PERFORCE change 108507 for review

Todd Miller millert at FreeBSD.org
Thu Oct 26 19:22:53 UTC 2006


http://perforce.freebsd.org/chv.cgi?CH=108507

Change 108507 by millert at millert_macbook on 2006/10/26 19:21:31

	Add missing documentation to mac_policy.h.  Rename
	mac_lctx_label_associate() to mac_lctx_notify_create().

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_proc.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#10 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#18 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/console/mac_console.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#14 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_proc.c#5 (text+ko) ====

@@ -920,7 +920,7 @@
 
 #ifdef MAC
 	if (create)
-		mac_lctx_label_associate(p, l);
+		mac_lctx_notify_create(p, l);
 	else
 		mac_lctx_notify_join(p, l);
 #endif

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#10 (text+ko) ====

@@ -466,7 +466,7 @@
 int	mac_audit_check_postselect(struct ucred *cred, unsigned short syscode,
 	    void *args, int error, int retval, int mac_forced);
 
-void	mac_lctx_label_associate(struct proc *, struct lctx *);
+void	mac_lctx_notify_create(struct proc *, struct lctx *);
 void	mac_lctx_notify_join(struct proc *, struct lctx *);
 void	mac_lctx_notify_leave(struct proc *, struct lctx *);
 

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#18 (text+ko) ====

@@ -98,6 +98,7 @@
 /**
   @name Entry Points for the Base Policy Module Only
 */
+
 /*@{*/
 
 /**
@@ -144,12 +145,15 @@
 
 */
 typedef void mpo_base_notify_finalize_t(void);
+
 /*@}*/
 
 /**
   @name Entry Points for Module Operations
 */
+
 /*@{*/
+
 /**
   @brief Policy unload event
   @param mpc MAC policy configuration
@@ -250,6 +254,7 @@
 	int call,
 	user_addr_t arg
 );
+
 /*@}*/
 
 /**
@@ -277,7 +282,9 @@
   allocation calls: one to handle sleepable requests, and one to handle
   potentially non-sleepable requests.
 */
+
 /*@{*/
+
 /**
   @brief Initialize user credential label
   @param label New label to initialize
@@ -1331,7 +1338,9 @@
 
   The following group of entry points are used to manage labels.
 */
+
 /*@{*/
+
 /**
   @brief Associate a vnode with a devfs entry
   @param mp Devfs mount point
@@ -1467,6 +1476,13 @@
   extended attribute, sometimes it is acceptible to fallback to using
   the mntlabel.
 
+  If the policy requires vnodes to have a valid label elsewhere it
+  MUST NOT return other than temporary errors, and must always provide
+  a valid label of some sort.  Returning an error will cause vnode
+  labeling to be retried at a later access.  Failure to handle policy
+  centric errors internally (corrupt labels etc.) will result in
+  inaccessible files.
+
   @return In the event of an error, an appropriate value for errno
   should be returned, otherwise return 0 upon success.
 */
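Review bot: The added sentence `If the policy requires vnodes to have a valid label elsewhere it MUST NOT return other than temporary errors` is hard to parse: "elsewhere" has no clear referent and "other than" lacks an object. Suggest `If the policy requires every vnode to carry a valid label, it MUST NOT return anything other than transient errors, and must always provide a valid label of some sort.` Because the text also states that an error defers labeling to a later access and that unhandled policy-internal errors make files inaccessible, it would help implementors to say which errno values are treated as transient (the hunk does not name them), so a policy does not fail closed by accident on a corrupt label. The enclosing Doxygen comment and the typedef it documents start and end outside the hunk.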
@@ -2259,8 +2275,12 @@
   @brief A process has created a login context
   @param p Subject
   @param l Login Context
+
+  When a process creates a login context (via setlcid()) this entrypoint
+  is called to notify the policy that the process 'p' has created login
+  context 'l'.
 */
-typedef void mpo_lctx_label_associate_t(
+typedef void mpo_lctx_notify_create_t(
 	struct proc *p,
 	struct lctx *l
 );
@@ -2269,6 +2289,10 @@
   @brief A process has joined a login context
   @param p Subject
   @param l Login Context
+
+  When a process joins a login context, either via setlcid() or via
+  fork() this entrypoint is called to notify the policy that process
+  'p' is now a member of login context 'l'.
 */
 typedef void mpo_lctx_notify_join_t(
 	struct proc *p,
@@ -2279,6 +2303,10 @@
   @brief A process has left a login context
   @param p Subject
   @param l Login Context
+
+  When a process leaves a login context either via setlcid() or as a
+  result of the process exiting this entrypoint is called to notify
+  the policy that the process 'p' is no longer a member of login context 'l'.
 */
 typedef void mpo_lctx_notify_leave_t(
 	struct proc *p,
@@ -2292,6 +2320,10 @@
   @see mpo_lctx_check_label_update_t
   @see mac_set_lcid
   @see mac_set_lctx
+
+  Update the label on a login context, using the supplied new label.
+  This is called as a result of a login context relabel operation.  Access
+  control was already confirmed by mpo_lctx_check_label_update.
 */
 typedef void mpo_lctx_label_update_t(
 	struct lctx *l,
@@ -2326,6 +2358,7 @@
 /**
   @name Entry Points for Access Control
 */
+
 /*@{*/
 
 /**
@@ -4233,6 +4266,10 @@
   Determine whether the subject identified by the credential should be
   allowed to make the specified sysctl(3) transaction.
 
+  The sysctl(3) call specifies that if the old value is not desired,
+  oldp and oldlenp should be set to NULL.  Likewise, if a new value is
+  not to be set, newp should be set to NULL and newlen set to 0.
+
   @return Return 0 if access is granted, otherwise an appropriate value for
   errno should be returned.
 */
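Review bot: The added paragraph refers to `oldp` and `newp`, but the prototype in the next hunk names those parameters `old` and `new` (alongside `oldlenp` and `newlen`), so the text should use the header's own names to line up with the NULLOK annotations, e.g. `if the old value is not desired, old and oldlenp will be NULL; if no new value is to be set, new will be NULL and newlen 0.` Since the following hunk marks `oldlenp` as NULLOK, a policy that reads through `oldlenp` to size the old value must check it first; spelling that consequence out here would be worthwhile. The enclosing comment starts outside the hunk.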
@@ -4241,7 +4278,7 @@
 	int *name,
 	u_int namelen,
 	void *old,		/* NULLOK */
-	size_t *oldlenp,
+	size_t *oldlenp,	/* NULLOK */
 	int inkernel,
 	void *new,		/* NULLOK */
 	size_t newlen
@@ -4413,12 +4450,18 @@
   @brief Access control check for executing the vnode
   @param cred Subject credential
   @param vp Object vnode to execute
-  @param execlabel Policy label for vp
+  @param label Policy label for vp
+  @param execlabel Userspace provided execution label
 
   Determine whether the subject identified by the credential can execute
   the passed vnode. Determination of execute privilege is made separately
   from decisions about any process label transitioning event.
 
+  The final label, execlabel, corresponds to a label supplied by a
+  user space application through the use of the mac_execve system call.
+  This label will be NULL if the user application uses the the vendor
+  execve(2) call instead of the MAC Framework mac_execve() call.
+
   @return Return 0 if access is granted, otherwise an appropriate value for
   errno should be returned. Suggested failure: EACCES for label mismatch or
   EPERM for lack of privilege.
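Review bot: The added line `This label will be NULL if the user application uses the the vendor` doubles "the"; change it to `... uses the vendor execve(2) call instead of ...`. The parameter is documented as user-space supplied and the next hunk marks it NULLOK, so a sentence for implementors such as `Policies must check execlabel for NULL and must not assume its contents are well-formed, since it originates from the caller.` would round out the description. The enclosing comment and the typedef it documents start and end outside the hunk.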
@@ -4427,7 +4470,7 @@
 	struct ucred *cred,
 	struct vnode *vp,
 	struct label *label,
-	struct label *execlabel
+	struct label *execlabel		/* NULLOK */
 );
 
 /**
@@ -4464,7 +4507,9 @@
   @param uio I/O structure pointer
 
   Determine whether the subject identified by the credential can retrieve
-  the extended attribute from the passed vnode.
+  the extended attribute from the passed vnode.  The uio parameter
+  will be NULL when the getxattr(2) call has been made with a NULL data
+  value; this is done to request the size of the data only.
 
   @return Return 0 if access is granted, otherwise an appropriate value for
   errno should be returned. Suggested failure: EACCES for label mismatch or
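Review bot: The doc now explains when `uio` is NULL, but the next hunk also marks `label` as `/* NULLOK */` without any sentence saying when the vnode label can be NULL, so a policy that dereferences `label` has only the annotation to go on. Add a sentence after the uio one, e.g. `The label parameter may also be NULL; policies must check it before use.`, stating the actual condition if it is known (presumably an unlabeled vnode, but that is not visible here). The enclosing comment starts outside the hunk.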
@@ -4473,9 +4518,9 @@
 typedef int mpo_vnode_check_getextattr_t(
 	struct ucred *cred,
 	struct vnode *vp,
-	struct label *label,
+	struct label *label,		/* NULLOK */
 	const char *name,
-	struct uio *uio
+	struct uio *uio			/* NULLOK */
 );
 
 /**
@@ -4743,7 +4788,7 @@
   @param dvp Directory vnode
   @param dlabel Policy label associated with dvp
   @param vp vnode to be renamed
-  @param dlabel Policy label associated with vp
+  @param label Policy label associated with vp
   @param cnp Component name for vp
   @see mpo_vnode_check_rename_to_t
 
@@ -4793,8 +4838,8 @@
 	struct ucred *cred,
 	struct vnode *dvp,
 	struct label *dlabel,
-	struct vnode *vp,
-	struct label *label,
+	struct vnode *vp,			/* NULLOK */
+	struct label *label,			/* NULLOK */
 	int samedir,
 	struct componentname *cnp
 );
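Review bot: Both `vp` and `label` gain `/* NULLOK */` here, but nothing is added to the entry point's Doxygen comment saying under which condition they are NULL, so implementors must guess from the annotation alone. The `@param` lines for `vp` and `label` sit above the hunk and should state that condition, e.g. `@param vp Object vnode, or NULL` and `@param label Policy label associated with vp, or NULL when vp is NULL` (if that pairing is the intended one), naming the case that produces it. The enclosing typedef starts outside the hunk.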
@@ -5027,12 +5072,15 @@
 	struct vnode *vp,
 	struct label *label
 );
+
 /*@}*/
 
 /**
   @name Entry Points for Audit
 */
+
 /*@{*/
+
 /**
   @brief Access control check for audit
   @param cred Subject credential
@@ -5238,7 +5286,9 @@
 	int devtype,
 	struct mac_module_data *mdata
 );
+
 /*@}*/
+
 /*!
   \struct mac_policy_ops
 */
@@ -5421,7 +5471,7 @@
 	/*
 	 * Labeling event operations: login context
 	 */
-	mpo_lctx_label_associate_t		*mpo_lctx_label_associate;
+	mpo_lctx_notify_create_t		*mpo_lctx_notify_create;
 	mpo_lctx_notify_join_t			*mpo_lctx_notify_join;
 	mpo_lctx_notify_leave_t			*mpo_lctx_notify_leave;
 	mpo_lctx_label_update_t			*mpo_lctx_label_update;
@@ -5671,6 +5721,7 @@
   flags specify the load time behavior of MAC Framework policy
   modules.
 */
+
 /*@{*/
 
 /**
@@ -5779,6 +5830,7 @@
   Caution should be taken; some operations are not permitted to sleep,
   and some types of locks cannot be held when sleeping.
  */
+
 /*@{*/
 
 /**
@@ -5799,6 +5851,7 @@
     sleep, preserving locking semantics.
  */
 #define MAC_NOWAIT  1
+
 /*@}*/
 
 #endif /* !_SECURITY_MAC_POLICY_H_ */

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#9 (text+ko) ====

@@ -348,9 +348,9 @@
 }
 
 void
-mac_lctx_label_associate (struct proc *p, struct lctx *l)
+mac_lctx_notify_create (struct proc *p, struct lctx *l)
 {
-	MAC_PERFORM(lctx_label_associate, p, l);
+	MAC_PERFORM(lctx_notify_create, p, l);
 }
 
 void

==== //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#8 (text+ko) ====

@@ -195,7 +195,7 @@
  * ================================================================= */
 
 static void
-color_lctx_label_associate(struct proc *p, struct lctx *l)
+color_lctx_notify_create(struct proc *p, struct lctx *l)
 {
 
 	printf("%s: process(%s) color %s(%d) create lctx (was color %s(%d))\n",
@@ -692,7 +692,7 @@
 
 	.mpo_cred_check_label_update	= color_cred_check_label_update,
 
-	.mpo_lctx_label_associate	= color_lctx_label_associate,
+	.mpo_lctx_notify_create		= color_lctx_notify_create,
 	.mpo_lctx_notify_join		= color_lctx_notify_join,
 	.mpo_lctx_notify_leave		= color_lctx_notify_leave,
 	.mpo_lctx_label_update		= color_lctx_label_update,

==== //depot/projects/trustedbsd/sedarwin8/policies/console/mac_console.c#7 (text+ko) ====

@@ -489,7 +489,7 @@
 }
 
 static void
-mac_console_lctx_label_associate (struct proc *p, struct lctx *l)
+mac_console_lctx_notify_create (struct proc *p, struct lctx *l)
 {
 	struct ucred *newcred, *oldcred;
 
@@ -763,7 +763,7 @@
 	.mpo_lctx_check_label_update	= mac_console_lctx_check_label_update,
 	.mpo_lctx_label_update		= mac_console_lctx_label_update,
 
-	.mpo_lctx_label_associate	= mac_console_lctx_label_associate,
+	.mpo_lctx_notify_create		= mac_console_lctx_notify_create,
 	.mpo_lctx_notify_join		= mac_console_lctx_notify_join,
 
 	.mpo_vnode_label_init		= mac_console_label_init,

==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#14 (text+ko) ====

@@ -1029,7 +1029,7 @@
 }
 
 static void
-mac_test_lctx_label_associate(struct proc *p, struct lctx *l)
+mac_test_lctx_notify_create(struct proc *p, struct lctx *l)
 {
 	CHECKNULL(p);
 	CHECKNULL(l);
@@ -1986,7 +1986,7 @@
 	/*
 	 * Labeling event operations: login context
 	 */
-	.mpo_lctx_label_associate	= mac_test_lctx_label_associate,
+	.mpo_lctx_notify_create		= mac_test_lctx_notify_create,
 	.mpo_lctx_notify_join		= mac_test_lctx_notify_join,
 	.mpo_lctx_notify_leave		= mac_test_lctx_notify_leave,
 	.mpo_lctx_label_update		= mac_test_lctx_label_update,

