Date:      Tue, 31 Dec 2002 15:31:05 -0800 (PST)
From:      Brian Feldman <green@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 22999 for review
Message-ID:  <200212312331.gBVNV5jK023492@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=22999

Change 22999 by green@green_laptop_2 on 2002/12/31 15:30:36

	I'm making a fine mess of perforce logs trying to separate changes,
	so I'll stop.  This completes implementation of tty labelling
	for SEBSD.  This also contains residue that should have been part of
	the previous change.

Affected files ...

.. //depot/projects/trustedbsd/mac/lib/libsebsd/Makefile#5 edit
.. //depot/projects/trustedbsd/mac/lib/libsebsd/sebsd.h#6 edit
.. //depot/projects/trustedbsd/mac/lib/libsebsd/security_get_user_contexts.c#4 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#5 edit

Differences ...

==== //depot/projects/trustedbsd/mac/lib/libsebsd/Makefile#5 (text+ko) ====

@@ -11,7 +11,7 @@
 NOMAN=
 
 SRCS=	system.c security_get_user_contexts.c get_ordered_context_list.c \
-	getseccontext.c query_user_context.c
+	getseccontext.c query_user_context.c security_change_context.c
 INCS=	sebsd_context.h sebsd_ss.h sebsd_proc.h sebsd_fs.h sebsd.h \
 	sebsd_syscalls.h flask_types.h
 
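Review bot: SRCS now lists security_change_context.c, but that file is not among this change's affected files, so a checkout of this changelist alone would fail to build libsebsd unless the file arrived in the previous change the description refers to. If it was meant to be submitted here it should be added to the changelist; otherwise a line in the description naming the change that added it, e.g. `security_change_context.c itself was added in change NNNNN`, would save the next reader a search.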

==== //depot/projects/trustedbsd/mac/lib/libsebsd/sebsd.h#6 (text+ko) ====

@@ -64,5 +64,7 @@
 
 int security_get_user_contexts(const char *fromcontext, const char *username,
 	    char ***retcontexts, size_t *ncontexts);
+int security_change_context(const char *domain, const char *ocontext,
+	    security_class_t oclass, char **newcontext);
 
 #endif /* _SEBSD_H */
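Review bot: The new security_change_context() prototype says nothing about who owns `*newcontext` or how failure is reported, and the implementation is not part of this changelist, so a caller has to guess. A comment above the declaration along the lines of `/* Compute the context that ocontext (of class oclass) is relabelled to by domain. On success *newcontext is allocated and must be freed by the caller. */`, plus the return convention, would settle it; the sibling security_get_user_contexts() in this library returns -1 on error, so presumably this one does too, but that should be stated rather than inferred. The parameter names (`domain`, `ocontext`) also differ from the kernel side's `scontext`/`tcontext`; a one-line mapping in that comment would avoid confusion.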

==== //depot/projects/trustedbsd/mac/lib/libsebsd/security_get_user_contexts.c#4 (text+ko) ====

@@ -57,8 +57,8 @@
 	size_t contexts_len, n;
 	int error;
 
-	arguments_len = asprintf(&arguments, "%s%c%s%c%c", fromcontext, 0,
-	    username, 0, 0);
+	arguments_len = asprintf(&arguments, "%s%c%s%c", fromcontext, 0,
+	    username, 0);
 	if (arguments_len == -1)
 		return (-1);
 bigger:

==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#5 (text+ko) ====

@@ -179,6 +179,57 @@
 	return (error);
 }
 
+/*
+ * Sysctl handler for security.mac.sebsd.change_sid
+ * Report the SID to relabel to given input "scontext\0tcontext\0",tclass
+ */
+static int
+sysctl_change_sid(SYSCTL_HANDLER_ARGS)
+{
+	u_int32_t newcontext_len;
+	security_id_t sid, tsid, newsid;
+	security_context_t newcontext;
+	security_class_t tclass;
+	char *scontext, *tcontext;
+	int error;
+
+	if (req->newlen < 4 + sizeof(tclass))
+		return (EINVAL);
+	if (req->newlen > 512)	/* arbitrary */
+		return (ENAMETOOLONG);
+	scontext = sebsd_malloc(req->newlen, M_SEBSD_SS, M_WAITOK);
+	error = SYSCTL_IN(req, scontext, req->newlen); 
+	if (error)
+		goto out;
+	if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') {
+		error = EINVAL;
+		goto out;
+	}
+	tcontext = &scontext[strlen(scontext) + 1];
+	if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) {
+		error = EINVAL;
+		goto out;
+	}
+	bcopy(&scontext[strlen(scontext) + 1], &tclass, sizeof(tclass));
+	error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid);
+	if (error)
+		goto out;
+	error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid);
+	if (error)
+		goto out;
+	error = security_change_sid(sid, tsid, tclass, &newsid);
+	if (error)
+		goto out;
+	error = security_sid_to_context(newsid, &newcontext, &newcontext_len);
+	if (error)
+		goto out;
+	error = SYSCTL_OUT(req, newcontext, newcontext_len);
+	security_free_context(newcontext);
+out:
+	sebsd_free(scontext, M_SEBSD_SS);
+	return (error);
+}
+
 SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security_mac, OID_AUTO, sebsd, CTLFLAG_RW, 0,
 	    "Security Enhanced BSD policy controls");
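Review bot: The bcopy after the two bounds checks reads `tclass` from `&scontext[strlen(scontext) + 1]`, which is the very address just assigned to `tcontext` — the first bytes of the target context string — and not the class value that the header comment says follows the second NUL. The preceding checks establish that the NUL terminating tcontext sits at index `req->newlen - (1 + sizeof(tclass))`, so the class bytes are the last `sizeof(tclass)` of the buffer: `bcopy(&scontext[req->newlen - sizeof(tclass)], &tclass, sizeof(tclass));`. As written, security_change_sid() is handed a class made from the leading characters of tcontext, and any error would surface from the security server rather than from this handler's own validation. The userland encoder (security_change_context.c, declared in sebsd.h in this change) is not in the changelist, so the exact wire layout cannot be cross-checked here; a comment above the bcopy stating the byte offsets, e.g. `/* tclass is the last sizeof(tclass) bytes, after "scontext\0tcontext\0" */`, would make the layout explicit.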
@@ -192,6 +243,9 @@
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, user_sids, CTLTYPE_STRING |
  	   CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_user_sids, "A",
 	   "SEBSD transitionable user SIDs");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, change_sid, CTLTYPE_STRING |
+ 	   CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_change_sid, "A",
+	   "SEBSD (tty) SID relabel to perform along with transition");
 
 #if 0
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW,
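Review bot: CTLFLAG_ANYBODY on change_sid lets any unprivileged process drive security_change_sid() with arbitrary source and target contexts. That matches the user_sids node directly above and looks intentional, since the handler only reports a computed context and never relabels anything, but the decision to expose this policy query to all users deserves a comment on the node, e.g. `/* ANYBODY: read-only policy query, consistent with user_sids */`. The description string "SID relabel to perform" also reads as if the sysctl performs the relabel; `"SEBSD SID a tty should be relabelled to on transition"` would describe what the handler actually does.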




