Date:      Fri, 20 Apr 2007 14:56:16 GMT
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 118479 for review
Message-ID:  <200704201456.l3KEuGg7025276@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=118479

Change 118479 by rwatson@rwatson_zoo on 2007/04/20 14:56:02

	Implement audit MAC checks for mac_biba, mac_bsdextended, mac_lomac,
	mac_mls, mac_stub, mac_test.
	
	Implement and/or sort missing system checks for mac_bsdextended,
	mac_lomac, mac_mls, mac_stub, mac_test.

Affected files ...

.. //depot/projects/trustedbsd/audit3/sys/security/mac_biba/mac_biba.c#11 edit
.. //depot/projects/trustedbsd/audit3/sys/security/mac_bsdextended/mac_bsdextended.c#11 edit
.. //depot/projects/trustedbsd/audit3/sys/security/mac_lomac/mac_lomac.c#10 edit
.. //depot/projects/trustedbsd/audit3/sys/security/mac_mls/mac_mls.c#9 edit
.. //depot/projects/trustedbsd/audit3/sys/security/mac_stub/mac_stub.c#8 edit
.. //depot/projects/trustedbsd/audit3/sys/security/mac_test/mac_test.c#8 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/sys/security/mac_biba/mac_biba.c#11 (text+ko) ====

@@ -2304,6 +2304,50 @@
 }
 
 static int
+mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel)
+{
+	struct mac_biba *subj, *obj;
+	int error;
+
+	if (!mac_biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+
+	error = mac_biba_subject_privileged(subj);
+	if (error)
+		return (error);
+
+	if (vplabel == NULL)
+		return (0);
+
+	obj = SLOT(vplabel);
+	if (!mac_biba_high_effective(obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mac_biba_check_system_auditon(struct ucred *cred, int cmd)
+{
+	struct mac_biba *subj;
+	int error;
+
+	if (!mac_biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+
+	error = mac_biba_subject_privileged(subj);
+	if (error)
+		return (error);
+
+	return (0);
+}
+
+static int
 mac_biba_check_system_settime(struct ucred *cred)
 {
 	struct mac_biba *subj;
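Review bot: mac_biba_check_system_auditon ignores its `cmd` argument and gates every auditon(2) command on mac_biba_subject_privileged alone; that may well be the intended policy, but nothing in the body says so, and a reader could take it for a placeholder. A comment such as `/* All auditon(2) commands require privilege; cmd is intentionally not inspected. */` above the privilege check would settle that. In mac_biba_check_system_auditctl the privilege check precedes the `vplabel == NULL` early return, so a caller with no target vnode (presumably the disable case) still needs privilege while only a real log vnode is held to the high-integrity test; a one-line comment on that return stating why NULL is accepted would make the ordering visibly deliberate. The `vp` parameter is unused in both new functions, which matches the entry-point signature rather than a defect.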
@@ -3204,6 +3248,8 @@
 	.mpo_check_socket_visible = mac_biba_check_socket_visible,
 	.mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm,
 	.mpo_check_system_acct = mac_biba_check_system_acct,
+	.mpo_check_system_auditctl = mac_biba_check_system_auditctl,
+	.mpo_check_system_auditon = mac_biba_check_system_auditon,
 	.mpo_check_system_settime = mac_biba_check_system_settime,
 	.mpo_check_system_swapon = mac_biba_check_system_swapon,
 	.mpo_check_system_swapoff = mac_biba_check_system_swapoff,

==== //depot/projects/trustedbsd/audit3/sys/security/mac_bsdextended/mac_bsdextended.c#11 (text+ko) ====

@@ -488,6 +488,30 @@
 }
 
 static int
+mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+
+	return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+}
+
+static int
+mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+
+	return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+}
+
+static int
+mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+
+	return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+}
+
+static int
 mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
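Review bot: mac_bsdextended_check_system_auditctl hands `vp` straight to mac_bsdextended_check_vp with no NULL guard, while the mac_biba and mac_test hunks in this same change treat a NULL label (hence no vnode) as a legitimate auditctl argument; if mac_bsdextended_check_vp dereferences `vp` — its body is outside this hunk and cannot be confirmed here — the no-vnode path would fault rather than return a decision. A guard matching mac_biba would be `if (vp == NULL) return (0);` ahead of the call. The same question applies to mac_bsdextended_check_system_acct, since the mac_test hunk also null-checks the label on its acct path.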
@@ -739,6 +763,9 @@
 {
 	.mpo_destroy = mac_bsdextended_destroy,
 	.mpo_init = mac_bsdextended_init,
+	.mpo_check_system_acct = mac_bsdextended_check_system_acct,
+	.mpo_check_system_auditctl = mac_bsdextended_check_system_auditctl,
+	.mpo_check_system_swapoff = mac_bsdextended_check_system_swapoff,
 	.mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
 	.mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
 	.mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,

==== //depot/projects/trustedbsd/audit3/sys/security/mac_lomac/mac_lomac.c#10 (text+ko) ====

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * All rights reserved.
  *
@@ -2046,6 +2046,65 @@
 }
 
 static int
+mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+	struct mac_lomac *subj, *obj;
+
+	if (!mac_lomac_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(label);
+
+	if (mac_lomac_subject_privileged(subj))
+		return (EPERM);
+
+	if (!mac_lomac_high_single(obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+	struct mac_lomac *subj, *obj;
+
+	if (!mac_lomac_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(label);
+
+	if (mac_lomac_subject_privileged(subj))
+		return (EPERM);
+
+	if (!mac_lomac_high_single(obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+	struct mac_lomac *subj;
+
+	if (!mac_lomac_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+
+	if (mac_lomac_subject_privileged(subj))
+		return (EPERM);
+
+	return (0);
+}
+
+static int
 mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
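Review bot: mac_lomac_check_system_acct and mac_lomac_check_system_auditctl evaluate `obj = SLOT(label)` and then mac_lomac_high_single(obj) with no NULL check on `label`, whereas the mac_biba hunk in this change returns early on `vplabel == NULL` and the mac_test hunk wraps its label assertion in `if (label != NULL)`, which suggests the framework passes a NULL label when the call disables auditing or accounting. If that is so, a privileged caller reaches a NULL dereference here; reordering to `if (mac_lomac_subject_privileged(subj)) return (EPERM);` then `if (label == NULL) return (0);` then `obj = SLOT(label);` keeps the privilege requirement and skips only the object-label test. The mac_mls hunk's mac_mls_check_system_acct and mac_mls_check_system_auditctl carry the same unguarded `obj = SLOT(label)`. mac_lomac_check_system_swapoff never reads the label and is unaffected.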
@@ -2700,6 +2759,9 @@
 	.mpo_check_socket_deliver = mac_lomac_check_socket_deliver,
 	.mpo_check_socket_relabel = mac_lomac_check_socket_relabel,
 	.mpo_check_socket_visible = mac_lomac_check_socket_visible,
+	.mpo_check_system_acct = mac_lomac_check_system_acct,
+	.mpo_check_system_auditctl = mac_lomac_check_system_auditctl,
+	.mpo_check_system_swapoff = mac_lomac_check_system_swapoff,
 	.mpo_check_system_swapon = mac_lomac_check_system_swapon,
 	.mpo_check_system_sysctl = mac_lomac_check_system_sysctl,
 	.mpo_check_vnode_access = mac_lomac_check_vnode_open,

==== //depot/projects/trustedbsd/audit3/sys/security/mac_mls/mac_mls.c#9 (text+ko) ====

@@ -2165,6 +2165,44 @@
 }
 
 static int
+mac_mls_check_system_acct(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mac_mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(label);
+
+	if (!mac_mls_dominate_effective(obj, subj) ||
+	    !mac_mls_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mac_mls_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mac_mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(label);
+
+	if (!mac_mls_dominate_effective(obj, subj) ||
+	    !mac_mls_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
 mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
@@ -2972,6 +3010,8 @@
 	.mpo_check_socket_deliver = mac_mls_check_socket_deliver,
 	.mpo_check_socket_relabel = mac_mls_check_socket_relabel,
 	.mpo_check_socket_visible = mac_mls_check_socket_visible,
+	.mpo_check_system_acct = mac_mls_check_system_acct,
+	.mpo_check_system_auditctl = mac_mls_check_system_auditctl,
 	.mpo_check_system_swapon = mac_mls_check_system_swapon,
 	.mpo_check_vnode_access = mac_mls_check_vnode_open,
 	.mpo_check_vnode_chdir = mac_mls_check_vnode_chdir,

==== //depot/projects/trustedbsd/audit3/sys/security/mac_stub/mac_stub.c#8 (text+ko) ====

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2005 SPARTA, Inc.
  * All rights reserved.
@@ -920,6 +920,20 @@
 }
 
 static int
+stub_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+{
+
+	return (0);
+}
+
+static int
+stub_check_proc_setauid(struct ucred *cred, uid_t auid)
+{
+
+	return (0);
+}
+
+static int
 stub_check_proc_setuid(struct ucred *cred, uid_t uid)
 {
 
@@ -1096,6 +1110,28 @@
 }
 
 static int
+stub_check_system_audit(struct ucred *cred, void *record, int length)
+{
+
+	return (0);
+}
+
+static int
+stub_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+    struct label *vlabel)
+{
+
+	return (0);
+}
+
+static int
+stub_check_system_auditon(struct ucred *cred, int cmd)
+{
+
+	return (0);
+}
+
+static int
 stub_check_system_nfsd(struct ucred *cred)
 {
 
@@ -1117,7 +1153,7 @@
 }
 
 static int
-stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
+stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
 
@@ -1125,7 +1161,7 @@
 }
 
 static int
-stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
 
@@ -1576,6 +1612,8 @@
 	.mpo_check_posix_sem_wait = stub_check_posix_sem_wait,
 	.mpo_check_proc_debug = stub_check_proc_debug,
 	.mpo_check_proc_sched = stub_check_proc_sched,
+	.mpo_check_proc_setaudit = stub_check_proc_setaudit,
+	.mpo_check_proc_setauid = stub_check_proc_setauid,
 	.mpo_check_proc_setuid = stub_check_proc_setuid,
 	.mpo_check_proc_seteuid = stub_check_proc_seteuid,
 	.mpo_check_proc_setgid = stub_check_proc_setgid,
@@ -1601,11 +1639,14 @@
 	.mpo_check_socket_visible = stub_check_socket_visible,
 	.mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm,
 	.mpo_check_system_acct = stub_check_system_acct,
+	.mpo_check_system_audit = stub_check_system_audit,
+	.mpo_check_system_auditctl = stub_check_system_auditctl,
+	.mpo_check_system_auditon = stub_check_system_auditon,
 	.mpo_check_system_nfsd = stub_check_system_nfsd,
 	.mpo_check_system_reboot = stub_check_system_reboot,
 	.mpo_check_system_settime = stub_check_system_settime,
+	.mpo_check_system_swapoff = stub_check_system_swapoff,
 	.mpo_check_system_swapon = stub_check_system_swapon,
-	.mpo_check_system_swapoff = stub_check_system_swapoff,
 	.mpo_check_system_sysctl = stub_check_system_sysctl,
 	.mpo_check_vnode_access = stub_check_vnode_access,
 	.mpo_check_vnode_chdir = stub_check_vnode_chdir,

==== //depot/projects/trustedbsd/audit3/sys/security/mac_test/mac_test.c#8 (text+ko) ====

@@ -1712,6 +1712,24 @@
 }
 
 static int
+mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+{
+
+	ASSERT_CRED_LABEL(cred->cr_label);
+
+	return (0);
+}
+
+static int
+mac_test_check_proc_setauid(struct ucred *cred, uid_t auid)
+{
+
+	ASSERT_CRED_LABEL(cred->cr_label);
+
+	return (0);
+}
+
+static int
 mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
 {
 
@@ -1942,11 +1960,45 @@
 {
 
 	ASSERT_CRED_LABEL(cred->cr_label);
+	if (label != NULL) {
+		ASSERT_VNODE_LABEL(label);
+	}
+
+	return (0);
+}
+
+static int
+mac_test_check_system_audit(struct ucred *cred, void *record, int length)
+{
+
+	ASSERT_CRED_LABEL(cred->cr_label);
 
 	return (0);
 }
 
 static int
+mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+
+	ASSERT_CRED_LABEL(cred->cr_label);
+	if (label != NULL) {
+		ASSERT_VNODE_LABEL(label);
+	}
+
+	return (0);
+}
+
+static int
+mac_test_check_system_auditon(struct ucred *cred, int cmd)
+{
+
+	ASSERT_CRED_LABEL(cred->cr_label);
+
+	return (0);
+}
+
+static int
 mac_test_check_system_reboot(struct ucred *cred, int how)
 {
 
@@ -1965,7 +2017,7 @@
 }
 
 static int
-mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
 
@@ -1976,7 +2028,7 @@
 }
 
 static int
-mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
 
@@ -2515,6 +2567,8 @@
 	.mpo_check_posix_sem_wait = mac_test_check_posix_sem,
 	.mpo_check_proc_debug = mac_test_check_proc_debug,
 	.mpo_check_proc_sched = mac_test_check_proc_sched,
+	.mpo_check_proc_setaudit = mac_test_check_proc_setaudit,
+	.mpo_check_proc_setauid = mac_test_check_proc_setauid,
 	.mpo_check_proc_setuid = mac_test_check_proc_setuid,
 	.mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
 	.mpo_check_proc_setgid = mac_test_check_proc_setgid,
@@ -2539,10 +2593,13 @@
 	.mpo_check_socket_visible = mac_test_check_socket_visible,
 	.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
 	.mpo_check_system_acct = mac_test_check_system_acct,
+	.mpo_check_system_audit = mac_test_check_system_audit,
+	.mpo_check_system_auditctl = mac_test_check_system_auditctl,
+	.mpo_check_system_auditon = mac_test_check_system_auditon,
 	.mpo_check_system_reboot = mac_test_check_system_reboot,
 	.mpo_check_system_settime = mac_test_check_system_settime,
+	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
 	.mpo_check_system_swapon = mac_test_check_system_swapon,
-	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
 	.mpo_check_system_sysctl = mac_test_check_system_sysctl,
 	.mpo_check_vnode_access = mac_test_check_vnode_access,
 	.mpo_check_vnode_chdir = mac_test_check_vnode_chdir,


