 1, M_MACLOMAC, M_WAITOK)) != NULL) {
+ if (mac_lomac_to_string(text, len + 1, &len,
+ subjlabel) == 0)
+ subjlabeltext = text;
+ else
+ free(text, M_MACLOMAC);
+ }
+ if (mac_lomac_to_string(NULL, 0, &len, objlabel) == 0 &&
+ (text = malloc(len + 1, M_MACLOMAC, M_WAITOK)) != NULL) {
+ if (mac_lomac_to_string(text, len + 1, &len,
+ objlabel) == 0)
+ objlabeltext = text;
+ else
+ free(text, M_MACLOMAC);
+ }
+ pgid = p->p_pgrp->pg_id; /* XXX could be stale? */
+ log(LOG_INFO, "LOMAC: level-%s subject p%dg%du%d:%s demoted to"
+ " level %s after %s a level-%s %s\n",
+ subjlabeltext, p->p_pid, pgid, curthread->td_ucred->cr_uid,
+ p->p_comm, subjtext, actionname, objlabeltext, objname);
+ if (subjlabeltext != xxx)
+ free(subjlabeltext, M_MACLOMAC);
+ if (objlabeltext != xxx)
+ free(objlabeltext, M_MACLOMAC);
+ if (subjtext != xxx)
+ free(subjtext, M_MACLOMAC);
return (0);
}
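Review bot: The `pgid = p->p_pgrp->pg_id` read is done with no lock held, as the XXX admits; `p` is the current process so it cannot go away, but `p_pgrp` can be changed underneath this read by setpgid/setsid from elsewhere, so if `p_pgrp` is protected by the process lock in this tree the read should be `PROC_LOCK(p); pgid = p->p_pgrp->pg_id; PROC_UNLOCK(p);`. Separately, the format `p%dg%du%d` passes `cr_uid` to `%d`; if `uid_t` is unsigned here (as it is in FreeBSD) that should be `%u`. The `!= NULL` tests on the two `M_WAITOK` allocations are dead since that flag cannot return NULL, and assigning the `const char xxx[]` sentinel into plain `char *` drops a qualifier; declaring the three text pointers `const char *` and casting only at the `free()` calls would keep the compiler honest. maybe_demote begins outside this hunk.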
@@ -623,78 +671,69 @@
mac_lomac_to_string(char *string, size_t size, size_t *caller_len,
struct mac_lomac *mac_lomac)
{
- size_t left, len;
+ size_t left, len, curlen;
char *curptr;
- bzero(string, size);
+ /*
+ * Also accept NULL string to allow for predetermination of total
+ * string length.
+ */
+ if (string != NULL)
+ bzero(string, size);
+ else if (size != 0)
+ return (EINVAL);
curptr = string;
left = size;
+ curlen = 0;
+#define INCLEN(length, leftover) do { \
+ if (string != NULL) { \
+ if (length >= leftover) \
+ return (EINVAL); \
+ leftover -= length; \
+ curptr += length; \
+ } \
+ curlen += length; \
+} while (0)
if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
len = mac_lomac_element_to_string(curptr, left,
&mac_lomac->ml_single);
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
}
if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_AUX) {
len = snprintf(curptr, left, "[");
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
len = mac_lomac_element_to_string(curptr, left,
&mac_lomac->ml_auxsingle);
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
len = snprintf(curptr, left, "]");
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
}
if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
len = snprintf(curptr, left, "(");
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
len = mac_lomac_element_to_string(curptr, left,
&mac_lomac->ml_rangelow);
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
len = snprintf(curptr, left, "-");
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
len = mac_lomac_element_to_string(curptr, left,
&mac_lomac->ml_rangehigh);
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
len = snprintf(curptr, left, ")");
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
}
+#undef INCLEN
- *caller_len = strlen(string);
+ *caller_len = curlen;
return (0);
}
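Review bot: The new sizing mode calls `mac_lomac_element_to_string(curptr, left, ...)` with `curptr == NULL` and `left == 0`, which is only safe if that helper (defined outside this hunk) tolerates a NULL destination the way snprintf does; that assumption should be stated where the helper is defined, e.g. `/* Must accept string == NULL with size 0: mac_lomac_to_string uses it for sizing. */`. The function's own contract has changed too, so the comment at the top should say that `*caller_len` is the length excluding the terminator and that callers must allocate `len + 1`, which is what maybe_demote does. On the macro, the arguments are used unparenthesized and `leftover` is modified in place; writing `if ((length) >= (leftover))` and `(leftover) -= (length);` is cheap insurance even though both uses today pass plain identifiers.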
@@ -1457,13 +1496,35 @@
struct vnode *vp, struct label *vnodelabel, struct label *shellvnodelabel,
struct image_params *imgp)
{
- struct mac_lomac *source, *dest;
+ struct mac_lomac *source, *dest, *obj, *robj;
source = SLOT(&old->cr_label);
dest = SLOT(&new->cr_label);
+ obj = SLOT(vnodelabel);
+ robj = shellvnodelabel != NULL ? SLOT(shellvnodelabel) : obj;
- mac_lomac_copy_single(source, dest);
- mac_lomac_copy_range(source, dest);
+ mac_lomac_copy(source, dest);
+ /*
+ * If there's an auxiliary label on the real object, respect it
+ * and assume that this level should be assumed immediately if
+ * a higher level is currently in place.
+ */
+ if (robj->ml_flags & MAC_LOMAC_FLAG_AUX &&
+ !mac_lomac_dominate_element(&robj->ml_auxsingle, &dest->ml_single)
+ && mac_lomac_auxsingle_in_range(robj, dest))
+ mac_lomac_set_single(dest, robj->ml_auxsingle.mle_type,
+ robj->ml_auxsingle.mle_grade);
+ /*
+ * Restructuring to use the execve transitioning mechanism
+ * instead of the normal demotion mechanism here would be
+ * difficult, so just copy the label over and perform standard
+ * demotion. This is also non-optimal because it will result
+ * in the intermediate label "new" being created and immediately
+ * recycled.
+ */
+ if (mac_lomac_enabled && revocation_enabled &&
+ !mac_lomac_dominate_single(obj, source))
+ (void)maybe_demote(source, obj, "executing", "file");
}
static int
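Review bot: The three-clause predicate deciding whether the auxiliary label applies (flag set, aux does not dominate the subject's single, aux within range) is written out here and again, character for character, in the will_transition routine that follows; the two must stay identical or the framework will be told one thing and the label set to another, so it belongs in one static helper both call. The helper also fixes the readability problem of the mixed `&`/`&&` expression spanning three lines with the second `&&` at the start of a line. The function this hunk modifies begins outside the hunk.
```c
/* True if the aux single on robj should replace subj's single at exec. */
static int
mac_lomac_aux_applies(struct mac_lomac *robj, struct mac_lomac *subj)
{

	return ((robj->ml_flags & MAC_LOMAC_FLAG_AUX) != 0 &&
	    !mac_lomac_dominate_element(&robj->ml_auxsingle, &subj->ml_single) &&
	    mac_lomac_auxsingle_in_range(robj, subj));
}

	/* … unchanged: label copy … */
	if (mac_lomac_aux_applies(robj, dest))
		mac_lomac_set_single(dest, robj->ml_auxsingle.mle_type,
		    robj->ml_auxsingle.mle_grade);
	/* … unchanged: demotion comment and maybe_demote call … */
```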
@@ -1471,8 +1532,19 @@
struct label *vnodelabel, struct label *shellvnodelabel,
struct image_params *imgp)
{
+ struct mac_lomac *subj, *obj, *robj;
+
+ if (!mac_lomac_enabled || !revocation_enabled)
+ return (0);
+
+ subj = SLOT(&old->cr_label);
+ obj = SLOT(vnodelabel);
+ robj = shellvnodelabel != NULL ? SLOT(shellvnodelabel) : obj;
- return (0);
+ return ((robj->ml_flags & MAC_LOMAC_FLAG_AUX &&
+ !mac_lomac_dominate_element(&robj->ml_auxsingle, &subj->ml_single)
+ && mac_lomac_auxsingle_in_range(robj, subj)) ||
+ !mac_lomac_dominate_single(obj, subj));
}
static void
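Review bot: This routine returns 0 whenever `mac_lomac_enabled` or `revocation_enabled` is off, so it reports no transition for the aux-label case as well, yet the transition routine in the previous hunk applies the aux label unconditionally and gates only the demotion on `revocation_enabled`. If the framework consults this predicate before calling the transition hook (I cannot confirm that from here), the aux-label feature silently stops working as soon as revocation is disabled, which does not look intended. Either drop `revocation_enabled` from the early return and gate only the `!mac_lomac_dominate_single(obj, subj)` clause on it, e.g. `return (aux_applies || (revocation_enabled && !mac_lomac_dominate_single(obj, subj)));`, or document that the aux label is deliberately tied to revocation. The function signature is outside the hunk.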
@@ -1694,7 +1766,7 @@
obj = SLOT((pipelabel));
if (!mac_lomac_dominate_single(obj, subj))
- return (maybe_demote(subj, obj));
+ return (maybe_demote(subj, obj, "reading", "pipe"));
return (0);
}
@@ -2076,7 +2148,7 @@
}
if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
if (!mac_lomac_dominate_single(obj, subj))
- return (maybe_demote(subj, obj));
+ return (maybe_demote(subj, obj, "mapping", "file"));
}
return (0);
@@ -2112,7 +2184,7 @@
static void
mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
- struct label *label, int *prot)
+ struct label *label, /* XXX vm_prot_t */ int *prot)
{
struct mac_lomac *subj, *obj;
@@ -2164,7 +2236,7 @@
obj = SLOT(label);
if (!mac_lomac_dominate_single(obj, subj))
- return (maybe_demote(subj, obj));
+ return (maybe_demote(subj, obj, "reading", "file"));
return (0);
}
@@ -2529,7 +2601,8 @@
.mpo_update_devfsdirent = mac_lomac_update_devfsdirent,
.mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs,
.mpo_associate_vnode_extattr = mac_lomac_associate_vnode_extattr,
- .mpo_associate_vnode_singlelabel = mac_lomac_associate_vnode_singlelabel,
+ .mpo_associate_vnode_singlelabel =
+ mac_lomac_associate_vnode_singlelabel,
.mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr,
.mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr,
.mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket,
@@ -2539,7 +2612,8 @@
.mpo_relabel_pipe = mac_lomac_relabel_pipe,
.mpo_relabel_socket = mac_lomac_relabel_socket,
.mpo_set_socket_peer_from_mbuf = mac_lomac_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = mac_lomac_set_socket_peer_from_socket,
+ .mpo_set_socket_peer_from_socket =
+ mac_lomac_set_socket_peer_from_socket,
.mpo_create_bpfdesc = mac_lomac_create_bpfdesc,
.mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq,
.mpo_create_fragment = mac_lomac_create_fragment,
@@ -2549,7 +2623,8 @@
.mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
.mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = mac_lomac_create_mbuf_multicast_encap,
+ .mpo_create_mbuf_multicast_encap =
+ mac_lomac_create_mbuf_multicast_encap,
.mpo_create_mbuf_netlayer = mac_lomac_create_mbuf_netlayer,
.mpo_fragment_match = mac_lomac_fragment_match,
.mpo_relabel_ifnet = mac_lomac_relabel_ifnet,