PERFORCE change 108416 for review
Todd Miller
millert at FreeBSD.org
Wed Oct 25 12:33:12 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=108416
Change 108416 by millert at millert_macbook on 2006/10/25 19:24:34
Change ikm_sender from struct ipc_labelh * to task_t. This
allows us to report the correct sender in the avc audit
logs for MiG-based permissions. To do this, we now pass a
struct proc * to mpo_port_check_method.
This change may be reverted in the future but is very useful
for debugging.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_mqueue.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/mach_msg.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_mach_internal.h#8 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#16 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_port.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#25 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.h#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/ss/mach_av.c#6 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.c#3 (text+ko) ====
@@ -294,9 +294,10 @@
ipc_port_t port;
#ifdef MAC
- if (kmsg->ikm_sender != NULL){
- labelh_release (kmsg->ikm_sender);
- kmsg->ikm_sender = NULL;
+ if (kmsg->ikm_sender != NULL) {
+ labelh_release(kmsg->ikm_sender->label);
+ task_deallocate(kmsg->ikm_sender);
+ kmsg->ikm_sender = NULL;
}
#endif
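Review bot: The release here is done through `kmsg->ikm_sender->label` as it reads at free time, while the matching reference was taken on `cur->label` at send time (@@ -769 hunk), and the @@ -663 hunk pairs them the same way. If a task's label handle can be replaced while a message is in flight (the context line in mac_mach_internal.h shows a `mac_task_label_update_internal`), the release would hit a different handle than the one referenced, leaking the old one and over-releasing the new one. Keeping the referenced handle in the kmsg next to the task, or releasing under the sender's task label lock, would keep the counts balanced. The enclosing function starts before this hunk.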
@@ -663,8 +664,9 @@
#ifdef MAC
if (kmsg->ikm_sender != NULL) {
- labelh_release (kmsg->ikm_sender);
- kmsg->ikm_sender = NULL;
+ labelh_release(kmsg->ikm_sender->label);
+ task_deallocate(kmsg->ikm_sender);
+ kmsg->ikm_sender = NULL;
}
#endif
}
@@ -769,13 +771,13 @@
#endif
#ifdef MAC
- task_t cur = current_thread()->task;
- if (cur)
- {
- labelh_reference (cur->label);
- kmsg->ikm_sender = cur->label;
- }
- else
+ /* XXX - why do we zero sender labels here instead of in mach_msg()? */
+ task_t cur = current_task();
+ if (cur) {
+ task_reference(cur);
+ labelh_reference(cur->label);
+ kmsg->ikm_sender = cur;
+ } else
trailer->msgh_labels.sender = 0;
#else
trailer->msgh_labels.sender = 0;
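Review bot: The rewritten branch braces the if body but leaves the else body bare (`} else` followed by a lone assignment), which is the shape that invites a misplaced-statement bug on the next edit; brace both sides, `} else {` / `trailer->msgh_labels.sender = 0;` / `}`. The XXX comment records an open design question rather than an action; phrasing it as a TODO that names where the answer belongs, or dropping it, would read more clearly. The enclosing function starts before and continues after this hunk.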
@@ -869,7 +871,7 @@
trailer->msgh_labels.sender = 0;
#ifdef MAC
- kmsg->ikm_sender = (ipc_labelh_t)NULL;
+ kmsg->ikm_sender = NULL;
#endif
*kmsgp = kmsg;
return MACH_MSG_SUCCESS;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.h#2 (text+ko) ====
@@ -94,7 +94,7 @@
struct ipc_kmsg *ikm_prev;
ipc_port_t ikm_prealloc; /* port we were preallocated from */
mach_msg_size_t ikm_size;
- struct ipc_labelh *ikm_sender;
+ task_t ikm_sender;
mach_msg_header_t *ikm_header;
};
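Review bot: `ikm_sender` is the one field whose ownership changed in this struct and it carries no comment, while the neighbouring `ikm_prealloc` does. The ipc_kmsg.c hunks show the field holding both a task reference and a reference on that task's label, so a one-line comment such as `task_t ikm_sender; /* sending task; holds a task ref and a ref on its label (MAC) */` would tell the next reader exactly what has to be released.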
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_mqueue.c#3 (text+ko) ====
@@ -716,7 +716,7 @@
#ifdef MAC
if (self->ith_kmsg != NULL &&
self->ith_kmsg->ikm_sender != NULL) {
- lh = self->ith_kmsg->ikm_sender;
+ lh = self->ith_kmsg->ikm_sender->label;
task = current_task();
tasklabel_lock(task);
ip_lock(lh->lh_port);
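Review bot: `lh = self->ith_kmsg->ikm_sender->label` reads the sender task's label pointer, but the `tasklabel_lock(task)` taken two lines later covers `current_task()`, the receiver, not the sender, so the read appears unlocked if the sender's label handle can change concurrently; the same pattern is in the @@ -745 hunk here and in the @@ -331 hunk of mach_msg.c. Before this change the field held a handle referenced at send time, which could be read without a lock. If a send-time snapshot is what is wanted, keeping that handle in the kmsg is simpler than re-reading it through the task; otherwise the read should be done under the sender task's label lock. The enclosing function starts before this hunk.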
@@ -745,7 +745,7 @@
#ifdef MAC
if (self->ith_kmsg != NULL &&
self->ith_kmsg->ikm_sender != NULL) {
- lh = self->ith_kmsg->ikm_sender;
+ lh = self->ith_kmsg->ikm_sender->label;
task = current_task();
tasklabel_lock(task);
ip_lock(lh->lh_port);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/mach_msg.c#5 (text+ko) ====
@@ -314,7 +314,8 @@
#ifdef MAC
if (kmsg->ikm_sender != NULL &&
IP_VALID(kmsg->ikm_header->msgh_remote_port) &&
- mac_port_check_method(&kmsg->ikm_sender->lh_label,
+ mac_port_check_method(kmsg->ikm_sender,
+ &kmsg->ikm_sender->maclabel,
&((ipc_port_t)kmsg->ikm_header->msgh_remote_port)->ip_label,
kmsg->ikm_header->msgh_id) == 0)
trailer->msgh_ad = 1;
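Review bot: The subject label handed to `mac_port_check_method` changes from the per-message handle's `lh_label` to the sender task's live `maclabel`, so the decision now reflects the sender's label at receive time rather than at send time; the description does not say whether that is intended, and a comment on the call would settle it, e.g. `/* subject is the sender's current task label, not a send-time snapshot */`. The read is also not under any task label lock in this hunk, as noted on ipc_mqueue.c. The enclosing function starts before and continues after this hunk.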
@@ -331,7 +332,7 @@
if (option & MACH_RCV_TRAILER_ELEMENTS (MACH_RCV_TRAILER_LABELS)) {
#ifdef MAC
if (kmsg->ikm_sender != NULL) {
- ipc_labelh_t lh = kmsg->ikm_sender;
+ ipc_labelh_t lh = kmsg->ikm_sender->label;
kern_return_t kr;
ip_lock(lh->lh_port);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_mach_internal.h#8 (text+ko) ====
@@ -31,7 +31,7 @@
void mac_task_label_update_internal(struct label *pl, struct task *t);
int mac_port_label_compute(struct label *subj, struct label *obj,
const char *serv, struct label *out);
-int mac_port_check_method(struct label *task, struct label *port, int msgid);
+int mac_port_check_method(task_t task, struct label *sub, struct label *obj, int msgid);
#ifdef MAC
void mac_policy_init(void);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#16 (text+ko) ====
@@ -2867,6 +2867,7 @@
/**
@brief Compute access control check for a Mach message-based service
+ @param proc Sender's process structure (may be NULL)
@param task Sender's task label
@param port Destination port label
@param msgid Message id
@@ -2884,6 +2885,7 @@
*/
typedef int mpo_port_check_method_t(
+ struct proc *proc,
struct label *task,
struct label *port,
int msgid
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_port.c#7 (text+ko) ====
@@ -244,11 +244,11 @@
}
int
-mac_port_check_method(struct label *task, struct label *port, int msgid)
+mac_port_check_method(task_t task, struct label *sub, struct label *obj, int msgid)
{
int error;
- MAC_CHECK(port_check_method, task, port, msgid);
+ MAC_CHECK(port_check_method, get_bsdtask_info(task), sub, obj, msgid);
return (error);
}
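Review bot: `get_bsdtask_info(task)` is called with no NULL check on `task`; the callers visible in mach_msg.c guard `ikm_sender != NULL`, but nothing at the prototype says so, and the mpo_port_check_method doc in mac_policy.h already allows the proc to be NULL, presumably for tasks without a BSD proc. A short contract comment on the function, `/* task must be non-NULL; the proc passed to policies may be NULL */`, would make the precondition explicit for future callers.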
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#3 (text+ko) ====
@@ -653,7 +653,7 @@
u16 tclass, u32 requested,
struct av_decision *avd, int result, struct avc_audit_data *a)
{
- struct proc *tsk = current_proc();
+ struct proc *tsk;
u32 denied, audited;
struct audit_buffer *ab;
@@ -679,10 +679,10 @@
audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
avc_dump_av(ab, tclass,audited);
audit_log_format(ab, " for ");
-#ifdef __linux__
if (a && a->tsk)
tsk = a->tsk;
-#endif
+ else
+ tsk = current_proc(); /* XXX, should be set by caller */
if (tsk && tsk->p_pid) {
audit_log_format(ab, " pid=%d comm=", tsk->p_pid);
audit_log_untrustedstring(ab, tsk->p_comm);
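Review bot: When audit data is supplied but `a->tsk` is NULL (the MIG path passes whatever get_bsdtask_info returned), the new else branch falls back to `current_proc()`, which on a receive-side check would be the receiving process, so the record would carry the wrong pid, the very thing this change sets out to correct. Falling back only when no audit data is present, `tsk = a ? a->tsk : current_proc();`, omits the pid instead of misattributing it, since the following `if (tsk && tsk->p_pid)` already tolerates NULL. That the MIG check runs in the receiver's context is inferred from the mach_msg.c hunks and should be confirmed. The enclosing function starts before this hunk.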
@@ -799,6 +799,9 @@
a->u.net.netif);
#endif /* __linux__ */
break;
+ case AVC_AUDIT_DATA_MIG:
+ audit_log_format(ab, " msgid=%d", a->u.ipc_id);
+ break;
}
}
audit_log_format(ab, " ");
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#2 (text+ko) ====
@@ -34,7 +34,7 @@
*/
struct avc_entry;
-struct task_struct;
+struct proc;
struct xsocket;
/* Auxiliary data to use in generating the audit record. */
@@ -44,9 +44,8 @@
#define AVC_AUDIT_DATA_NET 2
#define AVC_AUDIT_DATA_CAP 3
#define AVC_AUDIT_DATA_IPC 4
-#ifdef __linux__
- struct task_struct *tsk;
-#endif
+#define AVC_AUDIT_DATA_MIG 5
+ struct proc *tsk;
union {
struct {
struct vnode *vp;
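Review bot: `tsk` is now an unconditional member but has no comment, and the avc.c hunk shows it may legitimately be NULL; a comment such as `struct proc *tsk; /* subject process, or NULL when unknown */` beside it would document that. The struct body continues past this hunk.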
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#25 (text+ko) ====
@@ -1481,14 +1481,15 @@
}
static int
-sebsd_port_check_method(struct label *subj, struct label *obj, int msgid)
+sebsd_port_check_method(struct proc *p, struct label *subj, struct label *obj,
+ int msgid)
{
struct task_security_struct *tsec, *psec;
psec = SLOT(obj);
tsec = SLOT(subj);
- return (sebsd_ipc_check_method1(tsec->sid,psec->sid, msgid));
+ return (sebsd_ipc_check_method1(p, tsec->sid, psec->sid, msgid));
}
static int
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.h#5 (text+ko) ====
@@ -57,6 +57,6 @@
extern int sebsd_syscall(struct proc *p, int call, user_addr_t args);
extern int cred_has_system(struct ucred *cred, u_int32_t perm);
extern int cred_has_security(struct ucred *cred, u_int32_t perm);
-extern int sebsd_ipc_check_method1(int subj, int obj, int msgid);
+extern int sebsd_ipc_check_method1(struct proc *p, int subj, int obj, int msgid);
#endif /* _SYS_SECURITY_SEBSD_H */
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/ss/mach_av.c#6 (text+ko) ====
@@ -154,13 +154,18 @@
int
-sebsd_ipc_check_method1(int subj, int obj, int msgid)
+sebsd_ipc_check_method1(struct proc *p, int subj, int obj, int msgid)
{
struct msgid_classinfo *mcl;
u16 tclass;
u32 perms, cl;
int msgid_norm;
+ struct avc_audit_data ad;
+ AVC_AUDIT_DATA_INIT(&ad, MIG);
+ ad.u.ipc_id = msgid;
+ ad.tsk = p;
+
/*
* Return allowed for messages in an unknown subsystem.
* Instead, we probably should make a check against a
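Review bot: `ad` is filled in before the early-return path that the following comment describes (messages in an unknown subsystem are allowed without consulting avc), so on that path the setup is wasted; moving the `AVC_AUDIT_DATA_INIT`, `ad.u.ipc_id` and `ad.tsk` lines down to just above the `avc_has_perm` call in the @@ -190 hunk keeps setup next to use and leaves the declarations at the top of the function contiguous. Independently, that early-allow path still produces no avc record, so unknown-subsystem messages remain invisible in the audit log even with the new data; a comment saying that is deliberate would help. The enclosing function continues past this hunk.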
@@ -190,5 +195,5 @@
lck_rw_unlock_shared(migscs_rwlock);
perms = (u32)1 << (msgid_norm - (cl * 8 * sizeof(u32)));
- return avc_has_perm(subj, obj, tclass, perms, NULL);
+ return avc_has_perm(subj, obj, tclass, perms, &ad);
}