PERFORCE change 87602 for review
Todd Miller
millert at FreeBSD.org
Thu Dec 1 21:17:50 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=87602
Change 87602 by millert at millert_g4tower on 2005/12/01 21:17:10
Update login context code from DSEP and implement
sebsd_check_proc_setlcid() for SEDarwin.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/Makefile#5 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_get.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_set.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getlcmac/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getlcmac/getlcmac.8#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getlcmac/getlcmac.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/lcs/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/lcs/lcs.8#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/lcs/lcs.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setlcmac/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setlcmac/setlcmac.8#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setlcmac/setlcmac.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam/pam.d/login#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam/pam.d/sshd#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/PAMModule.defs#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_lctx/GNUmakefile#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_lctx/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_lctx/lctx.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_lctx/pam_lctx.8#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_lctx/pam_lctx.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/init_sysent.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_bsm_klib.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_exit.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_fork.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_proc.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_prot.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_sysctl.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/syscalls.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/sysctl_init.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/Makefile#4 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/lctx.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac.h#5 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#11 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/proc.h#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/syscall.h#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/sysctl.h#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_base.c#6 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_internal.h#5 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_process.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#23 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/Makefile#5 (text+ko) ====
@@ -19,6 +19,7 @@
cd mach_cmds && gnumake
cd top && make
cd bsm/bsm/lib && gnumake
+ cd pam_modules/pam_lctx && gnumake
cd system_cmds/mach_init.tproj && gnumake
install:
@@ -38,6 +39,7 @@
cd mach_cmds && gnumake install
cd top && make install
cd bsm/bsm/lib && gnumake install
+ cd pam_modules/pam_lctx && gnumake DSTROOT=$(DESTDIR) install
cd system_cmds/mach_init.tproj && gnumake install
clean:
@@ -57,6 +59,6 @@
cd mach_cmds && gnumake clean
cd top && make clean
cd bsm/bsm/lib && gnumake clean
+ cd pam_modules/pam_lctx && gnumake clean
cd system_cmds/mach_init.tproj && gnumake clean
rm -rf build/obj
-
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_get.c#3 (text+ko) ====
@@ -52,6 +52,20 @@
}
int
+mac_get_lcid(pid_t lcid, struct mac *label)
+{
+
+ return (syscall(SYS___mac_get_lcid, lcid, label));
+}
+
+int
+mac_get_lctx(struct mac *label)
+{
+
+ return (syscall(SYS___mac_get_lctx, label));
+}
+
+int
mac_get_link(const char *path, struct mac *label)
{
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_set.c#3 (text+ko) ====
@@ -51,6 +51,13 @@
}
int
+mac_set_lctx(struct mac *label)
+{
+
+ return (syscall(SYS___mac_set_lctx, label));
+}
+
+int
mac_set_link(const char *path, struct mac *label)
{
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/Makefile#3 (text+ko) ====
@@ -1,22 +1,27 @@
include ../../Makeconfig
+SUBDIR= getfmac getlcmac getpmac mexec setfsmac setlcmac setpmac lcs
+
all:
- cd getfmac && gnumake
- cd getpmac && gnumake
- cd mexec && gnumake
- cd setfsmac && gnumake
- cd setpmac && gnumake
+ @for dir in $(SUBDIR); do \
+ gnumake -C $$dir ; \
+ if [ $$? -ne 0 ] ; then \
+ exit 1 ; \
+ fi ; \
+ done
install:
- cd getfmac && gnumake install
- cd getpmac && gnumake install
- cd mexec && gnumake install
- cd setfsmac && gnumake install
- cd setpmac && gnumake install
+ @for dir in $(SUBDIR); do \
+ gnumake -C $$dir install ; \
+ if [ $$? -ne 0 ] ; then \
+ exit 1 ; \
+ fi ; \
+ done
clean:
- cd getfmac && gnumake clean
- cd getpmac && gnumake clean
- cd mexec && gnumake clean
- cd setfsmac && gnumake clean
- cd setpmac && gnumake clean
+ @for dir in $(SUBDIR); do \
+ gnumake -C $$dir clean ; \
+ if [ $$? -ne 0 ] ; then \
+ exit 1 ; \
+ fi ; \
+ done
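Review bot: Each of the three new loops tests the exit status of `gnumake -C $$dir` through a separate `if [ $$? -ne 0 ]` block, which is four lines where one will do; `gnumake -C $$dir || exit 1 ; \` reads the status directly and is the form the rest of the tree's recursive makes tend to use. The same rewrite applies to the install and clean targets below the all target.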
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/pam/pam.d/login#3 (text+ko) ====
@@ -6,3 +6,4 @@
account required pam_permit.so
password required pam_deny.so
session required pam_uwtmp.so
+session required pam_lctx.so
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/pam/pam.d/sshd#3 (text+ko) ====
@@ -6,3 +6,4 @@
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
+session required pam_lctx.so
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/PAMModule.defs#3 (text+ko) ====
@@ -24,8 +24,8 @@
Sources = .
endif
-Extra_CC_Flags += -Ddarwin -no-cpp-precomp -Wall -I/usr/include/pam -arch i386 -arch ppc
-Extra_LD_Libraries += -lpam -arch i386 -arch ppc
+Extra_CC_Flags += -Ddarwin -no-cpp-precomp -Wall -I/usr/include/pam -arch ppc
+Extra_LD_Libraries += -lpam -arch ppc
include $(CoreOSMakefiles)/Standard/Standard.make
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/init_sysent.c#3 (text+ko) ====
@@ -378,6 +378,9 @@
int getlcid();
int setlcid();
+int __mac_get_lcid();
+int __mac_get_lctx();
+int __mac_set_lctx();
/*
* System call switch table.
@@ -907,6 +910,9 @@
syss(getlcid,1), /* 404 = getlcid */
sysp(setlcid,2), /* 405 = setlcid */
+ syss(__mac_get_lcid,2), /* 406 = __mac_get_lcid */
+ syss(__mac_get_lctx,1), /* 407 = __mac_get_lctx */
+ syss(__mac_set_lctx,1), /* 408 = __mac_set_lctx */
/*
* N.B.
* The argument count numbers in this table are actually
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_bsm_klib.c#3 (text+ko) ====
@@ -468,7 +468,11 @@
* XXXMAC We may wish to add audit to these later
*/
AUE_NULL, /* 404 = getlcid */
- AUE_NULL /* 405 = setlcid */
+ AUE_NULL, /* 405 = setlcid */
+ AUE_NULL, /* 406 = __mac_get_lcid */
+ AUE_NULL, /* 407 = __mac_get_lctx */
+ AUE_NULL, /* 408 = __mac_set_lctx */
+
};
int nsys_au_event = sizeof(sys_au_event) / sizeof(sys_au_event[0]);
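Review bot: The three new entries (406-408) are AUE_NULL, so __mac_set_lctx, which relabels a login context shared by every member process, produces no audit record; the XXXMAC comment above only acknowledges this for getlcid/setlcid. Until events are assigned, extend that comment so the gap is visible where the table is maintained, e.g. `/* XXXMAC: 404-408 (lcid/lctx calls) are unaudited; __mac_set_lctx in particular needs an event */`. The blank line added between the last entry and `};` can be dropped.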
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_exit.c#3 (text+ko) ====
@@ -669,6 +669,12 @@
wakeup(&p->p_stat);
return (0);
}
+#ifdef LCTX
+ PROC_LOCK(p);
+ leavelctx(p);
+ PROC_UNLOCK(p);
+#endif
+
p->p_xstat = 0;
if (p->p_ru) {
ruadd(&q->p_stats->p_cru, p->p_ru);
@@ -715,9 +721,7 @@
* Unlink it from its process group and free it.
*/
leavepgrp(p);
-#ifdef LCTX
- leavelctx(p);
-#endif
+
LIST_REMOVE(p, p_list); /* off zombproc */
LIST_REMOVE(p, p_sibling);
p->p_flag &= ~P_WAITING;
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_fork.c#3 (text+ko) ====
@@ -582,8 +582,8 @@
p2->p_lctx = NULL;
/* Add new process to login context (if any). */
if (p1->p_lctx != NULL) {
- p2->p_lctx = p1->p_lctx;
- LIST_INSERT_AFTER(p1, p2, p_lclist);
+ LCTX_LOCK(p1->p_lctx);
+ enterlctx(p2, p1->p_lctx, 0);
}
#endif
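Review bot: `p1->p_lctx` is read twice — once in the test and again as the LCTX_LOCK argument — with nothing holding it stable, so if another thread orphans p1 via setlcid(LCID_REMOVE) between the two reads, LCTX_LOCK dereferences NULL; whether that window is real depends on what PROC_LOCK and LCTX_LOCK expand to in this tree, which the change does not show. Snapshot it once, `struct lctx *l = p1->p_lctx;`, and use `l` for both the test and the `enterlctx(p2, l, 0)` call. enterlctx()'s header comment in kern_proc.c asks for the proc to be locked as well, and p2 is not locked here; the enclosing fork path starts and ends outside the hunk.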
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_proc.c#3 (text+ko) ====
@@ -81,10 +81,12 @@
#include <ufs/ufs/quota.h>
#include <sys/uio.h>
#include <sys/malloc.h>
+#include <sys/mac.h>
#include <sys/mbuf.h>
#include <sys/ioctl.h>
#include <sys/tty.h>
#include <sys/signalvar.h>
+#include <sys/sysctl.h>
#include <sys/syslog.h>
/*
@@ -110,7 +112,11 @@
struct proclist zombproc;
#ifdef LCTX
-static pid_t lastlcid = 1;
+static pid_t lastlcid = 1;
+static int alllctx_cnt;
+
+#define LCID_MAX 8192 /* Does this really need to be large? */
+static int maxlcid = LCID_MAX;
LIST_HEAD(lctxlist, lctx);
static struct lctxlist alllctx;
@@ -132,6 +138,7 @@
LIST_INIT(&zombproc);
#ifdef LCTX
LIST_INIT(&alllctx);
+ alllctx_cnt = 0;
#endif
pidhashtbl = hashinit(maxproc / 4, M_PROC, &pidhash);
pgrphashtbl = hashinit(maxproc / 4, M_PROC, &pgrphash);
@@ -260,34 +267,76 @@
struct lctx *
lcfind(pid_t lcid)
{
- struct lctx *lc;
+ struct lctx *l;
- LIST_FOREACH(lc, &alllctx, lc_list)
- if (lc->lc_id == lcid)
+ ALLLCTX_LOCK;
+ LIST_FOREACH(l, &alllctx, lc_list) {
+ if (l->lc_id == lcid) {
+ LCTX_LOCK(l);
break;
- return (lc);
+ }
+ }
+ ALLLCTX_UNLOCK;
+ return (l);
}
-#define LCID_MAX 8192 /* Does this really need to be large? */
+#define LCID_INC \
+ do { \
+ lastlcid++; \
+ if (lastlcid > maxlcid) \
+ lastlcid = 1; \
+ } while (0) \
+
struct lctx *
lccreate(void)
{
- struct lctx *lc;
+ struct lctx *l;
/* Not very efficient but this isn't a common operation. */
- while ((lc = lcfind(lastlcid)) != NULL) {
- lastlcid++;
- if (lastlcid > LCID_MAX)
- lastlcid = 1;
+ while ((l = lcfind(lastlcid)) != NULL) {
+ LCTX_UNLOCK(l);
+ LCID_INC;
}
/* Possible race condition with lastlcid here? */
- MALLOC(lc, struct lctx *, sizeof(struct lctx), M_LCTX, M_WAITOK|M_ZERO);
- lc->lc_id = lastlcid;
- lastlcid++;
- LIST_INIT(&lc->lc_members);
- LIST_INSERT_HEAD(&alllctx, lc, lc_list);
- return (lc);
+ MALLOC(l, struct lctx *, sizeof(struct lctx), M_LCTX, M_WAITOK|M_ZERO);
+ l->lc_id = lastlcid;
+ LCID_INC;
+ LIST_INIT(&l->lc_members);
+#ifdef MAC
+ l->lc_label = mac_lctx_label_alloc();
+#endif
+ ALLLCTX_LOCK;
+ LIST_INSERT_HEAD(&alllctx, l, lc_list);
+ alllctx_cnt++;
+ ALLLCTX_UNLOCK;
+
+ return (l);
+}
+
+/*
+ * Call with proc and lctx locked.
+ * Will unlock lctx on return.
+ */
+void
+enterlctx (struct proc *p, struct lctx *l, int create)
+{
+ if (l == NULL)
+ return;
+
+ p->p_lctx = l;
+ LIST_INSERT_HEAD(&l->lc_members, p, p_lclist);
+ l->lc_mc++;
+
+#ifdef MAC
+ if (create)
+ mac_proc_create_lctx(p, l);
+ else
+ mac_proc_join_lctx(p, l);
+#endif
+ LCTX_UNLOCK(l);
+
+ return;
}
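Review bot: The id search in lccreate() (the `while ((l = lcfind(lastlcid)) != NULL)` loop at the top of the rewritten body) has no termination bound: once every id in 1..maxlcid belongs to a live context — or maxlcid is lowered through the new CTLFLAG_RW `kern.lctx.max` sysctl below the number of live contexts — LCID_INC wraps forever and the caller never returns. setlcid() already maps a NULL result to ENOMEM, so bounding the search to maxlcid attempts and returning NULL is enough. The retained `Possible race condition with lastlcid here?` comment still applies: lastlcid is read and advanced with no lock held, so two concurrent creates can be handed the same id between the lcfind() check and the LIST_INSERT_HEAD; holding ALLLCTX_LOCK across the search and the insert (walking the list directly rather than through lcfind(), which takes that lock itself) would close it.
```c
struct lctx *
lccreate(void)
{
	struct lctx *l = NULL;
	int tries;

	/* Bounded: with every id in 1..maxlcid live, the old loop never returned. */
	for (tries = 0; tries < maxlcid; tries++) {
		l = lcfind(lastlcid);
		if (l == NULL)
			break;
		LCTX_UNLOCK(l);
		LCID_INC;
	}
	if (l != NULL)
		return (NULL);	/* no free id; setlcid() reports ENOMEM */
	/* … unchanged: MALLOC, lc_id assignment, label alloc, list insert … */
```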
/*
@@ -296,15 +345,32 @@
void
leavelctx (struct proc *p)
{
+ struct lctx *l;
+
if (p->p_lctx == NULL)
return;
+ LCTX_LOCK(p->p_lctx);
+ l = p->p_lctx;
+ p->p_lctx = NULL;
LIST_REMOVE(p, p_lclist);
- if (LIST_EMPTY(&p->p_lctx->lc_members)) {
- LIST_REMOVE(p->p_lctx, lc_list);
- FREE(p->p_lctx, M_LCTX);
- }
- p->p_lctx = NULL;
+ l->lc_mc--;
+#ifdef MAC
+ mac_proc_leave_lctx(p, l);
+#endif
+ if (LIST_EMPTY(&l->lc_members)) {
+ ALLLCTX_LOCK;
+ LIST_REMOVE(l, lc_list);
+ alllctx_cnt--;
+ ALLLCTX_UNLOCK;
+ LCTX_UNLOCK(l);
+#ifdef MAC
+ mac_lctx_label_free(l->lc_label);
+#endif
+ FREE(l, M_LCTX);
+ } else
+ LCTX_UNLOCK(l);
+
return;
}
#endif /* LCTX */
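Review bot: leavelctx() acquires LCTX_LOCK(l) first and ALLLCTX_LOCK afterwards (in the empty-members branch), while lcfind() in the previous hunk acquires ALLLCTX_LOCK and then LCTX_LOCK(l) — the opposite order — so if these macros are blocking locks in this tree (their definitions are not in the change) a thread reaping in leavelctx() and a thread in lcfind() from setlcid() can wait on each other indefinitely. The order lcfind() uses is the easier one to keep: take ALLLCTX_LOCK before LCTX_LOCK(p->p_lctx) in leavelctx() and release it after the LIST_REMOVE, which costs the list lock on every leave but the file's own comments already treat these as uncommon operations. Add a comment stating the order on both functions, e.g. `/* Lock order: ALLLCTX_LOCK before any LCTX_LOCK. */`.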
@@ -605,3 +671,79 @@
FREE(temp, M_TEMP);
return (NULL);
}
+
+#ifdef LCTX
+
+static int
+sysctl_kern_lctx SYSCTL_HANDLER_ARGS
+{
+ int *name = (int*) arg1;
+ u_int namelen = arg2;
+ struct kinfo_lctx kil;
+ struct lctx *l;
+ int error;
+
+ error = 0;
+
+ switch (oidp->oid_number) {
+ case KERN_LCTX_ALL:
+ ALLLCTX_LOCK;
+ /* Request for size. */
+ if (!req->oldptr) {
+ error = SYSCTL_OUT(req, 0,
+ sizeof(struct kinfo_lctx) * (alllctx_cnt + 1));
+ goto out;
+ }
+ break;
+
+ case KERN_LCTX_LCID:
+ /* No space */
+ if (req->oldlen < sizeof(struct kinfo_lctx))
+ return (ENOMEM);
+ /* No argument */
+ if (namelen != 1)
+ return (EINVAL);
+ /* No login context */
+ l = lcfind((pid_t)name[0]);
+ if (l == NULL)
+ return (ENOENT);
+ kil.id = l->lc_id;
+ kil.mc = l->lc_mc;
+ LCTX_UNLOCK(l);
+ return (SYSCTL_OUT(req, (caddr_t)&kil, sizeof(kil)));
+
+ default:
+ return (EINVAL);
+ }
+
+ /* Provided buffer is too small. */
+ if (req->oldlen < (sizeof(struct kinfo_lctx) * alllctx_cnt)) {
+ error = ENOMEM;
+ goto out;
+ }
+
+ LIST_FOREACH(l, &alllctx, lc_list) {
+ LCTX_LOCK(l);
+ kil.id = l->lc_id;
+ kil.mc = l->lc_mc;
+ LCTX_UNLOCK(l);
+ error = SYSCTL_OUT(req, (caddr_t)&kil, sizeof(kil));
+ if (error)
+ break;
+ }
+out:
+ ALLLCTX_UNLOCK;
+
+ return (error);
+}
+SYSCTL_NODE(_kern, KERN_LCTX, lctx, CTLFLAG_RD, 0, "Login Context");
+SYSCTL_PROC(_kern_lctx, KERN_LCTX_ALL, all, CTLFLAG_RD|CTLTYPE_STRUCT,
+ 0, 0, sysctl_kern_lctx, "S,lctx",
+ "Return entire login context table");
+SYSCTL_NODE(_kern_lctx, KERN_LCTX_LCID, lcid, CTLFLAG_RD,
+ sysctl_kern_lctx, "Login Context Table");
+SYSCTL_INT(_kern_lctx, OID_AUTO, last, CTLFLAG_RD, &lastlcid, 0, "");
+SYSCTL_INT(_kern_lctx, OID_AUTO, count, CTLFLAG_RD, &alllctx_cnt, 0, "");
+SYSCTL_INT(_kern_lctx, OID_AUTO, max, CTLFLAG_RW, &maxlcid, 0, "");
+
+#endif /* LCTX */
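Review bot: `struct kinfo_lctx kil` is a stack variable of which only `id` and `mc` are assigned before SYSCTL_OUT copies the whole structure to user space, in both the KERN_LCTX_LCID and KERN_LCTX_ALL paths; if kinfo_lctx (defined in the new sys/lctx.h, not shown here) has any further field or alignment padding, those bytes are uninitialized kernel stack handed to any caller of a CTLFLAG_RD node. Zero it once before the switch, `bzero(&kil, sizeof(kil));`. Separately, the KERN_LCTX_ALL loop calls SYSCTL_OUT — a copyout that can fault or sleep — while holding ALLLCTX_LOCK; whether that is permitted depends on the lock type behind the macro, so either document that it is a sleepable lock or fill a temporary array under the lock and copy it out after ALLLCTX_UNLOCK.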
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_prot.c#3 (text+ko) ====
@@ -86,6 +86,7 @@
#include <sys/malloc.h>
#include <bsm/audit_kernel.h>
+#include <sys/lctx.h>
#include <sys/mac.h>
#include <sys/mount.h>
@@ -140,10 +141,6 @@
#ifdef LCTX
-#define LCID_PROC_SELF (0)
-#define LCID_REMOVE (-1)
-#define LCID_CREATE (0)
-
/*
* Set Login Context ID
*/
@@ -158,40 +155,53 @@
*/
/* ARGSUSED */
int
-setlcid(struct proc *td, struct setlcid_args *uap, register_t *retval)
+setlcid(struct proc *p0, struct setlcid_args *uap, register_t *retval)
{
struct proc *p;
- struct lctx *lc;
-
- /* XXXMAC: need check here? */
+ struct lctx *l;
+ int error;
if (uap->pid == LCID_PROC_SELF) { /* Create/Join/Leave */
- p = td;
+ p = p0;
+ PROC_LOCK(p);
} else { /* Adopt/Orphan */
p = pfind(uap->pid);
if (p == NULL)
return (ESRCH);
#if 0 /* XXX: we probably need the Darwin version of this... */
- if (p_cansee(td, p))
+ if (p_cansee(p0, p)) {
+ PROC_UNLOCK(p);
return (EPERM);
+ }
#endif
}
+#ifdef MAC
+ error = mac_check_proc_setlcid(p0, p, uap->pid, uap->lcid);
+ if (error) {
+ PROC_UNLOCK(p);
+ return (error);
+ }
+#endif
+
switch (uap->lcid) {
/* Leave/Orphan */
case LCID_REMOVE:
- /* XXXMAC: need check here? */
/* Only root may Leave/Orphan. */
- if (!is_suser1())
+ if (!is_suser1()) {
+ PROC_UNLOCK(p);
return (EPERM);
+ }
/* Process not in login context. */
- if (p->p_lctx == NULL)
+ if (p->p_lctx == NULL) {
+ PROC_UNLOCK(p);
return (ENOATTR);
+ }
- lc = NULL;
+ l = NULL;
break;
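Review bot: In the Adopt/Orphan branch `p = pfind(uap->pid)` is never followed by PROC_LOCK(p), yet every later exit path in this hunk (the `#if 0` p_cansee block, the MAC check failure, both LCID_REMOVE errors) calls PROC_UNLOCK(p); this balances only if pfind() returns the proc locked, which FreeBSD's does but this Darwin tree's may not, and nothing in the change says which. Either lock it explicitly after the NULL test, `PROC_LOCK(p);`, or put a comment above the else branch stating that pfind() returns p locked. The same pattern appears in the getlcid() hunk below; setlcid() continues into the next hunk.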
@@ -199,42 +209,48 @@
case LCID_CREATE:
/* Create only valid for self! */
- if (uap->pid != 0)
+ if (uap->pid != LCID_PROC_SELF) {
+ PROC_UNLOCK(p);
return (EPERM);
+ }
/* Already in a login context. */
- if (p->p_lctx != NULL)
+ if (p->p_lctx != NULL) {
+ PROC_UNLOCK(p);
return (EPERM);
+ }
- lc = lccreate();
- if (lc == NULL)
+ l = lccreate();
+ if (l == NULL) {
+ PROC_UNLOCK(p);
return (ENOMEM);
+ }
+ LCTX_LOCK(l);
break;
/* Join/Adopt */
default:
- /* XXXMAC: need check here? */
/* Only root may Join/Adopt. */
- if (!is_suser1())
+ if (!is_suser1()) {
+ PROC_UNLOCK(p);
return (EPERM);
+ }
- lc = lcfind(uap->lcid);
- if (lc == NULL)
+ l = lcfind(uap->lcid);
+ if (l == NULL) {
+ PROC_UNLOCK(p);
return (ENOATTR);
+ }
break;
}
leavelctx(p);
+ enterlctx(p, l, (uap->lcid == LCID_CREATE) ? 1 : 0);
- /* Add process to login context. */
- if (lc != NULL) {
- p->p_lctx = lc;
- LIST_INSERT_HEAD(&lc->lc_members, p, p_lclist);
- }
-
+ PROC_UNLOCK(p);
return (0);
}
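Review bot: In the default (Join/Adopt) case nothing rejects `uap->lcid` naming the context p is already a member of: lcfind() returns that same l locked, `leavelctx(p)` then takes LCTX_LOCK on it again (a recursive acquire, or a self-deadlock if the lock is not recursive) and, if p was its only member, unlinks and FREEs it, after which `enterlctx(p, l, 0)` inserts p into freed memory. Add `if (l == p->p_lctx) { LCTX_UNLOCK(l); PROC_UNLOCK(p); return (0); }` directly after the lcfind() NULL check so a no-op adopt returns early. More generally this path holds the new context's lock while leavelctx() takes the old context's lock, so two adopts moving processes in opposite directions between two contexts acquire the pair in opposite order; leaving the old context before looking up the new one would avoid ever holding two lctx locks. The start of setlcid() is in the previous hunk.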
@@ -251,26 +267,37 @@
*/
/* ARGSUSED */
int
-getlcid(struct proc *td, struct getlcid_args *uap, register_t *retval)
+getlcid(struct proc *p0, struct getlcid_args *uap, register_t *retval)
{
struct proc *p;
+ int error;
- /* XXXMAC: need check here? */
-
- if (uap->pid == 0) {
- p = td;
+ if (uap->pid == LCID_PROC_SELF) {
+ p = p0;
+ PROC_LOCK(p);
} else {
p = pfind(uap->pid);
if (p == NULL)
return (ESRCH);
#if 0 /* XXX: we probably need the Darwin version of this... */
- if (p_cansee(td, p))
+ if (p_cansee(p0, p)) {
+ PROC_UNLOCK(p);
return (EPERM);
+ }
#endif
}
+#ifdef MAC
+ error = mac_check_proc_getlcid(p0, p, uap->pid);
+ if (error) {
+ PROC_UNLOCK(p);
+ return (error);
+ }
+#endif
if (p->p_lctx == NULL)
return (ENOATTR);
*retval = p->p_lctx->lc_id;
+
+ PROC_UNLOCK(p);
return (0);
}
#endif /* LCTX */
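Review bot: The unchanged `if (p->p_lctx == NULL) return (ENOATTR);` that now follows the MAC check returns with PROC_LOCK(p) still held, because the lock is taken at the top of the function and only released by the new PROC_UNLOCK(p) before `return (0)`; every query about a process outside a login context leaks the lock. Change it to `if (p->p_lctx == NULL) { PROC_UNLOCK(p); return (ENOATTR); }`. As in setlcid(), the pfind() branch never takes PROC_LOCK(p) while later paths release it, so confirm that pfind() returns the proc locked in this tree or lock it explicitly.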
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_sysctl.c#3 (text+ko) ====
@@ -501,7 +501,8 @@
|| name[0] == KERN_SYSV
|| name[0] == KERN_AFFINITY
|| name[0] == KERN_CLASSIC
- || name[0] == KERN_PANICINFO)
+ || name[0] == KERN_PANICINFO
+ || name[0] == KERN_LCTX)
)
return (ENOTDIR); /* overloaded */
@@ -1483,7 +1484,6 @@
return (0);
}
-
/*
* Validate parameters and get old / set new parameters
* for max number of concurrent aio requests. Makes sure
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/syscalls.c#3 (text+ko) ====
@@ -441,5 +441,8 @@
"__mac_set_fd", /* 402 = __mac_set_fd */
"__mac_get_pid", /* 403 = __mac_get_pid */
"getlcid", /* 404 = getlcid */
- "setlcid" /* 405 = setlcid */
+ "setlcid", /* 405 = setlcid */
+ "__mac_get_lcid", /* 406 = __mac_get_lcid */
+ "__mac_get_lctx", /* 407 = __mac_get_lctx */
+ "__mac_set_lctx", /* 408 = __mac_set_lctx */
};
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/sysctl_init.c#3 (text+ko) ====
@@ -99,6 +99,13 @@
extern struct sysctl_oid sysctl__kern_ipc_sosendminchain;
extern struct sysctl_oid sysctl__kern_ipc_sorecvmincopy;
extern struct sysctl_oid sysctl__kern_ipc_maxsockets;
+
+extern struct sysctl_oid sysctl__kern_lctx_all;
+extern struct sysctl_oid sysctl__kern_lctx_lcid;
+extern struct sysctl_oid sysctl__kern_lctx_last;
+extern struct sysctl_oid sysctl__kern_lctx_count;
+extern struct sysctl_oid sysctl__kern_lctx_max;
+
extern struct sysctl_oid sysctl__net_inet_icmp_icmplim;
extern struct sysctl_oid sysctl__net_inet_icmp_maskrepl;
extern struct sysctl_oid sysctl__net_inet_icmp_timestamp;
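Review bot: The five `sysctl__kern_lctx_*` externs added here, the `sysctl__kern_lctx` extern in the second hunk, and the table entries in the third and fourth hunks of this file are unconditional, while the objects they name are defined in kern_proc.c inside `#ifdef LCTX`; a kernel built without LCTX will fail to link the sysctl OID table. Wrap each added run in `#ifdef LCTX` / `#endif`, matching the guard kern_proc.c puts around the definitions.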
@@ -270,6 +277,7 @@
extern struct sysctl_oid sysctl__kern_ipc;
extern struct sysctl_oid sysctl__kern_sysv;
+extern struct sysctl_oid sysctl__kern_lctx;
extern struct sysctl_oid sysctl__net_inet;
@@ -462,6 +470,11 @@
,&sysctl__kern_ipc_sosendminchain
,&sysctl__kern_ipc_sorecvmincopy
,&sysctl__kern_ipc_maxsockets
+ ,&sysctl__kern_lctx_all
+ ,&sysctl__kern_lctx_lcid
+ ,&sysctl__kern_lctx_last
+ ,&sysctl__kern_lctx_count
+ ,&sysctl__kern_lctx_max
,&sysctl__hw_machine
,&sysctl__hw_model
@@ -666,6 +679,7 @@
,&sysctl__vfs_generic_nfs_client
,&sysctl__vfs_generic_nfs_client_initialdowndelay
,&sysctl__vfs_generic_nfs_client_nextdowndelay
+ ,&sysctl__kern_lctx
,&sysctl__kern_ipc
,&sysctl__kern_sysv
,&sysctl__net_inet
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/Makefile#4 (text+ko) ====
@@ -25,7 +25,7 @@
dir.h dirent.h disk.h disklabel.h disktab.h dkstat.h dmap.h domain.h \
errno.h ev.h event.h eventvar.h exec.h extattr.h fcntl.h file.h filedesc.h filio.h gmon.h ioccom.h ioctl.h \
ioctl_compat.h ipc.h kernel.h kern_event.h ktrace.h libkern.h loadable_fs.h lock.h lockf.h mach_swapon.h malloc.h \
- kdebug.h linker_set.h md5.h kern_control.h \
+ kdebug.h lctx.h linker_set.h md5.h kern_control.h \
mac.h mac_policy.h \
mbuf.h mman.h mount.h msgbuf.h mtio.h namei.h netport.h param.h paths.h \
proc.h protosw.h ptrace.h queue.h quota.h random.h reboot.h resource.h resourcevar.h \
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac.h#5 (text+ko) ====
@@ -84,6 +84,8 @@
int mac_from_text(mac_t *_label, const char *_text);
int mac_get_fd(int _fd, mac_t _label);
int mac_get_file(const char *_path, mac_t _label);
+int mac_get_lcid(pid_t _lcid, mac_t _label);
+int mac_get_lctx(mac_t _label);
int mac_get_link(const char *_path, mac_t _label);
int mac_get_pid(pid_t _pid, mac_t _label);
int mac_get_proc(mac_t _label);
@@ -96,6 +98,7 @@
int mac_prepare_process_label(mac_t *_label);
int mac_set_fd(int _fildes, const mac_t _label);
int mac_set_file(const char *_path, mac_t _label);
+int mac_set_lctx(mac_t _label);
int mac_set_link(const char *_path, mac_t _label);
int mac_set_proc(const mac_t _label);
int mac_syscall(const char *_policyname, int _call, void *_arg);
@@ -111,6 +114,7 @@
struct attrlist;
struct componentname;
struct devnode;
+struct lctx;
struct mount;
struct pseminfo;
struct pshminfo;
@@ -167,6 +171,8 @@
void mac_vnode_label_free(struct label *label);
int mac_get_vnode_audit_labels(struct vnode *vp,
struct mac *mac);
+struct label *mac_lctx_label_alloc(void);
+void mac_lctx_label_free(struct label *label);
#define mac_update_task_from_cred(cred, task) \
mac_update_task_label(((cred)->cr_label), task)
@@ -256,6 +262,8 @@
void mac_thread_userret(struct uthread *td);
#endif
+void mac_relabel_lctx(struct lctx *l, struct label *newlabel);
+
/*
* Label cleanup operation: This is the inverse complement for the mac_create
* and associate type of hooks. This hook lets the policy module(s) perform
@@ -274,6 +282,7 @@
const char *serv, const char *perm);
int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
int mac_check_cred_visible(struct ucred *u1, struct ucred *u2);
+int mac_check_lctx_relabel(struct lctx *l, struct label *newlabel);
int mac_check_posix_sem_create(struct ucred *cred, const char *name);
int mac_check_posix_sem_open(struct ucred *cred, struct pseminfo *ps);
int mac_check_posix_sem_post(struct ucred *cred, struct pseminfo *ps);
@@ -326,6 +335,8 @@
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
int signum);
int mac_check_proc_wait(struct ucred *cred, struct proc *proc);
+int mac_check_proc_setlcid(struct proc *, struct proc *, pid_t, pid_t);
+int mac_check_proc_getlcid(struct proc *, struct proc *, pid_t);
int mac_check_set_fd(struct ucred *cred, struct file *fp, char *buf,
int buflen);
int mac_check_socket_accept(struct ucred *cred, struct socket *so,
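Review bot: The two new prototypes `mac_check_proc_setlcid(struct proc *, struct proc *, pid_t, pid_t)` and `mac_check_proc_getlcid(struct proc *, struct proc *, pid_t)` omit parameter names, unlike every neighbouring declaration, and with two `struct proc *` and two `pid_t` in a row a reader cannot tell subject from target or pid from lcid; the three mac_proc_*_lctx prototypes in the later hunk have the same gap. Name them as the kern_prot.c callers do, e.g. `int mac_check_proc_setlcid(struct proc *p0, struct proc *p, pid_t pid, pid_t lcid);`. These are also the only mac_check_proc_* entries whose subject is a struct proc rather than a struct ucred, so a one-line comment on why the proc is needed would save the next reader from guessing.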
@@ -430,6 +441,10 @@
int mac_audit_postselect(struct ucred *cred, unsigned short syscode,
void *args, int error, int retval, int mac_forced);
+void mac_proc_create_lctx(struct proc *, struct lctx *);
+void mac_proc_join_lctx(struct proc *, struct lctx *);
+void mac_proc_leave_lctx(struct proc *, struct lctx *);
+
/*
* Calls to help various file systems implement labeling functionality
* using their existing EA implementation.
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#11 (text+ko) ====
@@ -55,6 +55,7 @@
struct ifnet;
struct ipq;
struct label;
+struct lctx;
struct mac_policy_conf;
struct mbuf;
struct mount;
@@ -219,6 +220,14 @@
);
/**
+ @brief Initialize Login Context label
+ @param label New label to initialize
+*/
+typedef void mpo_init_lctx_label_t(
+ struct label *label
+);
+
+/**
@brief Initialize devfs label
@param label New label to initialize
@@ -489,6 +498,14 @@
);
/**
+ @brief Destroy Login Context label
+ @param label The label to be destroyed
+*/
+typedef void mpo_destroy_lctx_label_t(
+ struct label *label
+);
+
+/**
@brief Destroy devfs label
@param label The label to be destroyed
@@ -830,6 +847,29 @@
);
/**
+ @brief Externalize a Login Context label
+ @param label Label to be externalized
+ @param element_name Name of the label namespace for which labels should be
+ externalized
+ @param sb String buffer to be filled with a text representation of the label
+
+ Produce an external representation of the label on a Login Context.
+ An externalized label consists of a text representation
+ of the label contents that can be used with user applications.
+ Policy-agnostic user space tools will display this externalized
+ version.
+
+ @return 0 on success, return non-zero if an error occurs while
+ externalizing the label data.
+
+*/
+typedef int mpo_externalize_lctx_label_t(
+ struct label *label,
+ char *element_name,
+ struct sbuf *sb
+);
+
+/**
@brief Externalize a vnode label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
@@ -901,6 +941,32 @@
);
/**
+ @brief Internalize a Login Context label
+ @param label Label to be internalized
+ @param element_name Name of the label namespace for which the label should
+ be internalized
+ @param element_data Text data to be internalized
+
+ Produce a Login Context label from an external representation. An
+ externalized label consists of a text representation of the label
+ contents that can be used with user applications. Policy-agnostic
+ user space tools will forward text version to the kernel for
+ processing by individual policy modules.
+
+ The policy's internalize entry points will be called only if the
+ policy has registered interest in the label namespace.
+
+ @return 0 on success, Otherwise, return non-zero if an error occurs
+ while internalizing the label data.
+
+*/
+typedef int mpo_internalize_lctx_label_t(
+ struct label *label,
+ char *element_name,
+ char *element_data
+);
+
+/**
@brief Internalize a vnode label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
@@ -1708,6 +1774,50 @@
/*@}*/
/**
+ @brief A process has created a login context
+ @param p Subject
+ @param l Login Context
+*/
+typedef void mpo_proc_create_lctx_t(
+ struct proc *p,
+ struct lctx *l
+);
+
+/**
+ @brief A process has joined a login context
+ @param p Subject
>>> TRUNCATED FOR MAIL (1000 lines) <<<