PERFORCE change 78926 for review
Andrew Reisse
areisse at FreeBSD.org
Fri Jun 24 17:50:37 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=78926
Change 78926 by areisse at areisse_ibook on 2005/06/24 17:49:53
Add a new entry point and kernel call for requesting new object
labels from policies. Currently, the interface is best suited for
the Flask policy and its concept of type changes on creation,
but it is hoped to be adaptable.
A utility program for using the entry point (compute_label) is
also included.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mach_cmds/Makefile#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#6 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/kern/security.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/mach/mac.h#5 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/mach/security.defs#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_base.c#4 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#5 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mach_cmds/Makefile#2 (text+ko) ====
@@ -1,7 +1,7 @@
include ../../Makeconfig
-all: mgetpmac prboot ca
+all: mgetpmac prboot ca compute_label
VPATH = $(EXPORT_HDRS)/osfmk/mach
CFLAGS += -g
@@ -18,8 +18,8 @@
ca: ca.o security.o
$(CC) -o $@ security.o ca.o
-mlhs: security.o mlhs.o
- $(CC) -o $@ $^
+compute_label: compute_label.o security.o
+ $(CC) -o $@ security.o compute_label.o
server: server.o security.o
$(CC) -o $@ security.o server.o
@@ -28,6 +28,7 @@
install: all
install -o $(BINOWN) -g $(BINGRP) -m 755 ca $(DESTDIR)/usr/bin
+ install -o $(BINOWN) -g $(BINGRP) -m 755 compute_label $(DESTDIR)/usr/bin
install -o $(BINOWN) -g $(BINGRP) -m 755 mgetpmac $(DESTDIR)/usr/bin
install -o $(BINOWN) -g $(BINGRP) -m 755 prboot $(DESTDIR)/usr/bin
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#6 (text+ko) ====
@@ -267,6 +267,9 @@
void (*mpo_relabel_cred)(struct ucred *cred,
struct label *newlabel);
+ int (*mpo_request_object_label)(struct label *subj, struct label *obj,
+ const char *serv, struct label *out);
+
/*
* Access control checks.
*/
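Review bot: The new `mpo_request_object_label` slot carries no comment stating its contract, yet the caller added to security.c in this change depends on the return value: 22 (EINVAL) becomes KERN_INVALID_ARGUMENT and any other non-zero value becomes KERN_NO_ACCESS. Suggest a comment above the pointer such as `/* Compute the label for a new object requested by subj relative to obj for service class serv; out is initialised by the caller. Returns 0, EINVAL for an unknown serv, or another errno on refusal. */`. The enclosing ops structure starts and ends outside this hunk.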
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/kern/security.c#2 (text+ko) ====
@@ -212,3 +212,77 @@
ipc_port_multiple_unlock();
return KERN_INVALID_ARGUMENT;
}
+
+kern_return_t
+mac_request_label(
+ ipc_space_t space,
+ mach_port_name_t sub,
+ mach_port_name_t obj,
+ labelstr_t serv,
+ mach_port_name_t *outlabel)
+{
+ ipc_entry_t subi, obji;
+ ipc_object_t subp, objp;
+ ipc_labelh_t outlh;
+ ipc_port_t sport;
+ kern_return_t kr;
+ struct label *objl, *subl;
+ int rc;
+
+ if (space == IS_NULL || space->is_task == NULL)
+ return KERN_INVALID_TASK;
+
+ if (!MACH_PORT_VALID(obj) || !MACH_PORT_VALID(sub))
+ return KERN_INVALID_NAME;
+
+ kr = ipc_right_lookup_two_write(space, obj, &obji, sub, &subi);
+ if (kr != KERN_SUCCESS)
+ return kr;
+
+ objp = obji->ie_object;
+ subp = subi->ie_object;
+
+ outlh = labelh_new();
+
+ ipc_port_multiple_lock(); /* serialize (not necessary for LH, but simpler) */
+ io_lock(objp);
+ io_lock(subp);
+ is_write_unlock (space);
+
+ objl = io_getlabel(objp);
+ if (objl == NULL)
+ goto errout;
+ subl = io_getlabel(subp);
+ if (subl == NULL)
+ goto errout;
+
+ mac_init_port_label(&outlh->lh_label);
+ rc = mac_request_object_label(subl, objl, serv, &outlh->lh_label);
+ io_unlocklabel(subp);
+ io_unlock(subp);
+ io_unlocklabel(objp);
+ io_unlock(objp);
+ ipc_port_multiple_unlock();
+
+ ip_lock(outlh->lh_port);
+ sport = ipc_port_make_send_locked(outlh->lh_port);
+ ip_release(outlh->lh_port);
+ ip_unlock(outlh->lh_port);
+ *outlabel = ipc_port_copyout_send(outlh->lh_port,space);
+
+ if (rc == /*EINVAL*/ 22)
+ return KERN_INVALID_ARGUMENT;
+ else if (rc != 0)
+ return KERN_NO_ACCESS;
+ else
+ return 0;
+
+errout:
+ io_unlocklabel(subp);
+ io_unlock(subp);
+ io_unlocklabel(objp);
+ io_unlock(objp);
+ ipc_port_multiple_unlock();
+ labelh_release(outlh);
+ return KERN_INVALID_ARGUMENT;
+}
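Review bot: In mac_request_label the send right is made and copied out into the caller's space before `rc` is examined, so when the policy call fails (EINVAL or a refusal) the routine still leaves a new label-handle port name in the task and never releases `outlh`. Checking `rc` right after `ipc_port_multiple_unlock()` and releasing the handle on failure avoids that, assuming `labelh_release` is also the correct teardown once `mac_init_port_label` has run. Separately, `errout` calls `io_unlocklabel(subp)` even when reached from the `objl == NULL` branch, before `io_getlabel(subp)` has been called. The results of `labelh_new()`, `obji->ie_object` and `subi->ie_object` are also used without a null check; whether they can be null depends on code outside the hunk, so confirm that dead-name entries cannot reach `io_lock`.

```c
	ipc_port_multiple_unlock();

	/* Fail before any right is created in the caller's space. */
	if (rc != 0) {
		labelh_release(outlh);
		return (rc == /*EINVAL*/ 22) ? KERN_INVALID_ARGUMENT : KERN_NO_ACCESS;
	}

	/* … unchanged: ip_lock / ipc_port_make_send_locked / ip_release / ip_unlock / copyout … */
	return KERN_SUCCESS;
```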
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/mach/mac.h#5 (text+ko) ====
@@ -60,4 +60,8 @@
int mac_check_task_service_access (task_t self, task_t obj, const char *perm);
+int mac_request_object_label (struct label *subj, struct label *obj,
+ const char *serv, struct label *out);
+
void mac_check_ipc_methods (struct label *task, struct label *port, int msgid, msg_access_vector_t *av);
+
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/mach/security.defs#3 (text+ko) ====
@@ -58,3 +58,9 @@
routine mac_label_new(task : ipc_space_t;
out name : mach_port_name_t;
label : labelstr_t);
+
+routine mac_request_label(task : ipc_space_t;
+ subject : mach_port_name_t;
+ object : mach_port_name_t;
+ service : labelstr_t;
+ out newlabel : mach_port_name_t);
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_base.c#4 (text+ko) ====
@@ -546,6 +546,16 @@
}
int
+mac_request_object_label(struct label *subj, struct label *obj,
+ const char *s, struct label *out)
+{
+ int error;
+
+ MAC_CHECK (request_object_label, subj, obj, s, out);
+ return error;
+}
+
+int
mac_check_structmac_consistent(struct mac *mac)
{
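Review bot: mac_request_object_label reuses `MAC_CHECK`, the composition macro for access checks, for an entry point that produces a value. The macro's definition is outside the hunk, but if it starts from `error = 0` and calls every registered policy, then with no policy implementing `mpo_request_object_label` the caller gets success with `out` untouched, and with several policies each one overwrites the same `out`. A comment such as `/* Returns 0 with *out unchanged when no policy implements this entry point; caller must pre-initialise out. */` would make the contract explicit. Alternatively the function could return an error when nothing filled in the label.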
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#5 (text+ko) ====
@@ -1251,6 +1251,25 @@
NULL, NULL);
}
+static int
+sebsd_request_label (struct label *subj, struct label *obj, const char *s,
+ struct label *out)
+{
+ struct task_security_struct *tsec, *psec, *osec;
+ struct class_datum *cld;
+ struct perm_datum *p;
+
+ psec = SLOT(obj);
+ tsec = SLOT(subj);
+ osec = SLOT(out);
+
+ cld = hashtab_search (policydb.p_classes.table, s);
+ if (cld == NULL)
+ return EINVAL;
+
+ return security_change_sid (tsec->sid, psec->sid, cld->value, &osec->sid);
+}
+
extern int selinux_enforcing;
static void
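Review bot: sebsd_request_label looks up `s` in `policydb.p_classes.table` directly, and no lock is taken in the visible body. If the policy can be reloaded while this runs, the lookup and the later use of `cld->value` need the same protection the security server applies to its own policydb accesses (not visible here, so confirm). The three `SLOT()` results are dereferenced as `struct task_security_struct` without a null check, which presumably relies on every label passed in having that layout; a one-line comment stating the assumption would help. `struct perm_datum *p;` is unused and can be dropped.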
@@ -2613,6 +2632,8 @@
.mpo_associate_vnode_extattr = sebsd_associate_vnode_extattr,
.mpo_associate_vnode_devfs = sebsd_associate_vnode_devfs,
+ .mpo_request_object_label = sebsd_request_label,
+
/* Transition */
.mpo_execve_will_transition = sebsd_execve_will_transition,
.mpo_execve_transition = sebsd_execve_transition,