Date:      Sat, 20 Jul 2002 07:52:03 -0700 (PDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 14521 for review
Message-ID:  <200207201452.g6KEq3YZ033313@freefall.freebsd.org>

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14521

Change 14521 by rwatson@rwatson_curry on 2002/07/20 07:51:33

	Teach various policies about chroot access control.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#52 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#33 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#41 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#35 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#36 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.h#5 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#5 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#52 (text+ko) ====

@@ -1338,6 +1338,24 @@
 }
 
 static int
+mac_biba_cred_check_chroot_vnode(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!mac_biba_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(dlabel);
+
+	if (!mac_biba_dominate_single(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
 mac_biba_cred_check_create_vnode(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct vattr *vap)
 {
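Review bot: The argument order in `mac_biba_dominate_single(obj, subj)` is the entire policy decision of the new hook and is the reverse of the MLS hook added in the same change, yet nothing says which rule is meant; a reader has to re-derive that a Biba read-type access requires the object's integrity to dominate the subject's. I would add above the test: `/* chroot reads the directory: its integrity must dominate the subject's (no read down). */`. The same applies to the mac_mls.c hunk, where `mac_mls_dominate_single(subj, obj)` encodes the complementary no-read-up rule and deserves the matching comment. mac_biba_cred_check_create_vnode starts on the hunk's last line and continues outside it.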
@@ -1903,6 +1921,8 @@
 	    (macop_t)mac_biba_cred_check_debug_proc },
 	{ MAC_CRED_CHECK_CHDIR_VNODE,
 	    (macop_t)mac_biba_cred_check_chdir_vnode },
+	{ MAC_CRED_CHECK_CHROOT_VNODE,
+	    (macop_t)mac_biba_cred_check_chroot_vnode },
 	{ MAC_CRED_CHECK_CREATE_VNODE,
 	    (macop_t)mac_biba_cred_check_create_vnode },
 	{ MAC_CRED_CHECK_DELETE_VNODE,

==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#33 (text+ko) ====

@@ -321,6 +321,22 @@
 }
 
 static int
+mac_bsdextended_cred_check_chroot_vnode(struct ucred *cred, struct vnode *dvp,
+    struct mac *dlabel)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(dvp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC));
+}
+
+static int
 mac_bsdextended_cred_check_create_vnode(struct ucred *cred, struct vnode *dvp,
     struct mac *dlabel, struct vattr *vap)
 {
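Review bot: `VOP_GETATTR(dvp, &vap, cred, curthread)` in the new hook relies on the caller already holding `dvp` locked, and nothing in the function makes that precondition visible; presumably the chroot path locks the directory before invoking the MAC check, as it does for the DAC access test, but that should be confirmed and recorded. A short comment would do: `/* dvp is expected locked by the caller; chroot is treated as VEXEC (search) access judged on the directory's owner and group. */`. `dlabel` is unused because this policy decides on uid/gid rather than on labels, which the same comment could state. mac_bsdextended_cred_check_create_vnode begins on the hunk's last line and continues outside it.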
@@ -709,6 +725,8 @@
 	    (macop_t)mac_bsdextended_cred_check_access_vnode },
 	{ MAC_CRED_CHECK_CHDIR_VNODE,
 	    (macop_t)mac_bsdextended_cred_check_chdir_vnode },
+	{ MAC_CRED_CHECK_CHROOT_VNODE,
+	    (macop_t)mac_bsdextended_cred_check_chroot_vnode },
 	{ MAC_CRED_CHECK_CREATE_VNODE,
 	    (macop_t)mac_bsdextended_cred_check_create_vnode },
 	{ MAC_CRED_CHECK_DELETE_VNODE,

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#41 (text+ko) ====

@@ -1281,6 +1281,24 @@
 }
 
 static int
+mac_mls_cred_check_chroot_vnode(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mac_mls_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(dlabel);
+
+	if (!mac_mls_dominate_single(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
 mac_mls_cred_check_create_vnode(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct vattr *vap)
 {
@@ -1846,6 +1864,8 @@
 	    (macop_t)mac_mls_cred_check_debug_proc },
 	{ MAC_CRED_CHECK_CHDIR_VNODE,
 	    (macop_t)mac_mls_cred_check_chdir_vnode },
+	{ MAC_CRED_CHECK_CHROOT_VNODE,
+	    (macop_t)mac_mls_cred_check_chroot_vnode },
 	{ MAC_CRED_CHECK_CREATE_VNODE,
 	    (macop_t)mac_mls_cred_check_create_vnode },
 	{ MAC_CRED_CHECK_DELETE_VNODE,

==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#35 (text+ko) ====

@@ -612,6 +612,14 @@
 }
 
 static int
+mac_none_cred_check_chroot_vnode(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel)
+{
+
+	return (0);
+}
+
+static int
 mac_none_cred_check_create_vnode(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct vattr *vap)
 {
@@ -944,6 +952,8 @@
 	    (macop_t)mac_none_cred_check_debug_proc },
 	{ MAC_CRED_CHECK_CHDIR_VNODE,
 	    (macop_t)mac_none_cred_check_chdir_vnode },
+	{ MAC_CRED_CHECK_CHROOT_VNODE,
+	    (macop_t)mac_none_cred_check_chroot_vnode },
 	{ MAC_CRED_CHECK_CREATE_VNODE,
 	    (macop_t)mac_none_cred_check_create_vnode },
 	{ MAC_CRED_CHECK_DELETE_VNODE,

==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#36 (text+ko) ====

@@ -1245,6 +1245,15 @@
 }
 
 static int
+mac_te_cred_check_chroot_vnode(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel)
+{
+
+	return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel),
+	    MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHROOT));
+}
+
+static int
 mac_te_cred_check_create_vnode(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct vattr *vap)
 {
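Review bot: `mac_te_cred_check_chroot_vnode` has no `mac_te_enabled` guard, unlike the biba, mls and bsdextended hooks in this change, which return 0 before consulting labels when the policy is disabled; if `mac_te_check` performs that test itself this is fine, but if it does not, a disabled TE policy would still deny chroot. Worth confirming against `mac_te_check`, and if the guard lives there, a one-line comment on the call, `/* mac_te_check honours mac_te_enabled. */`, would save the next reader the same lookup. mac_te_cred_check_create_vnode starts on the hunk's last line and continues outside it.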
@@ -1527,6 +1536,8 @@
 	{ MAC_CRED_CHECK_STATFS, (macop_t)mac_te_cred_check_statfs },
 	{ MAC_CRED_CHECK_DEBUG_PROC, (macop_t)mac_te_cred_check_debug_proc },
 	{ MAC_CRED_CHECK_CHDIR_VNODE, (macop_t)mac_te_cred_check_chdir_vnode },
+	{ MAC_CRED_CHECK_CHROOT_VNODE,
+	    (macop_t)mac_te_cred_check_chroot_vnode },
 	{ MAC_CRED_CHECK_CREATE_VNODE,
 	    (macop_t)mac_te_cred_check_create_vnode },
 	{ MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },

==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.h#5 (text+ko) ====

@@ -86,16 +86,17 @@
 #define	MAC_TE_CLASS_DIR		4
 #define	MAC_TE_OPERATION_DIR_ADMIN		1
 #define	MAC_TE_OPERATION_DIR_CHDIR		2
-#define	MAC_TE_OPERATION_DIR_DELETE		3
-#define	MAC_TE_OPERATION_DIR_DELETEACL		4
-#define	MAC_TE_OPERATION_DIR_GETACL		5
-#define	MAC_TE_OPERATION_DIR_GETEXTATTR		6
-#define	MAC_TE_OPERATION_DIR_LOOKUP		7
-#define	MAC_TE_OPERATION_DIR_READ		8
-#define	MAC_TE_OPERATION_DIR_SETACL		9
-#define	MAC_TE_OPERATION_DIR_SETEXTATTR		10
-#define	MAC_TE_OPERATION_DIR_STAT		11
-#define	MAC_TE_OPERATION_DIR_WRITE		12
+#define	MAC_TE_OPERATION_DIR_CHROOT		3
+#define	MAC_TE_OPERATION_DIR_DELETE		4
+#define	MAC_TE_OPERATION_DIR_DELETEACL		5
+#define	MAC_TE_OPERATION_DIR_GETACL		6
+#define	MAC_TE_OPERATION_DIR_GETEXTATTR		7
+#define	MAC_TE_OPERATION_DIR_LOOKUP		8
+#define	MAC_TE_OPERATION_DIR_READ		9
+#define	MAC_TE_OPERATION_DIR_SETACL		10
+#define	MAC_TE_OPERATION_DIR_SETEXTATTR		11
+#define	MAC_TE_OPERATION_DIR_STAT		12
+#define	MAC_TE_OPERATION_DIR_WRITE		13
 
 #define	MAC_TE_CLASS_FS			5
 #define	MAC_TE_OPERATION_FS_STATFS		1
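Review bot: Inserting `MAC_TE_OPERATION_DIR_CHROOT` as 3 renumbers every following DIR operation (DELETE 3→4 through WRITE 12→13), so any rule table, policy file or userland tool that stores these constants numerically will, after this header changes, match a different operation than the one it was written for — a rule that previously covered DIR_DELETE would now cover DIR_CHROOT. If the values are only ever used by kernel code compiled together with this header the renumbering is harmless, but that is not evident from the hunk; otherwise appending `#define MAC_TE_OPERATION_DIR_CHROOT 13` after WRITE keeps existing encodings stable. Either way a comment at the head of the operation list stating whether the numbering is an external interface would stop the next insertion from re-raising the question.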

==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#5 (text+ko) ====

@@ -805,6 +805,14 @@
 }
 
 static int
+mac_test_cred_check_chroot_vnode(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel)
+{
+
+	return (0);
+}
+
+static int
 mac_test_cred_check_create_vnode(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct vattr *vap)
 {
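Review bot: The stub `mac_test_cred_check_chroot_vnode` returns 0 without touching `dlabel`, so if the test policy's other vnode hooks assert that the label carries the expected slot contents (they are outside this hunk, so I cannot tell), this entry point is the one place where a caller passing a wrong or uninitialised label for chroot would go unnoticed. Presumably whatever assertion the chdir hook performs should be repeated here; if the policy has no such assertions, a comment `/* No label consistency check is performed for chroot. */` would make that explicit. mac_test_cred_check_create_vnode begins on the hunk's last line and continues outside it.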
@@ -1135,6 +1143,8 @@
 	    (macop_t)mac_test_cred_check_debug_proc },
 	{ MAC_CRED_CHECK_CHDIR_VNODE,
 	    (macop_t)mac_test_cred_check_chdir_vnode },
+	{ MAC_CRED_CHECK_CHROOT_VNODE,
+	    (macop_t)mac_test_cred_check_chroot_vnode },
 	{ MAC_CRED_CHECK_CREATE_VNODE,
 	    (macop_t)mac_test_cred_check_create_vnode },
 	{ MAC_CRED_CHECK_DELETE_VNODE,




