From owner-p4-projects Fri Oct 4 7:58:11 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 9C95337B404; Fri, 4 Oct 2002 07:58:07 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 33D0137B401 for ; Fri, 4 Oct 2002 07:58:07 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id C778743E6E for ; Fri, 4 Oct 2002 07:58:06 -0700 (PDT) (envelope-from green@freebsd.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g94Ew6Co081931 for ; Fri, 4 Oct 2002 07:58:06 -0700 (PDT) (envelope-from green@freebsd.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g94Ew60i081928 for perforce@freebsd.org; Fri, 4 Oct 2002 07:58:06 -0700 (PDT) Date: Fri, 4 Oct 2002 07:58:06 -0700 (PDT) Message-Id: <200210041458.g94Ew60i081928@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to green@freebsd.org using -f From: Brian Feldman Subject: PERFORCE change 18664 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18664 Change 18664 by green@green_laptop_2 on 2002/10/04 07:57:55 Fix up an error message; implement kernel-side externalization so that e.g. ps(1) works to show the processes' contexts. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#29 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#29 (text+ko) ==== 
@@ -131,7 +131,7 @@
 	if (file->sclass == 0) {
 		struct vattr va;
 		VOP_GETATTR(vp, &va, curthread->td_ucred, curthread);
-		printf("vnode_has_perm:: ERROR, sid=%d, sclass=0, v_type=%d"
+		printf("vnode_has_perm:: ERROR, sid=%d, sclass=0, v_type=%d,"
 		    " inode=%ld, fsid=%d\n", file->sid, vp->v_type,
 		    va.va_fileid, va.va_fsid);
 		file->sclass = vnode_type_to_security_class(vp->v_type);
@@ -937,6 +937,7 @@
 	return (VM_PROT_ALL);
 }
 
+#if 0
 static int
 sebsd_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
 {
@@ -949,7 +950,55 @@
 	return 0;
 }
+#endif
 
+static int
+sebsd_externalize_sid(security_id_t sid, struct mac_element *element,
+    int *claimed)
+{
+	security_context_t context;
+	u_int32_t context_len;
+	int error;
+
+	if (strcmp("sebsd", element->me_name) == 0) {
+		(*claimed)++;
+		error = security_sid_to_context(sid, &context,
+		    &context_len);
+		if (error)
+			return (error);
+		if (element->me_databuflen < context_len) {
+			security_free_context(context);
+			return (EINVAL);
+		}
+		error = copyout(context, element->me_data, context_len);
+		security_free_context(context);
+		if (error)
+			return (error);
+		element->me_datalen = context_len;
+	}
+	return (0);
+}
+
+static int
+sebsd_externalize_cred_label(struct label *label, struct mac *mac,
+    struct mac_element *element, int *claimed)
+{
+	struct task_security_struct *tsec;
+
+	tsec = SLOT(label);
+	return (sebsd_externalize_sid(tsec->sid, element, claimed));
+}
+
+static int
+sebsd_externalize_vnode_label(struct label *label, struct mac *mac,
+    struct mac_element *element, int *claimed)
+{
+	struct vnode_security_struct *vsec;
+
+	vsec = SLOT(label);
+	return (sebsd_externalize_sid(vsec->sid, element, claimed));
+}
+
 /*
  * Initialize the SEBSD security server after the root partition has
  * been mounted; policy is located on root partition.
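Review bot: The return value of VOP_GETATTR() two lines above the edited printf is still ignored, so when the getattr fails `va.va_fileid` and `va.va_fsid` are printed from an uninitialized struct vattr; since the commit is already reshaping this message, gate the fields on success, e.g. `if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0)` before the printf and log only sid/sclass/v_type otherwise. The format also prints `file->sid` and `va.va_fsid` with `%d`; whether those are int-sized depends on the security_id_t and struct vattr definitions, which are not visible here, so confirm against the headers before relying on the message. vnode_has_perm starts and ends outside the hunk.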
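Review bot: sebsd_externalize_sid() hands the SID-to-context string to any caller that names the "sebsd" element without a policy check, so unless the MAC framework or the caller of MAC_EXTERNALIZE_CRED_LABEL gates who may read another process's label, the commit's goal of exposing contexts to ps(1) makes every process's context readable by any unprivileged user; in SELinux the equivalent read is mediated by a process getattr permission, and either that check or a comment stating where the framework enforces it belongs here. The `strcmp("sebsd", element->me_name)` also assumes `me_name` is NUL-terminated; if the element originates in userland and the framework does not terminate it before calling policies, a bounded compare against the field's size is the safer form — confirm against struct mac_element. Finally, the `me_databuflen < context_len` path returns EINVAL without reporting the required size, so a caller cannot size its buffer from the failure; setting `element->me_datalen = context_len;` before the `return (EINVAL);` (or returning a distinct errno) would make the short-buffer case recoverable. sebsd_externalize_sid is complete within the hunk; the trailing comment block continues outside it.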
@@ -983,14 +1032,12 @@
 	    (macop_t)sebsd_destroy_vnode_label },
 
 	/* In/Out */
+	{ MAC_EXTERNALIZE_CRED_LABEL, sebsd_externalize_cred_label },
+	{ MAC_EXTERNALIZE_VNODE_LABEL, sebsd_externalize_vnode_label },
 #if 0
-	{ MAC_EXTERNALIZE,
-	    (macop_t)sebsd_externalize },
-	{ MAC_EXTERNALIZE_PID,
-	    (macop_t)sebsd_externalize_pid },
-#endif
 	{ MAC_EXTERNALIZE_VNODE_OLDMAC,
 	    (macop_t)sebsd_externalize_vnode_oldmac },
+#endif
 
 	/* Create Labels */
 	{ MAC_CREATE_CRED,
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
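Review bot: The two new table entries omit the `(macop_t)` cast that every neighbouring entry carries, e.g. `{ MAC_EXTERNALIZE_CRED_LABEL, (macop_t)sebsd_externalize_cred_label },`; either the new externalize callbacks already match the macop_t prototype, in which case the cast is noise on the older entries, or the mismatch will surface as a compiler warning — either way the table should be consistent. Moving the `#endif` down also leaves the MAC_EXTERNALIZE_VNODE_OLDMAC registration (and the function it points at, disabled in the earlier hunk) as `#if 0` dead code; if the oldmac path is superseded by the new externalize hooks it should be deleted rather than carried. The ops table starts and ends outside the hunk.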