Date: Thu, 20 Nov 2003 11:56:36 -0800 (PST) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 42814 for review Message-ID: <200311201956.hAKJuaKw091761@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=42814 Change 42814 by cvance@cvance_osx_laptop on 2003/11/20 11:56:28 Fix a bunch of small but critical bugs: - make sure we free temporary labels in mac_set_{file,link} - make sure sebsd_ss_malloc stores the allocated size - turn on sebsd code for associate_vnode_extattr and setlabel_vnode_extattr
Affected files ...
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#30 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#15 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#30 (text+ko) ====
@@ -4058,6 +4058,7 @@
 vput (nd.ni_vp);
 }
+ mac_destroy_vnode_label(&intlabel);
 return (error);
 }
@@ -4112,6 +4113,7 @@
 vput (nd.ni_vp);
 }
+ mac_destroy_vnode_label(&intlabel);
 return (error);
 }
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#15 (text+ko) ====
@@ -99,7 +99,8 @@
 void *sebsd_ss_malloc (size_t size, int flags)
 {
- size_t *v = sebsd_malloc (size + sizeof (size_t), flags);
+ size += sizeof(size_t);
+ size_t *v = sebsd_malloc (size, flags);
 v[0] = size;
 return v+1;
 }
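Review bot: The added `mac_destroy_vnode_label(&intlabel);` in both kern_mac.c hunks sits only on the fall-through path just before `return (error);`, so any earlier `return` between where `intlabel` is initialized and this point would still leak the temporary label. Both enclosing functions (mac_set_file and mac_set_link, per the description) start outside their hunks, so I cannot see whether such early returns exist; if they do, routing them through one `out:` label that destroys `intlabel` once would close them all. For the path the hunks cover, the fix is correct.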
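Review bot: In the sebsd_ss_malloc hunk the result of `sebsd_malloc (size, flags)` is stored through on the very next line (`v[0] = size;`) with no NULL check, so if sebsd_malloc can fail for the given `flags` this dereferences NULL inside the kernel; add `if (v == NULL)` / `return NULL;` between the allocation and the store. `size += sizeof(size_t);` also has no guard against wrapping for a very large `size`, which would leave the recorded length smaller than the caller's request; a one-line `if (size > SIZE_MAX - sizeof(size_t)) return NULL;` before it closes that. Since `v[0]` now records the total allocation including the header word, whichever free-side routine reads it must expect that total rather than the caller's original size; a short comment at the store stating that contract would help.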
@@ -500,28 +501,33 @@
 struct vnode *vp, struct label *vlabel)
 {
 struct vnode_security_struct *vsec;
- /* TBD: Need to limit size of contexts used in extattr labels */
- /*char context[128];*/
+ /*
+ * TBD: static buffers aren't a good idea, and SELinux contexts
+ * aren't restricted in length.
+ *
+ * This doesn't matter too much, since HFS extattr support
+ * currently uses a backing file pre-allocated with fixed-size
+ * attributes.
+ */
+ char context[256];
 u_int32_t context_len;
- const char *context = NULL;
+ struct proc *p = current_proc();
 int error;
 vsec = SLOT(vlabel);
-#ifdef HAS_EXTATTRS
- context_len = sizeof(context); /* TBD: bad fixed length */
 error = vn_extattr_get(vp, IO_NODELOCKED, SEBSD_MAC_EXTATTR_NAMESPACE, SEBSD_MAC_EXTATTR_NAME,
- &context_len, context, curthread);
+ &context_len, context, p);
 if (error == ENOATTR || error == EOPNOTSUPP) {
 vsec->sid = SECINITSID_UNLABELED; /* Use the default label */ /* struct vattr va;
- (void)VOP_GETATTR(vp, &va, curthread->td_ucred, curthread);
+ (void)VOP_GETATTR(vp, &va, p->p_ucred, p);
 printf("sebsd_update_vnode_from_extattr: no label for " "inode=%ld, fsid=%d\n", va.va_fileid, va.va_fsid); */
@@ -532,6 +538,8 @@
 " by vn_extattr_get()\n", error);
 return (error); /* Fail closed */
 }
+
+#if 0
 if (sebsd_verbose > 1) {
 struct vattr va;
@@ -541,8 +549,7 @@
 context, va.va_fileid, va.va_fsid);
 }
 #endif
-
- struct proc *p = current_proc();
+
 if (p == NULL || vp == NULL || vp->v_op == NULL || vp->v_tag != VT_HFS || vp->v_data == NULL) goto dosclass;
@@ -550,10 +557,6 @@
 error = VOP_GETATTR (vp, &va, p->p_ucred, p);
 if (error) goto dosclass;
- if (va.va_fileid == 28308)
- context = "system_u:object_r:shell_exec_t";
- else
- goto dosclass;
 error = security_context_to_sid(context, strlen(context), &vsec->sid);
 if (error) {
@@ -1373,7 +1376,6 @@
 dest->sid = source->sid;
 }
-#ifdef HAS_EXTATTRS
 static int
 sebsd_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, struct label *vlabel, struct label *intlabel)
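Review bot: `context_len` reaches `vn_extattr_get(...)` uninitialized in the @@ -500 hunk: the removed `- context_len = sizeof(context); /* TBD: bad fixed length */` is dropped together with the `#ifdef HAS_EXTATTRS` line and is never re-added, while the new `char context[256];` is a fixed-size stack buffer. If vn_extattr_get reads `*buflen` as the buffer's capacity on entry, as the removed line assumed, the call receives a stack-garbage length and may write past those 256 bytes; restore `context_len = sizeof(context) - 1;` before the call (the spare byte lets the result be NUL-terminated before the later `strlen(context)`). The enclosing function starts and ends outside this hunk.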
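Review bot: In the @@ -550 hunk `security_context_to_sid(context, strlen(context), &vsec->sid)` now operates on the bytes vn_extattr_get() copied into the fixed `context` buffer rather than on the removed string constant, and nothing in the visible lines guarantees those bytes end in a NUL, so `strlen` can run past the attribute data and off the end of the buffer when the attribute fills it. Either pass `context_len` in place of `strlen(context)` or terminate explicitly after the get with `context[context_len] = '\0';` (which requires the capacity handed in to be `sizeof(context) - 1`). With the `va.va_fileid == 28308` comparison gone, the preceding `VOP_GETATTR` only serves to bail out to `dosclass` on error; if that is intended, a one-line comment saying so would help, otherwise the call and `va` are now dead weight. The enclosing function starts and ends outside this hunk.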
@@ -1393,11 +1395,10 @@
 error = vn_extattr_set(vp, IO_NODELOCKED, SEBSD_MAC_EXTATTR_NAMESPACE, SEBSD_MAC_EXTATTR_NAME,
- context_len, context, curthread);
+ context_len, context, current_proc());
 security_free_context(context);
 return (error);
 }
-#endif
 static int
 sebsd_check_vnode_access(struct ucred *cred, struct vnode *vp,
@@ -2242,9 +2243,12 @@
 .mpo_destroy_mount_label = sebsd_destroy_mount_label,
 .mpo_destroy_mount_fs_label = sebsd_destroy_mount_fs_label,
+ .mpo_setlabel_vnode_extattr = sebsd_setlabel_vnode_extattr,
+ .mpo_syscall = sebsd_syscall
 };
+
 #if 0
 static struct mac_policy_ops sebsd_ops_o = {
 /* Init Labels */
@@ -2463,9 +2467,6 @@
 #endif
 /* .mpo_relabel_socket = sebsd_relabel_socket, */
 .mpo_relabel_vnode = sebsd_relabel_vnode,
-#ifdef HAS_EXTATTRS
- .mpo_setlabel_vnode_extattr = sebsd_setlabel_vnode_extattr,
-#endif
 /*.mpo_set_socket_peer_from_mbuf = sebsd_set_socket_peer_from_mbuf,*/
 /*.mpo_set_socket_peer_from_socket = sebsd_set_socket_peer_from_socket,*/
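Review bot: `vn_extattr_set(...)` in the @@ -1393 hunk now runs with `current_proc()`, while the `cred` parameter of sebsd_setlabel_vnode_extattr (visible in the @@ -1373 hunk) is not used in any of the lines shown, so the label write appears to be performed under the current process's credentials rather than the caller-supplied ones. If that is how the Darwin vn_extattr_set() interface is meant to be used, a comment at the call such as `/* cred unused: vn_extattr_set() runs under current_proc() */` would record the intent for the next reader. The enclosing function starts outside this hunk.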
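Review bot: `.mpo_syscall = sebsd_syscall` is added in the @@ -2242 hunk without being mentioned in the change description, which only lists the extattr entry points; wiring a policy syscall entry point is worth a line in the description so it is not overlooked. As a point of style, write it as `.mpo_syscall = sebsd_syscall,` with the trailing comma like the surrounding entries, so the next field added to this initializer is a one-line diff.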