From owner-p4-projects Wed Jul 24 8:58: 5 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 6E46937B401; Wed, 24 Jul 2002 08:57:33 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 27A4D37B400 for ; Wed, 24 Jul 2002 08:57:33 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id A4B4843E42 for ; Wed, 24 Jul 2002 08:57:32 -0700 (PDT) (envelope-from green@freebsd.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6OFvWJU041986 for ; Wed, 24 Jul 2002 08:57:32 -0700 (PDT) (envelope-from green@freebsd.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6OFvW1S041983 for perforce@freebsd.org; Wed, 24 Jul 2002 08:57:32 -0700 (PDT) Date: Wed, 24 Jul 2002 08:57:32 -0700 (PDT) Message-Id: <200207241557.g6OFvW1S041983@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to green@freebsd.org using -f 
From: Brian Feldman Subject: PERFORCE change 14845 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14845 Change 14845 by green@green_laptop_2 on 2002/07/24 08:56:44 Add an "int newmapping" argument to MAC_CRED_CHECK_MMAP_VNODE_PERMS. Use vm_prot_t instead of u_char in mac_policy.h, and include vm/vm.h in places where sys/mac_policy.h is included. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#193 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#68 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#43 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#9 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#56 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#45 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#5 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#10 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#50 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#15 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#3 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#14 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#121 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#86 edit .. //depot/projects/trustedbsd/mac/sys/vm/vm_mmap.c#9 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#193 (text+ko) ==== @@ -57,7 +57,6 @@ #include #include #include -#include #include #include #include @@ -70,6 +69,8 @@ #include #include +#include + #include #include 
@@ -145,6 +146,10 @@ static int mac_vnode_label_cache_misses = 0; SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); +static int mac_mmap_revocation_via_cow = 1; +SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, + &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " + "copy-on-write semantics, or by removing all write access"); static int error_select(int error1, int error2); static int mac_externalize(struct label *label, struct mac *mac); @@ -330,13 +335,8 @@ if (object->type != OBJT_VNODE) continue; vp = (struct vnode *)object->handle; - result = VM_PROT_ALL; - /* - * This should be some sort of MAC_BITWISE, maybe :) - */ vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - MAC_BOOLEAN(cred_check_vnode_mmap_perms, &, cred, - vp, &vp->v_label); + result = mac_cred_check_mmap_vnode_prot(cred, vp, 0); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing @@ -377,11 +377,14 @@ vm_object_deallocate(object); /* * Why bother if there's no read permissions - * anymore? For the rest of it, we need to - * leave the write permissions on for COW - * to happen. + * anymore? For the rest, we need to leave + * the write permissions on for COW, or + * remove them entirely if configured to. */ - if ((revokeperms & VM_PROT_READ) == 0) + if (!mac_mmap_revocation_via_cow) { + vme->max_protection &= ~VM_PROT_WRITE; + vme->protection &= ~VM_PROT_WRITE; + } if ((revokeperms & VM_PROT_READ) == 0) vme->eflags |= MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY; } 
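Review bot: The description string on the new `mmap_revocation_via_cow` sysctl in the `@@ -145,6 +146,10 @@` hunk names both revocation behaviours but not which value selects which, and the knob is `CTLFLAG_RW` on a security-relevant path. Going by the `!mac_mmap_revocation_via_cow` test later in this file, 0 strips write access and non-zero keeps the copy-on-write behaviour, so I would spell that out: `"Revoke mmap access to files via copy-on-write semantics (1), or by removing all write access (0)"`. A one-line comment above the variable saying that the default of 1 preserves the previous behaviour would also help.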
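Review bot: In the `@@ -377,11 +377,14 @@` hunk the new `if (!mac_mmap_revocation_via_cow) { ... }` block is followed directly by `if ((revokeperms & VM_PROT_READ) == 0)` with no `else`. When the sysctl is 0 and that second test passes, the entry therefore loses `VM_PROT_WRITE` and is still marked `MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY`. The rewritten comment presents these as alternatives, which suggests `} else if ((revokeperms & VM_PROT_READ) == 0)` was intended (line layout is collapsed in this view, so confirm against the file). The new branch also clears write from `protection` and `max_protection` without testing `revokeperms & VM_PROT_WRITE`; if nothing earlier in the loop guarantees that bit is set, entries being revoked for another reason would lose write access too. The enclosing loop starts and ends outside the hunk.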
@@ -1864,6 +1867,21 @@ return (error); } +vm_prot_t +mac_cred_check_mmap_vnode_prot(struct ucred *cred, struct vnode *vp, + int newmapping) +{ + vm_prot_t result = VM_PROT_ALL; + + /* + * This should be some sort of MAC_BITWISE, maybe :) + */ + ASSERT_VOP_LOCKED(vp, "mac_cred_check_mmap_vnode_perms"); + MAC_BOOLEAN(cred_check_vnode_mmap_perms, &, cred, vp, &vp->v_label, + newmapping); + return (result); +} + int mac_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#68 (text+ko) ==== @@ -54,7 +54,6 @@ #include #include #include -#include #include #include #include @@ -72,6 +71,8 @@ #include +#include + #include SYSCTL_DECL(_security_mac); @@ -1836,14 +1837,14 @@ return (mac_biba_equal_single(p, s) ? 0 : EACCES); } -static int +static vm_prot_t mac_biba_cred_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, - struct label *label) + struct label *label, int newmapping) { struct mac_biba *subj, *obj; vm_prot_t prot = 0; - if (!mac_biba_enabled || !mac_biba_revocation_enabled) + if (!mac_biba_enabled || (!mac_biba_revocation_enabled && !newmapping)) return (VM_PROT_ALL); subj = SLOT(&cred->cr_label); ==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#43 (text+ko) ==== @@ -57,7 +57,6 @@ #include #include #include -#include #include #include #include @@ -68,6 +67,10 @@ #include #include +#include + +#include + #include SYSCTL_DECL(_security_mac); ==== //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#9 (text+ko) ==== @@ -55,7 +55,6 @@ #include #include #include -#include #include #include #include @@ -66,6 +65,10 @@ #include #include +#include + +#include + SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, ifoff, CTLFLAG_RW, 0, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#56 (text+ko) ==== @@ -54,7 +54,6 @@ #include #include #include -#include #include #include #include 
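Review bot: The `ASSERT_VOP_LOCKED` message in the new `mac_cred_check_mmap_vnode_prot()` (hunk `@@ -1864,6 +1867,21 @@`) reads `"mac_cred_check_mmap_vnode_perms"`, which is not this function's name, so a failed lock assertion would point at the wrong place; use `ASSERT_VOP_LOCKED(vp, "mac_cred_check_mmap_vnode_prot");`. The function also lacks a header comment, and its contract differs from the `int`-returning checks next to it. It returns a protection mask that starts at `VM_PROT_ALL` and appears to be narrowed by each policy through `MAC_BOOLEAN(..., &, ...)`, not an errno. I would add a short comment above the definition stating that the result is the set of protections the policies permit, that `vp` must be locked, and that a non-zero `newmapping` makes the Biba, MLS and TE policies evaluate the label even when their revocation knob is off. That keeps future callers from treating the return value as an error code.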
@@ -72,6 +71,8 @@ #include +#include + #include SYSCTL_DECL(_security_mac); @@ -1775,14 +1776,14 @@ return (mac_mls_equal_single(p, s) ? 0 : EACCES); } -static int +static vm_prot_t mac_mls_cred_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, - struct label *label) + struct label *label, int newmapping) { struct mac_mls *subj, *obj; vm_prot_t prot = 0; - if (!mac_mls_enabled || !mac_mls_revocation_enabled) + if (!mac_mls_enabled || (!mac_mls_revocation_enabled && !newmapping)) return (VM_PROT_ALL); subj = SLOT(&cred->cr_label); ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#45 (text+ko) ==== @@ -54,7 +54,6 @@ #include #include #include -#include #include #include #include @@ -70,6 +69,10 @@ #include #include +#include + +#include + SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, none, CTLFLAG_RW, 0, ==== //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#5 (text+ko) ==== @@ -53,7 +53,6 @@ #include #include #include -#include #include #include #include @@ -66,6 +65,10 @@ #include #include +#include + +#include + SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, partition, CTLFLAG_RW, 0, ==== //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#10 (text+ko) ==== @@ -54,7 +54,6 @@ #include #include #include -#include #include #include #include @@ -65,6 +64,10 @@ #include #include +#include + +#include + SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, seeotheruids, CTLFLAG_RW, 0, ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#50 (text+ko) ==== @@ -54,7 +54,6 @@ #include #include #include -#include #include #include #include @@ -65,6 +64,10 @@ #include #include +#include + +#include + #include #include 
@@ -1506,14 +1509,14 @@ return (error); } -static int -mac_te_cred_check_mmap_perms(struct ucred *cred, struct vnode *vp, - struct label *label) +static vm_prot_t +mac_te_cred_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, + struct label *label, int newmapping) { struct mac_te *subj, *obj; vm_prot_t prot = 0; - if (!mac_te_revocation_enabled) + if (!mac_te_enabled || (!mac_te_revocation_enabled && !newmapping)) return (VM_PROT_ALL); subj = SLOT(&cred->cr_label); @@ -1742,7 +1745,7 @@ { MAC_CRED_CHECK_SIGNAL_PROC, (macop_t)mac_te_cred_check_signal_proc }, { MAC_CRED_CHECK_STAT_VNODE, (macop_t)mac_te_cred_check_stat_vnode }, { MAC_CRED_CHECK_VNODE_MMAP_PERMS, - (macop_t)mac_te_cred_check_mmap_perms }, + (macop_t)mac_te_cred_check_vnode_mmap_perms }, { MAC_CRED_CHECK_VNODE_OP, (macop_t)mac_te_cred_check_vnode_op }, { MAC_IFNET_CHECK_SEND_MBUF, (macop_t)mac_te_ifnet_check_send_mbuf }, ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#15 (text+ko) ==== @@ -54,7 +54,6 @@ #include #include #include -#include #include #include #include @@ -67,6 +66,10 @@ #include #include +#include + +#include + SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#3 (text+ko) ==== @@ -25,6 +25,9 @@ #include #include #include + +#include + #include #include ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#14 (text+ko) ==== @@ -47,6 +47,9 @@ #include #include #include + +#include + #include #include ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#121 (text+ko) ==== 
@@ -286,6 +286,9 @@ struct vnode *vp, struct componentname *cnp); int mac_cred_check_rename_to_vnode(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp); +/* XXX This u_char should be vm_prot_t! */ +u_char mac_cred_check_mmap_vnode_prot(struct ucred *cred, struct vnode *vp, + int newmapping); int mac_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, mode_t acc_mode); int mac_cred_check_readdir_vnode(struct ucred *cred, struct vnode *vp); ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#86 (text+ko) ==== @@ -313,9 +313,8 @@ struct proc *proc, int signum); int (*mpo_cred_check_stat_vnode)(struct ucred *cred, struct vnode *vp, struct label *label); - /* XXX should be vm_prot_t, not u_char directly */ - u_char (*mpo_cred_check_vnode_mmap_perms)(struct ucred *cred, - struct vnode *vp, struct label *label); + vm_prot_t (*mpo_cred_check_vnode_mmap_perms)(struct ucred *cred, + struct vnode *vp, struct label *label, int newmapping); int (*mpo_cred_check_vnode_op)(struct ucred *cred, struct vnode *vp, struct label *label, int op); int (*mpo_ifnet_check_send_mbuf)(struct ifnet *ifnet, ==== //depot/projects/trustedbsd/mac/sys/vm/vm_mmap.c#9 (text+ko) ==== @@ -46,6 +46,7 @@ */ #include "opt_compat.h" +#include "opt_mac.h" #include #include @@ -60,6 +61,7 @@ #include #include #include +#include #include #include #include 
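Review bot: The prototype added to mac.h in `@@ -286,6 +286,9 @@` declares `mac_cred_check_mmap_vnode_prot()` as returning `u_char`, while the definition added in kern_mac.c returns `vm_prot_t`. The two agree only while `vm_prot_t` happens to be a `u_char` typedef, and if that ever widens the declaration would silently truncate a protection mask at every call site. The commit already switches the `mpo_cred_check_vnode_mmap_perms` pointer in mac_policy.h to `vm_prot_t`, so I would do the same here rather than leave the XXX: `vm_prot_t mac_cred_check_mmap_vnode_prot(struct ucred *cred, struct vnode *vp, int newmapping);`, with the header that defines `vm_prot_t` included ahead of mac.h by its consumers.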
@@ -421,6 +423,24 @@ } mtx_unlock(&Giant); +#ifdef MAC + if (handle != NULL) { + if (flags & MAP_SHARED) { + vm_prot_t macmaxprot; + + macmaxprot = mac_cred_check_mmap_vnode_prot( + td->td_ucred, (struct vnode *)handle, 1); + if ((maxprot & macmaxprot) != maxprot) { + error = EPERM; + goto done; + } + } + /* + * XXX Policies (e.g. LOMAC) should possibly check for a read + * operation here. + */ + } +#endif /* MAC */ error = vm_mmap(&vms->vm_map, &addr, size, prot, maxprot, flags, handle, pos); if (error == 0) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
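Review bot: The new call to `mac_cred_check_mmap_vnode_prot()` in the `#ifdef MAC` block has no vnode lock visible around it, yet the function added in kern_mac.c begins with `ASSERT_VOP_LOCKED(vp, ...)` and the other caller in this change brackets the call with `vn_lock()` and `VOP_UNLOCK()`. Unless the vnode is already locked by code outside this hunk, the label is read unlocked and the assertion would fire on a debug kernel. I would wrap the call the same way, with `vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);` before it and `VOP_UNLOCK(vp, 0, td);` after. Separately, the denial path sets `error = EPERM` where the policy checks visible elsewhere in this change return `EACCES`, so the errno for a MAC refusal is worth choosing deliberately. The enclosing function starts and ends outside the hunk.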