PERFORCE change 109955 for review
Todd Miller
millert at FreeBSD.org
Tue Nov 14 18:48:25 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=109955
Change 109955 by millert at millert_g5tower on 2006/11/14 18:47:59
Add an mprotect check. Doesn't really do anything at the
moment since there is no label to check. Could be useful
for preventing a process from making its stack executable
but apparently only mac-on-intel has no-exec stack. As a
result, this will likely get changed significantly in the
future or simply removed.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_mman.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#13 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#21 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#11 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#16 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/sorted-policynames.vim#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#11 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#19 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#35 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#8 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_mman.c#5 (text+ko) ====
@@ -634,13 +634,16 @@
}
int
-mprotect(__unused struct proc *p, struct mprotect_args *uap, __unused register_t *retval)
+mprotect(struct proc *p, struct mprotect_args *uap, __unused register_t *retval)
{
register vm_prot_t prot;
mach_vm_offset_t user_addr;
mach_vm_size_t user_size;
kern_return_t result;
vm_map_t user_map;
+#ifdef MAC
+ int error;
+#endif
AUDIT_ARG(addr, uap->addr);
AUDIT_ARG(len, uap->len);
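Review bot: Dropping `__unused` from `p` on the signature line leaves `p` unreferenced in builds without MAC, because its only use is the `mac_proc_check_mprotect()` call inside the `#ifdef MAC` region of the next hunk; with -Wunused-parameter that is a new warning on every non-MAC build. The cheapest fix that keeps both configurations quiet is an `#else` branch on that `#ifdef MAC` block containing `(void)p;`, or keeping `__unused` on `p` (the attribute only suppresses the warning, it does not forbid use). The body of mprotect() continues past the end of this hunk.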
@@ -667,13 +670,19 @@
#ifdef MAC
/*
- * There is no MAC check for mprotect for 2 reasons:
+ * The MAC check for mprotect is of limited use for 2 reasons:
* Without mmap revocation, the caller could have asked for the max
* protections initially instead of a reduced set, so a mprotect
* check would offer no new security.
- * It is nontrivial to extract the vnode from the pager object(s)
+ * It is not possible to extract the vnode from the pager object(s)
* of the target memory range.
+ * However, the MAC check may be used to prevent a process from,
+ * e.g., making the stack executable.
*/
+ error = mac_proc_check_mprotect(proc_ucred(p), p, (void *)user_addr,
+ (size_t)user_size, prot);
+ if (error)
+ return (error);
#endif
result = mach_vm_protect(user_map, user_addr, user_size,
FALSE, prot);
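Review bot: The casts `(void *)user_addr` and `(size_t)user_size` on the new call narrow `mach_vm_offset_t`/`mach_vm_size_t` (declared at the top of mprotect() as the 64-bit Mach types) to pointer/size_t width, so on a 32-bit kernel a 64-bit user address or length is silently truncated before any policy sees it, and a policy that later tries to implement the "stack not executable" check would compare against the wrong range. Since the hook signature is new in this change, it would be cheaper to define it on the wide types now, e.g. `error = mac_proc_check_mprotect(proc_ucred(p), p, user_addr, user_size, prot);` with the prototype taking `mach_vm_offset_t addr, mach_vm_size_t size`, than to change every policy later. Whether `user_addr`/`user_size` have already been range-checked before this point is not visible in the hunk; if they have not, the note in the comment block should say that policies receive the raw, unvalidated request. The function continues past the end of this hunk.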
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#13 (text+ko) ====
@@ -411,8 +411,8 @@
int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp);
-int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
- int prot);
+int mac_proc_check_mprotect(struct ucred *cred, struct proc *proc,
+ void *addr, size_t size, int prot);
int mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
int acc_mode);
int mac_vnode_check_read(struct ucred *active_cred,
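Review bot: The new `mac_proc_check_mprotect()` prototype is inserted into the alphabetically ordered run of `mac_vnode_check_*` declarations (between `lookup` and `open`), where the removed vnode prototype used to be, rather than with the other `mac_proc_check_*` declarations that presumably exist earlier in this header. Moving the two lines to that group keeps the header sorted and makes the hook easy to find alongside its sibling process checks.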
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#21 (text+ko) ====
@@ -3596,6 +3596,29 @@
);
/**
+ @brief Access control check for setting memory protections
+ @param cred Subject credential
+ @param proc User process requesting the change
+ @param addr Start address of the memory range
+ @param size Length address of the memory range
+ @param prot Memory protections, see mmap(2)
+
+ Determine whether the subject identified by the credential should
+ be allowed to set the specified memory protections on memory mapped
+ in the process proc.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_proc_check_mprotect_t(
+ struct ucred *cred,
+ struct proc *proc,
+ void *addr,
+ size_t size,
+ int prot
+);
+
+/**
@brief Access control check for setting the Login Context
@param p0 Calling process
@param p Effected process
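Review bot: The doc comment for `mpo_proc_check_mprotect_t` has a typo in the `size` parameter and says nothing about what `addr` actually is; the kernel passes a user-space address cast to `void *`, so a policy must not dereference it. I would change the two lines to `@param addr Start address of the memory range, in the address space of proc (not a kernel pointer)` and `@param size Length of the memory range`. It would also help to state in the body that no vnode or label is available for the range, since that is the reason the hook replaced `mpo_vnode_check_mprotect_t`.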
@@ -4679,27 +4702,6 @@
);
/**
- @brief Access control check for setting memory protections
- @param cred Subject credential
- @param vp Mapped vnode
- @param label Policy label associated with vp
- @param prot Memory protections, see mmap(2)
-
- Determine whether the subject identified by the credential should
- be allowed to set the specified memory protections on memory mapped
- from the vnode vp.
-
- @return Return 0 if access is granted, otherwise an appropriate value for
- errno should be returned.
-*/
-typedef int mpo_vnode_check_mprotect_t(
- struct ucred *cred,
- struct vnode *vp,
- struct label *label,
- int prot
-);
-
-/**
@brief Access control check for open
@param cred Subject credential
@param vp Object vnode
@@ -5573,6 +5575,7 @@
mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
mpo_proc_check_getauid_t *mpo_proc_check_getauid;
mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
+ mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
mpo_proc_check_sched_t *mpo_proc_check_sched;
mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
mpo_proc_check_setauid_t *mpo_proc_check_setauid;
@@ -5615,7 +5618,6 @@
mpo_vnode_check_link_t *mpo_vnode_check_link;
mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
- mpo_vnode_check_mprotect_t *mpo_vnode_check_mprotect;
mpo_vnode_check_open_t *mpo_vnode_check_open;
mpo_vnode_check_read_t *mpo_vnode_check_read;
mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#11 (text+ko) ====
@@ -392,3 +392,14 @@
return (error);
}
#endif /* LCTX */
+
+int
+mac_proc_check_mprotect(struct ucred *cred, struct proc *proc,
+ void *addr, size_t size, int prot)
+{
+ int error;
+
+ MAC_CHECK(proc_check_mprotect, cred, proc, addr, size, prot);
+ return (error);
+}
+
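Review bot: The new `mac_proc_check_mprotect()` has no comment describing what `addr` and `size` denote (a user address range, judging by the caller in kern_mman.c) and the hunk also adds a trailing blank line at end of file. A one-line comment such as `/* addr/size describe a range in proc's address space; policies must not dereference addr. */` above the definition would cover it, and the extra blank line at the end should be dropped. `error` is presumably assigned by MAC_CHECK as in the other wrappers in this tree; that macro is not visible here.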
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#16 (text+ko) ====
@@ -514,15 +514,6 @@
}
int
-mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
-{
- int error;
-
- MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
- return (error);
-}
-
-int
mac_vnode_check_open(struct ucred *cred, struct vnode *vp, int acc_mode)
{
int error;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/sorted-policynames.vim#3 (text+ko) ====
@@ -117,6 +117,7 @@
typedef mpo_proc_check_getaudit_t(
typedef mpo_proc_check_getauid_t(
typedef mpo_proc_check_getlcid_t(
+typedef mpo_proc_check_mprotect_t(
typedef mpo_proc_check_sched_t(
typedef mpo_proc_check_setaudit_t(
typedef mpo_proc_check_setauid_t(
@@ -212,7 +213,6 @@
typedef mpo_vnode_check_link_t(
typedef mpo_vnode_check_listextattr_t(
typedef mpo_vnode_check_lookup_t(
-typedef mpo_vnode_check_mprotect_t(
typedef mpo_vnode_check_open_t(
typedef mpo_vnode_check_read_t(
typedef mpo_vnode_check_readdir_t(
==== //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#11 (text+ko) ====
@@ -518,11 +518,11 @@
}
static int
-color_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
- struct label *label, int prot)
+color_proc_check_mprotect(struct ucred *cred, struct proc *proc,
+ void *addr, size_t size, int prot)
{
- return (co_maybe_promote_process(cred, label));
+ // Nothing yet
}
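Review bot: `color_proc_check_mprotect()` is declared `static int` but the new body contains only the comment `// Nothing yet` and no return statement, so reaching the closing brace in a non-void function whose result is used is undefined behavior and MAC_CHECK will fold an arbitrary value into the access decision — mprotect(2) may then fail, or succeed, at random. Replace the comment with `return (0);` (keep the comment if you like, but the return is required). The same stub pattern in mac_mls.c does return 0, so this is the only policy in the change with the defect.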
static int
@@ -709,6 +709,7 @@
.mpo_lctx_notify_leave = color_lctx_notify_leave,
.mpo_lctx_label_update = color_lctx_label_update,
.mpo_proc_check_signal = color_proc_check_signal,
+ .mpo_proc_check_mprotect = color_proc_check_mprotect,
.mpo_vnode_check_access = color_vnode_check_access,
.mpo_vnode_check_chdir = color_vnode_check_chdir,
@@ -724,7 +725,6 @@
.mpo_vnode_check_link = color_vnode_check_link,
.mpo_vnode_check_listextattr = color_vnode_check_listextattr,
.mpo_vnode_check_lookup = color_vnode_check_lookup,
- .mpo_vnode_check_mprotect = color_vnode_check_mprotect,
.mpo_vnode_check_open = color_vnode_check_open,
.mpo_vnode_check_read = color_vnode_check_read,
.mpo_vnode_check_readdir = color_vnode_check_readdir,
==== //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#19 (text+ko) ====
@@ -3498,24 +3498,14 @@
}
static int
-mac_mls_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
- struct label *vlabel, int prot)
+mac_mls_proc_check_mprotect(struct ucred *cred, struct proc *proc,
+ void *addr, size_t size, int prot)
{
- struct mac_mls *subj, *obj;
- int r, w;
if (!mac_mls_enabled)
return (0);
- subj = SLOT(cred->cr_label);
- obj = SLOT(vlabel);
- r = mac_mls_dominate_effective(subj, obj);
- w = mac_mls_dominate_effective(obj, subj);
-
- if (!r && ((prot & VM_PROT_READ) || (prot & VM_PROT_EXECUTE)))
- return (EACCES);
- if (!w && (prot & VM_PROT_WRITE))
- return (EACCES);
+#warning Implement mac_mls_proc_check_mprotect()
return (0);
}
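Review bot: The `#warning Implement mac_mls_proc_check_mprotect()` line is a preprocessor extension, not standard C11, and any build that passes -Werror will fail on it; sebsd.c in the same change marks its unfinished hook with a `/* XXX - ... */` comment instead, which is the safer convention to follow here. Replacing the line with `/* XXX - implement mac_mls_proc_check_mprotect() */` keeps the reminder without affecting the build. Note that with the old dominance check removed the hook now grants every request when MLS is enabled; the commit message acknowledges this, so it is only worth a comment at the return site.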
@@ -4090,7 +4080,7 @@
.mpo_vnode_check_lookup = mac_mls_vnode_check_lookup,
.mpo_file_check_mmap = mac_mls_file_check_mmap,
.mpo_file_check_mmap_downgrade = mac_mls_file_check_mmap_downgrade,
- .mpo_vnode_check_mprotect = mac_mls_vnode_check_mprotect,
+ .mpo_proc_check_mprotect = mac_mls_proc_check_mprotect,
.mpo_vnode_check_open = mac_mls_vnode_check_open,
.mpo_vnode_check_read = mac_mls_vnode_check_read,
.mpo_vnode_check_readdir = mac_mls_vnode_check_readdir,
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#35 (text+ko) ====
@@ -2940,9 +2940,11 @@
}
static int
-sebsd_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
- struct label *label, int prot)
+sebsd_proc_check_mprotect(struct ucred *cred, struct proc *proc,
+ void *addr, size_t size, int prot)
{
+ /* XXX - check that stack is not being made executable */
+#ifdef notyet
u_int32_t av;
/*
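Review bot: The `#ifdef notyet` block keeps code that still calls `vnode_has_perm(cred, vp, NULL, av)` (visible in the next hunk) even though `vp` and `label` are no longer parameters of `sebsd_proc_check_mprotect()`, so the block cannot be re-enabled as written and will mislead whoever picks up the XXX. Since the old version is in version control, deleting the dead block and leaving only the XXX comment plus `return (0);` is cleaner. The XXX itself deserves one more sentence saying what is needed, e.g. `/* XXX - needs the stack bounds of proc to tell whether [addr, addr+size) overlaps the stack; the hook args alone are not enough */`. The function continues past the end of this hunk.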
@@ -2959,6 +2961,7 @@
return (vnode_has_perm(cred, vp, NULL, av));
}
+#endif
return (0);
}
@@ -3634,6 +3637,7 @@
.mpo_port_check_hold_receive = sebsd_port_check_hold_recv,
.mpo_proc_check_debug = sebsd_proc_check_debug,
.mpo_proc_check_getaudit = sebsd_proc_check_getaudit,
+ .mpo_proc_check_mprotect = sebsd_proc_check_mprotect,
.mpo_proc_check_sched = sebsd_proc_check_sched,
.mpo_proc_check_setaudit = sebsd_proc_check_setaudit,
.mpo_proc_check_setlcid = sebsd_proc_check_setlcid,
@@ -3678,7 +3682,6 @@
// .mpo_vnode_check_kqfilter = sebsd_vnode_check_kqfilter,
.mpo_vnode_check_link = sebsd_vnode_check_link,
.mpo_vnode_check_lookup = sebsd_vnode_check_lookup,
- .mpo_vnode_check_mprotect = sebsd_vnode_check_mprotect,
.mpo_vnode_check_open = sebsd_vnode_check_open,
.mpo_vnode_check_read = sebsd_vnode_check_read,
.mpo_vnode_check_readdir = sebsd_vnode_check_readdir,
==== //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#8 (text+ko) ====
@@ -333,13 +333,6 @@
}
static int
-vanity_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, struct label *label, int prot)
-{
- VANITY(vp);
- return (0);
-}
-
-static int
vanity_vnode_check_open(struct ucred *cred, struct vnode *vp, struct label *label, int acc_mode)
{
VANITY(vp);
@@ -508,7 +501,6 @@
.mpo_vnode_check_link = vanity_vnode_check_link,
.mpo_vnode_check_listextattr = vanity_vnode_check_listextattr,
.mpo_vnode_check_lookup = vanity_vnode_check_lookup,
- .mpo_vnode_check_mprotect = vanity_vnode_check_mprotect,
.mpo_vnode_check_open = vanity_vnode_check_open,
.mpo_vnode_check_read = vanity_vnode_check_read,
.mpo_vnode_check_readdir = vanity_vnode_check_readdir,