PERFORCE change 107181 for review
Todd Miller
millert at FreeBSD.org
Tue Oct 3 07:47:44 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=107181
Change 107181 by millert at millert_macbook on 2006/10/03 14:46:04
Add modification notices
Add mac_getfsstat to audit
Fix warnings for sbuf(9)
Provide a MAC bypass mechanism for vn_rdwr() (ioflg IO_NOAUTH)
and use it in shift_data_down() and shift_data_up().
Split color policy into several files
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/bsm/bsm/etc/audit_event#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/disklib/mntopts.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount.tproj/mount.8#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount.tproj/mount.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount_fdesc.tproj/mount_fdesc.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kevents.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_klib.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/subr_sbuf.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/sbuf.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/vnode.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_xattr.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#12 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/color/Makefile#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/color/color_util.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.h#1 add
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/bsm/bsm/etc/audit_event#3 (text+ko) ====
@@ -301,6 +301,7 @@
415:AUE_GETLCID:getlcid(2):pc
416:AUE_MAC_MOUNT:mac_mount(2):ad
417:AUE_MAC_GET_MOUNT:mac_get_mount(2):fa
+418:AUE_MAC_GETFSSTAT:mac_getfsstat(2):fa
451:AUE_EXTATTR_SET_FILE:extattr_set_file(2):fm
452:AUE_EXTATTR_GET_FILE:extattr_get_file(2):fa
453:AUE_EXTATTR_DELETE_FILE:extattr_delete_file(2):fm
==== //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/disklib/mntopts.h#2 (text+ko) ====
@@ -54,6 +54,12 @@
*
* @(#)mntopts.h 8.7 (Berkeley) 3/29/95
*/
+/*
+ * NOTICE: This file was modified by SPARTA, Inc. in 2006 to introduce
+ * support for mandatory and extensible security protections. This notice
+ * is included in support of clause 2.2 (b) of the Apple Public License,
+ * Version 2.0.
+ */
#ifdef linux
#define MNT_RDONLY 0x00000001 /* read only filesystem */
==== //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount.tproj/mount.8#3 (text+ko) ====
@@ -31,6 +31,12 @@
.\"
.\" @(#)mount.8 8.8 (Berkeley) 6/16/94
.\"
+.\"
+.\" NOTICE: This file was modified by SPARTA, Inc. in 2006 to introduce
+.\" support for mandatory and extensible security protections. This notice
+.\" is included in support of clause 2.2 (b) of the Apple Public License,
+.\" Version 2.0.
+.\"
.Dd June 16, 1994
.Dt MOUNT 8
.Os BSD 4
==== //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount.tproj/mount.c#3 (text+ko) ====
@@ -52,7 +52,12 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
-
+/*
+ * NOTICE: This file was modified by SPARTA, Inc. in 2006 to introduce
+ * support for mandatory and extensible security protections. This notice
+ * is included in support of clause 2.2 (b) of the Apple Public License,
+ * Version 2.0.
+ */
#include <sys/param.h>
#include <sys/mount.h>
==== //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount_fdesc.tproj/mount_fdesc.c#3 (text+ko) ====
@@ -56,7 +56,12 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
-
+/*
+ * NOTICE: This file was modified by SPARTA, Inc. in 2006 to introduce
+ * support for mandatory and extensible security protections. This notice
+ * is included in support of clause 2.2 (b) of the Apple Public License,
+ * Version 2.0.
+ */
#include <sys/param.h>
#include <sys/mount.h>
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kevents.h#3 (text+ko) ====
@@ -353,6 +353,7 @@
#define AUE_GETLCID 415
#define AUE_MAC_MOUNT 416
#define AUE_MAC_GET_MOUNT 417
+#define AUE_MAC_GETFSSTAT 418
// BSM events for extended attributes
#define AUE_EXTATTR_SET_FILE 451
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#4 (text+ko) ====
@@ -611,6 +611,7 @@
case AUE_GETAUDIT_ADDR:
case AUE_GETAUID:
case AUE_GETFSSTAT:
+ case AUE_MAC_GETFSSTAT:
case AUE_PIPE:
case AUE_SETPGRP:
case AUE_SETRLIMIT:
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_klib.c#3 (text+ko) ====
@@ -460,6 +460,7 @@
AUE_GETLCID, /* 395 = getlcid */
AUE_MAC_MOUNT, /* 396 = __mac_mount */
AUE_MAC_GET_MOUNT, /* 397 = __mac_get_mount */
+ AUE_MAC_GETFSSTAT, /* 398 = __mac_getfsstat */
};
int nsys_au_event = sizeof(sys_au_event) / sizeof(sys_au_event[0]);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/subr_sbuf.c#2 (text+ko) ====
@@ -83,6 +83,8 @@
#define SBUF_MAXEXTENDSIZE PAGE_SIZE
#define SBUF_MAXEXTENDINCR PAGE_SIZE
+#define isspace(c) ((c) == ' ' || ((c) >= '\t' && (c) <= '\r'))
+
/*
* Debugging support
*/
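Review bot: The new `isspace(c)` macro evaluates its argument up to three times, so a call whose argument has a side effect would misbehave; the `static inline` it replaces (removed in the last hunk of this file) had no such hazard. Keeping the function and giving its parameter a type, `static inline int isspace(int ch)`, would presumably clear the warning without needing a macro. The macro also widens the accepted set to `\v`, `\f` and `\r`, which changes what the trim routine strips; if that is intended, say so in a comment such as `/* same set as C-locale isspace(): ' ', \t \n \v \f \r */`.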
@@ -299,11 +301,11 @@
if (len == 0)
return (0);
- if (len > SBUF_FREESPACE(s)) {
+ if ((int)len > SBUF_FREESPACE(s)) {
sbuf_extend(s, len - SBUF_FREESPACE(s));
len = min(len, SBUF_FREESPACE(s));
}
- if (copyin(uaddr, s->s_buf + s->s_len, len) != 0)
+ if (copyin(CAST_USER_ADDR_T(uaddr), s->s_buf + s->s_len, len) != 0)
return (-1);
s->s_len += len;
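Review bot: The `(int)len` cast in the bounds test turns any `len` above INT_MAX into a negative value (`len` is the `size_t` parameter shown in the sbuf.h prototype of sbuf_bcopyin), so the comparison is false, the extend-and-clamp branch is skipped, and `copyin()` runs with the unclamped length. Casting the other operand keeps the warning fix without that gap: `if (len > (size_t)SBUF_FREESPACE(s)) {`, provided SBUF_FREESPACE cannot go negative, which is not visible here. The same cast is added in the next hunk ahead of `copyinstr()`, where `len + 1` is then passed on. Both function bodies start and end outside their hunks.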
@@ -365,11 +367,11 @@
if (len == 0)
len = SBUF_FREESPACE(s); /* XXX return 0? */
- if (len > SBUF_FREESPACE(s)) {
+ if ((int)len > SBUF_FREESPACE(s)) {
sbuf_extend(s, len);
len = min(len, SBUF_FREESPACE(s));
}
- switch (copyinstr(uaddr, s->s_buf + s->s_len, len + 1, &done)) {
+ switch (copyinstr(CAST_USER_ADDR_T(uaddr), s->s_buf + s->s_len, len + 1, &done)) {
case ENAMETOOLONG:
SBUF_SETFLAG(s, SBUF_OVERFLOWED);
/* fall through */
@@ -480,11 +482,6 @@
return (0);
}
-static inline int isspace(ch)
-{
- return (ch == ' ' || ch == '\n' || ch == '\t');
-}
-
/*
* Trim whitespace characters from end of an sbuf.
*/
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/sbuf.h#2 (text+ko) ====
@@ -74,7 +74,7 @@
int sbuf_done(struct sbuf *);
void sbuf_delete(struct sbuf *);
-#ifdef _KERNEL
+#ifdef KERNEL
struct uio;
struct sbuf *sbuf_uionew(struct sbuf *, struct uio *, int *);
int sbuf_bcopyin(struct sbuf *, const void *, size_t);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/vnode.h#2 (text+ko) ====
@@ -131,6 +131,7 @@
#define IO_NOCACHE 0x0800 /* same effect as VNOCACHE_DATA, but only for this 1 I/O */
#define IO_RAOFF 0x1000 /* same effect as VRAOFF, but only for this 1 I/O */
#define IO_DEFWRITE 0x2000 /* defer write if vfs.defwrite is set */
+#define IO_NOAUTH 0x4000 /* No authorization checks. */
/*
* Component Name: this structure describes the pathname
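Review bot: The comment on `IO_NOAUTH` does not say which checks are skipped or who may set the flag, and in this change the flag gates only the MAC read/write check inside vn_rdwr(). A more precise comment would be `/* vn_rdwr(): skip MAC vnode read/write checks; for kernel-internal callers that have already mediated access */`. That makes the trust assumption visible at the definition, not only at the one call site that honours it.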
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#5 (text+ko) ====
@@ -510,11 +510,17 @@
uio_addiov(auio, base, len);
#ifdef MAC
+ /* XXXMAC
+ * IO_NOAUTH should be re-examined.
+ * Likely that mediation should be performed in caller.
+ */
+ if ((ioflg & IO_NOAUTH) == 0) {
/* passed cred is fp->f_cred */
- if (rw == UIO_READ)
- error = mac_vnode_check_read(kauth_cred_get(), cred, vp);
- else
- error = mac_vnode_check_write(kauth_cred_get(), cred, vp);
+ if (rw == UIO_READ)
+ error = mac_vnode_check_read(kauth_cred_get(), cred, vp);
+ else
+ error = mac_vnode_check_write(kauth_cred_get(), cred, vp);
+ }
#endif
if (error == 0) {
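Review bot: The bypass trusts `ioflg` exactly as passed, and nothing in this hunk strips `IO_NOAUTH` before the flags are used further down, so a bit meant to gate this one check may travel on to lower layers. The rest of the function is outside the hunk, so this may already be handled there. Consider latching it into a local and clearing it, e.g. `noauth = (ioflg & IO_NOAUTH) != 0; ioflg &= ~IO_NOAUTH;`, then testing `!noauth`. The retained comment `/* passed cred is fp->f_cred */` is also left at the old indentation although it now sits inside the new `if`; re-indent it with the calls it describes.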
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_xattr.c#4 (text+ko) ====
@@ -1932,14 +1932,14 @@
}
for(pos=start+len-chunk; pos >= start; pos-=chunk) {
- ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p);
+ ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p);
if (iolen != 0) {
printf("xattr:shift_data: error reading data @ %lld (read %d of %d) (%d)\n",
pos, ret, chunk, ret);
break;
}
- ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos + delta, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p);
+ ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos + delta, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p);
if (iolen != 0) {
printf("xattr:shift_data: error writing data @ %lld (wrote %d of %d) (%d)\n",
pos+delta, ret, chunk, ret);
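Review bot: These vn_rdwr() calls now skip MAC mediation with no comment saying where the access decision was made, so a reader of the loop cannot tell why the bypass is safe. Add a comment above the loop such as `/* IO_NOAUTH: internal data move within xvp; access must already have been mediated by the caller */`, after confirming that holds for every caller; the function starts outside the hunk, so it cannot be checked here. The same applies to the loop in the next hunk. Separately, only `iolen` is tested after each call; `ret` is printed but never checked, so an error return that leaves no residual would go unnoticed.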
@@ -1987,14 +1987,14 @@
}
for(pos = start; pos < end; pos += chunk) {
- ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p);
+ ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p);
if (iolen != 0) {
printf("xattr:shift_data: error reading data @ %lld (read %d of %d) (%d)\n",
pos, ret, chunk, ret);
break;
}
- ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos - delta, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p);
+ ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos - delta, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p);
if (iolen != 0) {
printf("xattr:shift_data: error writing data @ %lld (wrote %d of %d) (%d)\n",
pos+delta, ret, chunk, ret);
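Review bot: The write-failure message in this loop prints `pos+delta` while the write on the changed line targets `pos - delta`, so the logged offset is wrong; the argument should be `pos - delta`. Both loops also pass `ret` for the count in "read/wrote %d of %d", which is the return code, not a byte count; `chunk - iolen` would match the wording if `iolen` is the residual, as its `!= 0` test suggests. The enclosing function starts and ends outside the hunk.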
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#12 (text+ko) ====
@@ -295,6 +295,7 @@
case MLJ_TYPE_TASK:
if (mlj->ops & MLJ_TASK_OP_INIT)
MAC_PERFORM(task_init_label, mlj->l);
+ /* Not enough context to replay. */
if (mlj->ops & MLJ_TASK_OP_CREATE_K)
;
break;
==== //depot/projects/trustedbsd/sedarwin8/policies/color/Makefile#2 (text+ko) ====
@@ -2,7 +2,7 @@
POLICY_VER= 1.0
POLICY_COMPVER= 1.0
POLICY_DESC= "MAC Color Security"
-POLICY_SRCS= mac_color.c
+POLICY_SRCS= mac_color.c color_util.c
POLICY_NOMAN= yes
include ../../Makeconfig
==== //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#4 (text+ko) ====
@@ -32,7 +32,6 @@
#include <sys/proc_internal.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
-#include <sys/sysctl.h>
#include <sys/vnode.h>
#include <sys/mman.h>
#include <sys/fcntl.h>
@@ -42,232 +41,20 @@
#include <security/mac_policy.h>
#include <security/mac_alloc.h>
+#include "mac_color.h"
-#define MAC_COLOR_XATTR_NAME "security.color"
-#define MAC_COLOR_POLICY_NAME "mac_color"
-#define MAC_COLOR_LABEL_COUNT 1
static const char *labelnamespaces[MAC_COLOR_LABEL_COUNT] =
{ MAC_COLOR_POLICY_NAME };
-#define MAC_COLOR_NAMELEN 8
+static int color_slot; /* Per-policy label storage */
static mac_policy_handle_t mac_color_handle;
-static int color_slot;
-#define SLOT(l) ((struct color *)LABEL_TO_SLOT((l), color_slot).l_ptr)
-#define SLOTREF(l) ((struct mac_color *)LABEL_TO_SLOT((l), color_slot).l_ptr)
-
-struct color {
- char name[MAC_COLOR_NAMELEN];
- int level;
- int refs;
-};
-
-static struct color colors[8] = {
- {"red", 1, 0},
- {"orange", 2, 0},
- {"yellow", 3, 0},
- {"green", 4, 0},
- {"cyan", 5, 0},
- {"blue", 6, 0},
- {"indigo", 7, 0},
- {"violet", 8, 0}
-};
-
-struct mac_color {
- LIST_ENTRY(mac_color) list;
- int refs;
- struct color *color;
- int valid;
-};
-
-LIST_HEAD(mc_list, mac_color);
-static struct mc_list mc_list_free; /* Free list */
-static struct mc_list mc_list_used; /* Labels in use */
-static int used_count = 0;
-static int free_count = 0;
-static int free_max = 256;
-
-SYSCTL_DECL(_security_mac);
-SYSCTL_NODE(_security_mac, OID_AUTO, color, CTLFLAG_RW, 0,
- "MAC Color Policy controls");
-static int mac_color_enabled = 1;
-SYSCTL_INT(_security_mac_color, OID_AUTO, enabled, CTLFLAG_RW,
- &mac_color_enabled, 0, "Enforce Mac Color Policy");
-
-SYSCTL_NODE(_security_mac_color, OID_AUTO, used, CTLFLAG_RW, 0, NULL);
-SYSCTL_INT(_security_mac_color_used, OID_AUTO, count, CTLFLAG_RD,
- &used_count, 0, "Labels in use");
-
-SYSCTL_NODE(_security_mac_color, OID_AUTO, free, CTLFLAG_RW, 0, NULL);
-SYSCTL_INT(_security_mac_color_free, OID_AUTO, count, CTLFLAG_RD,
- &free_count, 0, "Size of free list.");
-SYSCTL_INT(_security_mac_color_free, OID_AUTO, max, CTLFLAG_RW,
- &free_max, 0, "Maximum size of free list.");
-
-
-#define MC_ALLOC(val, type, flag) \
- do { \
- val = (type *)mac_kalloc(sizeof(type), (flag)); \
- if (val != NULL && (((flag) & M_ZERO) == M_ZERO)) \
- bzero(val, sizeof(type)); \
- } while (0)
-#define MC_FREE(p, type) \
- do { \
- if (p != NULL) \
- mac_kfree((void *)p, sizeof(type));\
- } while (0)
-
-
-/* MAC Color label reference list */
-
-static struct mac_color *
-mc_alloc(int flag)
-{
- struct mac_color *mc;
-
- if (LIST_EMPTY(&mc_list_free)) {
- MC_ALLOC(mc, struct mac_color, flag|M_ZERO);
- } else {
- mc = LIST_FIRST(&mc_list_free);
- LIST_REMOVE(mc, list);
- free_count--;
- mc->refs = 0;
- mc->valid = 0;
- }
-
- mc->refs++;
- used_count++;
- mc->color = &colors[0];
- LIST_INSERT_HEAD(&mc_list_used, mc, list);
-// printf("mc_alloc, mc=%p, refs=%d\n", mc, mc->refs);
-
- return (mc);
-}
-
-static void
-mc_free(struct mac_color *mc)
-{
-
- if (mc == NULL)
- return;
-// printf("mc_free, mc=%p, refs=%d\n", mc, mc->refs);
- LIST_REMOVE(mc, list);
- used_count--;
-
- if (free_count >= free_max)
- MC_FREE(mc, struct mac_color);
- else {
- LIST_INSERT_HEAD(&mc_list_free, mc, list);
- free_count++;
- }
-
- return;
-}
-
-
-/* MAC Color label routines */
-
-static struct color *
-co_findlabel(char *name)
-{
- int i;
-
- for (i = 0; i < 8; i++)
- if (strncmp(colors[i].name, name, MAC_COLOR_NAMELEN) == 0)
- return (&colors[i]);
-
- return (NULL);
-}
-
-static inline void
-co_setlabel(struct label *label, struct color *color)
-{
-
- SLOT(label) = color;
-}
-
-static inline void
-co_setreflabel(struct label *label, struct mac_color *color)
-{
-
- SLOTREF(label) = color;
-}
-
-static inline struct color *
-co_getlabel(struct label *label)
-{
-
- return (SLOT(label));
-}
-
-static inline struct mac_color *
-co_getreflabel(struct label *label)
-{
-
- return (SLOTREF(label));
-}
-
static void
-color_destroy_reflabel(struct label *label)
-{
- struct mac_color *mc;
-
- mc = co_getreflabel(label);
- if (mc == NULL)
- return;
-
- if (--mc->refs <= 0)
- mc_free(mc);
-
- co_setreflabel(label, NULL);
-
- return;
-}
-
-
-static void
-co_reference_label(struct label *src, struct label *dst)
-{
- struct mac_color *mc;
-
- mc = co_getreflabel(src);
- if (SLOTREF(dst) != NULL) {
- /* Already has a reference. */
- if (SLOTREF(dst) == mc) {
-// printf("co_reference_label: already has matching reference\n");
- return;
- } else {
-// printf("co_reference_label: already has a reference\n");
- }
- color_destroy_reflabel(dst);
- }
- printf("co_reference_label: copying reference, mc=%p, refs=%d\n", mc, mc->refs);
- mc->refs++;
- co_setreflabel(dst, mc);
-
- return;
-}
-
-static inline void
-co_setlabelstring(struct label *label, char *color)
-{
-
- SLOT(label) = co_findlabel(color); /* Might set label to NULL */
-}
-
-static void
-co_copylabel(struct label *src, struct label *dst)
-{
-
- SLOT(dst) = SLOT(src); /* Just copy the pointer */
-}
-
-static void
color_init_reflabel(struct label *label)
{
- co_setreflabel(label, mc_alloc(M_WAITOK));
+ co_init_reflabel(label);
}
static void
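Review bot: `color_slot` stays `static` in this file while the `SLOT`/`SLOTREF` macros that index with it are removed, presumably into mac_color.h for use by color_util.c; neither new file is shown in this message. If color_util.c expands those macros it cannot see a file-static defined here, so the slot would need external linkage with `extern int color_slot;` in the header, or the helpers need to receive the slot some other way. The new `co_init_reflabel(label)` call also drops the `M_WAITOK` argument that was visible here, so the allocation behaviour should be documented where that helper is declared.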
@@ -278,27 +65,12 @@
}
static void
-color_policy_init(struct mac_policy_conf *conf)
+color_destroy_reflabel(struct label *label)
{
- LIST_INIT(&mc_list_used);
- LIST_INIT(&mc_list_free);
+ co_destroy_reflabel(label);
}
-static void
-color_policy_initbsd(struct mac_policy_conf *conf)
-{
-
- sysctl_register_oid(&sysctl__security_mac_color);
- sysctl_register_oid(&sysctl__security_mac_color_enabled);
- sysctl_register_oid(&sysctl__security_mac_color_used);
- sysctl_register_oid(&sysctl__security_mac_color_used_count);
- sysctl_register_oid(&sysctl__security_mac_color_free);
- sysctl_register_oid(&sysctl__security_mac_color_free_count);
- sysctl_register_oid(&sysctl__security_mac_color_free_max);
-}
-
-
static int
color_internalize_label(struct label *label, char *element_name,
char *string)