PERFORCE change 113367 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 16:26:31 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113367
Change 113367 by millert at millert_macbook on 2007/01/22 16:25:40
Add audit info for sockets and network interfaces.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/config/MACFramework.exports#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#20 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#10 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#77 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/config/MACFramework.exports#9 (text+ko) ====
@@ -25,6 +25,7 @@
_kauth_cred_dup_add
_sotoxsocket
+_ip6_sprintf
_mac_kalloc
_mac_kfree
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#20 (text+ko) ====
@@ -31,6 +31,10 @@
#include <sys/vnode.h>
#include <sys/vnode_internal.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/in_var.h>
+
#ifdef CAPABILITIES
#include <sys/capability.h>
#endif
@@ -543,26 +547,27 @@
return node;
}
-#ifdef __linux__
static inline void avc_print_ipv6_addr(struct audit_buffer *ab,
struct in6_addr *addr, __be16 port,
- char *name1, char *name2)
+ const char *name1, const char *name2)
{
- if (!ipv6_addr_any(addr))
- audit_log_format(ab, " %s=" NIP6_FMT, name1, NIP6(*addr));
+ if (!IN6_IS_ADDR_UNSPECIFIED(addr))
+ audit_log_format(ab, " %s=%s", name1, ip6_sprintf(addr));
if (port)
audit_log_format(ab, " %s=%d", name2, ntohs(port));
}
static inline void avc_print_ipv4_addr(struct audit_buffer *ab, u32 addr,
- __be16 port, char *name1, char *name2)
+ __be16 port, const char *name1,
+ const char *name2)
{
- if (addr)
- audit_log_format(ab, " %s=" NIPQUAD_FMT, name1, NIPQUAD(addr));
+ if (addr != INADDR_ANY)
+ audit_log_format(ab, " %s=%ld.%ld.%ld.%ld", name1,
+ (ntohl(addr)>>24)&0xFF, (ntohl(addr)>>16)&0xFF,
+ (ntohl(addr)>>8)&0xFF, (ntohl(addr))&0xFF);
if (port)
audit_log_format(ab, " %s=%d", name2, ntohs(port));
}
-#endif /* __linux__ */
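Review bot: The IPv4 format string on the new line `audit_log_format(ab, " %s=%ld.%ld.%ld.%ld", name1,` does not match its arguments: each `(ntohl(addr)>>N)&0xFF` is a u32, while `%ld` expects a long, which is undefined behaviour for variadic formatting and misprints on LP64 targets; use `" %s=%u.%u.%u.%u"` instead. The same mismatch appears in the later hunk of this file at `audit_log_format(ab, " netif=%s%d",`, where `netif_unit` is a `u32` per the avc.h hunk but is printed with `%d` and should be `%u`. Computing `ntohl(addr)` once into a local would also make the four byte extractions easier to read. In the IPv6 branch, if `ip6_sprintf` returns a pointer into static storage, as the BSD implementation historically does, the result must be consumed immediately as it is here; a short comment saying so would keep a later refactor from holding the pointer across another call.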
/**
* avc_audit - Audit the granting or denial of permissions.
@@ -680,8 +685,7 @@
break;
case AVC_AUDIT_DATA_NET:
#ifdef __linux__
- /* XXX - convert to xsocket */
- if (a->u.net.sk) {
+ if (a->u.net.xso) {
struct sock *sk = a->u.net.sk;
struct unix_sock *u;
int len = 0;
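Review bot: The new condition `if (a->u.net.xso)` guards a Linux-only block whose first statement still reads `a->u.net.sk` on the following line, so the field being tested is no longer the field being used. If `sk` has been dropped from `avc_audit_data` (the avc.h hunk shows only `xso`), this block no longer compiles where `__linux__` is defined; if it has not, the test checks the wrong pointer. Either remove the dead `__linux__` block now that the rest of the net case is compiled unconditionally, or keep the test as `if (a->u.net.sk)` to match its body. The enclosing `avc_audit` function begins and ends outside this hunk.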
@@ -731,6 +735,7 @@
break;
}
}
+#endif /* __linux__ */
switch (a->u.net.family) {
case AF_INET:
@@ -751,9 +756,8 @@
break;
}
if (a->u.net.netif)
- audit_log_format(ab, " netif=%s",
- a->u.net.netif);
-#endif /* __linux__ */
+ audit_log_format(ab, " netif=%s%d",
+ a->u.net.netif, a->u.net.netif_unit);
break;
case AVC_AUDIT_DATA_MIG:
audit_log_format(ab, " msgid=%d", a->u.ipc_id);
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#10 (text+ko) ====
@@ -54,7 +54,8 @@
int pathlen;
} fs;
struct {
- char *netif;
+ const char *netif;
+ u32 netif_unit;
struct xsocket *xso;
u16 family;
u16 dport;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#77 (text+ko) ====
@@ -505,19 +505,21 @@
}
static int
-socket_has_perm(struct ucred *cred, struct label *socklabel, u_int32_t perm)
+socket_has_perm(struct ucred *cred, struct label *socklabel, u_int32_t perm,
+ struct xsocket *xso)
{
struct task_security_struct *tsec;
struct network_security_struct *nsec;
+ struct avc_audit_data ad;
tsec = SLOT(cred->cr_label);
nsec = SLOT(socklabel);
- /*
- * TBD: No audit information yet
- */
+ AVC_AUDIT_DATA_INIT(&ad, NET);
+ ad.u.net.xso = xso;
+ ad.u.net.family = xso->xso_family;
- return (avc_has_perm(tsec->sid, nsec->sid, SECCLASS_SOCKET, perm, NULL));
+ return (avc_has_perm(tsec->sid, nsec->sid, SECCLASS_SOCKET, perm, &ad));
}
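Review bot: `socket_has_perm` now dereferences its new `xso` argument unconditionally at `ad.u.net.family = xso->xso_family;`, whereas the function previously never touched the socket, so the non-NULL requirement is new and undocumented. I would add a header comment such as `/* xso must be non-NULL; its family is recorded in the audit data. */` above the function, or guard the assignment with `if (xso != NULL)` if any entry point can reach it without a socket. Only `xso` and `family` are populated here, so, assuming `AVC_AUDIT_DATA_INIT` zero-fills the struct, addresses and ports are left unset and the zero-skipping in the avc.c print helpers omits them from the record.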
static void
@@ -2547,7 +2549,7 @@
}
/* XXX - SELinux just uses plain old SOCKET__ACCEPT */
- return (socket_has_perm(cred, socklabel, perm));
+ return (socket_has_perm(cred, socklabel, perm, xso));
}
static int
@@ -2574,6 +2576,9 @@
/* XXX - unix domain socket-specific checks too? */
+ AVC_AUDIT_DATA_INIT(&ad, NET);
+ ad.u.net.family = xso->xso_family;
+
/*
* Note that we use the xso_family instead of sa_family since
* the latter has not been sanity checked yet.
@@ -2581,20 +2586,21 @@
if (xso->xso_family == AF_INET) {
sin = (struct sockaddr_in *)addr;
port = ntohs(sin->sin_port);
+ ad.u.net.sport = sin->sin_port;
+ ad.u.net.fam.v4.saddr = sin->sin_addr.s_addr;
} else /* if (xso->xso_family == AF_INET6) */ {
sin6 = (struct sockaddr_in6 *)addr;
port = ntohs(sin6->sin6_port);
+ ad.u.net.sport = sin6->sin6_port;
+ memcpy(&ad.u.net.fam.v6.saddr, &sin6->sin6_addr,
+ sizeof(struct in6_addr));
}
if (port) {
- /* XXX - check against net.inet.ip.portrange.last? */
error = security_port_sid(xso->xso_family, xso->so_type,
xso->xso_protocol, port, &sid);
if (error)
return (error);
- AVC_AUDIT_DATA_INIT(&ad, NET);
- ad.u.net.sport = htons(port);
- ad.u.net.family = xso->xso_family;
error = avc_has_perm(nsec->sid, sid, nsec->sclass,
SOCKET__NAME_BIND, &ad);
if (error)
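Review bot: The new `memcpy(&ad.u.net.fam.v6.saddr, &sin6->sin6_addr, sizeof(struct in6_addr))` copies the full 16-byte address out of `addr`, but the comment just above this hunk says `sa_family` has not been sanity checked at this point; if the sockaddr length is likewise unchecked, a short sockaddr from the caller turns this into an over-read, larger than the one the pre-existing `sin6->sin6_port` access already risked. Confirm that the sockaddr length is validated before this point, or check it here before the copy. Separately, the new lines spell the address union as `fam.v4`/`fam.v6` while the retained node-bind code in the next hunk uses `v4info`; if `v4info` is an alias for `fam.v4` this is only a consistency nit, but one spelling should be used throughout. The enclosing function begins and ends outside this hunk.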
@@ -2616,10 +2622,6 @@
if (error)
return (error);
- AVC_AUDIT_DATA_INIT(&ad, NET);
- ad.u.net.sport = htons(port);
- ad.u.net.family = xso->xso_family;
-
if (xso->xso_family == AF_INET)
ad.u.net.v4info.saddr = sin->sin_addr.s_addr;
else
@@ -2643,7 +2645,7 @@
u_int32_t sid;
int error;
- error = socket_has_perm(cred, socklabel, SOCKET__CONNECT);
+ error = socket_has_perm(cred, socklabel, SOCKET__CONNECT, xso);
if (error)
return (error);
@@ -2715,7 +2717,7 @@
struct xsocket *xso, struct label *socklabel)
{
- return (socket_has_perm(cred, socklabel, SOCKET__POLL));
+ return (socket_has_perm(cred, socklabel, SOCKET__POLL, xso));
}
#endif
@@ -2724,7 +2726,7 @@
struct label *socklabel)
{
- return (socket_has_perm(cred, socklabel, SOCKET__LISTEN));
+ return (socket_has_perm(cred, socklabel, SOCKET__LISTEN, xso));
}
static int
@@ -2732,7 +2734,7 @@
struct label *socklabel)
{
- return (socket_has_perm(cred, socklabel, SOCKET__READ));
+ return (socket_has_perm(cred, socklabel, SOCKET__READ, xso));
}
static int
@@ -2767,7 +2769,7 @@
struct label *socklabel, int which)
{
- return (socket_has_perm(cred, socklabel, SOCKET__POLL));
+ return (socket_has_perm(cred, socklabel, SOCKET__POLL, xso));
}
#endif
@@ -2776,7 +2778,7 @@
struct label *socklabel)
{
- return (socket_has_perm(cred, socklabel, SOCKET__WRITE));
+ return (socket_has_perm(cred, socklabel, SOCKET__WRITE, xso));
}
static int
@@ -2784,7 +2786,7 @@
struct label *socklabel)
{
- return (socket_has_perm(cred, socklabel, SOCKET__GETATTR));
+ return (socket_has_perm(cred, socklabel, SOCKET__GETATTR, xso));
}
static int
@@ -3129,12 +3131,19 @@
struct mbuf *m, struct label *mbuflabel, int family, int type)
{
struct network_security_struct *ifsec, *msec;
+ struct avc_audit_data ad;
u_int32_t perm;
int error;
ifsec = SLOT(ifnetlabel);
msec = SLOT(mbuflabel);
+ AVC_AUDIT_DATA_INIT(&ad, NET);
+ ad.u.net.netif = ifnet_name(ifp);
+ ad.u.net.netif_unit = ifnet_unit(ifp);
+ ad.u.net.family = family;
+ /* XXX - if_index too? */
+
/* XXX - other types of perm, see selinux_sock_rcv_skb_compat() */
switch (type) {
case SOCK_STREAM:
@@ -3149,9 +3158,8 @@
break;
}
- /* XXX - use an audit struct so we can log useful info */
error = avc_has_perm(msec->sid, ifsec->sid, SECCLASS_NETIF,
- perm, NULL);
+ perm, &ad);
return (error);
}