Date: Sun, 14 Dec 2003 17:41:02 -0800 (PST) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 43936 for review Message-ID: <200312150141.hBF1f2mu001733@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=43936 Change 43936 by cvance@cvance_release on 2003/12/14 17:40:25 Add file ioctl entry point and SEBSD implementation... Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/kern/sys_generic.c#8 edit .. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_file.c#4 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#29 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/sys/kern/sys_generic.c#8 (text+ko) ==== @@ -584,6 +584,14 @@ mtx_unlock(&Giant); return (EBADF); } +#ifdef MAC + error = mac_check_file_ioctl(td->td_ucred, fp, uap->com); + if (error) { + fdrop(fp, td); + mtx_unlock(&Giant); + return (error); + } +#endif fdp = td->td_proc->p_fd; switch (com = uap->com) { case FIONCLEX: ==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_file.c#4 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#29 (text+ko) ==== @@ -49,6 +49,7 @@ #include <sys/systm.h> #include <sys/sysproto.h> #include <sys/vnode.h> +#include <sys/file.h> #include <sys/pipe.h> #include <sys/dirent.h> #include <sys/capability.h> @@ -511,7 +512,6 @@ static void sebsd_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { - int rc; struct task_security_struct *parent, *task; parent = SLOT(cred_parent->cr_label); @@ -1971,6 +1971,27 @@ FD__CREATE, NULL)); } +static int +sebsd_check_file_ioctl(struct ucred *cred, struct file *fp, + struct label *fplabel, u_long com) +{ + struct task_security_struct *tsec; + struct file_security_struct *fsec; + int error; + + tsec = SLOT(cred->cr_label); + fsec = SLOT(fplabel); + + error = avc_has_perm_audit(tsec->sid, fsec->sid, SECCLASS_FD, + FD__USE, NULL); + if (error) + return (error); + if (fp->f_type != DTYPE_VNODE) + return (0); + + return (vnode_has_perm(cred, fp->f_vnode, FILE__IOCTL, NULL)); +} + /* * Simplify all other fd permissions to just "use" for now. The ones we * implement in SEBSD roughly correlate to the SELinux FD__USE permissions, @@ -2442,10 +2463,11 @@ .mpo_check_cap = sebsd_check_cap, .mpo_check_cred_relabel = sebsd_check_cred_relabel, .mpo_check_file_create = sebsd_check_file_create, + .mpo_check_file_ioctl = sebsd_check_file_ioctl, + /* .mpo_check_file_dup .mpo_check_file_inherit - .mpo_check_file_ioctl .mpo_check_file_receive */ .mpo_check_file_get_flags = sebsd_check_file_get_flags,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200312150141.hBF1f2mu001733>