Date:      Wed, 24 Jul 2002 07:27:11 -0700 (PDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 14834 for review
Message-ID:  <200207241427.g6OERBn7027905@freefall.freebsd.org>

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14834

Change 14834 by rwatson@rwatson_paprika on 2002/07/24 07:26:41

	Implement mac_cred_check_vnode_op() for mls and biba, as well
	as correct bugs in the not enabled cases for these policies
	relating to bfeldman's mmap check (disabling the policy broke
	all mmaps for processes that changed their label, like login).

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#67 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#54 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#67 (text+ko) ====

@@ -98,6 +98,12 @@
 TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
     sizeof(trusted_interfaces));
 
+static int	mac_biba_revocation_enabled = 0;
+SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
+    &mac_biba_revocation_enabled, 0, "Revoke access to objects on relabel");
+TUNABLE_INT("security.mac.biba.revocation_enabled",
+    &mac_biba_revocation_enabled);
+
 static int	mac_biba_slot;
 #define	SLOT(l)	((struct mac_biba *)LABEL_TO_SLOT((l), mac_biba_slot).l_ptr)
 
@@ -1837,8 +1843,8 @@
 	struct mac_biba *subj, *obj;
 	vm_prot_t prot = 0;
 
-	if (!mac_biba_enabled)
-		return (0);
+	if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+		return (VM_PROT_ALL);
 
 	subj = SLOT(&cred->cr_label);
 	obj = SLOT(label);
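Review bot: The new early return at the top of this hunk flips the disabled-policy result from 0 (no protections) to VM_PROT_ALL, which is the fix the change description describes, but nothing in the code says why, and a later reader could easily "correct" it back to returning `prot`. Suggest a comment above the check: `/* Policy not enforcing (disabled or revocation off): do not restrict mmap protections. */`. The same applies to the matching hunk in mac_mls.c (the `!mac_mls_enabled || !mac_mls_revocation_enabled` return). The enclosing mmap_perms function begins and ends outside the hunk.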
@@ -1850,6 +1856,37 @@
 	return (prot);
 }
 
+static int
+mac_biba_cred_check_vnode_op(struct ucred *cred, struct vnode *vp,
+    struct label *label, int op)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(label);
+
+	switch (op) {
+	case MAC_OP_VNODE_POLL:
+	case MAC_OP_VNODE_READ:
+		if (!mac_biba_dominate_single(obj, subj))
+			return (EACCES);
+		return (0);
+
+	case MAC_OP_VNODE_WRITE:
+		if (!mac_biba_dominate_single(subj, obj))
+			return (EACCES);
+		return (0);
+
+	default:
+		printf("mac_biba_cred_check_vnode_op: unknown operation %d\n",
+		    op);
+		return (EINVAL);
+	}
+}
+
 static struct mac_policy_op_entry mac_biba_ops[] =
 {
 	{ MAC_DESTROY,
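Review bot: The dominance directions in `mac_biba_cred_check_vnode_op` are the mirror image of those in the new `mac_mls_cred_check_vnode_op` (read requires `obj` to dominate `subj` here, `subj` to dominate `obj` there), which is correct for an integrity versus a confidentiality lattice but is exactly the kind of asymmetry a reader "fixes" when there is no comment. Suggest a comment above the switch, e.g. `/* Biba: read/poll only from objects of equal or higher integrity; write only to objects of equal or lower integrity. */`, with the converse in the MLS version. The `default:` branch also emits an unbounded `printf()` on every call; if the op set grows without this switch being updated, that message fires on each vnode operation, so a one-time or rate-limited log would be safer. Failing closed with EINVAL for unknown ops is the right default and should stay.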
@@ -2048,6 +2085,8 @@
 	    (macop_t)mac_biba_socket_check_receive_mbuf },
 	{ MAC_CRED_CHECK_VNODE_MMAP_PERMS,
 	    (macop_t)mac_biba_cred_check_vnode_mmap_perms },
+	{ MAC_CRED_CHECK_VNODE_OP,
+	    (macop_t)mac_biba_cred_check_vnode_op },
 	{ MAC_OP_LAST, NULL }
 };
 

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#54 (text+ko) ====

@@ -87,6 +87,12 @@
 SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
     &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
 
+static int	mac_mls_revocation_enabled = 0;
+SYSCTL_INT(_security_mac_mls, OID_AUTO, revocation_enabled, CTLFLAG_RW,
+    &revocation_enabled, 0, "Revoke access to objects on relabel");
+TUNABLE_INT("security.mac.mls.revocation_enabled",
+    &mac_mls_revocation_enabled);
+
 static int	mac_mls_slot;
 #define	SLOT(l)	((struct mac_mls *)LABEL_TO_SLOT((l), mac_mls_slot).l_ptr)
 
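Review bot: The SYSCTL_INT on the third line of this hunk points at `&revocation_enabled` while the variable declared on the line above and read by the new checks is `mac_mls_revocation_enabled`; the biba hunk uses the matching name. Unless a separate file-scope `revocation_enabled` exists elsewhere in mac_mls.c this will not compile, and if one does, the `security.mac.mls.revocation_enabled` sysctl would toggle a variable the policy never consults while the TUNABLE_INT sets the real one. Change the line to `&mac_mls_revocation_enabled, 0, "Revoke access to objects on relabel");`.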
@@ -1776,8 +1782,8 @@
 	struct mac_mls *subj, *obj;
 	vm_prot_t prot = 0;
 
-	if (!mac_mls_enabled)
-		return (0);
+	if (!mac_mls_enabled || !mac_mls_revocation_enabled)
+		return (VM_PROT_ALL);
 
 	subj = SLOT(&cred->cr_label);
 	obj = SLOT(label);
@@ -1789,6 +1795,37 @@
 	return (prot);
 }
 
+static int
+mac_mls_cred_check_vnode_op(struct ucred *cred, struct vnode *vp,
+    struct label *label, int op)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mac_mls_enabled || !mac_mls_revocation_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(label);
+
+	switch (op) {
+	case MAC_OP_VNODE_POLL:
+	case MAC_OP_VNODE_READ:
+		if (!mac_mls_dominate_single(subj, obj))
+			return (EACCES);
+		return (0);
+
+	case MAC_OP_VNODE_WRITE:
+		if (!mac_mls_dominate_single(obj, subj))
+			return (EACCES);
+		return (0);
+
+	default:
+		printf("mac_mls_cred_check_vnode_op: unknown operation %d\n",
+		    op);
+		return (EINVAL);
+	}
+}
+
 static struct mac_policy_op_entry mac_mls_ops[] =
 {
 	{ MAC_DESTROY,
@@ -1987,6 +2024,8 @@
 	    (macop_t)mac_mls_socket_check_receive_mbuf },
 	{ MAC_CRED_CHECK_VNODE_MMAP_PERMS,
 	    (macop_t)mac_mls_cred_check_vnode_mmap_perms },
+	{ MAC_CRED_CHECK_VNODE_OP,
+	    (macop_t)mac_mls_cred_check_vnode_op },
 	{ MAC_OP_LAST, NULL }
 };
 




