From owner-trustedbsd-cvs@FreeBSD.ORG Wed Feb 15 18:07:13 2006
From: Todd Miller <millert@freebsd.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 91814 for review
Date: Wed, 15 Feb 2006 18:07:10 GMT
Message-Id: <200602151807.k1FI7AOW032744@repoman.freebsd.org>
List-Id: TrustedBSD CVS and Perforce commit message list <trustedbsd-cvs@FreeBSD.org>
X-List-Received-Date: Wed, 15 Feb 2006 18:07:13 -0000

http://perforce.freebsd.org/chv.cgi?CH=91814

Change 91814 by millert@millert_g4tower on 2006/02/15 18:06:52

	Add mac_check_port_receive() entry point to mediate message receipt.
	Split off mac_check_port_move_send() from mac_check_port_copy_send().
	New mac_check_port_make_send_once(), mac_check_port_move_send_once(),
	and mac_check_port_hold_send_once() entry points to differentiate
	between "send" and "send once" rights.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#14 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/ipc_right.c#6 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_port.c#8 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_perm_to_string.h#6 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_permissions.h#6 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/access_vectors#7 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#32 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#14 (text+ko) ====
@@ -1953,11 +1953,11 @@ ); /** - @brief Access control check for transferring a send right + @brief Access control check for copying a send right to another task @param task Label of the sender task @param port Label of the affected port - Access control check for transferring send rights to the port out of the + Access control check for copying send rights to the port from the specified task. A complementary entry point, mpo_check_port_hold_send, handles the receiving task. check_port_copy_send is called as part of a group of policy invocations when messages with port rights are sent. @@ -1974,6 +1974,27 @@ ); /** + @brief Access control check for transferring a send right + @param task Label of the sender task + @param port Label of the affected port + + Access control check for transferring a send right from one task to the + task listening to the specified port. A complementary entry point, + mpo_check_port_hold_send, handles the receiving task. + check_port_move_send is called as part of a group of policy invocations + when messages with port rights are sent. All access control checks made + for a particular message must be successful for the message to be sent. + + The task label and the port are locked. Sleeping is permitted. + + @return Return 0 if access is granted, non-zero otherwise. +*/ +typedef int mpo_check_port_move_send_t( + struct label *task, + struct label *port +); + +/** @brief Access control check for obtaining a send right @param task Label of the receiving task @param port Label of the affected port 
@@ -4159,10 +4180,14 @@ mpo_check_port_relabel_t *mpo_check_port_relabel; mpo_check_port_send_t *mpo_check_port_send; mpo_check_port_make_send_t *mpo_check_port_make_send; + mpo_check_port_make_send_t *mpo_check_port_make_send_once; mpo_check_port_copy_send_t *mpo_check_port_copy_send; + mpo_check_port_move_send_t *mpo_check_port_move_send; + mpo_check_port_move_send_t *mpo_check_port_move_send_once; mpo_check_port_receive_t *mpo_check_port_receive; mpo_check_port_move_receive_t *mpo_check_port_move_receive; mpo_check_port_hold_send_t *mpo_check_port_hold_send; + mpo_check_port_hold_send_t *mpo_check_port_hold_send_once; mpo_check_port_hold_receive_t *mpo_check_port_hold_receive; mpo_check_cred_visible_t *mpo_check_cred_visible; mpo_check_fcntl_t *mpo_check_fcntl; ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/ipc_right.c#6 (text+ko) ==== @@ -1333,6 +1333,21 @@ switch (msgt_name) { case MACH_MSG_TYPE_MAKE_SEND: + if ((bits & MACH_PORT_TYPE_RECEIVE) == 0) + return FALSE; + +#ifdef MAC + port = (ipc_port_t) entry->ie_object; + ip_lock(port); + tasklabel_lock(self); + rc = mac_check_port_make_send(&self->maclabel, &port->ip_label); + tasklabel_unlock(self); + ip_unlock(port); + if (rc) + return FALSE; +#endif + break; + case MACH_MSG_TYPE_MAKE_SEND_ONCE: if ((bits & MACH_PORT_TYPE_RECEIVE) == 0) return FALSE; @@ -1341,7 +1356,7 @@ port = (ipc_port_t) entry->ie_object; ip_lock(port); tasklabel_lock(self); - rc = mac_check_port_make_send(&self->maclabel, &port->ip_label); + rc = mac_check_port_make_send_once(&self->maclabel, &port->ip_label); tasklabel_unlock(self); ip_unlock(port); if (rc) 
@@ -1384,7 +1399,22 @@ active = ip_active(port); #ifdef MAC tasklabel_lock(self); - rc = mac_check_port_copy_send(&self->maclabel, &port->ip_label); + switch (msgt_name) { + case MACH_MSG_TYPE_COPY_SEND: + rc = mac_check_port_copy_send(&self->maclabel, + &port->ip_label); + break; + case MACH_MSG_TYPE_MOVE_SEND: + rc = mac_check_port_move_send(&self->maclabel, + &port->ip_label); + break; + case MACH_MSG_TYPE_MOVE_SEND_ONCE: + rc = mac_check_port_move_send_once(&self->maclabel, + &port->ip_label); + break; + default: + panic("ipc_right_copyin_check: strange rights"); + } tasklabel_unlock(self); if (rc) { ip_unlock(port); @@ -1510,7 +1540,7 @@ #ifdef MAC tasklabel_lock(self); - rc = mac_check_port_make_send(&self->maclabel, &port->ip_label); + rc = mac_check_port_make_send_once(&self->maclabel, &port->ip_label); tasklabel_unlock(self); if (rc) { ip_unlock(port); @@ -1664,7 +1694,7 @@ #ifdef MAC tasklabel_lock(self); - rc = mac_check_port_copy_send(&self->maclabel, &port->ip_label); + rc = mac_check_port_move_send(&self->maclabel, &port->ip_label); tasklabel_unlock(self); if (rc) { ip_unlock(port); @@ -1742,7 +1772,8 @@ #ifdef MAC tasklabel_lock(self); - rc = mac_check_port_copy_send(&self->maclabel, &port->ip_label); + rc = mac_check_port_move_send_once(&self->maclabel, + &port->ip_label); tasklabel_unlock(self); if (rc) { ip_unlock(port); @@ -1947,7 +1978,7 @@ #ifdef MAC tasklabel_lock(self); - rc = mac_check_port_copy_send(&self->maclabel, &port->ip_label); + rc = mac_check_port_move_send(&self->maclabel, &port->ip_label); tasklabel_unlock(self); if (rc) { ip_unlock(port); @@ -2053,7 +2084,7 @@ #ifdef MAC if (space->is_task) { tasklabel_lock(space->is_task); - rc = mac_check_port_hold_send(&space->is_task->maclabel, + rc = mac_check_port_hold_send_once(&space->is_task->maclabel, &port->ip_label); tasklabel_unlock(space->is_task); ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_port.c#8 (text+ko) ==== 
@@ -148,6 +148,16 @@ } int +mac_check_port_make_send_once(struct label *task, struct label *port) +{ + int error; + + MAC_CHECK(check_port_make_send_once, task, port); + + return (error); +} + +int mac_check_port_copy_send(struct label *task, struct label *port) { int error; @@ -158,6 +168,26 @@ } int +mac_check_port_move_send(struct label *task, struct label *port) +{ + int error; + + MAC_CHECK(check_port_move_send, task, port); + + return (error); +} + +int +mac_check_port_move_send_once(struct label *task, struct label *port) +{ + int error; + + MAC_CHECK(check_port_move_send_once, task, port); + + return (error); +} + +int mac_check_port_move_receive(struct label *task, struct label *port) { int error; @@ -178,6 +208,16 @@ } int +mac_check_port_hold_send_once(struct label *task, struct label *port) +{ + int error; + + MAC_CHECK(check_port_hold_send_once, task, port); + + return (error); +} + +int mac_check_port_hold_receive(struct label *task, struct label *port) { int error; ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_perm_to_string.h#6 (text+ko) ==== 
@@ -129,10 +129,16 @@ { SECCLASS_MACH_PORT, MACH_PORT__SEND, "send" }, { SECCLASS_MACH_PORT, MACH_PORT__RECV, "recv" }, { SECCLASS_MACH_PORT, MACH_PORT__MAKE_SEND, "make_send" }, + { SECCLASS_MACH_PORT, MACH_PORT__MAKE_SEND_ONCE, "make_send_once" }, { SECCLASS_MACH_PORT, MACH_PORT__COPY_SEND, "copy_send" }, + { SECCLASS_MACH_PORT, MACH_PORT__MOVE_SEND, "move_send" }, + { SECCLASS_MACH_PORT, MACH_PORT__MOVE_SEND_ONCE, "move_send_once" }, { SECCLASS_MACH_PORT, MACH_PORT__MOVE_RECV, "move_recv" }, + { SECCLASS_MACH_PORT, MACH_PORT__MOVE_RECV_ONCE, "move_recv_once" }, { SECCLASS_MACH_PORT, MACH_PORT__HOLD_SEND, "hold_send" }, + { SECCLASS_MACH_PORT, MACH_PORT__HOLD_SEND_ONCE, "hold_send_once" }, { SECCLASS_MACH_PORT, MACH_PORT__HOLD_RECV, "hold_recv" }, + { SECCLASS_MACH_PORT, MACH_PORT__HOLD_RECV_ONCE, "hold_recv_once" }, { SECCLASS_MACH_TASK, MACH_TASK__TERMINATE, "terminate" }, { SECCLASS_MACH_TASK, MACH_TASK__SET_SPECIAL_PORT, "set_special_port" }, }; ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_permissions.h#6 (text+ko) ==== 
@@ -606,10 +606,16 @@ #define MACH_PORT__SEND 0x0000000000000004UL #define MACH_PORT__RECV 0x0000000000000008UL #define MACH_PORT__MAKE_SEND 0x0000000000000010UL -#define MACH_PORT__COPY_SEND 0x0000000000000020UL -#define MACH_PORT__MOVE_RECV 0x0000000000000040UL -#define MACH_PORT__HOLD_SEND 0x0000000000000080UL -#define MACH_PORT__HOLD_RECV 0x0000000000000100UL +#define MACH_PORT__MAKE_SEND_ONCE 0x0000000000000020UL +#define MACH_PORT__COPY_SEND 0x0000000000000040UL +#define MACH_PORT__MOVE_SEND 0x0000000000000080UL +#define MACH_PORT__MOVE_SEND_ONCE 0x0000000000000100UL +#define MACH_PORT__MOVE_RECV 0x0000000000000200UL +#define MACH_PORT__MOVE_RECV_ONCE 0x0000000000000400UL +#define MACH_PORT__HOLD_SEND 0x0000000000000800UL +#define MACH_PORT__HOLD_SEND_ONCE 0x0000000000001000UL +#define MACH_PORT__HOLD_RECV 0x0000000000002000UL +#define MACH_PORT__HOLD_RECV_ONCE 0x0000000000004000UL #define MACH_TASK__TERMINATE 0x0000000000000001UL #define MACH_TASK__SET_SPECIAL_PORT 0x0000000000000002UL ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/access_vectors#7 (text+ko) ==== @@ -360,10 +360,16 @@ send recv make_send + make_send_once copy_send + move_send + move_send_once move_recv + move_recv_once hold_send + hold_send_once hold_recv + hold_recv_once } class mach_task ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#32 (text+ko) ==== @@ -116,6 +116,8 @@ int sebsd_verbose = 0; +static struct label *last_dead_cred_label, *last_dead_task_label, *last_dead_port_label; // XXX - testing + static int slot = 1; /* TBD, dynamic */ #define SLOT(l) ((void *)LABEL_TO_SLOT((l), slot).l_ptr) 
@@ -483,6 +485,24 @@ static void sebsd_destroy_cred_label(struct label *label) { + // printk("sebsd_destroy_cred_label(%p)\n", &LABEL_TO_SLOT((label), slot)); + last_dead_cred_label = label; + sebsd_free (SLOT(label)); + SLOT(label) = NULL; +} + +static void +sebsd_destroy_task_label(struct label *label) +{ + last_dead_task_label = label; + sebsd_free (SLOT(label)); + SLOT(label) = NULL; +} + +static void +sebsd_destroy_port_label(struct label *label) +{ + last_dead_port_label = label; sebsd_free (SLOT(label)); SLOT(label) = NULL; } @@ -1169,9 +1189,13 @@ CHECK_SIMPLE_PERM(msg_send, MACH_PORT, SEND); CHECK_SIMPLE_PERM(msg_receive, MACH_PORT, RECV); CHECK_SIMPLE_PERM(port_make_send, MACH_PORT, MAKE_SEND); +CHECK_SIMPLE_PERM(port_make_send_once, MACH_PORT, MAKE_SEND_ONCE); CHECK_SIMPLE_PERM(port_copy_send, MACH_PORT, COPY_SEND); +CHECK_SIMPLE_PERM(port_move_send, MACH_PORT, COPY_SEND); +CHECK_SIMPLE_PERM(port_move_send_once, MACH_PORT, MOVE_SEND_ONCE); CHECK_SIMPLE_PERM(port_move_recv, MACH_PORT, MOVE_RECV); CHECK_SIMPLE_PERM(port_hold_send, MACH_PORT, HOLD_SEND); +CHECK_SIMPLE_PERM(port_hold_send_once, MACH_PORT, HOLD_SEND_ONCE); CHECK_SIMPLE_PERM(port_hold_recv, MACH_PORT, HOLD_RECV); extern struct policydb policydb; @@ -2339,7 +2363,13 @@ { struct task_security_struct *task; - task = SLOT(label); + /* XXX - SLOT should not return NULL but there is a signal race */ + /* XXX - this may be fixed... */ + if ((task = SLOT(label)) == NULL) { + printk("sebsd_externalize_cred_label: SLOT returned NULL!\n"); + printk("label: %p, last_task: %p, last_cred: %p, last_port: %p\n", label, last_dead_task_label, last_dead_cred_label, last_dead_port_label); // XXX + return (ESRCH); + } return (sebsd_externalize_sid(task->sid, element_name, sb)); } 
@@ -2635,8 +2665,8 @@ .mpo_destroy = sebsd_destroy, .mpo_destroy_cred_label = sebsd_destroy_cred_label, - .mpo_destroy_task_label = sebsd_destroy_cred_label, - .mpo_destroy_port_label = sebsd_destroy_cred_label, + .mpo_destroy_task_label = sebsd_destroy_task_label, + .mpo_destroy_port_label = sebsd_destroy_port_label, .mpo_destroy_vnode_label = sebsd_destroy_vnode_label, .mpo_destroy_devfsdirent_label = sebsd_destroy_vnode_label, @@ -2685,9 +2715,13 @@ .mpo_check_port_send = sebsd_check_msg_send, .mpo_check_port_receive = sebsd_check_msg_receive, .mpo_check_port_make_send = sebsd_check_port_make_send, + .mpo_check_port_make_send_once = sebsd_check_port_make_send_once, .mpo_check_port_copy_send = sebsd_check_port_copy_send, + .mpo_check_port_move_send = sebsd_check_port_move_send, + .mpo_check_port_move_send_once = sebsd_check_port_move_send_once, .mpo_check_port_move_receive = sebsd_check_port_move_recv, .mpo_check_port_hold_send = sebsd_check_port_hold_send, + .mpo_check_port_hold_send_once = sebsd_check_port_hold_send_once, .mpo_check_port_hold_receive = sebsd_check_port_hold_recv, .mpo_check_proc_setlcid = sebsd_check_proc_setlcid, .mpo_check_proc_signal = sebsd_check_proc_signal,
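Review bot: In the mac_policy.h hunk at @@ -1974 the new mpo_check_port_move_send_t doc block describes the wrong endpoint: "transferring a send right from one task to the task listening to the specified port" is not what is mediated. The right is moved out of the sending task's port name space into a message, and whichever task receives that message acquires it (that side is covered by mpo_check_port_hold_send), not the task that holds the receive right for the port being moved. Reword it to parallel the copy_send text, e.g. "Access control check for moving the send right for the specified port out of the sending task", and add matching @brief blocks for the make_send_once, move_send_once and hold_send_once entry points, which get no documentation in this change.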
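Review bot: In the mac_policy.h struct hunk at @@ -4159 the new mpo_check_port_make_send_once and mpo_check_port_hold_send_once members reuse the mpo_check_port_make_send_t and mpo_check_port_hold_send_t typedefs, while move_send_once gets its own mpo_check_port_move_send_t; give each new entry point its own typedef (mpo_check_port_make_send_once_t, mpo_check_port_hold_send_once_t) so policy modules that want different signatures or documentation for "once" rights are not tied to the plain-send types, and so the header is consistent with itself.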
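Review bot: In the ipc_right.c hunk at @@ -1333 the new MACH_MSG_TYPE_MAKE_SEND arm duplicates the MACH_MSG_TYPE_MAKE_SEND_ONCE arm line for line (receive-bit test, ip_lock, tasklabel_lock, unlock, return FALSE) with only the mac_check_port_* call differing; keep the fall-through and select the check on msgt_name, or factor the locked check into a small static helper, so the two arms cannot drift apart the next time the locking order or error handling changes.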
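Review bot: In the ipc_right.c hunk at @@ -1384 the panic("ipc_right_copyin_check: strange rights") default is unreachable only because the enclosing case labels already limit msgt_name to COPY_SEND, MOVE_SEND and MOVE_SEND_ONCE; msgt_name ultimately comes from a user-supplied message descriptor, so a default that sets rc to a non-zero value and lets the existing "if (rc) { ip_unlock(port); ..." path reject the right is safer than a panic, which would turn any future loosening of the case labels into a kernel crash triggerable from user space.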
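Review bot: The mac_port.c hunks add wrappers for make_send_once, move_send, move_send_once and hold_send_once, but no mac_check_port_receive() wrapper, even though the change description lists that entry point first; in the mac_policy.h struct hunk mpo_check_port_receive appears only as unchanged context and sebsd.c already wires .mpo_check_port_receive to sebsd_check_msg_receive in its context lines. Either the receive entry point predates this change and the description should say so, or the receive-side mediation is missing from the patch and needs its wrapper and an ipc_kmsg-side call site.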
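Review bot: In av_perm_to_string.h and the access_vectors hunk, move_recv_once and hold_recv_once are added to the mach_port class but nothing in this change checks them: there is no mpo_check_port_move_receive_once or hold_receive_once entry point in mac_policy.h, no wrapper in mac_port.c and no CHECK_SIMPLE_PERM in sebsd.c, and Mach has no "receive once" right for them to mediate. Drop the two vectors (or say what they are reserved for), otherwise the policy language exposes permissions that can never be enforced and a policy author may believe a rule has an effect it does not.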
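Review bot: In the av_permissions.h hunk the pre-existing bits all move because the new vectors are inserted in the middle of the mach_port list in access_vectors rather than appended: MACH_PORT__COPY_SEND goes from 0x20 to 0x40, MOVE_RECV from 0x40 to 0x200, HOLD_SEND from 0x80 to 0x800 and HOLD_RECV from 0x100 to 0x2000. A binary policy built against the old numbering loaded into this kernel would grant and deny the wrong permissions, so either append make_send_once, move_send, move_send_once and hold_send_once after hold_recv to keep the existing values stable, or make sure the compiled policy is regenerated and shipped in the same commit as these headers.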
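Review bot: In the sebsd.c hunk at @@ -483 the new sebsd_destroy_task_label and sebsd_destroy_port_label are copies of sebsd_destroy_cred_label whose only difference is which last_dead_* global they update, and the commented-out printk above them is dead code; the last_dead_* pointers (declared in the @@ -116 hunk and marked "XXX - testing") record addresses of labels that have just been freed and exist only to feed the debug printk in the externalize path. Either remove the debugging scaffolding before this goes in and collapse the three destroy functions back to one, or gate it on sebsd_verbose so a production kernel does not carry it.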
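Review bot: In the sebsd.c hunk at @@ -2339 returning ESRCH when SLOT(label) is NULL is the right fail-closed behaviour for an externalize call on a label whose slot has already been torn down, and it should stay; the two printk lines, however, print raw kernel pointers (label and the three last_dead_* globals) to the console on every occurrence and are marked "XXX - this may be fixed...", so keep the NULL check and drop or sebsd_verbose-gate the printks. If the underlying "signal race" the comment mentions is still open, note it in the commit message rather than in a comment that is already unsure whether the bug exists.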
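Review bot: In the sebsd.c CHECK_SIMPLE_PERM hunk at @@ -1169, `CHECK_SIMPLE_PERM(port_move_send, MACH_PORT, COPY_SEND);` wires the new move_send entry point to the copy_send permission, so the MACH_PORT__MOVE_SEND bit added in av_permissions.h and access_vectors is never consulted by this policy, and a domain granted copy_send but denied move_send on a port can still move the right out of its name space. It should read `CHECK_SIMPLE_PERM(port_move_send, MACH_PORT, MOVE_SEND);` to match the move_send_once line directly below it; without that fix the whole copy/move split in ipc_right.c has no effect in SEBSD.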