PERFORCE change 42814 for review

Chris Vance cvance at FreeBSD.org
Thu Nov 20 19:56:36 GMT 2003 

http://perforce.freebsd.org/chv.cgi?CH=42814

Change 42814 by cvance at cvance_osx_laptop on 2003/11/20 11:56:28

	Fix a bunch of small but critical bugs:
	- make sure we free temporary labels in mac_set_{file,link}
	- make sure sebsd_ss_malloc stores the allocated size
	- turn on sebsd code for associate_vnode_extattr and 
	  setlabel_vnode_extattr

Affected files ...

.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#30 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#15 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#30 (text+ko) ====

@@ -4058,6 +4058,7 @@
 	    vput (nd.ni_vp);
 	}
 
+	mac_destroy_vnode_label(&intlabel);
 	return (error);
 }
 
@@ -4112,6 +4113,7 @@
 	    vput (nd.ni_vp);
 	}
 
+	mac_destroy_vnode_label(&intlabel);
 	return (error);
 }
 

==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#15 (text+ko) ====

@@ -99,7 +99,8 @@
 
 void *sebsd_ss_malloc (size_t size, int flags)
 {
-  size_t *v = sebsd_malloc (size + sizeof (size_t), flags);
+  size += sizeof(size_t);
+  size_t *v = sebsd_malloc (size, flags);
   v[0] = size;
   return v+1;
 }
@@ -500,28 +501,33 @@
     struct vnode *vp, struct label *vlabel)
 {
 	struct vnode_security_struct *vsec;
-	/* TBD: Need to limit size of contexts used in extattr labels */
-	/*char context[128];*/
+	/* 
+	 * TBD: static buffers aren't a good idea, and SELinux contexts
+	 * aren't restricted in length.
+	 * 
+	 * This doesn't matter too much, since HFS extattr support
+	 * currently uses a backing file pre-allocated with fixed-size
+	 * attributes.
+	 */
+	char context[256];
 	u_int32_t context_len;
-	const char *context = NULL;
+	struct proc *p = current_proc();
 	int error;
 
 	vsec = SLOT(vlabel);
 
-#ifdef HAS_EXTATTRS
-
 	context_len = sizeof(context); /* TBD: bad fixed length */
 	error = vn_extattr_get(vp, IO_NODELOCKED,
 			       SEBSD_MAC_EXTATTR_NAMESPACE,
 			       SEBSD_MAC_EXTATTR_NAME,
-			       &context_len, context, curthread);
+			       &context_len, context, p);
 	if (error == ENOATTR || error == EOPNOTSUPP) {
 		vsec->sid = SECINITSID_UNLABELED; /* Use the default label */
 
 		/*
 		struct vattr va;
 
-		(void)VOP_GETATTR(vp, &va, curthread->td_ucred, curthread);
+		(void)VOP_GETATTR(vp, &va, p->p_ucred, p);
 		printf("sebsd_update_vnode_from_extattr: no label for "
 		       "inode=%ld, fsid=%d\n", va.va_fileid, va.va_fsid);
 		*/
@@ -532,6 +538,8 @@
 		    " by vn_extattr_get()\n", error);
 		return (error); /* Fail closed */
 	}
+
+#if 0
 	if (sebsd_verbose > 1) {
 		struct vattr va;
 
@@ -541,8 +549,7 @@
 			context, va.va_fileid, va.va_fsid);
 	}
 #endif
-
-	struct proc *p = current_proc();
+	
 	if (p == NULL || vp == NULL || vp->v_op == NULL || vp->v_tag != VT_HFS || vp->v_data == NULL)
 	  goto dosclass;
 
@@ -550,10 +557,6 @@
 	error = VOP_GETATTR (vp, &va, p->p_ucred, p);
 	if (error)
 	  goto dosclass;
-	if (va.va_fileid == 28308)
-	  context = "system_u:object_r:shell_exec_t";
-	else
-	  goto dosclass;
 
 	error = security_context_to_sid(context, strlen(context), &vsec->sid);
 	if (error) {
@@ -1373,7 +1376,6 @@
 	dest->sid = source->sid;
 }
 
-#ifdef HAS_EXTATTRS
 static int
 sebsd_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
     struct label *vlabel, struct label *intlabel)
@@ -1393,11 +1395,10 @@
 	error = vn_extattr_set(vp, IO_NODELOCKED,
 			       SEBSD_MAC_EXTATTR_NAMESPACE,
 			       SEBSD_MAC_EXTATTR_NAME,
-			       context_len, context, curthread);
+			       context_len, context, current_proc());
 	security_free_context(context);
 	return (error);
 }
-#endif
 
 static int
 sebsd_check_vnode_access(struct ucred *cred, struct vnode *vp,
@@ -2242,9 +2243,12 @@
   .mpo_destroy_mount_label = sebsd_destroy_mount_label,
   .mpo_destroy_mount_fs_label = sebsd_destroy_mount_fs_label,
 
+  .mpo_setlabel_vnode_extattr = sebsd_setlabel_vnode_extattr,
+
   .mpo_syscall = sebsd_syscall
 };
 
+
 #if 0
 static struct mac_policy_ops sebsd_ops_o = {
 	/* Init Labels */
@@ -2463,9 +2467,6 @@
 #endif
 	/* .mpo_relabel_socket = sebsd_relabel_socket, */
 	.mpo_relabel_vnode = sebsd_relabel_vnode,
-#ifdef HAS_EXTATTRS
-	.mpo_setlabel_vnode_extattr = sebsd_setlabel_vnode_extattr,
-#endif
 	/*.mpo_set_socket_peer_from_mbuf = sebsd_set_socket_peer_from_mbuf,*/
 	/*.mpo_set_socket_peer_from_socket = sebsd_set_socket_peer_from_socket,*/
 
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

More information about the trustedbsd-cvs mailing list