Date: Tue, 16 Sep 2003 06:50:02 -0700 (PDT) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 38121 for review Message-ID: <200309161350.h8GDo22R095529@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=38121 Change 38121 by cvance@cvance_osx_laptop on 2003/09/16 06:49:05 A batch of changes. Added entry points for most process checks. Also, go ahead and ifdef away the label in struct ifnet, since it breaks the network ABI and causes all sorts of trouble. Affected files ... .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/bsd_init.c#3 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exec.c#2 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exit.c#2 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_ktrace.c#2 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#17 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_prot.c#3 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_resource.c#2 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_sig.c#2 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/net/if_var.h#3 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/bsd_init.c#3 (text+ko) ==== @@ -350,6 +350,10 @@ p->p_ucred = crget(); p->p_ucred->cr_ngroups = 1; /* group 0 */ +#ifdef MAC +/* mac_create_proc0(kernproc->p_ucred); */ +#endif + /* Create the file descriptor table. */ filedesc0.fd_refcnt = 1+1; /* +1 so shutdown will not _FREE_ZONE */ p->p_fd = &filedesc0; ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exec.c#2 (text+ko) ==== @@ -207,6 +207,12 @@ } } +#ifdef MAC_TBD + error = mac_execve_enter(NULL, NULL); + if (error) + return(error); +#endif + error = execargs_alloc(&execargs); if (error) return(error); ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exit.c#2 (text+ko) ==== @@ -553,7 +553,7 @@ register struct proc *p, *t; int status, error; struct vnode *tvp; - + struct pcred *pcred = q->p_cred; retry: if (uap->pid == 0) uap->pid = -q->p_pgid; 
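Review bot: `mac_execve_enter(NULL, NULL)` in the kern_exec.c hunk at -207 is guarded by `MAC_TBD` and passes NULL for both arguments, so nothing tells a reader that the call is a stub rather than a wired-up check, and defining the symbol would run the hook with no image or credential to evaluate. The bsd_init.c hunk at -350 is in the same state: the `mac_create_proc0(kernproc->p_ucred)` call is commented out, and so is the hook body in the kern_mac.c hunk at -1380, so proc0's credential currently receives no MAC initialisation at all. A one-line comment at each site, e.g. `/* XXX placeholder: real arguments arrive once the exec/proc0 MAC hooks are wired up */`, would record that this is intentional and temporary. Both enclosing functions start and end outside their hunks.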
@@ -565,6 +565,12 @@ p->p_pid != uap->pid && p->p_pgid != -(uap->pid)) continue; + +#ifdef MAC + if ((error = mac_check_proc_wait(pcred->pc_ucred, p))) + return (error); +#endif + nfound++; if (p->p_flag & P_WAITING) { (void)tsleep(&p->p_stat, PWAIT, "waitcoll", 0); ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_ktrace.c#2 (text+ko) ==== @@ -631,6 +631,7 @@ { register struct pcred *caller = callp->p_cred; register struct pcred *target = targetp->p_cred; + int error; if (!PRISON_CHECK(callp, targetp)) return (0); @@ -642,6 +643,11 @@ caller->pc_ucred->cr_uid == 0) return (1); +#ifdef MAC + if ((error = mac_check_proc_debug(caller->pc_ucred, targetp))) + return (error); +#endif + return (0); } ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#17 (text+ko) ==== @@ -798,7 +798,7 @@ tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL); label = (struct label *)(tag+1); #endif -#ifdef NO_MBUF +#ifdef HAVE_MBUFLABEL label = &mbuf->m_pkthdr.label; #endif return (label); @@ -872,7 +872,9 @@ mac_init_ifnet(struct ifnet *ifp) { +#ifdef HAVE_IFLABEL mac_init_ifnet_label(&ifp->if_label); +#endif } int @@ -943,7 +945,7 @@ } #endif #else -#ifdef NO_MBUF +#ifdef HAVE_MBUFLABEL mac_init_label(&m->m_pkthdr.label); MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag); if (error) { @@ -952,7 +954,7 @@ } else { MAC_DEBUG_COUNTER_INC(&nmacmbufs); } -#endif /* NO_MBUF */ +#endif /* HAVE_MBUFLABEL */ #endif return (error); } @@ -1114,7 +1116,9 @@ mac_destroy_ifnet(struct ifnet *ifp) { +#ifdef HAVE_IFLABEL mac_destroy_ifnet_label(&ifp->if_label); +#endif } void @@ -1130,10 +1134,10 @@ mac_destroy_mbuf(struct mbuf *m) { -#ifdef NO_MBUF +#ifdef HAVE_MBUFLABEL MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); -#endif /* NO_MBUF */ +#endif /* HAVE_MBUFLABEL */ MAC_DEBUG_COUNTER_DEC(&nmacmbufs); } 
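Review bot: In the kern_exit.c hunk at -565 a `mac_check_proc_wait` denial is returned immediately, which aborts the scan of the caller's children on the first child the policy hides instead of skipping it; a later child the caller is allowed to wait for is never examined, `nfound` is never incremented, and the caller receives the policy's errno where it would otherwise get a status or ECHILD. Skipping the child keeps the loop's existing semantics for the others: `if (mac_check_proc_wait(pcred->pc_ucred, p) != 0) continue;`. The loop and the enclosing function (presumably wait1) begin before the hunk and continue after it.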
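Review bot: The `mac_check_proc_debug` call in the kern_ktrace.c hunk at -643 returns the hook's errno from a function that otherwise answers 1 for permitted and 0 for denied (`return (1)` just above it, `return (0)` after it), so a MAC denial comes back as a non-zero value that callers read as permission granted; and because it sits after the DAC `return (1)`, it only executes on the path DAC has already denied, so a MAC success changes nothing either. The check should run before the DAC test and deny on failure: `if (mac_check_proc_debug(caller->pc_ucred, targetp) != 0) return (0);`. The kern_sig.c hunk at -198 has the same inversion: that function also returns 1 for permitted (`if (p == q) return(1);`), so `return (error)` on a `mac_check_proc_signal` failure grants the signal, and `return (0)` is the denial there. In both files the function signature is outside the hunk.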
@@ -1221,9 +1225,9 @@ mac_copy_mbuf(struct mbuf *src, struct mbuf *dst) { -#ifdef NO_MBUF +#ifdef HAVE_MBUFLABEL MAC_PERFORM(copy_mbuf_label, &src->m_pkthdr.label, &dst->m_pkthdr.label); -#endif /* NO_MBUF */ +#endif /* HAVE_MBUFLABEL */ } #if 0 @@ -1380,7 +1384,7 @@ mac_create_proc0(struct ucred *cred) { - MAC_PERFORM(create_proc0, cred); +/* MAC_PERFORM(create_proc0, cred); */ } /* @@ -2269,7 +2273,9 @@ mac_create_ifnet(struct ifnet *ifnet) { +#ifdef HAVE_IFLABEL MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); +#endif } void @@ -2404,8 +2410,10 @@ label = mbuf_to_label(mbuf); +#ifdef HAVE_IFLABEL MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, label); +#endif } void @@ -2415,8 +2423,10 @@ label = mbuf_to_label(mbuf); +#ifdef HAVE_IFLABEL MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, label); +#endif } void @@ -2428,8 +2438,10 @@ oldmbuflabel = mbuf_to_label(oldmbuf); newmbuflabel = mbuf_to_label(newmbuf); +#ifdef HAVE_IFLABEL MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel, ifnet, &ifnet->if_label, newmbuf, newmbuflabel); +#endif } void @@ -2496,6 +2508,7 @@ label = mbuf_to_label(m); +#ifdef HAVE_IFLABEL if (m->m_pkthdr.rcvif != NULL) ifnetlabel = &m->m_pkthdr.rcvif->if_label; else @@ -2503,6 +2516,7 @@ MAC_CHECK(update_mbuf_from_cipso, m, label, m->m_pkthdr.rcvif, ifnetlabel, cp, code); +#endif return (error); } @@ -2542,8 +2556,10 @@ if (!mac_enforce_network) return (0); +#ifdef HAVE_IFLABEL MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, &ifnet->if_label); +#endif return (error); } @@ -2584,8 +2600,10 @@ label = mbuf_to_label(mbuf); +#ifdef HAVE_IFLABEL MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, label); +#endif return (error); } @@ -3092,6 +3110,7 @@ if (error) return (error); +#ifdef HAVE_IFLABEL MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); if (error) { 
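Review bot: In the kern_mac.c hunks at -2542 and -2584, when `HAVE_IFLABEL` is not defined the `MAC_CHECK` that assigns `error` is compiled out but `return (error)` remains, so unless `error` is initialised at its declaration (which precedes each hunk) the function returns an indeterminate value and the receive/transmit decision becomes arbitrary; the hunk at -2503 in `mac_update_mbuf_from_cipso` has the same shape. Give each conditional an explicit fallback, `#else` / `error = 0;` before the `#endif`, which mirrors the `return (0)` these functions already use when `mac_enforce_network` is off, or initialise `error` where it is declared. A short comment next to the `#else` saying that interface labels are unavailable in this configuration would make the chosen default visible to the next reader.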
@@ -3107,6 +3126,7 @@ FREE(buffer, M_MACTEMP); FREE(elements, M_MACTEMP); +#endif return (error); } @@ -3157,6 +3177,7 @@ return (error); } +#ifdef HAVE_IFLABEL MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) { @@ -3165,6 +3186,7 @@ } MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); +#endif mac_destroy_ifnet_label(&intlabel); return (0); ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_prot.c#3 (text+ko) ==== ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_resource.c#2 (text+ko) ==== @@ -211,12 +211,19 @@ register struct proc *curp, *chgp; register int n; { + int error; register struct pcred *pcred = curp->p_cred; if (pcred->pc_ucred->cr_uid && pcred->p_ruid && pcred->pc_ucred->cr_uid != chgp->p_ucred->cr_uid && pcred->p_ruid != chgp->p_ucred->cr_uid) return (EPERM); + +#ifdef MAC + if ((error = mac_check_proc_sched(pcred->pc_ucred, chgp))) + return (error); +#endif + if (n > PRIO_MAX) n = PRIO_MAX; if (n < PRIO_MIN) ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_sig.c#2 (text+ko) ==== @@ -198,6 +198,13 @@ struct proc *q; int signum; { + int error; + +#ifdef MAC + if ((error = mac_check_proc_signal(pc->pc_ucred, q, signum))) + return (error); +#endif + /* you can signal yourself */ if (p == q) return(1); ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/net/if_var.h#3 (text+ko) ==== @@ -287,7 +287,9 @@ #else struct ifprefixhead if_prefixhead; /* list of prefixes per if */ #endif /* __APPLE__ */ - struct label if_label; /* interface MAC label */ +#ifdef HAVE_IFLABEL + struct label if_label; /* interface MAC label */ +#endif }; typedef void if_init_f_t __P((void *));
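Review bot: `int error;` in the kern_resource.c hunk at -211 is declared unconditionally but only assigned inside `#ifdef MAC`, so a non-MAC build gets an unused-variable warning; the kern_sig.c hunk at -198 and the kern_ktrace.c hunk at -631 declare `error` the same way. Moving the declaration inside the `#ifdef MAC` block, or narrowing it to the check itself, keeps the MAC-less build warning-free. donice's signature and the tail of its body are outside the hunk.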