From owner-p4-projects Tue Dec 31 15:31:11 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 49DA137B405; Tue, 31 Dec 2002 15:31:07 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D6F6A37B401 for ; Tue, 31 Dec 2002 15:31:06 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7F2C143EB2 for ; Tue, 31 Dec 2002 15:31:06 -0800 (PST) (envelope-from green@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id gBVNV6fh023511 for ; Tue, 31 Dec 2002 15:31:06 -0800 (PST) (envelope-from green@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id gBVNV5jK023492 for perforce@freebsd.org; Tue, 31 Dec 2002 15:31:05 -0800 (PST) Date: Tue, 31 Dec 2002 15:31:05 -0800 (PST) Message-Id: <200212312331.gBVNV5jK023492@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to green@freebsd.org using -f From: Brian Feldman Subject: PERFORCE change 22999 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=22999 Change 22999 by green@green_laptop_2 on 2002/12/31 15:30:36 I'm making a fine mess of perforce logs trying to separate changes, so I'll stop. This completes implementation of tty labelling for SEBSD. This also contains residue which is what the previous change should have been. Affected files ... .. //depot/projects/trustedbsd/mac/lib/libsebsd/Makefile#5 edit .. //depot/projects/trustedbsd/mac/lib/libsebsd/sebsd.h#6 edit .. //depot/projects/trustedbsd/mac/lib/libsebsd/security_get_user_contexts.c#4 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#5 edit Differences ... ==== //depot/projects/trustedbsd/mac/lib/libsebsd/Makefile#5 (text+ko) ==== @@ -11,7 +11,7 @@ NOMAN= SRCS= system.c security_get_user_contexts.c get_ordered_context_list.c \ - getseccontext.c query_user_context.c + getseccontext.c query_user_context.c security_change_context.c INCS= sebsd_context.h sebsd_ss.h sebsd_proc.h sebsd_fs.h sebsd.h \ sebsd_syscalls.h flask_types.h ==== //depot/projects/trustedbsd/mac/lib/libsebsd/sebsd.h#6 (text+ko) ==== @@ -64,5 +64,7 @@ int security_get_user_contexts(const char *fromcontext, const char *username, char ***retcontexts, size_t *ncontexts); +int security_change_context(const char *domain, const char *ocontext, + security_class_t oclass, char **newcontext); #endif /* _SEBSD_H */ ==== //depot/projects/trustedbsd/mac/lib/libsebsd/security_get_user_contexts.c#4 (text+ko) ==== @@ -57,8 +57,8 @@ size_t contexts_len, n; int error; - arguments_len = asprintf(&arguments, "%s%c%s%c%c", fromcontext, 0, - username, 0, 0); + arguments_len = asprintf(&arguments, "%s%c%s%c", fromcontext, 0, + username, 0); if (arguments_len == -1) return (-1); bigger: ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#5 (text+ko) ==== @@ -179,6 +179,57 @@ return (error); } +/* + * Sysctl handler for security.mac.sebsd.change_sid + * Report the SID to relabel to given input "scontext\0tcontext\0",tclass + */ +static int +sysctl_change_sid(SYSCTL_HANDLER_ARGS) +{ + u_int32_t newcontext_len; + security_id_t sid, tsid, newsid; + security_context_t newcontext; + security_class_t tclass; + char *scontext, *tcontext; + int error; + + if (req->newlen < 4 + sizeof(tclass)) + return (EINVAL); + if (req->newlen > 512) /* arbitrary */ + return (ENAMETOOLONG); + scontext = sebsd_malloc(req->newlen, M_SEBSD_SS, M_WAITOK); + error = SYSCTL_IN(req, scontext, req->newlen); + if (error) + goto out; + if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') { + error = EINVAL; + goto out; + } + tcontext = &scontext[strlen(scontext) + 1]; + if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) { + error = EINVAL; + goto out; + } + bcopy(&scontext[strlen(scontext) + 1], &tclass, sizeof(tclass)); + error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid); + if (error) + goto out; + error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid); + if (error) + goto out; + error = security_change_sid(sid, tsid, tclass, &newsid); + if (error) + goto out; + error = security_sid_to_context(newsid, &newcontext, &newcontext_len); + if (error) + goto out; + error = SYSCTL_OUT(req, newcontext, newcontext_len); + security_free_context(newcontext); +out: + sebsd_free(scontext, M_SEBSD_SS); + return (error); +} + SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, sebsd, CTLFLAG_RW, 0, "Security Enhanced BSD policy controls"); @@ -192,6 +243,9 @@ SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, user_sids, CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_user_sids, "A", "SEBSD transitionable user SIDs"); +SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, change_sid, CTLTYPE_STRING | + CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_change_sid, "A", + "SEBSD (tty) SID relabel to perform along with transition"); #if 0 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message