PERFORCE change 104070 for review
Todd Miller
millert at FreeBSD.org
Tue Aug 15 17:44:34 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=104070
Change 104070 by millert at millert_macbook on 2006/08/15 17:44:17
Add security.mac.sebsd.compute.create,
security.mac.sebsd.compute.member, and
security.mac.sebsd.canon.context sysctls
for use by libselinux.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_sysctl.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_sysctl.c#2 (text+ko) ====
@@ -366,7 +366,169 @@
return (error);
}
+/*
+ * Sysctl handler for security.mac.sebsd.canon_context.
+ * Check sid validity, returns canonical name of context.
+ */
+static int
+sysctl_canon_context SYSCTL_HANDLER_ARGS
+{
+ u_int32_t sid, len;
+ char *context, *canon;
+ int error;
+
+#ifdef SECURITY__COMPUTE_CHECK
+ error = cred_has_security(kauth_cred_get(), SECURITY__COMPUTE_CHECK);
+ if (error)
+ return (error);
+#endif
+
+ if (req->newlen < 2)
+ return (EINVAL);
+ if (req->newlen > 512) /* arbitrary */
+ return (ENAMETOOLONG);
+ context = sebsd_malloc(req->newlen, M_SEBSD, M_WAITOK);
+ error = SYSCTL_IN(req, context, req->newlen);
+ if (error)
+ goto out;
+ if (context[req->newlen - 1] != '\0') {
+ error = EINVAL;
+ goto out;
+ }
+ /*
+ * XXX We need POLICY_RDLOCK here, but it's not exported!
+ */
+ error = security_context_to_sid(context, strlen(context) + 1, &sid);
+ if (error)
+ goto out;
+
+ error = security_sid_to_context(sid, &canon, &len);
+ if (error == 0) {
+ error = SYSCTL_OUT(req, canon, len);
+ sebsd_free(canon, M_SEBSD);
+ }
+out:
+ sebsd_free(context, M_SEBSD);
+ return (error);
+}
+
+/*
+ * Sysctl handler for security.mac.sebsd.compute_create. Create new sid
+ * given input "scontext\0tcontext\0", tclass.
+ */
+static int
+sysctl_compute_create SYSCTL_HANDLER_ARGS
+{
+ u_int32_t sid, tsid, newsid, len;
+ u_int16_t tclass;
+ char *scontext, *tcontext, *newcontext;
+ int error;
+
+ error = cred_has_security(kauth_cred_get(), SECURITY__COMPUTE_CREATE);
+ if (error)
+ return (error);
+
+ if (req->newlen < 4 + sizeof(tclass))
+ return (EINVAL);
+ if (req->newlen > 512) /* arbitrary */
+ return (ENAMETOOLONG);
+ scontext = sebsd_malloc(req->newlen, M_SEBSD, M_WAITOK);
+ error = SYSCTL_IN(req, scontext, req->newlen);
+ if (error)
+ goto out;
+ if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') {
+ error = EINVAL;
+ goto out;
+ }
+ tcontext = &scontext[strlen(scontext) + 1];
+ if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) {
+ error = EINVAL;
+ goto out;
+ }
+ bcopy(&tcontext[strlen(tcontext) + 1], &tclass, sizeof(tclass));
+ /*
+ * XXX We need POLICY_RDLOCK here, but it's not exported!
+ */
+ error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid);
+ if (error)
+ goto out;
+ error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid);
+ if (error)
+ goto out;
+
+ error = security_transition_sid(sid, tsid, tclass, &newsid);
+ if (error)
+ goto out;
+
+ error = security_sid_to_context(newsid, &newcontext, &len);
+ if (error == 0) {
+ error = SYSCTL_OUT(req, newcontext, len);
+ sebsd_free(newcontext, M_SEBSD);
+ }
+out:
+ sebsd_free(scontext, M_SEBSD);
+ return (error);
+}
+
+/*
+ * Sysctl handler for security.mac.sebsd.compute_member. Compute member sid
+ * given input "scontext\0tcontext\0", tclass.
+ */
static int
+sysctl_compute_member SYSCTL_HANDLER_ARGS
+{
+ u_int32_t sid, tsid, newsid, len;
+ u_int16_t tclass;
+ char *scontext, *tcontext, *newcontext;
+ int error;
+
+ error = cred_has_security(kauth_cred_get(), SECURITY__COMPUTE_MEMBER);
+ if (error)
+ return (error);
+
+ if (req->newlen < 4 + sizeof(tclass))
+ return (EINVAL);
+ if (req->newlen > 512) /* arbitrary */
+ return (ENAMETOOLONG);
+ scontext = sebsd_malloc(req->newlen, M_SEBSD, M_WAITOK);
+ error = SYSCTL_IN(req, scontext, req->newlen);
+ if (error)
+ goto out;
+ if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') {
+ error = EINVAL;
+ goto out;
+ }
+ tcontext = &scontext[strlen(scontext) + 1];
+ if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) {
+ error = EINVAL;
+ goto out;
+ }
+ bcopy(&tcontext[strlen(tcontext) + 1], &tclass, sizeof(tclass));
+ /*
+ * XXX We need POLICY_RDLOCK here, but it's not exported!
+ */
+ error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid);
+ if (error)
+ goto out;
+ error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid);
+ if (error)
+ goto out;
+
+ error = security_member_sid(sid, tsid, tclass, &newsid);
+ if (error)
+ goto out;
+
+ error = security_sid_to_context(newsid, &newcontext, &len);
+ if (error == 0) {
+ error = SYSCTL_OUT(req, newcontext, len);
+ sebsd_free(newcontext, M_SEBSD);
+ }
+out:
+ sebsd_free(scontext, M_SEBSD);
+ return (error);
+}
+
+static int
sysctl_sebsd_policypath SYSCTL_HANDLER_ARGS
{
void *path;
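Review bot: In sysctl_compute_create and sysctl_compute_member the class value is copied from `&tcontext[strlen(tcontext) + 1]`, which is the tail of the request only when tcontext contains no earlier NUL. A request of the form "a\0\0\0" plus two class bytes passes both checks, and tclass is then read one byte early; the read stays inside the buffer, but the transition or member query is computed for a class the caller did not send. Read the class from the fixed offset instead, `bcopy(&scontext[req->newlen - sizeof(tclass)], &tclass, sizeof(tclass));`, and return EINVAL unless `&tcontext[strlen(tcontext)] == &scontext[req->newlen - (1 + sizeof(tclass))]`, so only the documented "scontext\0tcontext\0", tclass layout is accepted. The two handlers differ only in the security_transition_sid / security_member_sid call, so the parsing could move into one shared static helper. sysctl_sebsd_policypath at the end of the hunk continues outside it.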
@@ -412,6 +574,15 @@
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_av, CTLTYPE_STRING |
CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_av, "A",
"SEBSD access vector decision query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, canon_context, CTLTYPE_STRING |
+ CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_canon_context, "A",
+ "SEBSD context verification query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_create, CTLTYPE_STRING |
+ CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_create, "A",
+ "SEBSD context computation query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_member, CTLTYPE_STRING |
+ CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_member, "A",
+ "SEBSD context member query");
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, auditing, CTLTYPE_INT |
CTLFLAG_RW, NULL, 0, sysctl_sebsd_auditing, "I", "SEBSD avc auditing");
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT |
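Review bot: canon_context is registered with `CTLFLAG_ANYBODY`, but sysctl_canon_context makes its cred_has_security() call only inside `#ifdef SECURITY__COMPUTE_CHECK`, so a build whose policy headers lack that permission lets any local user reach security_context_to_sid() with no access check; compute_create and compute_member always check. If the open fallback is intended, document it at the #ifdef, e.g. `/* No check when the policy lacks SECURITY__COMPUTE_CHECK: canonicalisation is open to all users. */`; otherwise add an `#else` branch that returns EPERM so the handler fails closed. All three handlers also carry the XXX about running without POLICY_RDLOCK, which matters more for OIDs any user can call; presumably a concurrent policy reload is the concern, and that is worth confirming before libselinux relies on them. The SYSCTL_PROC for enforcing at the end of the hunk continues outside it.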
@@ -436,6 +607,9 @@
sysctl_register_oid(&sysctl__security_mac_sebsd_file_sids);
sysctl_register_oid(&sysctl__security_mac_sebsd_change_sid);
sysctl_register_oid(&sysctl__security_mac_sebsd_compute_av);
+ sysctl_register_oid(&sysctl__security_mac_sebsd_compute_create);
+ sysctl_register_oid(&sysctl__security_mac_sebsd_compute_member);
+ sysctl_register_oid(&sysctl__security_mac_sebsd_canon_context);
sysctl_register_oid(&sysctl__security_mac_sebsd_auditing);
sysctl_register_oid(&sysctl__security_mac_sebsd_enforcing);
sysctl_register_oid(&sysctl__security_mac_sebsd_policyvers);