PERFORCE change 43936 for review

[Chris Vance]

http://perforce.freebsd.org/chv.cgi?CH=43936

Change 43936 by cvance at cvance_release on 2003/12/14 17:40:25

	Add file ioctl entry point and SEBSD implementation...

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/kern/sys_generic.c#8 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_file.c#4 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#29 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/kern/sys_generic.c#8 (text+ko) ====

@@ -584,6 +584,14 @@
 		mtx_unlock(&Giant);
 		return (EBADF);
 	}
+#ifdef MAC
+	error = mac_check_file_ioctl(td->td_ucred, fp, uap->com);
+	if (error) {
+		fdrop(fp, td);
+		mtx_unlock(&Giant);
+		return (error);
+	}
+#endif
 	fdp = td->td_proc->p_fd;
 	switch (com = uap->com) {
 	case FIONCLEX:

==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_file.c#4 (text+ko) ====


==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#29 (text+ko) ====

@@ -49,6 +49,7 @@
 #include <sys/systm.h>
 #include <sys/sysproto.h>
 #include <sys/vnode.h>
+#include <sys/file.h>
 #include <sys/pipe.h>
 #include <sys/dirent.h>
 #include <sys/capability.h>
@@ -511,7 +512,6 @@
 static void
 sebsd_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
 {
-	int rc;
 	struct task_security_struct *parent, *task;
 
 	parent = SLOT(cred_parent->cr_label);
@@ -1971,6 +1971,27 @@
 	    FD__CREATE, NULL));
 }
 
+static int
+sebsd_check_file_ioctl(struct ucred *cred, struct file *fp,
+    struct label *fplabel, u_long com)
+{
+	struct task_security_struct *tsec;
+	struct file_security_struct *fsec;
+	int error;
+
+	tsec = SLOT(cred->cr_label);
+	fsec = SLOT(fplabel);
+
+	error = avc_has_perm_audit(tsec->sid, fsec->sid, SECCLASS_FD,
+	    FD__USE, NULL);
+	if (error)
+		return (error);
+	if (fp->f_type != DTYPE_VNODE)
+		return (0);
+
+	return (vnode_has_perm(cred, fp->f_vnode, FILE__IOCTL, NULL));
+}
+
 /*
  * Simplify all other fd permissions to just "use" for now.  The ones we
  * implement in SEBSD roughly correlate to the SELinux FD__USE permissions,
@@ -2442,10 +2463,11 @@
 	.mpo_check_cap = sebsd_check_cap,
 	.mpo_check_cred_relabel = sebsd_check_cred_relabel,
 	.mpo_check_file_create = sebsd_check_file_create,
+	.mpo_check_file_ioctl = sebsd_check_file_ioctl,
+
 	/*
 	.mpo_check_file_dup
 	.mpo_check_file_inherit
-	.mpo_check_file_ioctl
 	.mpo_check_file_receive
 	*/
 	.mpo_check_file_get_flags = sebsd_check_file_get_flags,
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message