PERFORCE change 91814 for review
Todd Miller
millert at FreeBSD.org
Wed Feb 15 10:07:13 PST 2006
http://perforce.freebsd.org/chv.cgi?CH=91814
Change 91814 by millert at millert_g4tower on 2006/02/15 18:06:52
Add mac_check_port_receive() entry point to mediate message receipt.
Split off mac_check_port_move_send() from mac_check_port_copy_send().
New mac_check_port_make_send_once(), mac_check_port_move_send_once(),
and mac_check_port_hold_send_once() entry points to differentiate
between "send" and "send once" rights.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#14 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/ipc_right.c#6 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_port.c#8 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_perm_to_string.h#6 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_permissions.h#6 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/access_vectors#7 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#32 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#14 (text+ko) ====
@@ -1953,11 +1953,11 @@
);
/**
- @brief Access control check for transferring a send right
+ @brief Access control check for copying a send right to another task
@param task Label of the sender task
@param port Label of the affected port
- Access control check for transferring send rights to the port out of the
+ Access control check for copying send rights to the port from the
specified task. A complementary entry point, mpo_check_port_hold_send,
handles the receiving task. check_port_copy_send is called as part of
a group of policy invocations when messages with port rights are sent.
@@ -1974,6 +1974,27 @@
);
/**
+ @brief Access control check for transferring a send right
+ @param task Label of the sender task
+ @param port Label of the affected port
+
+ Access control check for transferring a send right from one task to the
+ task listening to the specified port. A complementary entry point,
+ mpo_check_port_hold_send, handles the receiving task.
+ check_port_move_send is called as part of a group of policy invocations
+ when messages with port rights are sent. All access control checks made
+ for a particular message must be successful for the message to be sent.
+
+ The task label and the port are locked. Sleeping is permitted.
+
+ @return Return 0 if access is granted, non-zero otherwise.
+*/
+typedef int mpo_check_port_move_send_t(
+ struct label *task,
+ struct label *port
+);
+
+/**
@brief Access control check for obtaining a send right
@param task Label of the receiving task
@param port Label of the affected port
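Review bot: The description of mpo_check_port_move_send_t says the right is transferred "to the task listening to the specified port", but the caller added in ipc_right.c passes `port->ip_label` of the entry whose send right is being moved, not the label of the message's destination port, so that sentence points a policy writer at the wrong object. Suggest `Access control check for moving (rather than copying) a send right to the specified port out of the specified task.` for the opening sentence and leave the rest of the block as written. The typedef itself is complete within the hunk.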
@@ -4159,10 +4180,14 @@
mpo_check_port_relabel_t *mpo_check_port_relabel;
mpo_check_port_send_t *mpo_check_port_send;
mpo_check_port_make_send_t *mpo_check_port_make_send;
+ mpo_check_port_make_send_t *mpo_check_port_make_send_once;
mpo_check_port_copy_send_t *mpo_check_port_copy_send;
+ mpo_check_port_move_send_t *mpo_check_port_move_send;
+ mpo_check_port_move_send_t *mpo_check_port_move_send_once;
mpo_check_port_receive_t *mpo_check_port_receive;
mpo_check_port_move_receive_t *mpo_check_port_move_receive;
mpo_check_port_hold_send_t *mpo_check_port_hold_send;
+ mpo_check_port_hold_send_t *mpo_check_port_hold_send_once;
mpo_check_port_hold_receive_t *mpo_check_port_hold_receive;
mpo_check_cred_visible_t *mpo_check_cred_visible;
mpo_check_fcntl_t *mpo_check_fcntl;
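Review bot: The three new `_once` slots reuse `mpo_check_port_make_send_t` and `mpo_check_port_hold_send_t` and, unlike `mpo_check_port_move_send`, get no `/** @brief ... */` block, so nothing in this header tells a policy author that `mpo_check_port_make_send_once` is consulted for MACH_MSG_TYPE_MAKE_SEND_ONCE instead of MAKE_SEND or how a send-once right should be treated differently. A short doc block per slot in the style of the surrounding ones, e.g. `@brief Access control check for making a send-once right from a receive right`, would close that gap. Separately, the change description says it adds a `mac_check_port_receive()` entry point, yet `mpo_check_port_receive` appears here only as an unchanged context line and no such function is added in mac_port.c in this diff, so the description appears stale relative to what is under review.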
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/ipc_right.c#6 (text+ko) ====
@@ -1333,6 +1333,21 @@
switch (msgt_name) {
case MACH_MSG_TYPE_MAKE_SEND:
+ if ((bits & MACH_PORT_TYPE_RECEIVE) == 0)
+ return FALSE;
+
+#ifdef MAC
+ port = (ipc_port_t) entry->ie_object;
+ ip_lock(port);
+ tasklabel_lock(self);
+ rc = mac_check_port_make_send(&self->maclabel, &port->ip_label);
+ tasklabel_unlock(self);
+ ip_unlock(port);
+ if (rc)
+ return FALSE;
+#endif
+ break;
+
case MACH_MSG_TYPE_MAKE_SEND_ONCE:
if ((bits & MACH_PORT_TYPE_RECEIVE) == 0)
return FALSE;
@@ -1341,7 +1356,7 @@
port = (ipc_port_t) entry->ie_object;
ip_lock(port);
tasklabel_lock(self);
- rc = mac_check_port_make_send(&self->maclabel, &port->ip_label);
+ rc = mac_check_port_make_send_once(&self->maclabel, &port->ip_label);
tasklabel_unlock(self);
ip_unlock(port);
if (rc)
@@ -1384,7 +1399,22 @@
active = ip_active(port);
#ifdef MAC
tasklabel_lock(self);
- rc = mac_check_port_copy_send(&self->maclabel, &port->ip_label);
+ switch (msgt_name) {
+ case MACH_MSG_TYPE_COPY_SEND:
+ rc = mac_check_port_copy_send(&self->maclabel,
+ &port->ip_label);
+ break;
+ case MACH_MSG_TYPE_MOVE_SEND:
+ rc = mac_check_port_move_send(&self->maclabel,
+ &port->ip_label);
+ break;
+ case MACH_MSG_TYPE_MOVE_SEND_ONCE:
+ rc = mac_check_port_move_send_once(&self->maclabel,
+ &port->ip_label);
+ break;
+ default:
+ panic("ipc_right_copyin_check: strange rights");
+ }
tasklabel_unlock(self);
if (rc) {
ip_unlock(port);
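Review bot: The new `default:` arm panics the kernel on an unexpected `msgt_name` and leaves `rc` unassigned on that path, with the port and task-label locks still held; the `case` labels that funnel into this block are outside the hunk, so I cannot confirm from here that only COPY_SEND, MOVE_SEND and MOVE_SEND_ONCE reach it. If that three-type invariant is guaranteed by the enclosing switch, a comment saying so (`/* only the three send-right copyin types reach here */`) would help; if the arm is meant as defense in depth instead, unlocking and `return FALSE;` is the safer fail-closed choice over a kernel crash in the MAC build. The enclosing function continues outside the hunk.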
@@ -1510,7 +1540,7 @@
#ifdef MAC
tasklabel_lock(self);
- rc = mac_check_port_make_send(&self->maclabel, &port->ip_label);
+ rc = mac_check_port_make_send_once(&self->maclabel, &port->ip_label);
tasklabel_unlock(self);
if (rc) {
ip_unlock(port);
@@ -1664,7 +1694,7 @@
#ifdef MAC
tasklabel_lock(self);
- rc = mac_check_port_copy_send(&self->maclabel, &port->ip_label);
+ rc = mac_check_port_move_send(&self->maclabel, &port->ip_label);
tasklabel_unlock(self);
if (rc) {
ip_unlock(port);
@@ -1742,7 +1772,8 @@
#ifdef MAC
tasklabel_lock(self);
- rc = mac_check_port_copy_send(&self->maclabel, &port->ip_label);
+ rc = mac_check_port_move_send_once(&self->maclabel,
+ &port->ip_label);
tasklabel_unlock(self);
if (rc) {
ip_unlock(port);
@@ -1947,7 +1978,7 @@
#ifdef MAC
tasklabel_lock(self);
- rc = mac_check_port_copy_send(&self->maclabel, &port->ip_label);
+ rc = mac_check_port_move_send(&self->maclabel, &port->ip_label);
tasklabel_unlock(self);
if (rc) {
ip_unlock(port);
@@ -2053,7 +2084,7 @@
#ifdef MAC
if (space->is_task) {
tasklabel_lock(space->is_task);
- rc = mac_check_port_hold_send(&space->is_task->maclabel,
+ rc = mac_check_port_hold_send_once(&space->is_task->maclabel,
&port->ip_label);
tasklabel_unlock(space->is_task);
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_port.c#8 (text+ko) ====
@@ -148,6 +148,16 @@
}
int
+mac_check_port_make_send_once(struct label *task, struct label *port)
+{
+ int error;
+
+ MAC_CHECK(check_port_make_send_once, task, port);
+
+ return (error);
+}
+
+int
mac_check_port_copy_send(struct label *task, struct label *port)
{
int error;
@@ -158,6 +168,26 @@
}
int
+mac_check_port_move_send(struct label *task, struct label *port)
+{
+ int error;
+
+ MAC_CHECK(check_port_move_send, task, port);
+
+ return (error);
+}
+
+int
+mac_check_port_move_send_once(struct label *task, struct label *port)
+{
+ int error;
+
+ MAC_CHECK(check_port_move_send_once, task, port);
+
+ return (error);
+}
+
+int
mac_check_port_move_receive(struct label *task, struct label *port)
{
int error;
@@ -178,6 +208,16 @@
}
int
+mac_check_port_hold_send_once(struct label *task, struct label *port)
+{
+ int error;
+
+ MAC_CHECK(check_port_hold_send_once, task, port);
+
+ return (error);
+}
+
+int
mac_check_port_hold_receive(struct label *task, struct label *port)
{
int error;
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_perm_to_string.h#6 (text+ko) ====
@@ -129,10 +129,16 @@
{ SECCLASS_MACH_PORT, MACH_PORT__SEND, "send" },
{ SECCLASS_MACH_PORT, MACH_PORT__RECV, "recv" },
{ SECCLASS_MACH_PORT, MACH_PORT__MAKE_SEND, "make_send" },
+ { SECCLASS_MACH_PORT, MACH_PORT__MAKE_SEND_ONCE, "make_send_once" },
{ SECCLASS_MACH_PORT, MACH_PORT__COPY_SEND, "copy_send" },
+ { SECCLASS_MACH_PORT, MACH_PORT__MOVE_SEND, "move_send" },
+ { SECCLASS_MACH_PORT, MACH_PORT__MOVE_SEND_ONCE, "move_send_once" },
{ SECCLASS_MACH_PORT, MACH_PORT__MOVE_RECV, "move_recv" },
+ { SECCLASS_MACH_PORT, MACH_PORT__MOVE_RECV_ONCE, "move_recv_once" },
{ SECCLASS_MACH_PORT, MACH_PORT__HOLD_SEND, "hold_send" },
+ { SECCLASS_MACH_PORT, MACH_PORT__HOLD_SEND_ONCE, "hold_send_once" },
{ SECCLASS_MACH_PORT, MACH_PORT__HOLD_RECV, "hold_recv" },
+ { SECCLASS_MACH_PORT, MACH_PORT__HOLD_RECV_ONCE, "hold_recv_once" },
{ SECCLASS_MACH_TASK, MACH_TASK__TERMINATE, "terminate" },
{ SECCLASS_MACH_TASK, MACH_TASK__SET_SPECIAL_PORT, "set_special_port" },
};
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_permissions.h#6 (text+ko) ====
@@ -606,10 +606,16 @@
#define MACH_PORT__SEND 0x0000000000000004UL
#define MACH_PORT__RECV 0x0000000000000008UL
#define MACH_PORT__MAKE_SEND 0x0000000000000010UL
-#define MACH_PORT__COPY_SEND 0x0000000000000020UL
-#define MACH_PORT__MOVE_RECV 0x0000000000000040UL
-#define MACH_PORT__HOLD_SEND 0x0000000000000080UL
-#define MACH_PORT__HOLD_RECV 0x0000000000000100UL
+#define MACH_PORT__MAKE_SEND_ONCE 0x0000000000000020UL
+#define MACH_PORT__COPY_SEND 0x0000000000000040UL
+#define MACH_PORT__MOVE_SEND 0x0000000000000080UL
+#define MACH_PORT__MOVE_SEND_ONCE 0x0000000000000100UL
+#define MACH_PORT__MOVE_RECV 0x0000000000000200UL
+#define MACH_PORT__MOVE_RECV_ONCE 0x0000000000000400UL
+#define MACH_PORT__HOLD_SEND 0x0000000000000800UL
+#define MACH_PORT__HOLD_SEND_ONCE 0x0000000000001000UL
+#define MACH_PORT__HOLD_RECV 0x0000000000002000UL
+#define MACH_PORT__HOLD_RECV_ONCE 0x0000000000004000UL
#define MACH_TASK__TERMINATE 0x0000000000000001UL
#define MACH_TASK__SET_SPECIAL_PORT 0x0000000000000002UL
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/access_vectors#7 (text+ko) ====
@@ -360,10 +360,16 @@
send
recv
make_send
+ make_send_once
copy_send
+ move_send
+ move_send_once
move_recv
+ move_recv_once
hold_send
+ hold_send_once
hold_recv
+ hold_recv_once
}
class mach_task
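Review bot: `move_recv_once` and `hold_recv_once` are added to the mach_port class but nothing in this change consults them — there is no corresponding `mpo_check_port_*` slot in mac_policy.h and no CHECK_SIMPLE_PERM for them in sebsd.c — and Mach has no receive-once right, so they look like dead permission bits that will only confuse policy writers; drop them or explain the intended use in a comment. Also, inserting the new names in the middle of the class shifts the bit value of every existing permission after `make_send` (the regenerated av_permissions.h moves `copy_send` from 0x20 to 0x40, `hold_recv` from 0x100 to 0x2000); if the loaded policy's permission numbering is derived separately from this file, a policy built against the old layout would be checked against the wrong bits, so this needs a coordinated policy rebuild. Appending the new permissions at the end of the class would have left existing values stable.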
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#32 (text+ko) ====
@@ -116,6 +116,8 @@
int sebsd_verbose = 0;
+static struct label *last_dead_cred_label, *last_dead_task_label, *last_dead_port_label; // XXX - testing
+
static int slot = 1; /* TBD, dynamic */
#define SLOT(l) ((void *)LABEL_TO_SLOT((l), slot).l_ptr)
@@ -483,6 +485,24 @@
static void
sebsd_destroy_cred_label(struct label *label)
{
+ // printk("sebsd_destroy_cred_label(%p)\n", &LABEL_TO_SLOT((label), slot));
+ last_dead_cred_label = label;
+ sebsd_free (SLOT(label));
+ SLOT(label) = NULL;
+}
+
+static void
+sebsd_destroy_task_label(struct label *label)
+{
+ last_dead_task_label = label;
+ sebsd_free (SLOT(label));
+ SLOT(label) = NULL;
+}
+
+static void
+sebsd_destroy_port_label(struct label *label)
+{
+ last_dead_port_label = label;
sebsd_free (SLOT(label));
SLOT(label) = NULL;
}
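Review bot: sebsd_destroy_cred_label, sebsd_destroy_task_label and sebsd_destroy_port_label are identical apart from which `last_dead_*` global they stash, and those globals exist only to feed the diagnostic printk marked `XXX - testing`; storing a raw pointer to a label that is being torn down in an unlocked global is acceptable for a debugging session but should not land as-is. Once the tracing is removed the three collapse back into the single function the ops table used before this change, or, if the split is meant to stay, route the `sebsd_free (SLOT(label)); SLOT(label) = NULL;` pair through one static helper so it is not triplicated. The commented-out printk at the top of sebsd_destroy_cred_label should also be deleted rather than left in.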
@@ -1169,9 +1189,13 @@
CHECK_SIMPLE_PERM(msg_send, MACH_PORT, SEND);
CHECK_SIMPLE_PERM(msg_receive, MACH_PORT, RECV);
CHECK_SIMPLE_PERM(port_make_send, MACH_PORT, MAKE_SEND);
+CHECK_SIMPLE_PERM(port_make_send_once, MACH_PORT, MAKE_SEND_ONCE);
CHECK_SIMPLE_PERM(port_copy_send, MACH_PORT, COPY_SEND);
+CHECK_SIMPLE_PERM(port_move_send, MACH_PORT, COPY_SEND);
+CHECK_SIMPLE_PERM(port_move_send_once, MACH_PORT, MOVE_SEND_ONCE);
CHECK_SIMPLE_PERM(port_move_recv, MACH_PORT, MOVE_RECV);
CHECK_SIMPLE_PERM(port_hold_send, MACH_PORT, HOLD_SEND);
+CHECK_SIMPLE_PERM(port_hold_send_once, MACH_PORT, HOLD_SEND_ONCE);
CHECK_SIMPLE_PERM(port_hold_recv, MACH_PORT, HOLD_RECV);
extern struct policydb policydb;
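Review bot: `CHECK_SIMPLE_PERM(port_move_send, MACH_PORT, COPY_SEND)` wires the new move_send hook to the copy_send permission, so the `move_send` permission this same change adds to access_vectors and av_permissions.h is never consulted and moving a send right is gated by exactly the policy rule that gates copying one, which defeats the purpose of splitting the entry point. It should read `CHECK_SIMPLE_PERM(port_move_send, MACH_PORT, MOVE_SEND);`, matching the `_once` line directly below it.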
@@ -2339,7 +2363,13 @@
{
struct task_security_struct *task;
- task = SLOT(label);
+ /* XXX - SLOT should not return NULL but there is a signal race */
+ /* XXX - this may be fixed... */
+ if ((task = SLOT(label)) == NULL) {
+ printk("sebsd_externalize_cred_label: SLOT returned NULL!\n");
+ printk("label: %p, last_task: %p, last_cred: %p, last_port: %p\n", label, last_dead_task_label, last_dead_cred_label, last_dead_port_label); // XXX
+ return (ESRCH);
+ }
return (sebsd_externalize_sid(task->sid, element_name, sb));
}
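Review bot: The diagnostic `printk` in the new NULL-slot branch fires unconditionally and writes four kernel addresses to the console, and it sits under two vague comments ("there is a signal race", "this may be fixed...") that leave a reader unable to tell whether a NULL slot is an expected condition or an open bug. Gating it on the existing `sebsd_verbose` flag (`if (sebsd_verbose) printk(...)`) and replacing the two comments with one that states what is actually known — something like `/* SLOT may be NULL if the label was torn down concurrently; fail closed */`, if that is the race being described — would keep the fail-closed ESRCH return without leaking addresses in normal operation. The enclosing function begins outside the hunk.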
@@ -2635,8 +2665,8 @@
.mpo_destroy = sebsd_destroy,
.mpo_destroy_cred_label = sebsd_destroy_cred_label,
- .mpo_destroy_task_label = sebsd_destroy_cred_label,
- .mpo_destroy_port_label = sebsd_destroy_cred_label,
+ .mpo_destroy_task_label = sebsd_destroy_task_label,
+ .mpo_destroy_port_label = sebsd_destroy_port_label,
.mpo_destroy_vnode_label = sebsd_destroy_vnode_label,
.mpo_destroy_devfsdirent_label = sebsd_destroy_vnode_label,
@@ -2685,9 +2715,13 @@
.mpo_check_port_send = sebsd_check_msg_send,
.mpo_check_port_receive = sebsd_check_msg_receive,
.mpo_check_port_make_send = sebsd_check_port_make_send,
+ .mpo_check_port_make_send_once = sebsd_check_port_make_send_once,
.mpo_check_port_copy_send = sebsd_check_port_copy_send,
+ .mpo_check_port_move_send = sebsd_check_port_move_send,
+ .mpo_check_port_move_send_once = sebsd_check_port_move_send_once,
.mpo_check_port_move_receive = sebsd_check_port_move_recv,
.mpo_check_port_hold_send = sebsd_check_port_hold_send,
+ .mpo_check_port_hold_send_once = sebsd_check_port_hold_send_once,
.mpo_check_port_hold_receive = sebsd_check_port_hold_recv,
.mpo_check_proc_setlcid = sebsd_check_proc_setlcid,
.mpo_check_proc_signal = sebsd_check_proc_signal,