From owner-p4-projects Wed Jul 10 10:57:43 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 9DE5537B400; Wed, 10 Jul 2002 10:57:13 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1BE9437B401 for ; Wed, 10 Jul 2002 10:57:13 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3479343E42 for ; Wed, 10 Jul 2002 10:57:12 -0700 (PDT) (envelope-from cvance@tislabs.com) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6AHvCJU011185 for ; Wed, 10 Jul 2002 10:57:12 -0700 (PDT) (envelope-from cvance@tislabs.com) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6AHvBPk011182 for perforce@freebsd.org; Wed, 10 Jul 2002 10:57:11 -0700 (PDT) Date: Wed, 10 Jul 2002 10:57:11 -0700 (PDT) Message-Id: <200207101757.g6AHvBPk011182@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to cvance@tislabs.com using -f 
From: Chris Vance Subject: PERFORCE change 14048 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14048 Change 14048 by cvance@cvance_korben on 2002/07/10 10:56:28 Updated SEBSD to include minimal support for using extended attributes to store persistent file labels. Fixed a bit of the process labeling code as well. This is a checkpoint submission, not everything works as well as it could and it's certainly not ready for general use. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#10 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.h#5 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#2 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#10 (text+ko) ==== @@ -36,6 +36,7 @@ #include #include +#include #include #include #include @@ -51,6 +52,8 @@ #include #include +int sebsd_verbose = 0; + static int slot; #define SLOT(l) ((void *)LABEL_TO_SLOT((l), slot).l_ptr) @@ -131,7 +134,7 @@ task = SLOT(&cred->cr_label); task->osid = task->sid = SECINITSID_KERNEL; - printf("sebsd_create_proc0:: using SICINITSID_KERNEL = %d\n", + printf("sebsd_create_proc0:: using SECINITSID_KERNEL = %d\n", SECINITSID_KERNEL); } 
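Review bot: `int sebsd_verbose = 0;` is a new file-scope global, exported through sebsd.h and read on the exec and extattr-read paths, but it carries no comment saying what its levels mean; the later hunks test `sebsd_verbose > 0` (exec transition contexts) and `sebsd_verbose > 1` (stored label reads with the file path). A comment such as `/* Debug verbosity for the sebsd hooks (security.mac.sebsd.verbose): 0 quiet, 1 exec transitions, 2 also extattr label reads */` would pin that down, since the sysctl description added in sebsd_sysctl.c does not.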
@@ -141,84 +144,59 @@ struct task_security_struct *task; task = SLOT(&cred->cr_label); - task->osid = task->sid = SECINITSID_UNLABELED; - printf("sebsd_create_proc1:: using SICINITSID_UNLABELED = %d\n", - SECINITSID_KERNEL); -} - -static void -sebsd_execve_transition(struct ucred *old, struct ucred *new, - struct vnode *vp, struct mac *vnodelabel) -{ - /* NOP */ + task->osid = SECINITSID_KERNEL; + task->sid = SECINITSID_INIT; + printf("sebsd_create_proc1:: using SICINITSID_INIT = %d\n", + SECINITSID_INIT); } static int -sebsd_execve_will_transition(struct ucred *old, struct vnode *vp, - struct mac *vnodelabel) +sebsd_compute_transition(struct ucred *cred, struct vnode *vp, + struct label *label, security_id_t *newsid) { - /* NOP */ - return (0); -} - -static int -sebsd_check_exec_vnode(struct ucred *cred, struct vnode *vp, - struct label *label) -{ - struct task_security_struct *task, *file; - security_id_t newsid; - avc_audit_data_t ad; + struct task_security_struct *task; + struct vnode_security_struct *file; int rc; - u_int32_t scontext_len; - security_context_t scontext; - task = SLOT(&cred->cr_label); file = SLOT(label); rc = security_transition_sid(task->sid, file->sid, SECCLASS_PROCESS, - &newsid); + newsid); if (rc) return EACCES; - /* + if (sebsd_verbose > 0) { + u_int32_t scontext_len; + security_context_t scontext; (void)security_sid_to_context(task->sid, &scontext, &scontext_len); printf("exec_vnode:: tsid (%d) = %s", task->sid, scontext); security_free_context(scontext); (void)security_sid_to_context(file->sid, &scontext, &scontext_len); printf(" fsid (%d) = %s", file->sid, scontext); security_free_context(scontext); - (void)security_sid_to_context(newsid, &scontext, &scontext_len); - printf(" newsid (%d) = %s\n", newsid, scontext); + (void)security_sid_to_context(*newsid, &scontext, &scontext_len); + printf(" newsid (%d) = %s\n", *newsid, scontext); security_free_context(scontext); - */ + } -/* AVC_AUDIT_DATA_INIT(&ad, FS); */ + return (*newsid != 
task->sid); +#ifdef notdef /* TBD, auditing not really working yet */ -/* ad.u.fs.dentry = bprm->file->f_dentry; */ if (newsid == task->sid) { - /* - rc = avc_has_perm_ref_audit(task->sid, file->sid, - SECCLASS_FILE, - FILE__EXECUTE_NO_TRANS, - &task->avcr, &ad); - */ rc = avc_has_perm(task->sid, file->sid, SECCLASS_FILE, FILE__EXECUTE_NO_TRANS); if (rc) return EACCES; - } -#ifdef broken_stuff } else { /* Check permissions for the transition. */ - rc = avc_has_perm_audit(task->sid, newsid, - SECCLASS_PROCESS, PROCESS__TRANSITION, - &ad); + rc = avc_has_perm(task->sid, newsid, SECCLASS_PROCESS, + PROCESS__TRANSITION); if (rc) return EACCES; - rc = avc_has_perm_ref_audit(newsid, file->sid, - SECCLASS_FILE, FILE__ENTRYPOINT, - &file->avcr, &ad); + rc = avc_has_perm(newsid, file->sid, + SECCLASS_FILE, FILE__ENTRYPOINT); +/* &file->avcr, &ad); */ if (rc) return EACCES; @@ -243,12 +221,41 @@ * permission check if the parent was waiting. */ } -#endif /* broken_stuff */ + task->sid = newsid; +#endif /* notdef */ return (0); } static void +sebsd_execve_transition(struct ucred *old, struct ucred *new, + struct vnode *vp, struct mac *vnodelabel) +{ + struct task_security_struct *task; + security_id_t newsid; + + sebsd_compute_transition(old, vp, &vp->v_label, &newsid); + task = SLOT(&new->cr_label); + task->osid = task->sid; + task->sid = newsid; +} + +static int +sebsd_execve_will_transition(struct ucred *old, struct vnode *vp, + struct mac *vnodelabel) +{ + security_id_t newsid; + return sebsd_compute_transition(old, vp, &vp->v_label, &newsid); +} + +static int +sebsd_check_exec_vnode(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + return 0; +} + +static void sebsd_init_vnode(struct vnode *vp, struct label *label) { struct vnode_security_struct *vsec; 
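Review bot: sebsd_compute_transition now returns two different things through one int: EACCES when security_transition_sid fails and the boolean `*newsid != task->sid` otherwise, so sebsd_execve_will_transition (in the -243 hunk) reports a failed lookup as "will transition" and no caller can tell the cases apart. Either return the error through a separate out-parameter or document the convention at the top of the function, e.g. `/* Returns non-zero if exec of vp would change the SID; on lookup failure returns EACCES and leaves *newsid unset. */`, and make callers check it. The new printf in sebsd_create_proc1 reintroduces the SIC/SEC typo the -131 hunk just fixed: `printf("sebsd_create_proc1:: using SECINITSID_INIT = %d\n",`. In the verbose block the three security_sid_to_context results are discarded with `(void)` and scontext is then printed and freed unconditionally; if that call can fail without setting scontext (its contract is not visible here), the printf dereferences an indeterminate pointer, so test the return before using it.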
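Review bot: sebsd_execve_transition discards the return value of sebsd_compute_transition and then stores newsid into the new credential; when security_transition_sid fails, sebsd_compute_transition returns EACCES before anything is written through newsid (see the -141 hunk), so `task->sid = newsid;` copies an uninitialized value into the process label. Seed it from the old credential so a failure leaves the SID unchanged, e.g. `struct task_security_struct *otask = SLOT(&old->cr_label); newsid = otask->sid;` before the call. sebsd_check_exec_vnode is reduced to `return 0;` while the FILE__EXECUTE_NO_TRANS, PROCESS__TRANSITION and FILE__ENTRYPOINT checks are parked under `#ifdef notdef`, so this checkpoint enforces no exec permission at all; the stub deserves a comment saying so, e.g. `/* TBD: AVC exec checks are disabled; see the notdef block in sebsd_compute_transition. */`. Inside that notdef block the added `task->sid = newsid;` and the surviving `if (newsid == task->sid)` still treat newsid as a value although it is now a `security_id_t *` parameter, so the block will not compile as written if it is ever re-enabled.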
@@ -257,8 +264,7 @@ vsec->sid = SECINITSID_UNLABELED; /* - * TBD: should actually set this from the task sid, either here - * or in the create_vnode_from_vnode hook. + * TBD: should actually set this from the task sid */ vsec->task_sid = SECINITSID_UNLABELED; 
@@ -277,25 +283,169 @@ struct label *parentlabel, struct vnode *child, struct label *childlabel) { + struct vnode_security_struct *dir, *vsec; struct task_security_struct *task; - struct vnode_security_struct *dir, *vsec; - - u_int32_t scontext_len; - security_context_t scontext; + security_context_t context; + u_int32_t context_len; + security_id_t newsid; + int error; task = SLOT(&cred->cr_label); dir = SLOT(parentlabel); vsec = SLOT(childlabel); - /* - * TBD, temporarily use a generic file sid. Need to use - * extended attributes at some future point. - */ - vsec->sid = SECINITSID_FILE; - (void)security_sid_to_context(vsec->sid, &scontext, &scontext_len); - printf("create_vnode_from_vnode:: sid=%d, context=%s\n", - vsec->sid, scontext); - security_free_context(scontext); + error = security_transition_sid(task->sid, dir->sid, SECCLASS_FILE, + &newsid); + vsec->sid = newsid; + vsec->task_sid = task->sid; + + if ((child->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { + return; + } + + /* store label in vnode */ + error = security_sid_to_context(vsec->sid, &context, + &context_len); + if (error) { + /* TBD: this is probably bad... */ + return; + } + error = vn_extattr_set(child, IO_NODELOCKED, + SEBSD_MAC_EXTATTR_NAMESPACE, + SEBSD_MAC_EXTATTR_NAME, + context_len, context, curthread); + + security_free_context(context); + if (error) { + /* TBD: this is probably bad... 
*/ + return; + } +} + + +static void +sebsd_relabel_vnode(struct ucred *cred, struct vnode *vp, + struct label *vnodelabel, struct label *label) +{ + struct vnode_security_struct *source, *dest; + security_context_t context; + u_int32_t context_len; + int error; + + source = SLOT(label); + dest = SLOT(vnodelabel); + + if (!source) { +/* Debugger("sebsd_relabel_vnode:: source is NULL!\n"); */ + printf("sebsd_relabel_vnode:: source is NULL!\n"); + return; + } + if (!dest) { + printf("sebsd_relabel_vnode:: dest is NULL!\n"); + return; + } + + printf("relabel_vnode:: source=%d, dest=%d\n", source->sid, + dest->sid); + + if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { + return; + } + + error = security_sid_to_context(source->sid, &context, + &context_len); + if (error) { + /* TBD: this is probably bad... */ + return; + } + + error = vn_extattr_set(vp, IO_NODELOCKED, + SEBSD_MAC_EXTATTR_NAMESPACE, + SEBSD_MAC_EXTATTR_NAME, + context_len, context, curthread); + + security_free_context(context); + if (error) { + /* TBD: this is probably bad... 
*/ + return; + } +} + +static int +sebsd_check_create_vnode(struct ucred *cred, struct vnode *dvp, + struct label *dlabel, struct vattr *vap) +{ + struct vnode_security_struct *file, *dir; + + file = SLOT(&cred->cr_label); + dir = SLOT(dlabel); + +/* + printf("check_create_vnode:: file=%d, dir=%d\n", file->sid, + dir->sid); +*/ + return 0; +} + +static int +sebsd_update_vnode_from_externalized(struct vnode *vp, + struct label *vnodelabel, + struct mac *extmac) +{ + struct vnode_security_struct *vsec; + /* TBD: Need to limit size of contexts used in extattr labels */ + char context[128]; + u_int32_t context_len; + int error; + + if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { + return (EOPNOTSUPP); + } + + context_len = 128; /* TBD: bad fixed length */ + error = vn_extattr_get(vp, IO_NODELOCKED, + SEBSD_MAC_EXTATTR_NAMESPACE, + SEBSD_MAC_EXTATTR_NAME, + &context_len, context, curthread); + if (error) + return (error); + + if (sebsd_verbose > 1) { + char *fullpath = "unknown"; + char *freepath = NULL; + struct vattr va; + + VOP_GETATTR(vp, &va, curthread->td_ucred, curthread); + VOP_UNLOCK(vp, 0, curthread); + vn_fullpath(curthread, vp->v_dd, vp, &fullpath, &freepath); + printf("sebsd_vnode_from_externallize: len=%d: context=%s file=%s inode=%d, fsid=%d\n", context_len, context, fullpath, va.va_fileid, va.va_fsid); + if (freepath) + free(freepath, M_TEMP); + vn_lock(vp, LK_EXCLUSIVE, curthread); + } + + vsec = SLOT(vnodelabel); + error = security_context_to_sid(context, context_len, &vsec->sid); + if (error) { + printf("sebsd_update_vnode_from_externalized: ERROR mapping context to sid: %s\n", context); + } + +/* printf("sebsd_update_vnode_from_externalized got sid %d, label size=%d: %s\n", vsec->sid, context_len, context); */ + + return (0); +} + +static int +sebsd_externalize(struct label *label, struct mac *extmac) +{ + /* TBD: this assumes vnodes only and only stores '5' */ + struct vnode_security_struct *vsec; + + vsec = SLOT(label); + if (vsec) + 
extmac->m_sebsd.ms_psid = (uint32_t)5; + + return 0; } /* @@ -342,8 +492,14 @@ (macop_t)sebsd_destroy_vnode }, { MAC_CREATE_VNODE_FROM_VNODE, (macop_t)sebsd_create_vnode_from_vnode }, + { MAC_UPDATE_VNODE_FROM_EXTERNALIZED, + (macop_t)sebsd_update_vnode_from_externalized }, + { MAC_RELABEL_VNODE, + (macop_t)sebsd_relabel_vnode }, { MAC_CRED_CHECK_EXEC_VNODE, (macop_t)sebsd_check_exec_vnode }, + { MAC_CRED_CHECK_CREATE_VNODE, + (macop_t)sebsd_check_create_vnode }, { MAC_EXECVE_TRANSITION, @@ -351,6 +507,8 @@ { MAC_EXECVE_WILL_TRANSITION, (macop_t)sebsd_execve_will_transition }, + { MAC_EXTERNALIZE, + (macop_t)sebsd_externalize }, { MAC_CREATE_ROOT_MOUNT, (macop_t)sebsd_create_root_mount }, { MAC_OP_LAST, NULL } ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.h#5 (text+ko) ==== @@ -43,7 +43,11 @@ extern int avc_debug_always_allow; extern int security_init(void); +extern int sebsd_verbose; #define SELINUX_MAGIC 0xf97cff8c +#define SEBSD_MAC_EXTATTR_NAME "sebsd" +#define SEBSD_MAC_EXTATTR_NAMESPACE EXTATTR_NAMESPACE_SYSTEM + #endif /* _SYS_SECURITY_SEBSD_H */ ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#2 (text+ko) ==== @@ -63,6 +63,10 @@ &avc_debug_always_allow, 0, "Debug Security Enhanced BSD policy"); TUNABLE_INT("security.mac.sebsd.debug", &avc_debug_always_allow); +SYSCTL_INT(_security_mac_sebsd, OID_AUTO, verbose, CTLFLAG_RW, + &sebsd_verbose, 0, " SEBSD Verbose Debug Stuff"); +TUNABLE_INT("security.mac.sebsd.verbose", &sebsd_verbose); + SYSCTL_OID(_security_mac_sebsd, OID_AUTO, sids, CTLTYPE_STRING|CTLFLAG_RD, NULL, 0, sysctl_list_sids, "A", "SEBSD SIDs"); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
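Review bot: sebsd_update_vnode_from_externalized returns 0 after security_context_to_sid fails, so a vnode whose stored context cannot be mapped is reported as successfully labeled and vsec->sid keeps whatever the failed call left there; after the existing printf add `return (error);` instead of falling through. The 128-byte `context` buffer is handed to vn_extattr_get with no terminator guarantee, yet the `sebsd_verbose > 1` branch prints it with `%s`, so an attribute that fills the buffer would be read past its end — size it 129 bytes and set `context[context_len] = '\0';` after a successful read, or print with `%.*s`. In sebsd_create_vnode_from_vnode (whose signature begins before this hunk) the result of security_transition_sid is stored in `error` but never tested before newsid is copied into vsec->sid, so a lookup failure labels the child with an indeterminate SID; at minimum `if (error) { vsec->sid = SECINITSID_UNLABELED; return; }` mirrors the default sebsd_init_vnode uses. sebsd_relabel_vnode's `printf("relabel_vnode:: source=%d, dest=%d\n", ...)` runs on every relabel regardless of sebsd_verbose, unlike the other new diagnostics; gate it on `sebsd_verbose > 0`.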
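Review bot: SEBSD_MAC_EXTATTR_NAMESPACE expands to EXTATTR_NAMESPACE_SYSTEM, an identifier from sys/extattr.h, and as far as this hunk shows sebsd.h does not include that header itself, so the macro only resolves in translation units that already pull it in (the include added at the top of sebsd.c is presumably for this). Either include sys/extattr.h from sebsd.h or note the requirement beside the define. A comment on why the system namespace was chosen would also help, e.g. `/* system namespace: only privileged code may write it, so the persistent label cannot be rewritten by the file owner */`, since that property is what makes the stored label trustworthy.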
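Review bot: The description string for the new `verbose` sysctl has a leading space and does not say what the levels do: `" SEBSD Verbose Debug Stuff"`, whereas the sibling entry just above uses the form `"Debug Security Enhanced BSD policy"`. Suggest `"SEBSD hook debug verbosity (0 quiet, 1 exec transitions, 2 extattr label reads)"`, matching the thresholds sebsd.c tests.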