Date: Thu, 27 Jun 2002 14:13:01 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 13498 for review Message-ID: <200206272113.g5RLD1v0027984@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=13498 Change 13498 by rwatson@rwatson_tislabs on 2002/06/27 14:12:50 Teach various policies about ACLs. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#51 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#30 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#37 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#32 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#34 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.h#3 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#4 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#51 (text+ko) ==== @@ -44,6 +44,7 @@ #include <sys/types.h> #include <sys/param.h> +#include <sys/acl.h> #include <sys/conf.h> #include <sys/kernel.h> #include <sys/mac.h> @@ -1378,6 +1379,24 @@ } static int +mac_biba_cred_check_deleteacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_biba_cred_check_exec_vnode(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -1396,6 +1415,24 @@ } static int +mac_biba_cred_check_getacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int mac_biba_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { @@ -1523,6 +1560,24 @@ } static int +mac_biba_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type, struct acl *acl) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_biba_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, int attrnamespace, const char *name, struct uio *uio) @@ -1852,8 +1907,12 @@ (macop_t)mac_biba_cred_check_create_vnode }, { MAC_CRED_CHECK_DELETE_VNODE, (macop_t)mac_biba_cred_check_delete_vnode }, + { MAC_CRED_CHECK_DELETEACL_VNODE, + (macop_t)mac_biba_cred_check_deleteacl_vnode }, { MAC_CRED_CHECK_EXEC_VNODE, (macop_t)mac_biba_cred_check_exec_vnode }, + { MAC_CRED_CHECK_GETACL_VNODE, + (macop_t)mac_biba_cred_check_getacl_vnode }, { MAC_CRED_CHECK_GETEXTATTR_VNODE, (macop_t)mac_biba_cred_check_getextattr_vnode }, { MAC_CRED_CHECK_OPEN_VNODE, @@ -1866,6 +1925,8 @@ (macop_t)mac_biba_cred_check_revoke_vnode }, { MAC_CRED_CHECK_SEARCH_VNODE, (macop_t)mac_biba_cred_check_search_vnode }, + { MAC_CRED_CHECK_SETACL_VNODE, + (macop_t)mac_biba_cred_check_setacl_vnode }, { MAC_CRED_CHECK_SETEXTATTR_VNODE, (macop_t)mac_biba_cred_check_setextattr_vnode }, { MAC_CRED_CHECK_SETFLAGS_VNODE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#30 (text+ko) ==== @@ -46,6 +46,7 @@ #include <sys/types.h> #include <sys/param.h> +#include <sys/acl.h> #include <sys/conf.h> #include <sys/kernel.h> #include <sys/mac.h> @@ -334,6 +335,22 @@ } static int +mac_bsdextended_cred_check_deleteacl_vnode(struct ucred *cred, + struct vnode *vp, struct label *label, acl_type_t type) +{ + struct vattr vap; + int error; + + if (!mac_bsdextended_enabled) + return (0); + + error = VOP_GETATTR(vp, &vap, cred, curthread); + if (error) + return (error); + return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); +} + +static int mac_bsdextended_cred_check_exec_vnode(struct ucred *cred, struct vnode *vp, struct mac *label) { @@ -351,6 +368,22 @@ } static int +mac_bsdextended_cred_check_getacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + struct vattr vap; + int error; + + if (!mac_bsdextended_enabled) + return (0); + + error = VOP_GETATTR(vp, &vap, cred, curthread); + if (error) + return (error); + return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VSTAT)); +} + +static int mac_bsdextended_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, struct mac *label, int attrnamespace, const char *name, struct uio *uio) @@ -469,6 +502,22 @@ } static int +mac_bsdextended_cred_check_setacl_vnode(struct ucred *cred, + struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) +{ + struct vattr vap; + int error; + + if (!mac_bsdextended_enabled) + return (0); + + error = VOP_GETATTR(vp, &vap, cred, curthread); + if (error) + return (error); + return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); +} + +static int mac_bsdextended_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, struct mac *label, int attrnamespace, const char *name, struct uio *uio) @@ -637,8 +686,12 @@ (macop_t)mac_bsdextended_cred_check_create_vnode }, { MAC_CRED_CHECK_DELETE_VNODE, (macop_t)mac_bsdextended_cred_check_delete_vnode }, + { MAC_CRED_CHECK_DELETEACL_VNODE, + (macop_t)mac_bsdextended_cred_check_deleteacl_vnode }, { MAC_CRED_CHECK_EXEC_VNODE, (macop_t)mac_bsdextended_cred_check_exec_vnode }, + { MAC_CRED_CHECK_GETACL_VNODE, + (macop_t)mac_bsdextended_cred_check_getacl_vnode }, { MAC_CRED_CHECK_GETEXTATTR_VNODE, (macop_t)mac_bsdextended_cred_check_getextattr_vnode }, { MAC_CRED_CHECK_OPEN_VNODE, @@ -651,6 +704,8 @@ (macop_t)mac_bsdextended_cred_check_revoke_vnode }, { MAC_CRED_CHECK_SEARCH_VNODE, (macop_t)mac_bsdextended_cred_check_search_vnode }, + { MAC_CRED_CHECK_SETACL_VNODE, + (macop_t)mac_bsdextended_cred_check_setacl_vnode }, { MAC_CRED_CHECK_SETEXTATTR_VNODE, (macop_t)mac_bsdextended_cred_check_setextattr_vnode }, { MAC_CRED_CHECK_SETFLAGS_VNODE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#37 (text+ko) ==== @@ -44,6 +44,7 @@ #include <sys/types.h> #include <sys/param.h> +#include <sys/acl.h> #include <sys/conf.h> #include <sys/kernel.h> #include <sys/mac.h> @@ -1318,6 +1319,24 @@ } static int +mac_mls_cred_check_deleteacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int mac_mls_cred_check_exec_vnode(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -1336,6 +1355,24 @@ } static int +mac_mls_cred_check_getacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_mls_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { @@ -1463,6 +1500,24 @@ } static int +mac_mls_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type, struct acl *acl) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int mac_mls_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, int attrnamespace, const char *name, struct uio *uio) @@ -1792,8 +1847,12 @@ (macop_t)mac_mls_cred_check_create_vnode }, { MAC_CRED_CHECK_DELETE_VNODE, (macop_t)mac_mls_cred_check_delete_vnode }, + { MAC_CRED_CHECK_DELETEACL_VNODE, + (macop_t)mac_mls_cred_check_deleteacl_vnode }, { MAC_CRED_CHECK_EXEC_VNODE, (macop_t)mac_mls_cred_check_exec_vnode }, + { MAC_CRED_CHECK_GETACL_VNODE, + (macop_t)mac_mls_cred_check_getacl_vnode }, { MAC_CRED_CHECK_GETEXTATTR_VNODE, (macop_t)mac_mls_cred_check_getextattr_vnode }, { MAC_CRED_CHECK_OPEN_VNODE, @@ -1806,6 +1865,8 @@ (macop_t)mac_mls_cred_check_revoke_vnode }, { MAC_CRED_CHECK_SEARCH_VNODE, (macop_t)mac_mls_cred_check_search_vnode }, + { MAC_CRED_CHECK_SETACL_VNODE, + (macop_t)mac_mls_cred_check_setacl_vnode }, { MAC_CRED_CHECK_SETEXTATTR_VNODE, (macop_t)mac_mls_cred_check_setextattr_vnode }, { MAC_CRED_CHECK_SETFLAGS_VNODE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#32 (text+ko) ==== @@ -44,6 +44,7 @@ #include <sys/types.h> #include <sys/param.h> +#include <sys/acl.h> #include <sys/conf.h> #include <sys/kernel.h> #include <sys/mac.h> @@ -634,6 +635,14 @@ } static int +mac_none_cred_check_deleteacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + + return (0); +} + +static int mac_none_cred_check_exec_vnode(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -642,6 +651,14 @@ } static int +mac_none_cred_check_getacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + + return (0); +} + +static int mac_none_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { @@ -698,6 +715,14 @@ } static int +mac_none_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type, struct acl *acl) +{ + + return (0); +} + +static int mac_none_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#34 (text+ko) ==== @@ -44,6 +44,7 @@ #include <sys/types.h> #include <sys/param.h> +#include <sys/acl.h> #include <sys/conf.h> #include <sys/kernel.h> #include <sys/mac.h> @@ -1106,6 +1107,21 @@ } static int +mac_te_cred_check_getacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + + switch (vp->v_type) { + case VDIR: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_GETACL)); + default: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETACL)); + } +} + +static int mac_te_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { @@ -1139,6 +1155,21 @@ } static int +mac_te_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type, struct acl *acl) +{ + + switch (vp->v_type) { + case VDIR: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_SETACL)); + default: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_SETACL)); + } +} + +static int mac_te_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { @@ -1251,6 +1282,22 @@ } static int +mac_te_cred_check_deleteacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + + switch (vp->v_type) { + case VDIR: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETEACL)); + default: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETEACL)); + } +} + + +static int mac_te_cred_check_rename_from_vnode(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label) { @@ -1496,7 +1543,11 @@ { MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode }, { MAC_CRED_CHECK_DELETE_VNODE, (macop_t)mac_te_cred_check_delete_vnode }, + { MAC_CRED_CHECK_DELETEACL_VNODE, + (macop_t)mac_te_cred_check_deleteacl_vnode }, { MAC_CRED_CHECK_EXEC_VNODE, (macop_t)mac_te_cred_check_exec_vnode }, + { MAC_CRED_CHECK_GETACL_VNODE, + (macop_t)mac_te_cred_check_getacl_vnode }, { MAC_CRED_CHECK_GETEXTATTR_VNODE, (macop_t)mac_te_cred_check_getextattr_vnode }, { MAC_CRED_CHECK_OPEN_VNODE, (macop_t)mac_te_cred_check_open_vnode }, @@ -1508,6 +1559,8 @@ (macop_t)mac_te_cred_check_revoke_vnode }, { MAC_CRED_CHECK_SEARCH_VNODE, (macop_t)mac_te_cred_check_search_vnode }, + { MAC_CRED_CHECK_SETACL_VNODE, + (macop_t)mac_te_cred_check_setacl_vnode }, { MAC_CRED_CHECK_SETEXTATTR_VNODE, (macop_t)mac_te_cred_check_setextattr_vnode }, { MAC_CRED_CHECK_SETFLAGS_VNODE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.h#3 (text+ko) ==== @@ -66,12 +66,15 @@ #define MAC_TE_CLASS_FILE 2 #define MAC_TE_OPERATION_FILE_ADMIN 1 #define MAC_TE_OPERATION_FILE_DELETE 2 -#define MAC_TE_OPERATION_FILE_EXEC 3 -#define MAC_TE_OPERATION_FILE_GETEXTATTR 4 -#define MAC_TE_OPERATION_FILE_READ 5 -#define MAC_TE_OPERATION_FILE_SETEXTATTR 6 -#define MAC_TE_OPERATION_FILE_STAT 7 -#define MAC_TE_OPERATION_FILE_WRITE 8 +#define MAC_TE_OPERATION_FILE_DELETEACL 3 +#define MAC_TE_OPERATION_FILE_EXEC 4 +#define MAC_TE_OPERATION_FILE_GETACL 5 +#define MAC_TE_OPERATION_FILE_GETEXTATTR 6 +#define MAC_TE_OPERATION_FILE_READ 7 +#define MAC_TE_OPERATION_FILE_SETACL 8 +#define MAC_TE_OPERATION_FILE_SETEXTATTR 9 +#define MAC_TE_OPERATION_FILE_STAT 10 +#define MAC_TE_OPERATION_FILE_WRITE 11 #define MAC_TE_CLASS_MBUF 3 #define MAC_TE_OPERATION_MBUF_RECEIVE 1 @@ -81,12 +84,15 @@ #define MAC_TE_OPERATION_DIR_ADMIN 1 #define MAC_TE_OPERATION_DIR_CHDIR 2 #define MAC_TE_OPERATION_DIR_DELETE 3 -#define MAC_TE_OPERATION_DIR_GETEXTATTR 4 -#define MAC_TE_OPERATION_DIR_LOOKUP 5 -#define MAC_TE_OPERATION_DIR_READ 6 -#define MAC_TE_OPERATION_DIR_SETEXTATTR 7 -#define MAC_TE_OPERATION_DIR_STAT 8 -#define MAC_TE_OPERATION_DIR_WRITE 9 +#define MAC_TE_OPERATION_DIR_DELETEACL 4 +#define MAC_TE_OPERATION_DIR_GETACL 5 +#define MAC_TE_OPERATION_DIR_GETEXTATTR 6 +#define MAC_TE_OPERATION_DIR_LOOKUP 7 +#define MAC_TE_OPERATION_DIR_READ 8 +#define MAC_TE_OPERATION_DIR_SETACL 9 +#define MAC_TE_OPERATION_DIR_SETEXTATTR 10 +#define MAC_TE_OPERATION_DIR_STAT 11 +#define MAC_TE_OPERATION_DIR_WRITE 12 #define MAC_TE_CLASS_FS 5 #define MAC_TE_OPERATION_FS_STATFS 1 ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#4 (text+ko) ==== @@ -44,6 +44,7 @@ #include <sys/types.h> #include <sys/param.h> +#include <sys/acl.h> #include <sys/conf.h> #include <sys/kernel.h> #include <sys/mac.h> @@ -820,6 +821,14 @@ } static int +mac_test_cred_check_deleteacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + + return (0); +} + +static int mac_test_cred_check_exec_vnode(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -828,6 +837,14 @@ } static int +mac_test_cred_check_getacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + + return (0); +} + +static int mac_test_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { @@ -884,6 +901,14 @@ } static int +mac_test_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type, struct acl *acl) +{ + + return (0); +} + +static int mac_test_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { @@ -1114,8 +1139,12 @@ (macop_t)mac_test_cred_check_create_vnode }, { MAC_CRED_CHECK_DELETE_VNODE, (macop_t)mac_test_cred_check_delete_vnode }, + { MAC_CRED_CHECK_DELETEACL_VNODE, + (macop_t)mac_test_cred_check_deleteacl_vnode }, { MAC_CRED_CHECK_EXEC_VNODE, (macop_t)mac_test_cred_check_exec_vnode }, + { MAC_CRED_CHECK_GETACL_VNODE, + (macop_t)mac_test_cred_check_getacl_vnode }, { MAC_CRED_CHECK_GETEXTATTR_VNODE, (macop_t)mac_test_cred_check_getextattr_vnode }, { MAC_CRED_CHECK_LISTEN_SOCKET, @@ -1130,6 +1159,8 @@ (macop_t)mac_test_cred_check_revoke_vnode }, { MAC_CRED_CHECK_SEARCH_VNODE, (macop_t)mac_test_cred_check_search_vnode }, + { MAC_CRED_CHECK_SETACL_VNODE, + (macop_t)mac_test_cred_check_setacl_vnode }, { MAC_CRED_CHECK_SETEXTATTR_VNODE, (macop_t)mac_test_cred_check_setextattr_vnode }, { MAC_CRED_CHECK_SETFLAGS_VNODE, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206272113.g5RLD1v0027984>