From owner-p4-projects Thu Oct 24 11: 8:16 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 0E2E337B409; Thu, 24 Oct 2002 11:07:53 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 151BD37B406 for ; Thu, 24 Oct 2002 11:07:53 -0700 (PDT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 21FAE43E6E for ; Thu, 24 Oct 2002 11:07:52 -0700 (PDT) (envelope-from green@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id g9OI77mV017227 for ; Thu, 24 Oct 2002 11:07:07 -0700 (PDT) (envelope-from green@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id g9OI76CI017224 for perforce@freebsd.org; Thu, 24 Oct 2002 11:07:06 -0700 (PDT) Date: Thu, 24 Oct 2002 11:07:06 -0700 (PDT) Message-Id: <200210241807.g9OI76CI017224@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to green@freebsd.org using -f 
From: Brian Feldman Subject: PERFORCE change 20061 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=20061 Change 20061 by green@green_laptop_2 on 2002/10/24 11:06:31 * Continue synchronize mac_lomac with mac_biba changes (e.g. complete extattr methodology switchover). * Disable mac_lomac protection against sysctl changes for the time being. * Update mac_lomac logic to utilize demotion rather than denial, so now it's LESS like Biba! * Include debugging code for mmap revocation as that is currently not doing anything. Affected files ... .. //depot/projects/trustedbsd/mac/sys/modules/Makefile#48 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#15 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.h#8 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/modules/Makefile#48 (text+ko) ==== @@ -66,6 +66,7 @@ mac_biba \ mac_bsdextended \ mac_ifoff \ + mac_lomac \ mac_mls \ mac_none \ mac_partition \ ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#15 (text+ko) ==== @@ -79,6 +79,11 @@ #include +struct mac_lomac_proc { + struct mac_lomac mac_lomac; + struct mtx mtx; +}; + SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, lomac, CTLFLAG_RW, 0, @@ -120,6 +125,8 @@ static int mac_lomac_slot; #define SLOT(l) ((struct mac_lomac *)LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr) +#define PSLOT(l) ((struct mac_lomac_proc *) \ + LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr) MALLOC_DEFINE(M_MACLOMAC, "lomac label", "MAC/LOMAC labels"); 
@@ -420,6 +427,36 @@ mac_lomac_copy_range(source, dest); } +static int +maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel) +{ + struct mac_lomac_proc *subj = PSLOT(&curthread->td_proc->p_label); + + mtx_lock(&subj->mtx); + if (subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) { + /* + * Check to see if the pending demotion would be more or + * less severe than this one, and keep the more severe. + * This can only happen for a multi-threaded application. + */ + if (mac_lomac_dominate_single(objlabel, &subj->mac_lomac)) + goto out; + } + bzero(&subj->mac_lomac, sizeof(subj->mac_lomac)); + mac_lomac_copy_single(objlabel, &subj->mac_lomac); + mac_lomac_set_range(&subj->mac_lomac, + objlabel->ml_single.mle_type, objlabel->ml_single.mle_grade, + objlabel->ml_single.mle_type, objlabel->ml_single.mle_grade); + subj->mac_lomac.ml_flags |= MAC_LOMAC_FLAG_UPDATE; + mtx_lock_spin(&sched_lock); + curthread->td_kse->ke_flags |= KEF_ASTPENDING; + curthread->td_proc->p_sflag |= PS_MACPEND; + mtx_unlock_spin(&sched_lock); +out: + mtx_unlock(&subj->mtx); + return (0); +} + /* * Policy module operations. */ @@ -457,6 +494,15 @@ } static void +mac_lomac_init_proc_label(struct ucred *ucred, struct label *label) +{ + + PSLOT(label) = malloc(sizeof(struct mac_lomac_proc), M_MACLOMAC, + M_ZERO | M_WAITOK); + mtx_init(&PSLOT(label)->mtx, "MAC/Lomac proc lock", NULL, MTX_DEF); +} + +static void mac_lomac_destroy_label(struct label *label) { @@ -464,6 +510,15 @@ SLOT(label) = NULL; } +static void +mac_lomac_destroy_proc_label(struct ucred *ucred, struct label *label) +{ + + mtx_destroy(&PSLOT(label)->mtx); + FREE(PSLOT(label), M_MACLOMAC); + PSLOT(label) = NULL; +} + /* * mac_lomac_element_to_string() is basically an snprintf wrapper with * the same properties as snprintf(). It returns the length it would 
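Review bot: maybe_demote() never reads its subjlabel parameter; it demotes the current process via PSLOT(&curthread->td_proc->p_label), so the cred that failed the dominance check and the process that gets demoted coincide only because every caller in this change passes the calling process's own cred label. A comment on the function would stop a future caller from passing some other cred's label and expecting it to matter, e.g. `/* Schedules demotion of the calling process (curthread), not of subjlabel's owner; always returns 0 so the access proceeds and the demotion is applied at userret. */`. The unconditional `return (0)` is the whole point of the deny-to-demote switch, so it deserves to be stated explicitly rather than left for the reader to infer from the callers.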
@@ -763,30 +818,6 @@ } static void -mac_lomac_create_vnode(struct ucred *cred, struct vnode *dvp, - struct label *dlabel, struct vnode *vp, struct label *vlabel) -{ - struct mac_lomac *source, *dest, temp; - size_t buflen; - int error; - - buflen = sizeof(temp); - bzero(&temp, buflen); - - source = SLOT(&cred->cr_label); - dest = SLOT(vlabel); - mac_lomac_copy_single(source, &temp); - - error = vn_extattr_set(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE, - MAC_LOMAC_EXTATTR_NAME, buflen, (char *)&temp, curthread); - if (error == 0) - mac_lomac_copy_single(source, dest); -#ifdef notyet - return (error); -#endif -} - -static void mac_lomac_create_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { @@ -825,7 +856,7 @@ source = SLOT(label); #ifdef notyet - if ((source->ml_flags & MAC_BIBA_FLAG_SINGLE) == 0) + if ((source->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0) return (0); #endif #ifndef notyet @@ -854,24 +885,21 @@ } static void -mac_lomac_update_procfsvnode(struct vnode *vp, struct label *vnodelabel, - struct ucred *cred) +mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *fslabel, + struct devfs_dirent *de, struct label *delabel, struct vnode *vp, + struct label *vlabel) { struct mac_lomac *source, *dest; - source = SLOT(&cred->cr_label); - dest = SLOT(vnodelabel); + source = SLOT(delabel); + dest = SLOT(vlabel); - /* - * Only copy the single, not the range, since vnodes only have - * a single. - */ mac_lomac_copy_single(source, dest); } static int -mac_lomac_update_vnode_from_extattr(struct vnode *vp, struct label *vlabel, - struct mount *mp, struct label *fslabel) +mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *fslabel, + struct vnode *vp, struct label *vlabel) { struct mac_lomac temp, *source, *dest; size_t buflen; 
@@ -911,17 +939,61 @@ } static void -mac_lomac_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel, - struct mount *mp, struct label *fslabel) +mac_lomac_associate_vnode_singlelabel(struct mount *mp, + struct label *fslabel, struct vnode *vp, struct label *vlabel) { struct mac_lomac *source, *dest; source = SLOT(fslabel); - dest = SLOT(vnodelabel); + dest = SLOT(vlabel); mac_lomac_copy_single(source, dest); } +static int +mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp, + struct label *fslabel, struct vnode *dvp, struct label *dlabel, + struct vnode *vp, struct label *vlabel, struct componentname *cnp) +{ + struct mac_lomac *source, *dest, temp; + size_t buflen; + int error; + + buflen = sizeof(temp); + bzero(&temp, buflen); + + source = SLOT(&cred->cr_label); + dest = SLOT(vlabel); + mac_lomac_copy_single(source, &temp); + + error = vn_extattr_set(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE, + MAC_LOMAC_EXTATTR_NAME, buflen, (char *)&temp, curthread); + if (error == 0) + mac_lomac_copy_single(source, dest); + return (error); +} + +static int +mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, + struct label *vlabel, struct label *intlabel) +{ + struct mac_lomac *source, temp; + size_t buflen; + int error; + + buflen = sizeof(temp); + bzero(&temp, buflen); + + source = SLOT(intlabel); + if ((source->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0) + return (0); + + mac_lomac_copy_single(source, &temp); + error = vn_extattr_set(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE, + MAC_LOMAC_EXTATTR_NAME, buflen, (char *)&temp, curthread); + return (error); +} + /* * Labeling event operations: IPC object. */ 
@@ -1473,24 +1545,6 @@ } static int -mac_lomac_check_mount_stat(struct ucred *cred, struct mount *mp, - struct label *mntlabel) -{ - struct mac_lomac *subj, *obj; - - if (!mac_lomac_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(mntlabel); - - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) { @@ -1504,24 +1558,6 @@ } static int -mac_lomac_check_pipe_poll(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel) -{ - struct mac_lomac *subj, *obj; - - if (!mac_lomac_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT((pipelabel)); - - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int mac_lomac_check_pipe_read(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { @@ -1534,7 +1570,7 @@ obj = SLOT((pipelabel)); if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); + return (maybe_demote(subj, obj)); return (0); } @@ -1591,24 +1627,6 @@ } static int -mac_lomac_check_pipe_stat(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel) -{ - struct mac_lomac *subj, *obj; - - if (!mac_lomac_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT((pipelabel)); - - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int mac_lomac_check_pipe_write(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { @@ -1774,6 +1792,7 @@ mac_lomac_check_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen) { +#ifdef notyet struct mac_lomac *subj; if (!mac_lomac_enabled) 
@@ -1790,46 +1809,11 @@ return (EPERM); } - return (0); -} - -static int -mac_lomac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, - struct label *dlabel) -{ - struct mac_lomac *subj, *obj; - - if (!mac_lomac_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(dlabel); - - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - +#endif return (0); } static int -mac_lomac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, - struct label *dlabel) -{ - struct mac_lomac *subj, *obj; - - if (!mac_lomac_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(dlabel); - - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vattr *vap) { 
@@ -1890,60 +1874,6 @@ } static int -mac_lomac_check_vnode_exec(struct ucred *cred, struct vnode *vp, - struct label *label, struct image_params *imgp) -{ - struct mac_lomac *subj, *obj; - - if (!mac_lomac_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int -mac_lomac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, - struct label *label, acl_type_t type) -{ - struct mac_lomac *subj, *obj; - - if (!mac_lomac_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int -mac_lomac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, - struct label *label, int attrnamespace, const char *name, struct uio *uio) -{ - struct mac_lomac *subj, *obj; - - if (!mac_lomac_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) 
@@ -1968,25 +1898,35 @@ } static int -mac_lomac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, - struct label *dlabel, struct componentname *cnp) +mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, + struct label *label, int prot) { struct mac_lomac *subj, *obj; + /* + * Rely on the use of open()-time protections to handle + * non-revocation cases. + */ if (!mac_lomac_enabled) return (0); subj = SLOT(&cred->cr_label); - obj = SLOT(dlabel); + obj = SLOT(label); - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); + if (prot & VM_PROT_WRITE) { + if (!mac_lomac_dominate_single(subj, obj)) + return (EACCES); + } + if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) { + if (!mac_lomac_dominate_single(obj, subj)) + return (maybe_demote(subj, obj)); + } return (0); } static int -mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, +mac_lomac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, struct label *label, int prot) { struct mac_lomac *subj, *obj; 
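Review bot: The comment added at the top of mac_lomac_check_vnode_mmap ("Rely on the use of open()-time protections to handle non-revocation cases") does not describe the code beneath it, which gates only on mac_lomac_enabled and never consults revocation_enabled. It looks like the copy intended for mac_lomac_check_vnode_mmap_downgrade, where that test does exist. Either drop it here or reword it to what this hook does, e.g. `/* Write mappings need subj to dominate obj; read/exec mappings of a lower-integrity object demote the process instead of failing. */`.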
@@ -2001,82 +1941,69 @@ subj = SLOT(&cred->cr_label); obj = SLOT(label); - if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) { - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - } if (prot & VM_PROT_WRITE) { if (!mac_lomac_dominate_single(subj, obj)) return (EACCES); } - - return (0); -} - -static int -mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp, - struct label *vnodelabel, mode_t acc_mode) -{ - struct mac_lomac *subj, *obj; - - if (!mac_lomac_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(vnodelabel); - - /* XXX privilege override for admin? */ - if (acc_mode & (VREAD | VEXEC | VSTAT)) { + if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) { if (!mac_lomac_dominate_single(obj, subj)) return (EACCES); } - if (acc_mode & (VWRITE | VAPPEND | VADMIN)) { - if (!mac_lomac_dominate_single(subj, obj)) - return (EACCES); - } return (0); } -static int -mac_lomac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, - struct vnode *vp, struct label *label) +static __inline const char * +prot2str(vm_prot_t prot) { - struct mac_lomac *subj, *obj; - if (!mac_lomac_enabled || !revocation_enabled) - return (0); - - subj = SLOT(&active_cred->cr_label); - obj = SLOT(label); - - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - - return (0); + switch (prot & VM_PROT_ALL) { + case VM_PROT_READ: + return ("r--"); + case VM_PROT_READ | VM_PROT_WRITE: + return ("rw-"); + case VM_PROT_READ | VM_PROT_EXECUTE: + return ("r-x"); + case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: + return ("rwx"); + case VM_PROT_WRITE: + return ("-w-"); + case VM_PROT_EXECUTE: + return ("--x"); + case VM_PROT_WRITE | VM_PROT_EXECUTE: + return ("-wx"); + default: + return ("---"); + } } -static int -mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, - struct vnode *vp, struct label *label) +static void +mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, + struct label *label, 
vm_prot_t *prot) { struct mac_lomac *subj, *obj; + /* + * Rely on the use of open()-time protections to handle + * non-revocation cases. + */ if (!mac_lomac_enabled || !revocation_enabled) - return (0); + return; - subj = SLOT(&active_cred->cr_label); + subj = SLOT(&cred->cr_label); obj = SLOT(label); - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - - return (0); + printf("lomac mmap dg (%u): *prot was %s\n", + curthread->td_proc->p_pid, prot2str(*prot)); + if (!mac_lomac_dominate_single(subj, obj)) + *prot &= ~VM_PROT_WRITE; + printf("lomac mmap dg (%u): *prot is %s\n", + curthread->td_proc->p_pid, prot2str(*prot)); } static int -mac_lomac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, - struct label *dlabel) +mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp, + struct label *vnodelabel, mode_t acc_mode) { struct mac_lomac *subj, *obj; @@ -2084,28 +2011,31 @@ return (0); subj = SLOT(&cred->cr_label); - obj = SLOT(dlabel); + obj = SLOT(vnodelabel); - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); + /* XXX privilege override for admin? */ + if (acc_mode & (VWRITE | VAPPEND | VADMIN)) { + if (!mac_lomac_dominate_single(subj, obj)) + return (EACCES); + } return (0); } static int -mac_lomac_check_vnode_readlink(struct ucred *cred, struct vnode *vp, - struct label *label) +mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, + struct vnode *vp, struct label *label) { struct mac_lomac *subj, *obj; - if (!mac_lomac_enabled) + if (!mac_lomac_enabled || !revocation_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(&active_cred->cr_label); obj = SLOT(label); if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); + return (maybe_demote(subj, obj)); return (0); } 
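Review bot: The two printf() calls in mac_lomac_check_vnode_mmap_downgrade pass curthread->td_proc->p_pid to a %u conversion, but pid_t is a signed type on FreeBSD, so the format does not match the argument; `%d` is the right conversion. They also fire on every downgrade pass once revocation_enabled is set, so even as the debugging code the change description announces, they should sit under a compile-time or sysctl debug switch rather than print unconditionally to the console. The prot2str() helper they use is fine as a debug aid but is otherwise dead code once the printfs are gated.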
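Review bot: After this hunk mac_lomac_check_vnode_open only checks VWRITE/VAPPEND/VADMIN, while mac_lomac_check_vnode_read returns 0 early whenever revocation_enabled is clear, so in that configuration reading a lower-integrity file through open()/read() neither fails nor reaches maybe_demote(); only the mmap path still demotes. If demotion on read is meant to hold regardless of revocation, the early return here should test only the policy switch, `if (!mac_lomac_enabled) return (0);`, and leave revocation_enabled to the mmap-downgrade hook. The definition of revocation_enabled is not in this diff, so if it is always on this is moot, but the asymmetry between the two hooks is worth a comment either way.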
@@ -2341,24 +2271,6 @@ } static int -mac_lomac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, - struct vnode *vp, struct label *vnodelabel) -{ - struct mac_lomac *subj, *obj; - - if (!mac_lomac_enabled) - return (0); - - subj = SLOT(&active_cred->cr_label); - obj = SLOT(vnodelabel); - - if (!mac_lomac_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int mac_lomac_check_vnode_swapon(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -2394,6 +2306,46 @@ return (0); } +static void +mac_lomac_thread_userret(struct thread *td) +{ + struct proc *p = td->td_proc; + struct mac_lomac_proc *subj = PSLOT(&p->p_label); + struct ucred *newcred, *oldcred; + + mtx_lock(&subj->mtx); + if (subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) { + mtx_unlock(&subj->mtx); + newcred = crget(); + /* + * Prevent a lock order reversal in + * mac_cred_mmapped_drop_perms; ideally, the other + * user of subj->mtx wouldn't be holding Giant. + */ + mtx_lock(&Giant); + mtx_lock(&subj->mtx); + /* + * Check if we lost the race while allocating the cred. + */ + if ((subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) == 0) + goto out; + PROC_LOCK(p); + oldcred = p->p_ucred; + crcopy(newcred, oldcred); + crhold(newcred); + mac_lomac_copy(&subj->mac_lomac, SLOT(&newcred->cr_label)); + p->p_ucred = newcred; + crfree(oldcred); + PROC_UNLOCK(p); + mac_cred_mmapped_drop_perms(curthread, newcred); + out: + mtx_unlock(&subj->mtx); + mtx_unlock(&Giant); + } else { + mtx_unlock(&subj->mtx); + } +} + static struct mac_policy_op_entry mac_lomac_ops[] = { { MAC_DESTROY, @@ -2418,6 +2370,8 @@ (macop_t)mac_lomac_init_label }, { MAC_INIT_PIPE_LABEL, (macop_t)mac_lomac_init_label }, + { MAC_INIT_PROC, + (macop_t)mac_lomac_init_proc_label }, { MAC_INIT_SOCKET_LABEL, (macop_t)mac_lomac_init_label_waitcheck }, { MAC_INIT_SOCKET_PEER_LABEL, 
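Review bot: mac_lomac_thread_userret leaks a credential on both paths: when the race is lost (`goto out`) the cred returned by crget() is never released, and on the success path crhold(newcred) is taken but no crfree(newcred) follows mac_cred_mmapped_drop_perms(), so the installed cred keeps an extra reference forever. Add `crfree(newcred);` before the `goto out` and `crfree(newcred);` after the drop_perms call so p->p_ucred holds the only remaining reference. Nothing in the hunk clears MAC_LOMAC_FLAG_UPDATE in subj->mac_lomac once the new cred is installed, so unless something outside this hunk does it, every later userret repeats the cred replacement; `subj->mac_lomac.ml_flags &= ~MAC_LOMAC_FLAG_UPDATE;` under subj->mtx after the copy would close that.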
@@ -2442,6 +2396,8 @@ (macop_t)mac_lomac_destroy_label }, { MAC_DESTROY_PIPE_LABEL, (macop_t)mac_lomac_destroy_label }, + { MAC_DESTROY_PROC, + (macop_t)mac_lomac_destroy_proc_label }, { MAC_DESTROY_SOCKET_LABEL, (macop_t)mac_lomac_destroy_label }, { MAC_DESTROY_SOCKET_PEER_LABEL, @@ -2482,8 +2438,6 @@ (macop_t)mac_lomac_create_devfs_symlink }, { MAC_CREATE_DEVFS_VNODE, (macop_t)mac_lomac_create_devfs_vnode }, - { MAC_CREATE_VNODE, - (macop_t)mac_lomac_create_vnode }, { MAC_CREATE_MOUNT, (macop_t)mac_lomac_create_mount }, { MAC_CREATE_ROOT_MOUNT, @@ -2492,12 +2446,16 @@ (macop_t)mac_lomac_relabel_vnode }, { MAC_UPDATE_DEVFSDIRENT, (macop_t)mac_lomac_update_devfsdirent }, - { MAC_UPDATE_PROCFSVNODE, - (macop_t)mac_lomac_update_procfsvnode }, - { MAC_UPDATE_VNODE_FROM_EXTATTR, - (macop_t)mac_lomac_update_vnode_from_extattr }, - { MAC_UPDATE_VNODE_FROM_MOUNT, - (macop_t)mac_lomac_update_vnode_from_mount }, + { MAC_ASSOCIATE_VNODE_DEVFS, + (macop_t)mac_lomac_associate_vnode_devfs }, + { MAC_ASSOCIATE_VNODE_EXTATTR, + (macop_t)mac_lomac_associate_vnode_extattr }, + { MAC_ASSOCIATE_VNODE_SINGLELABEL, + (macop_t)mac_lomac_associate_vnode_singlelabel }, + { MAC_CREATE_VNODE_EXTATTR, + (macop_t)mac_lomac_create_vnode_extattr }, + { MAC_SETLABEL_VNODE_EXTATTR, + (macop_t)mac_lomac_setlabel_vnode_extattr }, { MAC_CREATE_MBUF_FROM_SOCKET, (macop_t)mac_lomac_create_mbuf_from_socket }, { MAC_CREATE_PIPE, 
@@ -2564,18 +2522,12 @@ (macop_t)mac_lomac_check_ifnet_relabel }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_lomac_check_ifnet_transmit }, - { MAC_CHECK_MOUNT_STAT, - (macop_t)mac_lomac_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_lomac_check_pipe_ioctl }, - { MAC_CHECK_PIPE_POLL, - (macop_t)mac_lomac_check_pipe_poll }, { MAC_CHECK_PIPE_READ, (macop_t)mac_lomac_check_pipe_read }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_lomac_check_pipe_relabel }, - { MAC_CHECK_PIPE_STAT, - (macop_t)mac_lomac_check_pipe_stat }, { MAC_CHECK_PIPE_WRITE, (macop_t)mac_lomac_check_pipe_write }, { MAC_CHECK_PROC_DEBUG, 
@@ -2594,40 +2546,24 @@ (macop_t)mac_lomac_check_sysctl }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_lomac_check_vnode_open }, - { MAC_CHECK_VNODE_CHDIR, - (macop_t)mac_lomac_check_vnode_chdir }, - { MAC_CHECK_VNODE_CHROOT, - (macop_t)mac_lomac_check_vnode_chroot }, { MAC_CHECK_VNODE_CREATE, (macop_t)mac_lomac_check_vnode_create }, { MAC_CHECK_VNODE_DELETE, (macop_t)mac_lomac_check_vnode_delete }, { MAC_CHECK_VNODE_DELETEACL, (macop_t)mac_lomac_check_vnode_deleteacl }, - { MAC_CHECK_VNODE_EXEC, - (macop_t)mac_lomac_check_vnode_exec }, - { MAC_CHECK_VNODE_GETACL, - (macop_t)mac_lomac_check_vnode_getacl }, - { MAC_CHECK_VNODE_GETEXTATTR, - (macop_t)mac_lomac_check_vnode_getextattr }, { MAC_CHECK_VNODE_LINK, (macop_t)mac_lomac_check_vnode_link }, - { MAC_CHECK_VNODE_LOOKUP, - (macop_t)mac_lomac_check_vnode_lookup }, { MAC_CHECK_VNODE_MMAP, (macop_t)mac_lomac_check_vnode_mmap }, + { MAC_CHECK_VNODE_MMAP_DOWNGRADE, + (macop_t)mac_lomac_check_vnode_mmap_downgrade }, { MAC_CHECK_VNODE_MPROTECT, - (macop_t)mac_lomac_check_vnode_mmap }, + (macop_t)mac_lomac_check_vnode_mprotect }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_lomac_check_vnode_open }, - { MAC_CHECK_VNODE_POLL, - (macop_t)mac_lomac_check_vnode_poll }, { MAC_CHECK_VNODE_READ, (macop_t)mac_lomac_check_vnode_read }, - { MAC_CHECK_VNODE_READDIR, - (macop_t)mac_lomac_check_vnode_readdir }, - { MAC_CHECK_VNODE_READLINK, - (macop_t)mac_lomac_check_vnode_readlink }, { MAC_CHECK_VNODE_RELABEL, (macop_t)mac_lomac_check_vnode_relabel }, { MAC_CHECK_VNODE_RENAME_FROM, 
@@ -2648,12 +2584,12 @@ (macop_t)mac_lomac_check_vnode_setowner }, { MAC_CHECK_VNODE_SETUTIMES, (macop_t)mac_lomac_check_vnode_setutimes }, - { MAC_CHECK_VNODE_STAT, - (macop_t)mac_lomac_check_vnode_stat }, { MAC_CHECK_VNODE_SWAPON, (macop_t)mac_lomac_check_vnode_swapon }, { MAC_CHECK_VNODE_WRITE, (macop_t)mac_lomac_check_vnode_write }, + { MAC_THREAD_USERRET, + (macop_t)mac_lomac_thread_userret }, { MAC_OP_LAST, NULL } }; ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.h#8 (text+ko) ==== @@ -50,6 +50,10 @@ #define MAC_LOMAC_FLAG_SINGLE 0x00000001 /* mb_single initialized */ #define MAC_LOMAC_FLAG_RANGE 0x00000002 /* mb_range* initialized */ #define MAC_LOMAC_FLAGS_BOTH (MAC_LOMAC_FLAG_SINGLE | MAC_LOMAC_FLAG_RANGE) +#define MAC_LOMAC_CFLAG_SINGLE 0x00000004 /* mb_single initialized */ +#define MAC_LOMAC_CFLAG_RANGE 0x00000008 /* mb_range* initialized */ +#define MAC_LOMAC_CFLAGS_BOTH (MAC_LOMAC_CFLAG_SINGLE | MAC_LOMAC_CFLAG_RANGE) +#define MAC_LOMAC_FLAG_UPDATE 0x00000010 /* must demote this process */ #define MAC_LOMAC_TYPE_UNDEF 0 /* Undefined */ #define MAC_LOMAC_TYPE_GRADE 1 /* Hierarchal grade with mb_grade. */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
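Review bot: The three new MAC_LOMAC_CFLAG_* defines in mac_lomac.h carry comments copied verbatim from MAC_LOMAC_FLAG_SINGLE/RANGE ("mb_single initialized", "mb_range* initialized"), so what distinguishes a CFLAG from a FLAG is documented nowhere in this change, and no hunk in mac_lomac.c uses them. A comment naming their role, or a TODO admitting it is not settled yet, would help, e.g. `/* TODO: document the CFLAG_* semantics; unused so far */` — I cannot infer the intended meaning from the diff. The MAC_LOMAC_FLAG_UPDATE comment ("must demote this process") is accurate to the maybe_demote/thread_userret pair and is fine.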