PERFORCE change 33402 for review
Chris Vance
cvance at FreeBSD.org
Thu Jun 19 20:09:14 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=33402
Change 33402 by cvance at cvance_demo on 2003/06/19 13:08:35
- Implement pipe entry points
- Fix more style issues
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#6 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_labels.h#3 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#6 (text+ko) ====
@@ -48,6 +48,7 @@
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/vnode.h>
+#include <sys/pipe.h>
#include <sys/dirent.h>
#include <fs/devfs/devfs.h>
@@ -269,13 +270,30 @@
file->sclass = vnode_type_to_security_class(vp->v_type);
if (file->sclass == 0) {
printf("vnode_has_perm:: Giving up\n");
- return 0; /* TBD: debugging */
+ return 1; /* TBD: debugging */
}
}
return avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
perm, aeref ? aeref : &file->avcr, &ad);
}
+static int
+pipe_has_perm(struct ucred *cred, struct pipe *pipe, access_vector_t perm)
+{
+ struct task_security_struct *task;
+ struct vnode_security_struct *file;
+
+ task = SLOT(&cred->cr_label);
+ file = SLOT(pipe->pipe_label);
+
+ /*
+ * TBD: No audit information yet
+ */
+
+ return(avc_has_perm_ref(task->sid, file->sid, file->sclass,
+ perm, &file->avcr));
+}
+
static void
sebsd_init_cred_label(struct label *label)
{
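Review bot: The `return 1;` in the unknown-class branch of vnode_has_perm hands callers a bare integer where the rest of the file returns parenthesised errno values; 1 is EPERM on FreeBSD and the intent appears to be deny-by-default when vnode_type_to_security_class() yields 0, so spell it `return (EPERM);` (or whichever errno the file's other denials use) and reword the TBD comment to say the branch now fails closed. vnode_has_perm starts outside the hunk. Separately, the new pipe_has_perm reaches into `pipe->pipe_label` although every caller added later in this change (sebsd_check_pipe_ioctl/poll/read/stat/write) is handed the same label explicitly as `pipelabel` and then ignores it; taking `struct label *pipelabel` as the second parameter keeps the policy decoupled from the pipe structure's internals. The `return(avc_has_perm_ref(` at the end of pipe_has_perm also lacks the space this same change adds to the proc checks; `return(rc);` in sebsd_check_pipe_relabel and `return(cred_has_capability(` in sebsd_check_system_settime have the same nit.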
@@ -316,6 +334,34 @@
SLOT(label) = sbsec;
}
+
+static void
+sebsd_init_network_label(struct label *label)
+{
+ struct network_security_struct *new;
+
+ new = malloc(sizeof(*new), M_SEBSD, M_ZERO | M_WAITOK);
+ new->sid = new->task_sid = SECINITSID_UNLABELED;
+ SLOT(label) = new;
+}
+
+static int
+sebsd_init_network_label_waitcheck(struct label *label, int flag)
+{
+ struct network_security_struct *new;
+
+ new = malloc(sizeof(*new), M_SEBSD, M_ZERO | flag);
+ if (new == NULL) {
+ SLOT(label) = NULL;
+ return (ENOMEM);
+ }
+
+ new->sid = new->task_sid = SECINITSID_UNLABELED;
+ SLOT(label) = new;
+
+ return (0);
+}
+
static void
sebsd_init_vnode_label(struct label *label)
{
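Review bot: sebsd_init_network_label duplicates the allocation and field setup of sebsd_init_network_label_waitcheck directly below it; the void variant can delegate with `(void)sebsd_init_network_label_waitcheck(label, M_WAITOK);`, since M_WAITOK makes the ENOMEM branch unreachable, so that one place owns the initial SECINITSID_UNLABELED assignment. The `avcr` member of the new struct is left to M_ZERO rather than being reset explicitly — presumably fine if an all-zero avc_entry_ref_t is a valid empty reference, but worth confirming against the AVC code and stating in a comment.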
@@ -587,6 +633,24 @@
free(path, M_SEBSD);
}
+/*
+ * Use the allocating task SID to label pipes. On Linux, pipes reside
+ * in a pseudo filesystem.
+ */
+static void
+sebsd_create_pipe(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct task_security_struct *tsec;
+ struct vnode_security_struct *vsec;
+
+ tsec = SLOT(&cred->cr_label);
+ vsec = SLOT(pipelabel);
+
+ vsec->sid = vsec->task_sid = tsec->sid;
+ vsec->sclass = SECCLASS_FIFO_FILE;
+}
+
static void
sebsd_create_proc0(struct ucred *cred)
{
@@ -779,17 +843,90 @@
}
static int
+sebsd_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
+{
+
+ return (pipe_has_perm(cred, pipe, FIFO_FILE__IOCTL));
+}
+
+static int
+sebsd_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (pipe_has_perm(cred, pipe, FIFO_FILE__POLL));
+}
+
+static int
+sebsd_check_pipe_read(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (pipe_has_perm(cred, pipe, FIFO_FILE__READ));
+}
+
+static int
+sebsd_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel, struct label *newlabel)
+{
+ struct task_security_struct *task;
+ struct vnode_security_struct *file;
+ struct vnode_security_struct *newfile;
+ int rc;
+
+ task = SLOT(&cred->cr_label);
+ file = SLOT(pipelabel);
+ newfile = SLOT(newlabel);
+
+ rc = avc_has_perm_ref(task->sid, file->sid, file->sclass,
+ FIFO_FILE__RELABELFROM, &file->avcr);
+
+ if (rc)
+ return (rc);
+
+ rc = avc_has_perm(task->sid, newfile->sid, file->sclass,
+ FIFO_FILE__RELABELTO);
+
+ /*
+ * TBD: SELinux also check filesystem associate permission:
+ return avc_has_perm_audit(newsid,
+ sbsec->sid,
+ SECCLASS_FILESYSTEM,
+ FILESYSTEM__ASSOCIATE,
+ &ad);
+ */
+ return(rc);
+}
+
+static int
+sebsd_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (pipe_has_perm(cred, pipe, FIFO_FILE__GETATTR));
+}
+
+static int
+sebsd_check_pipe_write(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (pipe_has_perm(cred, pipe, FIFO_FILE__WRITE));
+}
+
+static int
sebsd_check_proc_debug(struct ucred *cred, struct proc *proc)
{
- return(cred_has_perm(cred, proc, PROCESS__PTRACE));
+ return (cred_has_perm(cred, proc, PROCESS__PTRACE));
}
static int
sebsd_check_proc_sched(struct ucred *cred, struct proc *proc)
{
- return(cred_has_perm(cred, proc, PROCESS__SETSCHED));
+ return (cred_has_perm(cred, proc, PROCESS__SETSCHED));
}
static int
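Review bot: sebsd_check_pipe_relabel dereferences `SLOT(pipelabel)` and `SLOT(newlabel)` without a NULL check, while sebsd_relabel_pipe in a later hunk of this change guards both slots with a printf and returns; the two hooks should agree on whether an unset slot is possible. If the init hooks guarantee the slot, the guards in sebsd_relabel_pipe are dead code and can go; if not, the check hook is the place to fail, e.g. `if (file == NULL || newfile == NULL) return (EINVAL);` before the AVC lookups, since a void relabel hook cannot report the failure once the check has passed. The commented-out SELinux filesystem-associate block inside the function would read better as a one-line TBD comment than as dead code.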
@@ -812,7 +949,7 @@
break;
}
- return cred_has_perm(cred, proc, perm);
+ return (cred_has_perm(cred, proc, perm));
}
static void
@@ -916,6 +1053,17 @@
}
static int
+sebsd_internalize_network_label(struct label *label, char *element_name,
+ char *element_data, int *claimed)
+{
+ struct network_security_struct *nsec;
+
+ nsec = SLOT(label);
+ return (sebsd_internalize_sid(&nsec->sid, element_name, element_data,
+ claimed));
+}
+
+static int
sebsd_internalize_vnode_label(struct label *label, char *element_name,
char *element_data, int *claimed)
{
@@ -927,6 +1075,27 @@
}
static void
+sebsd_relabel_pipe(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel, struct label *newlabel)
+{
+ struct vnode_security_struct *source, *dest;
+
+ source = SLOT(newlabel);
+ dest = SLOT(pipelabel);
+
+ if (!source) {
+ printf("sebsd_relabel_pipe:: source is NULL!\n");
+ return;
+ }
+ if (!dest) {
+ printf("sebsd_relabel_pipe:: dest is NULL!\n");
+ return;
+ }
+
+ dest->sid = source->sid;
+}
+
+static void
sebsd_relabel_vnode(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, struct label *label)
{
@@ -1492,7 +1661,7 @@
sebsd_check_system_settime(struct ucred *cred)
{
- return (0);
+ return(cred_has_capability(cred, CAPABILITY__SYS_TIME));
}
static int
@@ -1607,6 +1776,17 @@
size, len, claimed));
}
+static int
+sebsd_externalize_network_label(struct label *label, char *element_name,
+ char *element_data, size_t size, size_t *len, int *claimed)
+{
+ struct network_security_struct *nsec;
+
+ nsec = SLOT(label);
+ return (sebsd_externalize_sid(nsec->sid, element_name, element_data,
+ size, len, claimed));
+}
+
static void
sebsd_copy_vnode_label(struct label *src, struct label *dest)
{
@@ -1750,41 +1930,86 @@
static struct mac_policy_ops sebsd_ops = {
/* Init Labels */
.mpo_init = sebsd_init,
+ .mpo_init_bpfdesc_label = sebsd_init_network_label,
.mpo_init_cred_label = sebsd_init_cred_label,
.mpo_init_devfsdirent_label = sebsd_init_vnode_label,
.mpo_init_file_label = sebsd_init_file_label,
+ .mpo_init_ifnet_label = sebsd_init_network_label,
+ .mpo_init_ipq_label = sebsd_init_network_label,
+ .mpo_init_mbuf_label = sebsd_init_network_label_waitcheck,
.mpo_init_mount_label = sebsd_init_mount_label,
.mpo_init_mount_fs_label = sebsd_init_mount_fs_label,
+ .mpo_init_pipe_label = sebsd_init_vnode_label,
+ .mpo_init_socket_label = sebsd_init_network_label_waitcheck,
+ .mpo_init_socket_peer_label = sebsd_init_network_label_waitcheck,
.mpo_init_vnode_label = sebsd_init_vnode_label,
/* Destroy Labels */
.mpo_destroy = sebsd_destroy,
+ .mpo_destroy_bpfdesc_label = sebsd_destroy_label,
.mpo_destroy_cred_label = sebsd_destroy_label,
.mpo_destroy_devfsdirent_label = sebsd_destroy_label,
+ .mpo_destroy_ifnet_label = sebsd_destroy_label,
+ .mpo_destroy_ipq_label = sebsd_destroy_label,
+ .mpo_destroy_mbuf_label = sebsd_destroy_label,
.mpo_destroy_file_label = sebsd_destroy_label,
.mpo_destroy_mount_label = sebsd_destroy_label,
.mpo_destroy_mount_fs_label = sebsd_destroy_label,
+ .mpo_destroy_pipe_label = sebsd_destroy_label,
+ .mpo_destroy_socket_label = sebsd_destroy_label,
+ .mpo_destroy_socket_peer_label = sebsd_destroy_label,
.mpo_destroy_vnode_label = sebsd_destroy_label,
/* Copy labels */
+ .mpo_copy_pipe_label = sebsd_copy_vnode_label,
.mpo_copy_vnode_label = sebsd_copy_vnode_label,
/* In/Out */
.mpo_externalize_cred_label = sebsd_externalize_cred_label,
+ .mpo_externalize_ifnet_label = sebsd_externalize_network_label,
+ .mpo_externalize_pipe_label = sebsd_externalize_vnode_label,
+ .mpo_externalize_socket_label = sebsd_externalize_network_label,
+ .mpo_externalize_socket_peer_label = sebsd_externalize_network_label,
.mpo_externalize_vnode_label = sebsd_externalize_vnode_label,
.mpo_internalize_cred_label = sebsd_internalize_cred_label,
+ .mpo_internalize_ifnet_label = sebsd_internalize_network_label,
+ .mpo_internalize_pipe_label = sebsd_internalize_vnode_label,
+ .mpo_internalize_socket_label = sebsd_internalize_network_label,
.mpo_internalize_vnode_label = sebsd_internalize_vnode_label,
+#ifdef notdef
+ void (*mpo_create_mbuf_from_socket)(struct socket *so,
+ struct label *socketlabel, struct mbuf *m,
+ struct label *mbuflabel);
+ void (*mpo_create_socket)(struct ucred *cred, struct socket *so,
+ struct label *socketlabel);
+ void (*mpo_create_socket_from_socket)(struct socket *oldsocket,
+ struct label *oldsocketlabel, struct socket *newsocket,
+ struct label *newsocketlabel);
+ void (*mpo_relabel_socket)(struct ucred *cred, struct socket *so,
+ struct label *oldlabel, struct label *newlabel);
+ void (*mpo_set_socket_peer_from_mbuf)(struct mbuf *mbuf,
+ struct label *mbuflabel, struct socket *so,
+ struct label *socketpeerlabel);
+ void (*mpo_set_socket_peer_from_socket)(struct socket *oldsocket,
+ struct label *oldsocketlabel, struct socket *newsocket,
+ struct label *newsocketpeerlabel);
+#endif
+
/* Create Labels */
.mpo_create_cred = sebsd_create_cred,
.mpo_create_devfs_device = sebsd_create_devfs_device,
.mpo_create_devfs_directory = sebsd_create_devfs_directory,
.mpo_create_devfs_symlink = sebsd_create_devfs_symlink,
.mpo_create_file = sebsd_create_file,
+ /* .mpo_create_mbuf_from_socket = sebsd_create_mbuf_from_socket, */
+ .mpo_create_mount = sebsd_create_mount,
+ .mpo_create_pipe = sebsd_create_pipe,
.mpo_create_proc0 = sebsd_create_proc0,
.mpo_create_proc1 = sebsd_create_proc1,
- .mpo_create_mount = sebsd_create_mount,
.mpo_create_root_mount = sebsd_create_root_mount,
+ /* .mpo_create_socket = sebsd_create_socket, */
+ /* .mpo_create_socket_from_socket = sebsd_create_socket_from_socket, */
.mpo_create_vnode_extattr = sebsd_create_vnode_extattr,
.mpo_associate_vnode_devfs = sebsd_associate_vnode_devfs,
.mpo_associate_vnode_singlelabel = sebsd_associate_vnode_singlelabel,
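Review bot: The `#ifdef notdef` block pastes six function-pointer prototypes into the middle of the sebsd_ops designated initializer; it is compiled out, but it is not initializer syntax and reads as though the hooks were wired, so it should be replaced by a one-line comment such as `/* TODO: socket/mbuf hooks (create_socket, relabel_socket, set_socket_peer_*) not yet implemented */` next to the commented-out entries that follow. Wiring .mpo_init_pipe_label, .mpo_copy_pipe_label and the externalize/internalize pipe hooks to the vnode routines is consistent with sebsd_create_pipe labeling pipes with a vnode_security_struct, which is worth saying in the "Init Labels" comment. The initializer continues past the end of this hunk.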
@@ -1793,6 +2018,12 @@
/* Check Labels */
.mpo_check_cred_relabel = sebsd_check_cred_relabel,
.mpo_check_file_create = sebsd_check_file_create,
+ /*
+ .mpo_check_file_dup
+ .mpo_check_file_inherit
+ .mpo_check_file_ioctl
+ .mpo_check_file_receive
+ */
.mpo_check_file_get_flags = sebsd_check_file_get_flags,
.mpo_check_file_get_ofileflags = sebsd_check_file_get_ofileflags,
.mpo_check_file_get_offset = sebsd_check_file_get_offset,
@@ -1803,6 +2034,14 @@
.mpo_check_kld_load = sebsd_check_kld_load,
.mpo_check_kld_unload = sebsd_check_kld_unload,
.mpo_check_mount_stat = sebsd_check_mount_stat,
+
+ .mpo_check_pipe_ioctl = sebsd_check_pipe_ioctl,
+ .mpo_check_pipe_poll = sebsd_check_pipe_poll,
+ .mpo_check_pipe_read = sebsd_check_pipe_read,
+ .mpo_check_pipe_relabel = sebsd_check_pipe_relabel,
+ .mpo_check_pipe_stat = sebsd_check_pipe_stat,
+ .mpo_check_pipe_write = sebsd_check_pipe_write,
+
.mpo_check_proc_debug = sebsd_check_proc_debug,
.mpo_check_proc_sched = sebsd_check_proc_sched,
.mpo_check_proc_signal = sebsd_check_proc_signal,
@@ -1849,8 +2088,12 @@
.mpo_execve_transition = sebsd_execve_transition,
.mpo_execve_will_transition = sebsd_execve_will_transition,
.mpo_relabel_cred = sebsd_relabel_cred,
+ .mpo_relabel_pipe = sebsd_relabel_pipe,
+ /* .mpo_relabel_socket = sebsd_relabel_socket, */
.mpo_relabel_vnode = sebsd_relabel_vnode,
.mpo_setlabel_vnode_extattr = sebsd_setlabel_vnode_extattr,
+ /*.mpo_set_socket_peer_from_mbuf = sebsd_set_socket_peer_from_mbuf,*/
+ /*.mpo_set_socket_peer_from_socket = sebsd_set_socket_peer_from_socket,*/
.mpo_syscall = sebsd_syscall,
};
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_labels.h#3 (text+ko) ====
@@ -59,6 +59,12 @@
avc_entry_ref_t avcr;
};
+struct network_security_struct {
+ security_id_t sid;
+ security_id_t task_sid;
+ avc_entry_ref_t avcr;
+};
+
struct mount_security_struct {
security_id_t sid; /* SID of file system */
#ifndef __FreeBSD__
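Review bot: The new network_security_struct carries no field comments while the neighbouring mount_security_struct annotates its members (`/* SID of file system */`); add `/* SID of the network object (ifnet, socket, mbuf, ...) */` on sid, `/* SID of the associated task — presumably the creator; confirm once the create hooks exist */` on task_sid and `/* AVC entry reference, as in vnode_security_struct */` on avcr. At present the sebsd.c hunks only ever set both SIDs to SECINITSID_UNLABELED, so documenting the intended meaning now keeps the fields from drifting. The mount_security_struct definition continues outside the hunk.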