PERFORCE change 113318 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 15:11:36 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113318
Change 113318 by millert at millert_macbook on 2007/01/22 15:10:21
Set sclass for all label types. For socket labels this
means we no longer need to re-compute the sclass post-associate.
Also add some XXX for potential issues.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#57 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#6 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#57 (text+ko) ====
@@ -185,6 +185,7 @@
if (!kau_will_audit())
return;
+ /* XXX - malloc could sleep */
if (sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND) == NULL) {
printf("%s: failed to allocate an sbuf for auditing\n",
__func__);
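Review bot: The added `/* XXX - malloc could sleep */` does not say why blocking is a problem at this point, so a later reader cannot tell whether it marks a real hazard; the same comment is added in the hunks at -1039 and -1071. If the concern is that these paths can run with a lock held or in a context that must not block (not visible in the hunks), the comment should say so, e.g. `/* XXX - sbuf_new() may sleep in malloc; confirm no caller holds a lock here */`. At the two `sebsd_malloc(..., M_ZERO | M_WAITOK)` sites it is also worth recording that moving to a non-blocking allocation would require a NULL check before `path[0] = '/'`, which the current code does not have. The enclosing function starts and ends outside this hunk.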
@@ -612,8 +613,7 @@
vsec->sid = nsec->sid;
vsec->task_sid = tsec->sid;
- vsec->sclass = socket_type_to_security_class(xso->xso_family,
- xso->so_type, xso->xso_protocol);
+ vsec->sclass = nsec->sclass;
}
static void
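Review bot: `vsec->sclass = nsec->sclass` is only correct if every socket label has had its class stored before this runs, and the only store visible in this change is the hunk at -1173 (`nsec->sclass = socket_type_to_security_class(...)`). If a socket label can be populated through another entry point that does not set sclass (none are visible here, so this needs checking against the rest of sebsd.c), the bind hunks at -2502 and -2533 would pass a stale class to `avc_has_perm`. The connect hunk at -2555 would fail open, because `nsec->sclass == SECCLASS_TCP_SOCKET` would be false and the `TCP_SOCKET__NAME_CONNECT` check would be skipped, whereas the removed code always derived the class from `xso`. Consider computing the class from `xso` whenever the stored value is 0 (assuming 0 is never a valid class), or documenting next to the field that every socket label initializer must set it. The enclosing function starts outside this hunk.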
@@ -862,6 +862,7 @@
/* Default to using the attributes from the parent process */
task->osid = parent->osid;
task->sid = parent->sid;
+ task->sclass = parent->sclass;
}
static void
@@ -875,6 +876,7 @@
fsec = SLOT(label);
fsec->sid = tsec->sid;
+ fsec->sclass = SECCLASS_FD;
}
static void
@@ -905,6 +907,7 @@
psec = SLOT(port);
psec->sid = SECINITSID_KERNEL;
+ psec->sclass = SECCLASS_MACH_PORT;
}
/* XXX - the Darwin framework lacks ifnet and bpf labels */
@@ -1039,6 +1042,7 @@
dirent->sclass = devfs_type_to_security_class(devfs_dirent->dn_type);
/* Obtain a SID based on the fstype, path, and class. */
+ /* XXX - malloc could sleep */
path = sebsd_malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
path[0] = '/';
strcpy(&path[1], fullpath);
@@ -1071,6 +1075,7 @@
dirent->sclass = devfs_type_to_security_class(de->dn_type);
/* Obtain a SID based on the fstype, path, and class. */
+ /* XXX - malloc could sleep */
path = sebsd_malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
path[0] = '/';
strcpy(&path[1], fullpath);
@@ -1112,6 +1117,7 @@
task = SLOT(cred->cr_label);
task->osid = task->sid = SECINITSID_KERNEL;
+ task->sclass = SECCLASS_PROCESS;
}
static void
@@ -1161,6 +1167,7 @@
break;
}
sbsec->behavior = behavior; /* note: behavior 16 bits in sbsec */
+ sbsec->sclass = SECCLASS_FILESYSTEM;
}
static void
@@ -1173,6 +1180,8 @@
tsec = SLOT(cred->cr_label);
nsec = SLOT(solabel);
nsec->sid = nsec->task_sid = tsec->sid;
+ nsec->sclass = socket_type_to_security_class(xso->xso_family,
+ xso->so_type, xso->xso_protocol);
}
static void
@@ -2463,7 +2472,6 @@
struct sockaddr_in *sin;
struct sockaddr_in6 *sin6;
in_port_t port;
- u_int16_t sclass;
u_int32_t sid, node_perm;
int error;
@@ -2490,9 +2498,6 @@
port = ntohs(sin6->sin6_port);
}
- sclass = socket_type_to_security_class(xso->xso_family, xso->so_type,
- xso->xso_protocol);
-
if (port) {
/* XXX - check against net.inet.ip.portrange.last? */
error = security_port_sid(xso->xso_family, xso->so_type,
@@ -2502,13 +2507,13 @@
AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sport = htons(port);
ad.u.net.family = xso->xso_family;
- error = avc_has_perm(nsec->sid, sid, sclass,
+ error = avc_has_perm(nsec->sid, sid, nsec->sclass,
SOCKET__NAME_BIND, &ad);
if (error)
return (error);
}
- switch (sclass) {
+ switch (nsec->sclass) {
case SECCLASS_TCP_SOCKET:
node_perm = TCP_SOCKET__NODE_BIND;
break;
@@ -2533,7 +2538,7 @@
bcopy(&ad.u.net.v6info.saddr, &sin6->sin6_addr,
sizeof(ad.u.net.v6info.saddr));
- error = avc_has_perm(nsec->sid, sid, sclass, node_perm, &ad);
+ error = avc_has_perm(nsec->sid, sid, nsec->sclass, node_perm, &ad);
return (error);
}
@@ -2547,7 +2552,6 @@
struct sockaddr_in *sin;
struct sockaddr_in6 *sin6;
in_port_t port;
- u_int16_t sclass;
u_int32_t sid;
int error;
@@ -2555,12 +2559,8 @@
if (error)
return (error);
- sclass = socket_type_to_security_class(xso->xso_family, xso->so_type,
- xso->xso_protocol);
-
- if (sclass == SECCLASS_TCP_SOCKET) {
- nsec = SLOT(socklabel);
-
+ nsec = SLOT(socklabel);
+ if (nsec->sclass == SECCLASS_TCP_SOCKET) {
if (xso->xso_family == AF_INET) {
sin = (struct sockaddr_in *)addr;
port = ntohs(sin->sin_port);
@@ -2577,7 +2577,7 @@
AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.dport = htons(port);
ad.u.net.family = xso->xso_family;
- error = avc_has_perm(nsec->sid, sid, sclass,
+ error = avc_has_perm(nsec->sid, sid, nsec->sclass,
TCP_SOCKET__NAME_CONNECT, &ad);
}
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#6 (text+ko) ====
@@ -44,10 +44,10 @@
struct sebsd_label {
u_int32_t osid; /* task_sid for all but task_security_struct */
u_int32_t sid;
- u_int16_t sclass; /* only used for vnode and ipc */
+ u_int16_t sclass;
u_int16_t behavior; /* only used for mount */
};
-#define task_sid osid
+#define task_sid osid /* XXX - need to be separate if polymorphic */
#define task_security_struct sebsd_label
#define file_security_struct sebsd_label
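Review bot: Dropping `/* only used for vnode and ipc */` leaves `sclass` with no comment at the moment its contract becomes stricter, since the access checks in sebsd.c now read the stored class instead of recomputing it. A replacement comment would record the new invariant, e.g. `u_int16_t sclass; /* SECCLASS_* of the labeled object; must be set when the label is created */`. The new `XXX` on `task_sid` would also be clearer if it said what "polymorphic" refers to here, as the hunk does not show it.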