Date:      Fri, 22 Mar 2002 14:34:57 -0800 (PST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 8217 for review
Message-ID:  <200203222234.g2MMYva37602@freefall.freebsd.org>

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=8217

Change 8217 by rwatson@rwatson_paprika on 2002/03/22 14:34:02

	Teach the MAC framework to separately authorize the visibility of
	sockets using various socket listing management interfaces.  
	Previously, it was clumped in with the ability to see other
	processes with management interfaces.  
	
	Introduce MAC API mac_cred_canseesocket() and place a reference to
	it in cr_canseesocket().  Implement it using a callout to the
	per-policy mpo_cred_check_see_socket() MAC Policy API.  Key 
	disabling enforcement to mac_enforce_socket, since it's a
	socket-related interface.
	
	Implement mpo_cred_check_see_socket() for various policies:
	
	babyaudit: ignore this entry point
	mac_biba: socket label must dominate subject label
	mac_bsdextended: always succeed
	mac_mls: subject label must dominate socket label
	mac_none: always succeed
	mac_seeotheruids: socket credential uid must be visible to subject
	                  uid
	mac_te: Introduce MAC_TE_CLASS_SOCKET and
	        MAC_TE_OPERATION_SOCKET_SEE, and authorize the entry point
	        using that class/operation pair.

Affected files ...

... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#119 edit
... //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#15 edit
... //depot/projects/trustedbsd/mac/sys/security/babyaudit/babyaudit.c#5 edit
... //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#23 edit
... //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#23 edit
... //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#19 edit
... //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#18 edit
... //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#4 edit
... //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#18 edit
... //depot/projects/trustedbsd/mac/sys/sys/mac.h#88 edit
... //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#52 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#119 (text+ko) ====

@@ -333,6 +333,19 @@
 }
 
 int
+mac_cred_canseesocket(struct ucred *cred, struct socket *socket)
+{
+	int error;
+
+	if (!mac_enforce_socket)
+		return (0);
+
+	MAC_CHECK(cred_check_see_socket, cred, socket);
+
+	return (error);
+}
+
+int
 mac_cred_cansignal(struct ucred *cred, struct proc *proc, int signum)
 {
 	int error;
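Review bot: The `if (!mac_enforce_socket) return (0);` guard in mac_cred_canseesocket() makes every policy's socket-visibility check fail open, including mac_seeotheruids, whose rule is uid-based rather than label-based. An administrator who clears the socket enforcement toggle for label reasons would also lose uid-based hiding of sockets, while process visibility stays governed by whatever gates mac_cred_cansee() (not visible here). A comment above the function would make that explicit, e.g. `/* Socket visibility check; skipped entirely when mac_enforce_socket is 0. */`. It would also help to note that `error` is assigned by MAC_CHECK (presumably; the macro is outside this hunk), since otherwise `return (error);` reads as an uninitialized use.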

==== //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#15 (text+ko) ====

@@ -1699,7 +1699,9 @@
 		return (ENOENT);
 
 #ifdef MAC
-	/* XXX: error = mac_cred_check_seesocket() here. */
+	error = mac_cred_canseesocket(cred, so);
+	if (error)
+		return (error);
 #endif
 
 	return (0);
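Review bot: The errno from mac_cred_canseesocket() is returned to the caller unchanged at `return (error);`, whereas the check just above it returns ENOENT. mac_biba and mac_mls return ENOENT, but the values produced by mac_seeotheruids_check() and mac_te_check() are not visible in this change; if either returns something else, a caller could tell "socket exists but is hidden" apart from "no such socket". Consider either documenting that see-socket policies must return ENOENT or normalising here with `if (error) return (ENOENT);`. The enclosing function starts and ends outside the hunk, so the declaration of `error` cannot be confirmed from here.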

==== //depot/projects/trustedbsd/mac/sys/security/babyaudit/babyaudit.c#5 (text+ko) ====

@@ -261,6 +261,7 @@
 	NULL /* babyaudit_relabel_subject */,
 	NULL /* babyaudit_bpfdesc_check_receive_from_ifnet */,
 	NULL /* babyaudit_cred_check_see_cred */,
+	NULL /* babyaudit_cred_check_see_socket */,
 	NULL /* babyaudit_cred_check_relabel_ifnet */,
 	NULL /* babyaudit_cred_check_relabel_socket */,
 	NULL /* babyaudit_cred_check_relabel_subject */,
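Review bot: The new `NULL /* babyaudit_cred_check_see_socket */` slot is inserted in the middle of a positional initializer, so correctness depends on every policy's ops table being edited at exactly the position of the new `mpo_cred_check_see_socket` member (mac_policy.h hunk). Where neighbouring slots are bare `NULL`, as in the mac_seeotheruids and mac_bsdextended tables, a table that misses the update shifts its later entry points by one slot without any compiler diagnostic for the NULL entries, and a check could end up registered under the wrong operation. The same applies to the table hunks in mac_biba, mac_mls, mac_none and mac_te. Designated initializers, e.g. `.mpo_cred_check_see_socket = NULL,`, would make the tables independent of member order. The table itself starts and ends outside the hunk.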

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#23 (text+ko) ====

@@ -748,6 +748,17 @@
 }
 
 static int
+mac_biba_cred_check_see_socket(struct ucred *cred, struct socket *socket)
+{
+
+	if (!mac_biba_enabled)
+		return (0);
+	if (!mac_biba_single_dominate(&socket->so_label, &cred->cr_label))
+		return (ENOENT);
+	return (0);
+}
+
+static int
 mac_biba_cred_cantouch(struct ucred *cred, struct proc *proc)
 {
 	int error;
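Review bot: mac_biba_cred_check_see_socket() differs from the mac_mls version only in the argument order passed to the dominate helper, and neither states the rule being enforced. A one-line comment such as `/* Biba: socket is visible only if its label dominates the subject's. */` here, and `/* MLS: socket is visible only if the subject's label dominates it. */` in mac_mls_cred_check_see_socket(), would make a swapped-argument regression easy to spot in review. Both functions also read `socket->so_label` with no visible locking or assertion; if the label can change concurrently (a relabel_socket entry point exists in the ops table), the lock the caller is expected to hold should be documented.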
@@ -1024,6 +1035,7 @@
 	mac_biba_relabel_subject,
 	mac_biba_bpfdesc_check_receive_from_ifnet,
 	mac_biba_cred_check_see_cred,
+	mac_biba_cred_check_see_socket,
 	mac_biba_cred_check_relabel_ifnet,
 	mac_biba_cred_check_relabel_socket,
 	mac_biba_cred_check_relabel_subject,

==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#23 (text+ko) ====

@@ -547,6 +547,17 @@
 }
 
 static int
+mac_bsdextended_cred_check_see_socket(struct ucred *cred,
+    struct socket *socket)
+{
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	return (0);
+}
+
+static int
 mac_bsdextended_cred_cantouch(struct ucred *cred, struct proc *proc)
 {
 
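Review bot: In mac_bsdextended_cred_check_see_socket() the `if (!mac_bsdextended_enabled) return (0);` test is followed by an unconditional `return (0);`, so the branch has no effect. If this is a placeholder for future socket rules, say so with a comment such as `/* XXX: no socket rules yet; all sockets are visible. */`; otherwise drop the test so the function does not look as if it enforces something.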
@@ -617,6 +628,7 @@
 	NULL,					/* relabel subject */
 	NULL,					/* bpfdesc check ifnet */
 	mac_bsdextended_cred_check_see_cred,
+	mac_bsdextended_cred_check_see_socket,
 	NULL,					/* check relabel ifnet */
 	NULL,					/* check relabel socket */
 	NULL,					/* check relabel subject */

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#19 (text+ko) ====

@@ -717,6 +717,17 @@
 }
 
 static int
+mac_mls_cred_check_see_socket(struct ucred *cred, struct socket *socket)
+{
+
+	if (!mac_mls_enabled)
+		return (0);
+	if (!mac_mls_single_dominate(&cred->cr_label, &socket->so_label))
+		return (ENOENT);
+	return (0);
+}
+
+static int
 mac_mls_cred_cantouch(struct ucred *cred, struct proc *proc)
 {
 	int error;
@@ -993,6 +1004,7 @@
 	mac_mls_relabel_subject,
 	mac_mls_bpfdesc_check_receive_from_ifnet,
 	mac_mls_cred_check_see_cred,
+	mac_mls_cred_check_see_socket,
 	mac_mls_cred_check_relabel_ifnet,
 	mac_mls_cred_check_relabel_socket,
 	mac_mls_cred_check_relabel_subject,

==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#18 (text+ko) ====

@@ -405,6 +405,14 @@
 }
 
 static int
+mac_none_cred_check_see_socket(struct ucred *cred, struct socket *socket)
+{
+
+	/* Perform access controlc heck here. */
+	return (0);
+}
+
+static int
 mac_none_cred_check_signal_proc(struct ucred *cred, struct proc *proc,
     int signum)
 {
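Review bot: The comment in mac_none_cred_check_see_socket() reads "controlc heck" and should be `/* Perform access control check here. */`. If mac_none is meant as a stub that policy authors copy (an inference from its name and empty bodies), a short note on the expected return convention for a hidden socket would also help, since mac_biba and mac_mls return ENOENT in this change.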
@@ -617,6 +625,7 @@
 	mac_none_relabel_subject,
 	mac_none_bpfdesc_check_receive_from_ifnet,
 	mac_none_cred_check_see_cred,
+	mac_none_cred_check_see_socket,
 	mac_none_cred_check_relabel_ifnet,
 	mac_none_cred_check_relabel_socket,
 	mac_none_cred_check_relabel_subject,

==== //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#4 (text+ko) ====

@@ -128,6 +128,14 @@
 }
 
 static int
+mac_seeotheruids_cred_check_see_socket(struct ucred *cred,
+    struct socket *socket)
+{
+
+	return (mac_seeotheruids_check(cred, socket->so_cred));
+}
+
+static int
 mac_seeotheruids_cred_check_signal_proc(struct ucred *cred, struct proc *proc,
     int signum)
 {
@@ -188,6 +196,7 @@
 	NULL,
 	NULL,
 	mac_seeotheruids_cred_check_see_cred,
+	mac_seeotheruids_cred_check_see_socket,
 	NULL,
 	NULL,
 	NULL,

==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#18 (text+ko) ====

@@ -767,6 +767,14 @@
 }
 
 static int
+mac_te_cred_check_see_socket(struct ucred *cred, struct socket *socket)
+{
+
+	return (mac_te_check(&cred->cr_label, &socket->so_label,
+	    MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_SEE));
+}
+
+static int
 mac_te_cred_check_signal_proc(struct ucred *cred, struct proc *proc, int signum)
 {
 
@@ -1070,6 +1078,7 @@
 	mac_te_relabel_subject,
 	mac_te_bpfdesc_check_receive_from_ifnet,
 	mac_te_cred_check_see_cred,
+	mac_te_cred_check_see_socket,
 	mac_te_cred_check_relabel_ifnet,
 	mac_te_cred_check_relabel_socket,
 	mac_te_cred_check_relabel_subject,

==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#88 (text+ko) ====

@@ -180,6 +180,9 @@
 #define	MAC_TE_CLASS_BPF		6
 #define	MAC_TE_OPERATION_BPF_RECEIVE		1
 
+#define	MAC_TE_CLASS_SOCKET		7
+#define	MAC_TE_OPERATION_SOCKET_SEE		1
+
 struct mac_sebsd {
 	uint32_t	ms_psid;	/* persistent sid storage */
 };
@@ -378,6 +381,7 @@
 int	mac_cred_canexec(struct ucred *cred, struct mac *label);
 int	mac_cred_cansched(struct ucred *cred, struct proc *proc);
 int	mac_cred_cansee(struct ucred *u1, struct ucred *u2);
+int	mac_cred_canseesocket(struct ucred *cred, struct socket *socket);
 int	mac_cred_cansignal(struct ucred *cred, struct proc *proc, int signum);
 
 #endif /* _KERNEL */

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#52 (text+ko) ====

@@ -145,6 +145,8 @@
 	int	(*mpo_bpfdesc_check_receive_from_ifnet)(struct bpf_d *bpf_d,
 		    struct ifnet *ifnet);
 	int	(*mpo_cred_check_see_cred)(struct ucred *u1, struct ucred *u2);
+	int	(*mpo_cred_check_see_socket)(struct ucred *cred,
+		    struct socket *socket);
 	int	(*mpo_cred_check_relabel_ifnet)(struct ucred *cred,
 		    struct ifnet *ifnet, struct mac *newlabel);
 	int	(*mpo_cred_check_relabel_socket)(struct ucred *cred,




