Date: Tue, 7 Oct 2003 12:15:21 -0700 (PDT) From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 39326 for review Message-ID: <200310071915.h97JFLc2070006@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=39326 Change 39326 by areisse@areisse_tislabs on 2003/10/07 12:15:06 Initial support for mountpoint labelling. New MAC checks: mount,umount,remount. New MAC syscall mac_get_fs() returns mount label. sebsd checks mount and associate permissions. temporary lmount() syscall allows specifing the mount label. mount updated to use lmount() for ufs. Affected files ... .. //depot/projects/trustedbsd/sebsd/sbin/mount/extern.h#2 edit .. //depot/projects/trustedbsd/sebsd/sbin/mount/mount.c#4 edit .. //depot/projects/trustedbsd/sebsd/sbin/mount/mount_ufs.c#2 edit .. //depot/projects/trustedbsd/sebsd/sys/compat/linux/linux_file.c#6 edit .. //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#12 edit .. //depot/projects/trustedbsd/sebsd/sys/kern/syscalls.master#5 edit .. //depot/projects/trustedbsd/sebsd/sys/kern/vfs_mount.c#5 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#22 edit .. //depot/projects/trustedbsd/sebsd/sys/sys/mac.h#9 edit .. //depot/projects/trustedbsd/sebsd/sys/sys/mac_policy.h#9 edit .. //depot/projects/trustedbsd/sebsd/sys/sys/mount.h#5 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#6 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/macros/user_macros.te#3 edit .. //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#3 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/sbin/mount/extern.h#2 (text+ko) ==== @@ -31,4 +31,4 @@ const char **makevfslist(char *); /* mount_ufs.c */ -int mount_ufs(int, char *const *); +int mount_ufs(int, char *const *, const char *); ==== //depot/projects/trustedbsd/sebsd/sbin/mount/mount.c#4 (text+ko) ==== 
@@ -80,7 +80,7 @@ void mangle(char *, int *, const char **); char *update_options(char *, char *, int); int mountfs(const char *, const char *, const char *, - int, const char *, const char *); + int, const char *, const char *, const char *); void remopt(char *, const char *); void prmount(struct statfs *); void putfsent(const struct statfs *); @@ -136,12 +136,13 @@ pid_t pid; int all, ch, i, init_flags, mntsize, rval, have_fstab; char *cp, *ep, *options; + char *ltext = NULL; all = init_flags = 0; options = NULL; vfslist = NULL; vfstype = "ufs"; - while ((ch = getopt(argc, argv, "adF:fo:prwt:uv")) != -1) + while ((ch = getopt(argc, argv, "adF:fo:prwt:uvl:")) != -1) switch (ch) { case 'a': all = 1; @@ -181,6 +182,9 @@ case 'w': options = catopt(options, "noro"); break; + case 'l': + ltext = strdup (optarg); + break; case '?': default: usage(); @@ -211,7 +215,7 @@ continue; if (mountfs(fs->fs_vfstype, fs->fs_spec, fs->fs_file, init_flags, options, - fs->fs_mntops)) + fs->fs_mntops, NULL)) rval = 1; } } else if (fstab_style) { @@ -268,7 +272,7 @@ mntbuf->f_flags); } rval = mountfs(mntbuf->f_fstypename, mntfromname, - mntbuf->f_mntonname, init_flags, options, 0); + mntbuf->f_mntonname, init_flags, options, 0, NULL); break; } rmslashes(*argv, *argv); @@ -280,7 +284,7 @@ errx(1, "%s has unknown file system type", *argv); rval = mountfs(fs->fs_vfstype, fs->fs_spec, fs->fs_file, - init_flags, options, fs->fs_mntops); + init_flags, options, fs->fs_mntops, ltext); break; case 2: /* @@ -309,7 +313,7 @@ vfstype = "nfs"; } rval = mountfs(vfstype, - argv[0], argv[1], init_flags, options, NULL); + argv[0], argv[1], init_flags, options, NULL, ltext); break; default: usage(); @@ -389,8 +393,8 @@ } int -mountfs(vfstype, spec, name, flags, options, mntopts) - const char *vfstype, *spec, *name, *options, *mntopts; +mountfs(vfstype, spec, name, flags, options, mntopts, ltext) + const char *vfstype, *spec, *name, *options, *mntopts, *ltext; int flags; { const char *argv[100], **edir; 
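Review bot: The `case 'l':` hunk in main() stores `strdup(optarg)` without checking for NULL, so an allocation failure leaves `ltext` NULL and the mount proceeds with no label at all instead of failing; change it to `if ((ltext = strdup(optarg)) == NULL) err(1, "strdup");`. The fstab (`-a`) and `-u` call sites in the later hunks pass `NULL` rather than `ltext`, so a `-l` given together with them is silently dropped — a warning in that combination, or a line in the usage text, would make the limitation visible. main() and mountfs() both continue outside these hunks.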
@@ -462,7 +466,7 @@ return (1); case 0: /* Child. */ if (strcmp(vfstype, "ufs") == 0) - exit(mount_ufs(argc, (char * const *) argv)); + exit(mount_ufs(argc, (char * const *) argv, ltext)); /* Go find an executable. */ (void)snprintf(execname, sizeof(execname), "mount_%s", vfstype); ==== //depot/projects/trustedbsd/sebsd/sbin/mount/mount_ufs.c#2 (text+ko) ==== @@ -55,6 +55,7 @@ #include <unistd.h> #include <ufs/ufs/ufsmount.h> +#include <sys/mac.h> #include "extern.h" #include "mntopts.h" @@ -72,13 +73,15 @@ }; int -mount_ufs(argc, argv) +mount_ufs(argc, argv, ltext) int argc; char * const argv[]; + const char *ltext; { struct ufs_args args; int ch, mntflags; char *fs_name; + int rc; mntflags = 0; optind = optreset = 1; /* Reset for parse of new argv. */ @@ -107,7 +110,20 @@ else args.export.ex_flags = 0; - if (mount("ufs", fs_name, mntflags, &args) < 0) { + if (ltext) { + mac_t mac; + rc = mac_from_text (&mac, ltext); + if (rc) { + warn("%s", ltext); + return 1; + } + + rc = syscall(396, "ufs", fs_name, mntflags, &args, mac); + } + else + rc = mount("ufs", fs_name, mntflags, &args); + + if (rc < 0) { switch (errno) { case EMFILE: warnx("%s on %s: mount table full", ==== //depot/projects/trustedbsd/sebsd/sys/compat/linux/linux_file.c#6 (text+ko) ==== @@ -801,7 +801,7 @@ fsflags |= MNT_UPDATE; } - return (vfs_mount(td, fstype, mntonname, fsflags, fsdata)); + return (vfs_mount(td, fstype, mntonname, fsflags, fsdata, NULL)); } int ==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#12 (text+ko) ==== @@ -1108,6 +1108,14 @@ } void +mac_init_mount_label(struct label *label) +{ + + mac_init_label(label); + MAC_PERFORM(init_mount_label, label); +} + +void mac_init_vnode(struct vnode *vp) { @@ -1318,6 +1326,14 @@ } void +mac_destroy_mount_label(struct label *label) +{ + + MAC_PERFORM(destroy_mount_label, label); + mac_destroy_label(label); +} + +void mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest) { struct label *src_label, *dest_label; 
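Review bot: `rc = syscall(396, "ufs", fs_name, mntflags, &args, mac);` in mount_ufs() hard-codes the slot assigned to lmount in syscalls.master; once the table is regenerated, the `SYS_`-prefixed constant from <sys/syscall.h> (or a libc wrapper) should be used so that a later renumbering cannot route the mount, together with its label, to a different syscall. The `mac_t` returned by `mac_from_text()` is never released with `mac_free(mac)` after the call; harmless in a short-lived child, but worth adding before the `if (rc < 0)` branch. The rest of mount_ufs() lies outside the hunk.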
@@ -1346,6 +1362,12 @@ MAC_PERFORM(copy_vnode_label, src, dest); } +void +mac_copy_mount_label(struct label *src, struct label *dest) +{ + MAC_PERFORM(copy_mount_label, src, dest); +} + static int mac_check_structmac_consistent(struct mac *mac) { @@ -1424,6 +1446,17 @@ } static int +mac_externalize_mount_label(struct label *label, char *elements, + char *outbuf, size_t outbuflen, int flags) +{ + int error; + + MAC_EXTERNALIZE(mount_label, label, elements, outbuf, outbuflen); + + return (error); +} + +static int mac_internalize_cred_label(struct label *label, char *string) { int error; @@ -1473,6 +1506,16 @@ return (error); } +static int +mac_internalize_mount_label(struct label *label, char *string) +{ + int error; + + MAC_INTERNALIZE(mount_label, label, string); + + return (error); +} + /* * Initialize MAC label for the first kernel process, from which other * kernel processes and threads are spawned. @@ -2801,11 +2844,11 @@ } void -mac_create_mount(struct ucred *cred, struct mount *mp) +mac_create_mount(struct ucred *cred, struct mount *mp, struct label *mount_arg_label) { MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, - &mp->mnt_fslabel); + &mp->mnt_fslabel, mount_arg_label); } void 
@@ -3207,6 +3250,45 @@ } int +mac_check_mount(struct ucred *cred, struct vnode *vp, const char *vfc_name, struct label *mntlabel) +{ + int error; + + if (!mac_enforce_fs) + return (0); + + MAC_CHECK(check_mount, cred, vp, &vp->v_label, vfc_name, mntlabel); + + return (error); +} + +int +mac_check_umount(struct ucred *cred, struct mount *mp) +{ + int error; + + if (!mac_enforce_fs) + return (0); + + MAC_CHECK(check_umount, cred, mp, &mp->mnt_mntlabel); + + return (error); +} + +int +mac_check_remount(struct ucred *cred, struct mount *mp, struct label *mount_arg_label) +{ + int error; + + if (!mac_enforce_fs) + return (0); + + MAC_CHECK(check_remount, cred, mp, &mp->mnt_mntlabel, mount_arg_label); + + return (error); +} + +int mac_check_mount_stat(struct ucred *cred, struct mount *mount) { int error; 
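Review bot: The new `mac_check_mount()` and `mac_check_remount()` definitions run past 80 columns and call their last argument `mntlabel`, while the prototypes added to mac.h name the same parameter `mount_arg_label` and the vnode `dir`; pick one spelling (the mac.h one matches `mac_create_mount()`) and wrap the declarations like the neighbouring `mac_check_mount_stat()`. A short comment above `mac_check_mount()` saying that the label argument may be NULL, in which case the policy derives the label from `vfc_name` (as sebsd_check_mount() does), would spare the reader a trip into the policy module.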
@@ -4360,6 +4442,61 @@ return (error); } +int +__mac_get_fs(struct thread *td, struct __mac_get_fs_args *uap) +{ + char *elements, *buffer; + struct nameidata nd; + struct label intlabel; + struct mac mac; + int error; + struct mount *mp; + + error = copyin(uap->mac_p, &mac, sizeof(mac)); + if (error) + return (error); + + error = mac_check_structmac_consistent(&mac); + if (error) + return (error); + + elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); + error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); + if (error) { + free(elements, M_MACTEMP); + return (error); + } + + buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); + mtx_lock(&Giant); /* VFS */ + NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p, + td); + error = namei(&nd); + if (error) + goto out; + + mp = nd.ni_vp->v_mount; + + mac_init_mount_label(&intlabel); + mac_copy_mount_label(&mp->mnt_mntlabel, &intlabel); + error = mac_externalize_mount_label(&intlabel, elements, buffer, + mac.m_buflen, M_WAITOK); + + NDFREE(&nd, 0); + mac_destroy_mount_label(&intlabel); + + if (error == 0) + error = copyout(buffer, mac.m_string, strlen(buffer)+1); + +out: + mtx_unlock(&Giant); /* VFS */ + + free(buffer, M_MACTEMP); + free(elements, M_MACTEMP); + + return (error); +} + /* * MPSAFE */ 
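Review bot: `__mac_get_fs()` externalizes the mount label for any path the caller can look up, but unlike the statfs path it never asks the policy whether the caller may observe that mount; `mac_check_mount_stat()` already exists for exactly that question, so `error = mac_check_mount_stat(td->td_ucred, mp);` right after `mp = nd.ni_vp->v_mount;`, with `NDFREE(&nd, 0)` before `goto out` on failure, would keep the two paths consistent. Whether the sebsd implementation of mount_stat enforces anything here is outside the hunk and unverified. The `copyout()` of `strlen(buffer)+1` bytes relies on the externalize step NUL-terminating within `mac.m_buflen`, the same assumption the other __mac_get_* entry points make.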
@@ -4599,6 +4736,63 @@ return (error); } +int +lmount(td, uap) + struct thread *td; + struct lmount_args /* { + char *type; + char *path; + int flags; + caddr_t data; + } */ *uap; +{ + char *fstype; + char *fspath; + char *buffer; + int error; + struct mac mac; + struct label intlabel; + + error = copyin(uap->mac_p, &mac, sizeof(mac)); + if (error) + return (error); + + error = mac_check_structmac_consistent(&mac); + if (error) + return (error); + + buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); + error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); + if (error) { + free(buffer, M_MACTEMP); + return (error); + } + + mac_init_mount_label(&intlabel); + error = mac_internalize_mount_label(&intlabel, buffer); + free(buffer, M_MACTEMP); + if (error) { + mac_destroy_mount_label(&intlabel); + return (error); + } + + fstype = malloc(MFSNAMELEN, M_TEMP, M_WAITOK); + fspath = malloc(MNAMELEN, M_TEMP, M_WAITOK); + + /* + * vfs_mount() actually takes a kernel string for `type' and + * `path' now, so extract them. + */ + error = copyinstr(uap->type, fstype, MFSNAMELEN, NULL); + if (error == 0) + error = copyinstr(uap->path, fspath, MNAMELEN, NULL); + if (error == 0) + error = vfs_mount(td, fstype, fspath, uap->flags, uap->data, &intlabel); + free(fstype, M_TEMP); + free(fspath, M_TEMP); + return (error); +} + SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); @@ -4674,4 +4868,12 @@ return (ENOSYS); } +int +lmount(td, uap) + struct thread *td; + struct lmount_args *uap; +{ + return EINVAL; +} + #endif /* !MAC */ ==== //depot/projects/trustedbsd/sebsd/sys/kern/syscalls.master#5 (text+ko) ==== 
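Review bot: In `lmount()` the label set up by `mac_init_mount_label(&intlabel)` is destroyed only on the internalize failure path; after `vfs_mount()` returns, whether it succeeded or not, `intlabel` goes out of scope without `mac_destroy_mount_label(&intlabel)`, leaking whatever the policy allocated in `init_mount_label` on every labelled mount, so add `mac_destroy_mount_label(&intlabel);` beside the two `free()` calls before `return (error);`. As far as these hunks show, `sebsd_create_mount()` copies only the sid value out of the argument label, so nothing retains a pointer into `intlabel` once vfs_mount() returns. In the `#ifndef MAC` stub in the second hunk, `return EINVAL;` differs from the surrounding stubs, which `return (ENOSYS);`. The `lmount_args` comment in the K&R declaration also omits the `mac_p` member.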
@@ -574,8 +574,9 @@ struct sf_hdtr *hdtr, off_t *sbytes, int flags); } 394 MSTD BSD { int mac_syscall(const char *policy, int call, \ void *arg); } -395 UNIMPL NOHIDE nosys -396 UNIMPL NOHIDE nosys +395 MSTD BSD { int __mac_get_fs(const char *path_p, struct mac *mac_p); } +396 STD BSD { int lmount(char *type, char *path, int flags, \ + caddr_t data, struct mac *mac_p); } 397 UNIMPL NOHIDE nosys 398 UNIMPL NOHIDE nosys 399 UNIMPL NOHIDE nosys ==== //depot/projects/trustedbsd/sebsd/sys/kern/vfs_mount.c#5 (text+ko) ==== @@ -682,7 +682,7 @@ mp->mnt_iosize_max = DFLTPHYS; #ifdef MAC mac_init_mount(mp); - mac_create_mount(td->td_ucred, mp); + mac_create_mount(td->td_ucred, mp, NULL); #endif VOP_UNLOCK(vp, 0, td); mp->mnt_optnew = optlist; /* XXXMAC: should this be above? */ @@ -848,7 +848,7 @@ if (error == 0) error = copyinstr(uap->path, fspath, MNAMELEN, NULL); if (error == 0) - error = vfs_mount(td, fstype, fspath, uap->flags, uap->data); + error = vfs_mount(td, fstype, fspath, uap->flags, uap->data, NULL); free(fstype, M_TEMP); free(fspath, M_TEMP); return (error); @@ -863,12 +863,13 @@ * into userspace. */ int -vfs_mount(td, fstype, fspath, fsflags, fsdata) +vfs_mount(td, fstype, fspath, fsflags, fsdata, mntlabel) struct thread *td; const char *fstype; char *fspath; int fsflags; void *fsdata; + struct label *mntlabel; { linker_file_t lf; struct vnode *vp; @@ -940,6 +941,13 @@ return (error); } } +#ifdef MAC + error = mac_check_remount (td->td_ucred, mp, mntlabel); + if (error) { + vput(vp); + return (error); + } +#endif if (vfs_busy(mp, LK_NOWAIT, 0, td)) { vput(vp); return (EBUSY); @@ -1017,6 +1025,13 @@ return (ENODEV); } } +#ifdef MAC + error = mac_check_mount (td->td_ucred, vp, vfsp->vfc_name, mntlabel); + if (error) { + vput(vp); + return (error); + } +#endif VI_LOCK(vp); if ((vp->v_iflag & VI_MOUNT) != 0 || vp->v_mountedhere != NULL) { 
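Review bot: `lmount` is entered as `STD` while `__mac_get_fs` on the line above is `MSTD`; since the kernel `lmount()` in kern_mac.c calls `vfs_mount()` without taking Giant itself (unlike `__mac_get_fs()`, which locks it explicitly), the `STD` marking is what makes the dispatcher hold Giant around the call, and that dependency deserves a comment, e.g. `/* STD, not MSTD: lmount() relies on the syscall layer holding Giant for vfs_mount() */`. If `lmount` is later promoted to `MSTD` it must lock Giant itself, as `__mac_get_fs()` does.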
@@ -1049,7 +1064,7 @@ mp->mnt_iosize_max = DFLTPHYS; #ifdef MAC mac_init_mount(mp); - mac_create_mount(td->td_ucred, mp); + mac_create_mount(td->td_ucred, mp, mntlabel); #endif VOP_UNLOCK(vp, 0, td); update: @@ -1272,6 +1287,12 @@ return (error); } +#ifdef MAC + error = mac_check_umount (td->td_ucred, mp); + if (error) + return (error); +#endif + /* * Don't allow unmounting the root filesystem. */ @@ -1426,7 +1447,7 @@ strlcpy(mp->mnt_stat.f_mntfromname, devname, MNAMELEN); #ifdef MAC mac_init_mount(mp); - mac_create_mount(td->td_ucred, mp); + mac_create_mount(td->td_ucred, mp, NULL); #endif *mpp = mp; return (0); ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#22 (text+ko) ==== @@ -696,9 +696,9 @@ static void sebsd_create_mount(struct ucred *cred, struct mount *mp, - struct label *mntlabel, struct label *fslabel) + struct label *mntlabel, struct label *fslabel, struct label *mount_arg_label) { - struct mount_security_struct *sbsec; + struct mount_security_struct *sbsec, *mntsec; struct mount_fs_security_struct *sbfssec; int behavior, rc; @@ -763,6 +763,11 @@ behavior = SECURITY_FS_USE_NONE; break; } + + if (mount_arg_label) { + mntsec = SLOT(mount_arg_label); + sbsec->sid = mntsec->sid; + } } /* 
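Review bot: The `mac_check_umount()` failure path added in unmount() does a bare `return (error);`, whereas the `suser()` failure just above it (only its closing braces are in the hunk) appears to release the looked-up vnode first; if that vnode is still locked or referenced at this point, the new path should release it the same way, `if (error) { vput(vp); return (error); }` (or `vrele`, whichever the neighbouring code uses). unmount() starts and ends outside the hunk, so confirm against the full function. In the `sebsd_create_mount()` hunk, assigning `sbsec->sid` from `mount_arg_label` after the fs_use switch overrides any behavior-derived sid; a one-line comment that the caller-supplied label wins because `sebsd_check_mount()` has already checked relabelto would make that deliberate.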
@@ -859,6 +864,45 @@ } static int +sebsd_check_mount (struct ucred *cred, struct vnode *vp, struct label *vl, + const char *vfc_name, struct label *mntlabel) +{ + int rc; + security_id_t sid; + int behavior; + struct vnode_security_struct *vsec; + struct task_security_struct *task; + struct mount_security_struct *sbsec; + + vsec = SLOT(vl); + task = SLOT(&cred->cr_label); + + rc = vnode_has_perm (cred, vp, FILE__MOUNTON, NULL); + if (rc) + return rc; + + if (mntlabel) { + sbsec = SLOT(mntlabel); + sid = sbsec->sid; + + rc = avc_has_perm_ref_audit (task->sid, sid, SECCLASS_FILE, + COMMON_FILE__RELABELTO, NULL, NULL); + if (rc) + return rc; + } + else { + rc = security_fs_use (vfc_name, &behavior, &sid); + if (rc) + return rc; + } + + rc = avc_has_perm_ref_audit (task->sid, sid, SECCLASS_FILESYSTEM, + FILESYSTEM__MOUNT, NULL, NULL); + + return rc; +} + +static int sebsd_check_mount_stat(struct ucred *cred, struct mount *mp, struct label *mntlabel) { @@ -867,6 +911,28 @@ } static int +sebsd_check_remount(struct ucred *cred, struct mount *mp, struct label *mntlabel, + struct label *mount_arg_label) +{ + + /* cannot change labels on filesystems */ + if (mount_arg_label) { + struct mount_security_struct *mla = SLOT(mntlabel); + struct mount_security_struct *mlb = SLOT(mount_arg_label); + if (mla->sid != mlb->sid) + return EINVAL; + } + return (mount_has_perm(cred, mp, FILESYSTEM__REMOUNT, NULL)); +} + +static int +sebsd_check_umount(struct ucred *cred, struct mount *mp, struct label *mntlabel) +{ + + return (mount_has_perm(cred, mp, FILESYSTEM__UNMOUNT, NULL)); +} + +static int sebsd_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) { 
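Review bot: `vsec` in `sebsd_check_mount()` is assigned from `SLOT(vl)` and never read; drop the local so the function builds cleanly with warnings enabled. The relabelto check on the caller-supplied label uses `SECCLASS_FILE`/`COMMON_FILE__RELABELTO` against a sid that the very next check treats as a filesystem sid (`SECCLASS_FILESYSTEM`, `FILESYSTEM__MOUNT`); SELinux's equivalent check for a context mount is on the filesystem class, so confirm the file class is intended, otherwise the policy will have to grant file-class permissions on filesystem types. `sebsd_check_remount()` returns bare `EINVAL` for a label mismatch while its siblings use parenthesised returns; a comment on why EINVAL rather than EPERM, or switching to `return (EPERM);`, would make the intent explicit.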
@@ -1098,6 +1164,17 @@ claimed)); } +static int +sebsd_internalize_mount_label(struct label *label, char *element_name, + char *element_data, int *claimed) +{ + struct mount_security_struct *vsec; + + vsec = SLOT(label); + return (sebsd_internalize_sid(&vsec->sid, element_name, element_data, + claimed)); +} + static void sebsd_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) @@ -1201,6 +1278,7 @@ { struct task_security_struct *task; struct vnode_security_struct *dir; + struct mount_security_struct *sbsec; security_class_t tclass; security_id_t newsid; struct avc_audit_data ad; @@ -1228,16 +1306,14 @@ if (rc) return rc; -#ifdef notdef - /* - * TBD: - * No support yet. - */ - if (dir->i_sb) { - sbsec = dir->i_sb->s_security; - rc = avc_has_perm_audit(newsid, sbsec->sid, SECCLASS_FILESYSTEM, - FILESYSTEM__ASSOCIATE, &ad); -#endif + if (dvp->v_mount) { + /* XXX: mpo_check_vnode_create should probably pass the mntlabel */ + sbsec = SLOT (&dvp->v_mount->mnt_mntlabel); + rc = avc_has_perm_audit(newsid, sbsec->sid, SECCLASS_FILESYSTEM, + FILESYSTEM__ASSOCIATE, &ad); + if (rc) + return rc; + } return 0; } @@ -1449,6 +1525,7 @@ struct label *oldlabel, struct label *newlabel) { struct task_security_struct *task; + struct mount_security_struct *sbsec; struct vnode_security_struct *old, *new; struct avc_audit_data ad; int rc; @@ -1475,11 +1552,15 @@ if (rc) return (rc); - /* - * TBD: - * SELinux also checks the superblock for class SECCLASS_FILESYSTEM - * and permission FILESYSTEM__ASSOCIATE - */ + + if (vp->v_mount) { + /* XXX: mpo_check_vnode_relabel should probably pass the mntlabel */ + sbsec = SLOT (&vp->v_mount->mnt_mntlabel); + rc = avc_has_perm_audit (new->sid, sbsec->sid, SECCLASS_FILESYSTEM, + FILESYSTEM__ASSOCIATE, &ad); + if (rc) + return rc; + } return 0; } 
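Review bot: `sebsd_internalize_mount_label()` names its `struct mount_security_struct *` local `vsec`, carried over from the vnode variant, and the `sebsd_externalize_mount_label()` hunk further down the same file does the same. Renaming both to `sbsec`, the name the rest of sebsd.c uses for mount security structs (see `sebsd_create_mount()`), avoids misleading the reader about what is being internalized.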
@@ -1767,6 +1848,16 @@ } static int +sebsd_externalize_mount_label(struct label *label, char *element_name, + struct sbuf *sb, int *claimed) +{ + struct mount_security_struct *vsec; + + vsec = SLOT(label); + return (sebsd_externalize_sid(vsec->sid, element_name, sb, claimed)); +} + +static int sebsd_externalize_network_label(struct label *label, char *element_name, struct sbuf *sb, int *claimed) { @@ -1784,6 +1875,14 @@ *(struct vnode_security_struct *)SLOT(src); } +static void +sebsd_copy_mount_label(struct label *src, struct label *dest) +{ + + *(struct mount_security_struct *)SLOT(dest) = + *(struct mount_security_struct *)SLOT(src); +} + static int sebsd_check_file_create(struct ucred *cred) { @@ -1913,6 +2012,7 @@ /* Copy labels */ .mpo_copy_pipe_label = sebsd_copy_vnode_label, .mpo_copy_vnode_label = sebsd_copy_vnode_label, + .mpo_copy_mount_label = sebsd_copy_mount_label, /* In/Out */ .mpo_externalize_cred_label = sebsd_externalize_cred_label, @@ -1921,11 +2021,13 @@ .mpo_externalize_socket_label = sebsd_externalize_network_label, .mpo_externalize_socket_peer_label = sebsd_externalize_network_label, .mpo_externalize_vnode_label = sebsd_externalize_vnode_label, + .mpo_externalize_mount_label = sebsd_externalize_mount_label, .mpo_internalize_cred_label = sebsd_internalize_cred_label, .mpo_internalize_ifnet_label = sebsd_internalize_network_label, .mpo_internalize_pipe_label = sebsd_internalize_vnode_label, .mpo_internalize_socket_label = sebsd_internalize_network_label, .mpo_internalize_vnode_label = sebsd_internalize_vnode_label, + .mpo_internalize_mount_label = sebsd_internalize_mount_label, #ifdef notdef void (*mpo_create_mbuf_from_socket)(struct socket *so, 
@@ -1981,6 +2083,9 @@ .mpo_check_file_change_flags = sebsd_check_file_change_flags, .mpo_check_file_change_ofileflags = sebsd_check_file_change_ofileflags, .mpo_check_file_change_offset = sebsd_check_file_change_offset, + .mpo_check_mount = sebsd_check_mount, + .mpo_check_umount = sebsd_check_umount, + .mpo_check_remount = sebsd_check_remount, .mpo_check_mount_stat = sebsd_check_mount_stat, .mpo_check_pipe_ioctl = sebsd_check_pipe_ioctl, ==== //depot/projects/trustedbsd/sebsd/sys/sys/mac.h#9 (text+ko) ==== @@ -157,8 +157,10 @@ void mac_init_proc(struct proc *); void mac_init_vnode(struct vnode *); void mac_init_vnode_label(struct label *); +void mac_init_mount_label(struct label *); void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *); void mac_copy_vnode_label(struct label *, struct label *label); +void mac_copy_mount_label(struct label *, struct label *label); void mac_destroy_bpfdesc(struct bpf_d *); void mac_destroy_cred(struct ucred *); void mac_destroy_devfsdirent(struct devfs_dirent *); @@ -177,6 +179,7 @@ void mac_destroy_mount(struct mount *); void mac_destroy_vnode(struct vnode *); void mac_destroy_vnode_label(struct label *); +void mac_destroy_mount_label(struct label *); /* * Labeling event operations: file system objects, and things that @@ -196,7 +199,7 @@ void mac_create_file(struct ucred *cred, struct file *fp); int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); -void mac_create_mount(struct ucred *cred, struct mount *mp); +void mac_create_mount(struct ucred *cred, struct mount *mp, struct label *mount_arg_label); void mac_create_root_mount(struct ucred *cred, struct mount *mp); void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel); 
@@ -338,6 +341,11 @@ int mac_check_kld_load(struct ucred *cred, struct vnode *vp); int mac_check_kld_stat(struct ucred *cred); int mac_check_kld_unload(struct ucred *cred); +int mac_check_mount(struct ucred *cred, struct vnode *dir, const char *vfc_name, + struct label *mount_arg_label); +int mac_check_remount(struct ucred *cred, struct mount *mp, + struct label *mount_arg_label); +int mac_check_umount(struct ucred *cred, struct mount *mp); int mac_check_mount_stat(struct ucred *cred, struct mount *mp); int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data); ==== //depot/projects/trustedbsd/sebsd/sys/sys/mac_policy.h#9 (text+ko) ==== @@ -130,6 +130,8 @@ struct label *dest); void (*mpo_copy_vnode_label)(struct label *src, struct label *dest); + void (*mpo_copy_mount_label)(struct label *src, + struct label *dest); int (*mpo_externalize_cred_label)(struct label *label, char *element_name, struct sbuf *sb, int *claimed); int (*mpo_externalize_ifnet_label)(struct label *label, @@ -142,6 +144,8 @@ char *element_name, struct sbuf *sb, int *claimed); int (*mpo_externalize_vnode_label)(struct label *label, char *element_name, struct sbuf *sb, int *claimed); + int (*mpo_externalize_mount_label)(struct label *label, + char *element_name, struct sbuf *sb, int *claimed); int (*mpo_internalize_cred_label)(struct label *label, char *element_name, char *element_data, int *claimed); int (*mpo_internalize_ifnet_label)(struct label *label, @@ -152,6 +156,8 @@ char *element_name, char *element_data, int *claimed); int (*mpo_internalize_vnode_label)(struct label *label, char *element_name, char *element_data, int *claimed); + int (*mpo_internalize_mount_label)(struct label *label, + char *element_name, char *element_data, int *claimed); /* * Labeling event operations: file system objects, and things that 
@@ -186,7 +192,7 @@ struct vnode *vp, struct label *vlabel, struct componentname *cnp); void (*mpo_create_mount)(struct ucred *cred, struct mount *mp, - struct label *mntlabel, struct label *fslabel); + struct label *mntlabel, struct label *fslabel, struct label *mount_arg_label); void (*mpo_create_root_mount)(struct ucred *cred, struct mount *mp, struct label *mountlabel, struct label *fslabel); void (*mpo_relabel_vnode)(struct ucred *cred, struct vnode *vp, @@ -335,7 +341,7 @@ struct label *ifnetlabel); int (*mpo_check_cap) (struct ucred *ucred, cap_value_t capv); int (*mpo_check_cred_relabel)(struct ucred *cred, - struct label *newlabel); + struct label *newlabel); int (*mpo_check_cred_visible)(struct ucred *u1, struct ucred *u2); int (*mpo_check_file_create)(struct ucred *cred); int (*mpo_check_file_dup)(struct ucred *cred, struct file *fp, @@ -403,6 +409,11 @@ struct label *vlabel); int (*mpo_check_kld_stat)(struct ucred *cred); int (*mpo_check_kld_unload)(struct ucred *cred); + int (*mpo_check_mount)(struct ucred *cred, struct vnode *dir, + struct label *dirlabel, const char *vfc_name, struct label *mount_arg_label); + int (*mpo_check_remount)(struct ucred *cred, struct mount *mp, struct label *ml, + struct label *mount_arg_label); + int (*mpo_check_umount)(struct ucred *cred, struct mount *mp, struct label *ml); int (*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp, struct label *mntlabel); int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe, ==== //depot/projects/trustedbsd/sebsd/sys/sys/mount.h#5 (text+ko) ==== @@ -368,6 +368,7 @@ */ struct mount_args; struct nameidata; +struct label; typedef int vfs_mount_t(struct mount *mp, char *path, caddr_t data, struct nameidata *ndp, struct thread *td); 
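Review bot: The `mpo_check_cred_relabel` hunk changes only whitespace on the `struct label *newlabel);` line — the removed and added lines are otherwise identical — and should be dropped from a functional change so it does not show up as a prototype edit in blame. The new `mpo_create_mount`, `mpo_check_mount` and `mpo_check_remount` member declarations run past 80 columns; wrap them like the neighbouring members.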
@@ -460,7 +461,7 @@ int vfs_getopt(struct vfsoptlist *, const char *, void **, int *); int vfs_copyopt(struct vfsoptlist *, const char *, void *, int); int vfs_mount(struct thread *td, const char *type, char *path, - int flags, void *data); + int flags, void *data, struct label *mntlabel); int vfs_setpublicfs /* set publicly exported fs */ (struct mount *, struct netexport *, struct export_args *); int vfs_lock(struct mount *); /* lock a vfs */ ==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/global_macros.te#6 (text+ko) ==== @@ -640,7 +640,10 @@ type $1_devpts_t, file_type, sysadmfile, ptyfile $2; # Allow the pty to be associated with the file system. -allow $1_devpts_t devpts_t:filesystem associate; +#allow $1_devpts_t devpts_t:filesystem associate; + +# FreeBSD doesn't use /dev/pts. +allow $1_devpts_t device_t:filesystem associate; # Label pty files with a derived type. type_transition $1_t devpts_t:chr_file $1_devpts_t; ==== //depot/projects/trustedbsd/sebsd_policy/policy/macros/user_macros.te#3 (text+ko) ==== @@ -45,6 +45,8 @@ # Access ttys. allow $1_t privfd:fd use; allow $1_t $1_tty_device_t:chr_file { poll setattr rw_file_perms }; +allow $1_tty_device_t device_t:filesystem associate; + # Use the type when relabeling terminal devices. type_change $1_t tty_device_t:chr_file $1_tty_device_t; ifdef(`dpkg.te', ` ==== //depot/projects/trustedbsd/sebsd_policy/policy/types/file.te#3 (text+ko) ==== @@ -255,6 +255,7 @@ # Allow the pty to be associated with the file system. allow devpts_t devpts_t:filesystem associate; +allow tty_device_t device_t:filesystem associate; type tmpfs_t, file_type, sysadmfile, fs_type, root_dir_type; allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
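Review bot: In global_macros.te the old rule is left in as `#allow $1_devpts_t devpts_t:filesystem associate;` next to its replacement; delete it rather than comment it out, since the `# FreeBSD doesn't use /dev/pts.` comment already records why. file.te in the last hunk keeps `allow devpts_t devpts_t:filesystem associate;` while adding the `device_t` rule for tty devices, so the same reasoning has not been applied there — confirm whether the devpts_t rule is still wanted. These `associate` grants are now load-bearing, because the `FILESYSTEM__ASSOCIATE` checks added to sebsd_check_vnode_create/relabel in sebsd.c enforce them.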