From owner-p4-projects  Wed Jul 24  6:57:26 2002
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 3678837B401; Wed, 24 Jul 2002 06:57:18 -0700 (PDT)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6EA9137B400
	for <perforce@freebsd.org>; Wed, 24 Jul 2002 06:57:17 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E807143E5E
	for <perforce@freebsd.org>; Wed, 24 Jul 2002 06:57:16 -0700 (PDT)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.12.4/8.12.4) with SMTP id g6ODv9Oo085622
	for <perforce@freebsd.org>; Wed, 24 Jul 2002 09:57:09 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Date: Wed, 24 Jul 2002 09:57:09 -0400 (EDT)
From: Robert Watson <rwatson@freebsd.org>
X-Sender: robert@fledge.watson.org
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: Re: PERFORCE change 14832 for review
In-Reply-To: <200207241356.g6ODuQgR020804@freefall.freebsd.org>
Message-ID: <Pine.NEB.3.96L.1020724095624.85202B-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-p4-projects@FreeBSD.ORG
Precedence: bulk
List-ID: <p4-projects.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20p4-projects>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20p4-projects>
X-Loop: FreeBSD.ORG


On Wed, 24 Jul 2002, Robert Watson wrote:

> http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14832
> 
> Change 14832 by rwatson@rwatson_paprika on 2002/07/24 06:56:16
> 
> 	Add MAC_TE_OPERATION_FILE_POLL.

Sigh.  I committed the wrong file.  This description should read:

- Implement mac_te_cred_check_mmap_perms() for mac_te
- Implement mac_te_cred_check_vnode_op() for mac_te

> 
> Affected files ...
> 
> .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#47 edit
> 
> Differences ...
> 
> ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#47 (text+ko) ====
> 
> @@ -92,6 +92,12 @@
>  TUNABLE_INT("security.mac.te.debug_transitions",
>      &mac_te_debug_transitions);
>  
> +static int	mac_te_revocation_enabled = 0;
> +SYSCTL_INT(_security_mac_te, OID_AUTO, revocation_enabled, CTLFLAG_RW,
> +    &mac_te_revocation_enabled, 0, "Revoke access to objects on relabel");
> +TUNABLE_INT("security.mac.te.revocation_enabled",
> +    &mac_te_revocation_enabled);
> +
>  static int labelslot;
>  #define	SLOT(l) ((struct mac_te *)LABEL_TO_SLOT((l), labelslot).l_ptr)
>  
> @@ -1498,6 +1504,69 @@
>  	return (error);
>  }
>  
> +static int
> +mac_te_cred_check_mmap_perms(struct ucred *cred, struct vnode *vp,
> +    struct label *label)
> +{
> +	struct mac_te *subj, *obj;
> +	vm_prot_t prot = 0;
> +
> +	if (!mac_biba_revocation_enabled)
> +		return (VM_PROT_ALL);
> +
> +	subj = SLOT(&cred->cr_label);
> +	obj = SLOT(label);
> +
> +	if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
> +	    MAC_TE_OPERATION_FILE_READ) == 0)
> +		prot |= VM_PROT_READ;
> +	if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
> +	    MAC_TE_OPERATION_FILE_EXEC) == 0)
> +		prot |= VM_PROT_EXECUTE;
> +	if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
> +	    MAC_TE_OPERATION_FILE_WRITE) == 0)
> +		prot |= VM_PROT_WRITE;
> +	return (prot);
> +}
> +
> +static int
> +mac_te_cred_check_vnode_op(struct ucred *cred, struct vnode *vp,
> +    struct label *label, int op)
> +{
> +	struct mac_te *subj, *obj;
> +	int error, te_class, te_op;
> +
> +	if (!mac_te_revocation_enabled)
> +		return (0);
> +
> +	subj = SLOT(&cred->cr_label);
> +	obj = SLOT(label);
> +
> +	te_class = MAC_TE_CLASS_FILE;
> +	switch (op) {
> +	case MAC_OP_VNODE_POLL:
> +		te_op = MAC_TE_OPERATION_FILE_POLL;
> +		break;
> +
> +	case MAC_OP_VNODE_READ:
> +		te_op = MAC_TE_OPERATION_FILE_READ;
> +		break;
> +
> +	case MAC_OP_VNODE_WRITE:
> +		te_op = MAC_TE_OPERATION_FILE_WRITE;
> +		break;
> +
> +	default:
> +		printf("mac_te_cred_check_vnode_op: unknown operation %d\n",
> +		    op);
> +		return (EINVAL);
> +	}
> +
> +	error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE, te_op);
> +
> +	return (error);
> +}
> +
>  static void
>  mac_te_update_devfsdirent_from_vnode(struct devfs_dirent *devfs_dirent,
>      struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
> @@ -1670,6 +1739,10 @@
>  	{ MAC_CRED_CHECK_SCHED_PROC, (macop_t)mac_te_cred_check_sched_proc },
>  	{ MAC_CRED_CHECK_SIGNAL_PROC, (macop_t)mac_te_cred_check_signal_proc },
>  	{ MAC_CRED_CHECK_STAT_VNODE, (macop_t)mac_te_cred_check_stat_vnode },
> +	{ MAC_CRED_CHEKC_VNODE_MMAP_PERMS,
> +	    (macop_t)mac_te_cred_check_mmap_perms },
> +	{ MAC_CRED_CHECK_VNODE_OP,
> +	    (macop_t)mac_te_cred_check_vnode_op },
>  	{ MAC_IFNET_CHECK_SEND_MBUF, (macop_t)mac_te_ifnet_check_send_mbuf },
>  	{ MAC_SOCKET_CHECK_RECEIVE_MBUF,
>  	    (macop_t)mac_te_socket_check_receive_mbuf },
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe p4-projects" in the body of the message