Date: Tue, 29 Oct 2002 13:17:58 -0800 (PST) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 20373 for review Message-ID: <200210292117.g9TLHwOB056573@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=20373 Change 20373 by rwatson@rwatson_tislabs on 2002/10/29 13:17:19 Permit the MAC Framework to mediate access to kernel environment interfaces kenv_{dump,get,set,unset}. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_environment.c#6 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#338 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#203 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#155 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_environment.c#6 (text+ko) ==== @@ -36,11 +36,14 @@ * the kernel. */ +#include "opt_mac.h" + #include <sys/types.h> #include <sys/param.h> #include <sys/proc.h> #include <sys/queue.h> #include <sys/lock.h> +#include <sys/mac.h> #include <sys/malloc.h> #include <sys/mutex.h> #include <sys/kernel.h> @@ -90,6 +93,11 @@ error = 0; if (SCARG(uap, what) == KENV_DUMP) { +#ifdef MAC + error = mac_check_kenv_dump(td->td_ucred); + if (error) + return (error); +#endif len = 0; /* Return the size if called with a NULL buffer */ if (SCARG(uap, value) == NULL) { @@ -131,6 +139,11 @@ switch (SCARG(uap, what)) { case KENV_GET: +#ifdef MAC + error = mac_check_kenv_get(td->td_ucred, name); + if (error) + goto done; +#endif value = getenv(name); if (value == NULL) { error = ENOENT; @@ -159,10 +172,19 @@ free(value, M_TEMP); goto done; } - setenv(name, value); +#ifdef MAC + error = mac_check_kenv_set(td->td_ucred, name, value); + if (error == 0) +#endif + setenv(name, value); free(value, M_TEMP); break; case KENV_UNSET: +#ifdef MAC + error = mac_check_kenv_unset(td->td_ucred, name); + if (error) + goto done; +#endif error = unsetenv(name); if (error) error = ENOENT; ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#338 (text+ko) ==== 
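Review bot: In the `KENV_DUMP` branch of kern_environment.c the new `mac_check_kenv_dump(td->td_ucred)` call decides on the credential alone, so a policy that denies `mac_check_kenv_get()` for one name cannot keep that variable out of a dump except by refusing dumps entirely. The copy-out loop lies outside the hunk, so this is inferred from the hook signature rather than from the loop itself. If per-variable filtering is intended, the loop needs a per-entry check that skips denied names. Otherwise the all-or-nothing semantics deserve a comment above the call, for example `/* Policies protecting individual variables must also deny KENV_DUMP. */`.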
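Review bot: In the `KENV_SET` case the added `if (error == 0)` sits inside `#ifdef MAC` while the statement it guards, `setenv(name, value);`, sits after the `#endif`, so the authorization decision hangs on an unbraced conditional split across a preprocessor boundary. A statement later inserted between the `#endif` and `setenv()` would become the guarded one, and the set would then run even when the policy denied it. The `KENV_GET` and `KENV_UNSET` cases in the same change use a self-contained form, and the context lines just above already show the matching cleanup. The equivalent here is `if (error) { free(value, M_TEMP); goto done; }` inside the `#ifdef`, leaving `setenv(name, value);` unconditional below it. The switch and the `done` label are outside the hunk.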
@@ -843,6 +843,22 @@ mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; + case MAC_CHECK_KENV_DUMP: + mpc->mpc_ops->mpo_check_kenv_dump = + mpe->mpe_function; + break; + case MAC_CHECK_KENV_GET: + mpc->mpc_ops->mpo_check_kenv_get = + mpe->mpe_function; + break; + case MAC_CHECK_KENV_SET: + mpc->mpc_ops->mpo_check_kenv_set = + mpe->mpe_function; + break; + case MAC_CHECK_KENV_UNSET: + mpc->mpc_ops->mpo_check_kenv_unset = + mpe->mpe_function; + break; case MAC_CHECK_MOUNT_STAT: mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; @@ -2801,6 +2817,58 @@ } int +mac_check_kenv_dump(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_kenv_dump, cred); + + return (error); +} + +int +mac_check_kenv_get(struct ucred *cred, char *name) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_kenv_get, cred, name); + + return (error); +} + +int +mac_check_kenv_set(struct ucred *cred, char *name, char *value) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_kenv_set, cred, name, value); + + return (error); +} + +int +mac_check_kenv_unset(struct ucred *cred, char *name) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_kenv_unset, cred, name); + + return (error); +} + +int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#203 (text+ko) ==== 
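Review bot: The new entry points `mac_check_kenv_get`, `mac_check_kenv_set` and `mac_check_kenv_unset` in the second kern_mac.c hunk take `name` and `value` as plain `char *`, which permits a policy module to write to the strings that `setenv(name, value)` consumes after the check returns. Declaring them `const char *name` and `const char *value` would make the hooks read-only by contract. The mac.h prototypes and the `mpo_check_kenv_*` members in mac_policy.h carry the same signatures and would change with them. The four functions also have no header comment; one line each, such as `/* Check whether cred may read kernel environment variable name; returns 0 to allow, an errno value to deny. */`, would record the contract. The comment should also say that each function returns 0 without consulting any policy when `mac_enforce_system` is off.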
@@ -240,6 +240,10 @@ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m); +int mac_check_kenv_dump(struct ucred *cred); +int mac_check_kenv_get(struct ucred *cred, char *name); +int mac_check_kenv_set(struct ucred *cred, char *name, char *value); +int mac_check_kenv_unset(struct ucred *cred, char *name); int mac_check_mount_stat(struct ucred *cred, struct mount *mp); int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data); ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#155 (text+ko) ==== @@ -275,6 +275,11 @@ int (*mpo_check_ifnet_transmit)(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel); + int (*mpo_check_kenv_dump)(struct ucred *cred); + int (*mpo_check_kenv_get)(struct ucred *cred, char *name); + int (*mpo_check_kenv_set)(struct ucred *cred, char *name, + char *value); + int (*mpo_check_kenv_unset)(struct ucred *cred, char *name); int (*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp, struct label *mntlabel); int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe, @@ -498,6 +503,10 @@ MAC_CHECK_CRED_VISIBLE, MAC_CHECK_IFNET_RELABEL, MAC_CHECK_IFNET_TRANSMIT, + MAC_CHECK_KENV_DUMP, + MAC_CHECK_KENV_GET, + MAC_CHECK_KENV_SET, + MAC_CHECK_KENV_UNSET, MAC_CHECK_MOUNT_STAT, MAC_CHECK_PIPE_IOCTL, MAC_CHECK_PIPE_POLL, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
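Review bot: In the last mac_policy.h hunk the four `MAC_CHECK_KENV_*` constants are inserted in the middle of the operation enum, ahead of `MAC_CHECK_MOUNT_STAT`, which shifts the numeric value of every later constant. The registration switch in kern_mac.c dispatches on these values, so a policy module built against the previous header would presumably have its entries installed into the wrong `mpo_*` slots unless something outside this diff rejects stale modules. Either append new operations at the end of the enum or record the rebuild requirement beside it, for example `/* Inserting here renumbers later ops; policy modules must be rebuilt. */`. The enum and the ops structure both begin and end outside the hunks.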