PERFORCE change 42683 for review

Andrew Reisse areisse at FreeBSD.org
Mon Nov 17 19:48:04 GMT 2003 

http://perforce.freebsd.org/chv.cgi?CH=42683

Change 42683 by areisse at areisse_ibook on 2003/11/17 11:47:30

	another copyinstr...
	allow cred relabels in sebsd. A further permission check for this
	operation may need to be introduced in the future.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#28 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#13 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#28 (text+ko) ====

@@ -3615,6 +3615,7 @@
 	struct mac mac;
 	char *buffer;
 	int error;
+	size_t dummy;
 
 	error = copyin(uap->mac_p, &mac, sizeof(mac));
 	if (error)
@@ -3625,7 +3626,7 @@
 		return (error);
 
 	MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
-	error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
+	error = copyinstr(mac.m_string, buffer, mac.m_buflen, &dummy);
 	if (error) {
 		FREE(buffer, M_MACTEMP);
 		return (error);

==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#13 (text+ko) ====

@@ -460,8 +460,9 @@
 static void
 sebsd_relabel_cred(struct ucred *cred, struct label *newlabel)
 {
-
-	printf("sebsd_relabel_cred:: This does nothing\n");
+  struct task_security_struct *task = SLOT(&cred->cr_label);
+  struct task_security_struct *nsec = SLOT(newlabel);
+  task->sid = nsec->sid;
 }
 
 static void
@@ -956,11 +957,28 @@
 sebsd_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct task_security_struct *nsec, *tsec;
+	int rc;
 
 	nsec = SLOT(newlabel);
 	tsec = SLOT(&cred->cr_label);
+
+	if (nsec == NULL)
+	  return 0;
+	  
+	rc = avc_has_perm_ref_audit(tsec->sid, tsec->sid, SECCLASS_PROCESS,
+				    FILE__RELABELFROM, NULL, NULL);
+	if (rc)
+	  return (rc);
+
+	rc = avc_has_perm_audit(tsec->sid, nsec->sid, SECCLASS_PROCESS,
+				FILE__RELABELTO, NULL);
+	if (rc)
+	  return (rc);
+
+	/*
 	if (nsec != NULL && nsec->sid != tsec->sid)
 		return EPERM;
+	*/
 	return 0;
 }
 
@@ -2139,6 +2157,7 @@
   .mpo_internalize_vnode_label = sebsd_internalize_vnode_label,
   .mpo_externalize_vnode_label = sebsd_externalize_vnode_label,
 
+  .mpo_relabel_cred = sebsd_relabel_cred,
   .mpo_relabel_vnode = sebsd_relabel_vnode,
 
   /* Create Labels */
@@ -2158,6 +2177,7 @@
   .mpo_execve_transition = sebsd_execve_transition,
 
   /* Checks */
+  .mpo_check_cred_relabel = sebsd_check_cred_relabel,
   .mpo_check_proc_signal = sebsd_check_proc_signal,
   .mpo_check_vnode_access = sebsd_check_vnode_access,
   .mpo_check_vnode_chdir = sebsd_check_vnode_chdir,
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

More information about the trustedbsd-cvs mailing list