From owner-p4-projects Sun Jul 28 16:13:28 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D888A37B401; Sun, 28 Jul 2002 16:12:26 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 72D3C37B400 for ; Sun, 28 Jul 2002 16:12:26 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B719743E3B for ; Sun, 28 Jul 2002 16:12:25 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6SNCPJU012341 for ; Sun, 28 Jul 2002 16:12:25 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6SNCPuR012338 for perforce@freebsd.org; Sun, 28 Jul 2002 16:12:25 -0700 (PDT) Date: Sun, 28 Jul 2002 16:12:25 -0700 (PDT) Message-Id: <200207282312.g6SNCPuR012338@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson Subject: PERFORCE change 15078 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15078 Change 15078 by rwatson@rwatson_paprika on 2002/07/28 16:11:27 Rename the various relabel checks to the new entry point naming convention. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#203 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#80 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#68 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#55 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#9 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#60 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#25 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#17 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#96 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#203 (text+ko) ==== @@ -162,10 +162,10 @@ static int mac_policy_unregister(struct mac_policy_conf *mpc); static int mac_stdcreatevnode_ea(struct vnode *vp); -static void mac_subject_mmapped_drop_perms(struct thread *td, - struct ucred *cred); -static void mac_subject_mmapped_drop_perms_recurse(struct thread *td, - struct ucred *cred, struct vm_map *map); +static void mac_subject_mmapped_drop_perms(struct thread *td, + struct ucred *cred); +static void mac_subject_mmapped_drop_perms_recurse(struct thread *td, + struct ucred *cred, struct vm_map *map); /* * mac_policy_list_lock protects the consistency of 'mac_policy_list', 
@@ -654,10 +654,18 @@ mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function; break; + case MAC_CHECK_CRED_RELABEL: + mpc->mpc_ops->mpo_check_cred_relabel = + mpe->mpe_function; + break; case MAC_CHECK_CRED_VISIBLE: mpc->mpc_ops->mpo_check_cred_visible = mpe->mpe_function; break; + case MAC_CHECK_IFNET_RELABEL: + mpc->mpc_ops->mpo_check_ifnet_relabel = + mpe->mpe_function; + break; case MAC_CHECK_IFNET_TRANSMIT: mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; @@ -666,6 +674,10 @@ mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; break; + case MAC_CHECK_PIPE_RELABEL: + mpc->mpc_ops->mpo_check_pipe_relabel = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -694,30 +706,14 @@ mpc->mpc_ops->mpo_check_socket_receive = mpe->mpe_function; break; + case MAC_CHECK_SOCKET_RELABEL: + mpc->mpc_ops->mpo_check_socket_relabel = + mpe->mpe_function; + break; case MAC_CHECK_SOCKET_VISIBLE: mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; - case MAC_CHECK_RELABEL_IFNET: - mpc->mpc_ops->mpo_check_relabel_ifnet = - mpe->mpe_function; - break; - case MAC_CHECK_RELABEL_PIPE: - mpc->mpc_ops->mpo_check_relabel_pipe = - mpe->mpe_function; - break; - case MAC_CHECK_RELABEL_SOCKET: - mpc->mpc_ops->mpo_check_relabel_socket = - mpe->mpe_function; - break; - case MAC_CHECK_RELABEL_SUBJECT: - mpc->mpc_ops->mpo_check_relabel_subject = - mpe->mpe_function; - break; - case MAC_CHECK_RELABEL_VNODE: - mpc->mpc_ops->mpo_check_relabel_vnode = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; @@ -770,6 +766,10 @@ mpc->mpc_ops->mpo_check_vnode_readlink = mpe->mpe_function; break; + case MAC_CHECK_VNODE_RELABEL: + mpc->mpc_ops->mpo_check_vnode_relabel = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_RENAME_FROM: mpc->mpc_ops->mpo_check_vnode_rename_from = mpe->mpe_function; 
@@ -1667,39 +1667,6 @@ MAC_PERFORM(create_subject, parent_cred, child_cred); } -/* - * Processes may need to modify their current subject label if they - * perform multi-level activities, or proxy data between levels. - * This function determines if a particular label change is permitted. - * 0 is returned for success, otherwise an errno. - */ -static int -mac_check_relabel_subject(struct ucred *cred, struct label *newlabel) -{ - int error; - - MAC_CHECK(check_relabel_subject, cred, newlabel); - - return (error); -} - -static int -mac_check_relabel_vnode(struct ucred *cred, struct vnode *vp, - struct label *newlabel) -{ - int error; - - ASSERT_VOP_LOCKED(vp, "mac_check_relabel_vnode"); - - error = vn_refreshlabel(vp, cred); - if (error) - return (error); - - MAC_CHECK(check_relabel_vnode, cred, vp, &vp->v_label, newlabel); - - return (error); -} - int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) { @@ -1914,6 +1881,23 @@ return (error); } +static int +mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, + struct label *newlabel) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); + + return (error); +} + int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) { @@ -2347,29 +2331,6 @@ &mbuf->m_pkthdr.label); } -static int -mac_check_relabel_socket(struct ucred *cred, struct socket *socket, - struct label *newlabel) -{ - int error; - - MAC_CHECK(check_relabel_socket, cred, socket, &socket->so_label, - newlabel); - - return (error); -} - -static int -mac_check_relabel_pipe(struct ucred *cred, struct pipe *pipe, - struct label *newlabel) -{ - int error; - - MAC_CHECK(check_relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); - - return (error); -} - int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) { 
@@ -2421,6 +2382,16 @@ return (error); } +static int +mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) +{ + int error; + + MAC_CHECK(check_cred_relabel, cred, newlabel); + + return (error); +} + int mac_check_cred_visible(struct ucred *u1, struct ucred *u2) { @@ -2466,6 +2437,17 @@ return (error); } +static int +mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, + struct label *newlabel) +{ + int error; + + MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); + + return (error); +} + int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { @@ -2561,6 +2543,18 @@ return (error); } +static int +mac_check_socket_relabel(struct ucred *cred, struct socket *socket, + struct label *newlabel) +{ + int error; + + MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, + newlabel); + + return (error); +} + int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { @@ -2613,7 +2607,7 @@ if (error) goto out; - MAC_CHECK(check_relabel_ifnet, cred, ifnet, &ifnet->if_label, + MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) goto out; @@ -2722,7 +2716,7 @@ if (error) return (error); - mac_check_relabel_socket(cred, so, &intlabel); + mac_check_socket_relabel(cred, so, &intlabel); if (error) { mac_destroy_temp(&intlabel); return (error); @@ -2739,7 +2733,7 @@ { int error; - error = mac_check_relabel_pipe(cred, pipe, label); + error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); @@ -2824,7 +2818,7 @@ * update the actual vnode label. Question: maybe the filesystem * should update the vnode at the end as part of VOP_SETLABEL()? */ - error = mac_check_relabel_vnode(cred, vp, intlabel); + error = mac_check_vnode_relabel(cred, vp, intlabel); if (error) return (error); 
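Review bot: `mac_check_cred_relabel()` in the `@@ -2421,6 +2382,16 @@` hunk is added without the block comment that the removed `mac_check_relabel_subject()` carried, so the contract of this entry point is no longer stated next to the code. I would carry it over above the new function, reworded for the new name: `/* Determine whether cred may change its label to newlabel; returns 0 on success, otherwise an errno. */`. The same one-line contract would help on `mac_check_pipe_relabel()`, `mac_check_socket_relabel()` and `mac_check_vnode_relabel()`, which are added in this file without any comment.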
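Review bot: The call `mac_check_socket_relabel(cred, so, &intlabel);` in the `@@ -2722,7 +2716,7 @@` hunk discards its return value, so the `if (error)` that follows only re-tests the result of the earlier call, which has already been returned when non-zero. A policy's refusal of a socket relabel therefore never reaches this caller, and presumably the relabel goes ahead; the rename carries the omission over from the old line unchanged. The line should read `error = mac_check_socket_relabel(cred, so, &intlabel);`, as the pipe, vnode and cred call sites in the neighbouring hunks already do. The enclosing function starts and ends outside the hunk.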
@@ -2890,7 +2884,7 @@ PROC_LOCK(p); oldcred = p->p_ucred; - error = mac_check_relabel_subject(oldcred, &intlabel); + error = mac_check_cred_relabel(oldcred, &intlabel); if (error) { PROC_UNLOCK(p); mac_destroy_temp(&intlabel); ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#80 (text+ko) ==== @@ -1181,6 +1181,44 @@ } static int +mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel) +{ + struct mac_biba *subj, *new; + + subj = SLOT(&cred->cr_label); + new = SLOT(newlabel); + + if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) + return (EINVAL); + + /* + * XXX: Allow processes with root privilege to set labels outside + * their range, so suid things like "su" work. This WILL go away + * when we figure out the 'correct' solution... + */ + if (!suser_cred(cred, 0)) + return (0); + + /* + * The new single must be in the old range. + */ + if (!mac_biba_single_in_range(new, subj)) + return (EPERM); + + /* + * The new range must be in the old range. + */ + if (!mac_biba_range_in_range(new, subj)) + return (EPERM); + + /* + * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. + */ + + return (0); +} + +static int mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2) { struct mac_biba *subj, *obj; @@ -1198,6 +1236,26 @@ return (0); } +static int +mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, + struct label *ifnetlabel, struct label *newlabel) +{ + struct mac_biba *subj, *new; + + subj = SLOT(&cred->cr_label); + new = SLOT(newlabel); + + if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) + return (EINVAL); + + /* + * XXX: Only Biba HIGH subjects may relabel interfaces. */ + if (!mac_biba_high_single(subj)) + return (EPERM); + + return (suser_cred(cred, 0)); +} + static int mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) 
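Review bot: In `mac_biba_check_cred_relabel()` (hunk `@@ -1181,6 +1181,44 @@`) the `if (!suser_cred(cred, 0)) return (0);` branch returns success before the single-in-range and range-in-range tests, so a credential that passes `suser_cred` can take any Biba label that has both flags set. The XXX comment marks this as temporary, and the trailing `XXX: Don't permit EQUAL ...` comment describes a check that has no code behind it. Until both are resolved I would state it in a header comment on the function, e.g. `/* NOTE: superuser bypasses the range checks below; EQUAL is not yet restricted. */`, so a reader of the policy does not assume the range is enforced for privileged subjects. `mac_mls_check_cred_relabel()` in the mac_mls.c section has the same shape.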
@@ -1232,6 +1290,40 @@ } static int +mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, struct label *newlabel) +{ + struct mac_biba *subj, *obj, *new; + + new = SLOT(newlabel); + subj = SLOT(&cred->cr_label); + obj = SLOT(pipelabel); + + if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) + return (EINVAL); + + /* + * To relabel a pipe, the old pipe label must be in the subject + * range. + */ + if (!mac_biba_single_in_range(obj, subj)) + return (EPERM); + + /* + * To relabel a pipe, the new pipe label must be in the subject + * range. + */ + if (!mac_biba_single_in_range(new, subj)) + return (EPERM); + + /* + * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. + */ + + return (0); +} + +static int mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc) { struct mac_biba *subj, *obj; @@ -1307,42 +1399,7 @@ } static int -mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket, - struct label *socketlabel) -{ - struct mac_biba *subj, *obj; - - subj = SLOT(&cred->cr_label); - obj = SLOT(socketlabel); - - if (!mac_biba_dominate_single(obj, subj)) - return (ENOENT); - - return (0); -} - -static int -mac_biba_check_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, - struct label *ifnetlabel, struct label *newlabel) -{ - struct mac_biba *subj, *new; - - subj = SLOT(&cred->cr_label); - new = SLOT(newlabel); - - if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) - return (EINVAL); - - /* - * XXX: Only Biba HIGH subjects may relabel interfaces. */ - if (!mac_biba_high_single(subj)) - return (EPERM); - - return (suser_cred(cred, 0)); -} - -static int -mac_biba_check_relabel_socket(struct ucred *cred, struct socket *socket, +mac_biba_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { struct mac_biba *subj, *obj, *new; 
@@ -1376,112 +1433,21 @@ } static int -mac_biba_check_relabel_pipe(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, struct label *newlabel) +mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket, + struct label *socketlabel) { - struct mac_biba *subj, *obj, *new; + struct mac_biba *subj, *obj; - new = SLOT(newlabel); subj = SLOT(&cred->cr_label); - obj = SLOT(pipelabel); + obj = SLOT(socketlabel); - if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) - return (EINVAL); - - /* - * To relabel a pipe, the old pipe label must be in the subject - * range. - */ - if (!mac_biba_single_in_range(obj, subj)) - return (EPERM); - - /* - * To relabel a pipe, the new pipe label must be in the subject - * range. - */ - if (!mac_biba_single_in_range(new, subj)) - return (EPERM); - - /* - * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. - */ - - return (0); -} - -static int -mac_biba_check_relabel_subject(struct ucred *cred, struct label *newlabel) -{ - struct mac_biba *subj, *new; - - subj = SLOT(&cred->cr_label); - new = SLOT(newlabel); - - if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) - return (EINVAL); - - /* - * XXX: Allow processes with root privilege to set labels outside - * their range, so suid things like "su" work. This WILL go away - * when we figure out the 'correct' solution... - */ - if (!suser_cred(cred, 0)) - return (0); - - /* - * The new single must be in the old range. - */ - if (!mac_biba_single_in_range(new, subj)) - return (EPERM); - - /* - * The new range must be in the old range. - */ - if (!mac_biba_range_in_range(new, subj)) - return (EPERM); - - /* - * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. 
- */ + if (!mac_biba_dominate_single(obj, subj)) + return (ENOENT); return (0); } static int -mac_biba_check_relabel_vnode(struct ucred *cred, struct vnode *vp, - struct label *vnodelabel, struct label *newlabel) -{ - struct mac_biba *old, *new, *subj; - - old = SLOT(vnodelabel); - new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); - - if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) - return (EINVAL); - - /* - * To relabel a vnode, the old vnode label must be in the subject - * range. - */ - if (!mac_biba_single_in_range(old, subj)) - return (EPERM); - - /* - * To relabel a vnode, the new vnode label must be in the subject - * range. - */ - if (!mac_biba_single_in_range(new, subj)) - return (EPERM); - - /* - * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. - */ - - return (suser_cred(cred, 0)); -} - -static int mac_biba_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { @@ -1719,6 +1685,40 @@ } static int +mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp, + struct label *vnodelabel, struct label *newlabel) +{ + struct mac_biba *old, *new, *subj; + + old = SLOT(vnodelabel); + new = SLOT(newlabel); + subj = SLOT(&cred->cr_label); + + if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) + return (EINVAL); + + /* + * To relabel a vnode, the old vnode label must be in the subject + * range. + */ + if (!mac_biba_single_in_range(old, subj)) + return (EPERM); + + /* + * To relabel a vnode, the new vnode label must be in the subject + * range. + */ + if (!mac_biba_single_in_range(new, subj)) + return (EPERM); + + /* + * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. + */ + + return (suser_cred(cred, 0)); +} + +static int mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) 
@@ -2142,12 +2142,18 @@ (macop_t)mac_biba_relabel_subject }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_biba_check_bpfdesc_receive }, + { MAC_CHECK_CRED_RELABEL, + (macop_t)mac_biba_check_cred_relabel }, { MAC_CHECK_CRED_VISIBLE, (macop_t)mac_biba_check_cred_visible }, + { MAC_CHECK_IFNET_RELABEL, + (macop_t)mac_biba_check_ifnet_relabel }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_biba_check_ifnet_transmit }, { MAC_CHECK_MOUNT_STAT, (macop_t)mac_biba_check_mount_stat }, + { MAC_CHECK_PIPE_RELABEL, + (macop_t)mac_biba_check_pipe_relabel }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_biba_check_proc_debug }, { MAC_CHECK_PROC_SCHED, @@ -2156,18 +2162,10 @@ (macop_t)mac_biba_check_proc_signal }, { MAC_CHECK_SOCKET_RECEIVE, (macop_t)mac_biba_check_socket_receive }, + { MAC_CHECK_SOCKET_RELABEL, + (macop_t)mac_biba_check_socket_relabel }, { MAC_CHECK_SOCKET_VISIBLE, (macop_t)mac_biba_check_socket_visible }, - { MAC_CHECK_RELABEL_IFNET, - (macop_t)mac_biba_check_relabel_ifnet }, - { MAC_CHECK_RELABEL_PIPE, - (macop_t)mac_biba_check_relabel_pipe }, - { MAC_CHECK_RELABEL_SOCKET, - (macop_t)mac_biba_check_relabel_socket }, - { MAC_CHECK_RELABEL_SUBJECT, - (macop_t)mac_biba_check_relabel_subject }, - { MAC_CHECK_RELABEL_VNODE, - (macop_t)mac_biba_check_relabel_vnode }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_biba_check_vnode_access }, { MAC_CHECK_VNODE_CHDIR, @@ -2198,6 +2196,8 @@ (macop_t)mac_biba_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, (macop_t)mac_biba_check_vnode_readlink }, + { MAC_CHECK_VNODE_RELABEL, + (macop_t)mac_biba_check_vnode_relabel }, { MAC_CHECK_VNODE_RENAME_FROM, (macop_t)mac_biba_check_vnode_rename_from }, { MAC_CHECK_VNODE_RENAME_TO, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#68 (text+ko) ==== 
@@ -1130,6 +1130,45 @@ } static int +mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) +{ + struct mac_mls *subj, *new; + + subj = SLOT(&cred->cr_label); + new = SLOT(newlabel); + + if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAGS_BOTH) + return (EINVAL); + + /* + * XXX: Allow processes with root privilege to set labels outside + * their range, so suid things like "su" work. This WILL go away + * when we figure out the 'correct' solution... + */ + if (!suser_cred(cred, 0)) + return (0); + + /* + * The new single must be in the old range. + */ + if (!mac_mls_single_in_range(new, subj)) + return (EPERM); + + /* + * The new range must be in the old range. + */ + if (!mac_mls_range_in_range(new, subj)) + return (EPERM); + + /* + * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. + */ + + return (0); +} + + +static int mac_mls_check_cred_visible(struct ucred *u1, struct ucred *u2) { struct mac_mls *subj, *obj; @@ -1148,6 +1187,23 @@ } static int +mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, + struct label *ifnetlabel, struct label *newlabel) +{ + struct mac_mls *subj, *new; + + subj = SLOT(&cred->cr_label); + new = SLOT(newlabel); + + if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAGS_BOTH) + return (EINVAL); + + /* XXX: privilege model here? */ + + return (suser_cred(cred, 0)); +} + +static int mac_mls_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { 
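Review bot: `mac_mls_check_ifnet_relabel()` (hunk `@@ -1148,6 +1187,23 @@`) assigns `subj = SLOT(&cred->cr_label);` but never reads it, so the decision rests only on the flag test and `suser_cred(cred, 0)` and the caller's MLS label plays no part. The Biba counterpart in this change additionally requires `mac_biba_high_single(subj)`. If the MLS behaviour is intended while the "privilege model" question is open, I would drop the unused local and make the comment say what is enforced, e.g. `/* XXX: no MLS restriction yet; only superuser privilege is required. */`.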
@@ -1181,6 +1237,40 @@ } static int +mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, struct label *newlabel) +{ + struct mac_mls *subj, *obj, *new; + + new = SLOT(newlabel); + subj = SLOT(&cred->cr_label); + obj = SLOT(pipelabel); + + if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) + return (EINVAL); + + /* + * To relabel a pipe, the old pipe label must be in the subject + * range. + */ + if (!mac_mls_single_in_range(obj, subj)) + return (EPERM); + + /* + * To relabel a pipe, the new pipe label must be in the subject + * range. + */ + if (!mac_mls_single_in_range(new, subj)) + return (EPERM); + + /* + * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. + */ + + return (0); +} + +static int mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc) { struct mac_mls *subj, *obj; @@ -1256,42 +1346,7 @@ } static int -mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket, - struct label *socketlabel) -{ - struct mac_mls *subj, *obj; - - if (!mac_mls_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(socketlabel); - - if (!mac_mls_dominate_single(subj, obj)) - return (ENOENT); - - return (0); -} - -static int -mac_mls_check_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, - struct label *ifnetlabel, struct label *newlabel) -{ - struct mac_mls *subj, *new; - - subj = SLOT(&cred->cr_label); - new = SLOT(newlabel); - - if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAGS_BOTH) - return (EINVAL); - - /* XXX: privilege model here? */ - - return (suser_cred(cred, 0)); -} - -static int -mac_mls_check_relabel_socket(struct ucred *cred, struct socket *socket, +mac_mls_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { struct mac_mls *subj, *obj, *new; 
@@ -1325,112 +1380,24 @@ } static int -mac_mls_check_relabel_pipe(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, struct label *newlabel) +mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket, + struct label *socketlabel) { - struct mac_mls *subj, *obj, *new; + struct mac_mls *subj, *obj; - new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); - obj = SLOT(pipelabel); - - if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) - return (EINVAL); - - /* - * To relabel a pipe, the old pipe label must be in the subject - * range. - */ - if (!mac_mls_single_in_range(obj, subj)) - return (EPERM); - - /* - * To relabel a pipe, the new pipe label must be in the subject - * range. - */ - if (!mac_mls_single_in_range(new, subj)) - return (EPERM); - - /* - * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. - */ - - return (0); -} + if (!mac_mls_enabled) + return (0); -static int -mac_mls_check_relabel_subject(struct ucred *cred, struct label *newlabel) -{ - struct mac_mls *subj, *new; - subj = SLOT(&cred->cr_label); - new = SLOT(newlabel); + obj = SLOT(socketlabel); - if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAGS_BOTH) - return (EINVAL); - - /* - * XXX: Allow processes with root privilege to set labels outside - * their range, so suid things like "su" work. This WILL go away - * when we figure out the 'correct' solution... - */ - if (!suser_cred(cred, 0)) - return (0); - - /* - * The new single must be in the old range. - */ - if (!mac_mls_single_in_range(new, subj)) - return (EPERM); - - /* - * The new range must be in the old range. - */ - if (!mac_mls_range_in_range(new, subj)) - return (EPERM); - - /* - * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. 
- */ + if (!mac_mls_dominate_single(subj, obj)) + return (ENOENT); return (0); } static int -mac_mls_check_relabel_vnode(struct ucred *cred, struct vnode *vp, - struct label *vnodelabel, struct label *newlabel) -{ - struct mac_mls *old, *new, *subj; - - old = SLOT(vnodelabel); - new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); - - if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) - return (EINVAL); - - /* - * To relabel a vnode, the old vnode label must be in the subject - * range. - */ - if (!mac_mls_single_in_range(old, subj)) - return (EPERM); - - /* - * To relabel a vnode, the new vnode label must be in the subject - * range. - */ - if (!mac_mls_single_in_range(new, subj)) - return (EPERM); - - /* - * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. - */ - - return (suser_cred(cred, 0)); -} - -static int mac_mls_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { @@ -1668,6 +1635,41 @@ } static int +mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp, + struct label *vnodelabel, struct label *newlabel) +{ + struct mac_mls *old, *new, *subj; + + old = SLOT(vnodelabel); + new = SLOT(newlabel); + subj = SLOT(&cred->cr_label); + + if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) + return (EINVAL); + + /* + * To relabel a vnode, the old vnode label must be in the subject + * range. + */ + if (!mac_mls_single_in_range(old, subj)) + return (EPERM); + + /* + * To relabel a vnode, the new vnode label must be in the subject + * range. + */ + if (!mac_mls_single_in_range(new, subj)) + return (EPERM); + + /* + * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. + */ + + return (suser_cred(cred, 0)); +} + + +static int mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) 
@@ -2091,12 +2093,18 @@ (macop_t)mac_mls_relabel_subject }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_mls_check_bpfdesc_receive }, + { MAC_CHECK_CRED_RELABEL, >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message