From owner-p4-projects@FreeBSD.ORG Thu Jun 19 13:09:16 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 2FA3B37B404; Thu, 19 Jun 2003 13:09:16 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D59CB37B401 for ; Thu, 19 Jun 2003 13:09:15 -0700 (PDT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3D41A43FBD for ; Thu, 19 Jun 2003 13:09:15 -0700 (PDT) (envelope-from cvance@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h5JK9F0U086354 for ; Thu, 19 Jun 2003 13:09:15 -0700 (PDT) (envelope-from cvance@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h5JK9EOg086351 for perforce@freebsd.org; Thu, 19 Jun 2003 13:09:14 -0700 (PDT) Date: Thu, 19 Jun 2003 13:09:14 -0700 (PDT) Message-Id: <200306192009.h5JK9EOg086351@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to cvance@nailabs.com using -f From: Chris Vance To: Perforce Change Reviews Subject: PERFORCE change 33402 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jun 2003 20:09:17 -0000 http://perforce.freebsd.org/chv.cgi?CH=33402 Change 33402 by cvance@cvance_demo on 2003/06/19 13:08:35 - Implement pipe entry points - Fix more style issues Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#6 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_labels.h#3 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#6 (text+ko) ==== 
@@ -48,6 +48,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -269,13 +270,30 @@
 file->sclass = vnode_type_to_security_class(vp->v_type);
 if (file->sclass == 0) {
 printf("vnode_has_perm:: Giving up\n");
- return 0; /* TBD: debugging */
+ return 1; /* TBD: debugging */
 }
 }
 return avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
 perm, aeref ? aeref : &file->avcr, &ad);
 }
 
+static int
+pipe_has_perm(struct ucred *cred, struct pipe *pipe, access_vector_t perm)
+{
+ struct task_security_struct *task;
+ struct vnode_security_struct *file;
+
+ task = SLOT(&cred->cr_label);
+ file = SLOT(pipe->pipe_label);
+
+ /*
+ * TBD: No audit information yet
+ */
+
+ return(avc_has_perm_ref(task->sid, file->sid, file->sclass,
+ perm, &file->avcr));
+}
+
 static void
 sebsd_init_cred_label(struct label *label)
 {
@@ -316,6 +334,34 @@
 SLOT(label) = sbsec;
 }
 
+
+static void
+sebsd_init_network_label(struct label *label)
+{
+ struct network_security_struct *new;
+
+ new = malloc(sizeof(*new), M_SEBSD, M_ZERO | M_WAITOK);
+ new->sid = new->task_sid = SECINITSID_UNLABELED;
+ SLOT(label) = new;
+}
+
+static int
+sebsd_init_network_label_waitcheck(struct label *label, int flag)
+{
+ struct network_security_struct *new;
+
+ new = malloc(sizeof(*new), M_SEBSD, M_ZERO | flag);
+ if (new == NULL) {
+ SLOT(label) = NULL;
+ return (ENOMEM);
+ }
+
+ new->sid = new->task_sid = SECINITSID_UNLABELED;
+ SLOT(label) = new;
+
+ return (0);
+}
+
 static void
 sebsd_init_vnode_label(struct label *label)
 {
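Review bot: `return 1;` in the unknown-class branch of vnode_has_perm turns the previous allow into a deny, which is the safer default, but the bare `1` should be the named errno the rest of the file's denials use (`return (EPERM);` or `return (EACCES);`) so readers and callers know what the framework will propagate, and the `/* TBD: debugging */` comment no longer describes a debugging shortcut; vnode_has_perm begins outside the hunk. In `pipe_has_perm` the label is read from `pipe->pipe_label` while the check hooks that call it receive `pipelabel` from the framework and leave it unused; passing the label through, `pipe_has_perm(struct ucred *cred, struct label *pipelabel, access_vector_t perm)` with `file = SLOT(pipelabel);`, keeps the hooks consistent with `sebsd_create_pipe` and `sebsd_relabel_pipe`, which use the framework-supplied label. As the TBD says, no audit data is collected here, so a denied pipe access will not carry the context that vnode_has_perm's `ad` provides; worth stating in the comment that pipe denials are currently unaudited rather than only "no audit information yet".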
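Review bot: `sebsd_init_network_label` duplicates the SID setup of `sebsd_init_network_label_waitcheck`; with `M_WAITOK` the allocation does not return NULL, so the void variant can be a one-line wrapper, `(void)sebsd_init_network_label_waitcheck(label, M_WAITOK);`, leaving a single place that decides what a fresh network label looks like. Neither function says what `task_sid` means for a network object; both fields are simply set to SECINITSID_UNLABELED, so a comment such as `/* Both the object SID and the creator's SID start unlabeled; a create hook is expected to assign them. */` would record the intent, hedged until such hooks exist.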
@@ -587,6 +633,24 @@
 free(path, M_SEBSD);
 }
 
+/*
+ * Use the allocating task SID to label pipes. On Linux, pipes reside
+ * in a pseudo filesystem.
+ */
+static void
+sebsd_create_pipe(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct task_security_struct *tsec;
+ struct vnode_security_struct *vsec;
+
+ tsec = SLOT(&cred->cr_label);
+ vsec = SLOT(pipelabel);
+
+ vsec->sid = vsec->task_sid = tsec->sid;
+ vsec->sclass = SECCLASS_FIFO_FILE;
+}
+
 static void
 sebsd_create_proc0(struct ucred *cred)
 {
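Review bot: The header comment on `sebsd_create_pipe` explains where pipes live on Linux but not what that implies here; what a reader needs is that the pipe takes the creating task's SID unchanged and a fixed class, with no filesystem to associate with. Suggest `/* Label a new pipe with the SID of the creating task; the class is fixed to SECCLASS_FIFO_FILE. Unlike Linux there is no backing pseudo filesystem, so no FILESYSTEM__ASSOCIATE check applies. */`. `vsec->avcr` is left as the init hook set it, which is fine if that hook zeroes the struct — worth confirming, since this is the first point at which the pipe gets a real SID.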
@@ -779,17 +843,90 @@
 }
 
 static int
+sebsd_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
+{
+
+ return (pipe_has_perm(cred, pipe, FIFO_FILE__IOCTL));
+}
+
+static int
+sebsd_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (pipe_has_perm(cred, pipe, FIFO_FILE__POLL));
+}
+
+static int
+sebsd_check_pipe_read(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (pipe_has_perm(cred, pipe, FIFO_FILE__READ));
+}
+
+static int
+sebsd_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel, struct label *newlabel)
+{
+ struct task_security_struct *task;
+ struct vnode_security_struct *file;
+ struct vnode_security_struct *newfile;
+ int rc;
+
+ task = SLOT(&cred->cr_label);
+ file = SLOT(pipelabel);
+ newfile = SLOT(newlabel);
+
+ rc = avc_has_perm_ref(task->sid, file->sid, file->sclass,
+ FIFO_FILE__RELABELFROM, &file->avcr);
+
+ if (rc)
+ return (rc);
+
+ rc = avc_has_perm(task->sid, newfile->sid, file->sclass,
+ FIFO_FILE__RELABELTO);
+
+ /*
+ * TBD: SELinux also check filesystem associate permission:
+ return avc_has_perm_audit(newsid,
+ sbsec->sid,
+ SECCLASS_FILESYSTEM,
+ FILESYSTEM__ASSOCIATE,
+ &ad);
+ */
+ return(rc);
+}
+
+static int
+sebsd_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (pipe_has_perm(cred, pipe, FIFO_FILE__GETATTR));
+}
+
+static int
+sebsd_check_pipe_write(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (pipe_has_perm(cred, pipe, FIFO_FILE__WRITE));
+}
+
+static int
 sebsd_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 
- return(cred_has_perm(cred, proc, PROCESS__PTRACE));
+ return (cred_has_perm(cred, proc, PROCESS__PTRACE));
 }
 
 static int
 sebsd_check_proc_sched(struct ucred *cred, struct proc *proc)
 {
 
- return(cred_has_perm(cred, proc, PROCESS__SETSCHED));
+ return (cred_has_perm(cred, proc, PROCESS__SETSCHED));
 }
 
 static int
@@ -812,7 +949,7 @@
 break;
 }
 
- return cred_has_perm(cred, proc, perm);
+ return (cred_has_perm(cred, proc, perm));
 }
 
 static void
@@ -916,6 +1053,17 @@
 }
 
 static int
+sebsd_internalize_network_label(struct label *label, char *element_name,
+ char *element_data, int *claimed)
+{
+ struct network_security_struct *nsec;
+
+ nsec = SLOT(label);
+ return (sebsd_internalize_sid(&nsec->sid, element_name, element_data,
+ claimed));
+}
+
+static int
 sebsd_internalize_vnode_label(struct label *label, char *element_name,
 char *element_data, int *claimed)
 {
@@ -927,6 +1075,27 @@
 }
 
 static void
+sebsd_relabel_pipe(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel, struct label *newlabel)
+{
+ struct vnode_security_struct *source, *dest;
+
+ source = SLOT(newlabel);
+ dest = SLOT(pipelabel);
+
+ if (!source) {
+ printf("sebsd_relabel_pipe:: source is NULL!\n");
+ return;
+ }
+ if (!dest) {
+ printf("sebsd_relabel_pipe:: dest is NULL!\n");
+ return;
+ }
+
+ dest->sid = source->sid;
+}
+
+static void
 sebsd_relabel_vnode(struct ucred *cred, struct vnode *vp,
 struct label *vnodelabel, struct label *label)
 {
@@ -1492,7 +1661,7 @@
 sebsd_check_system_settime(struct ucred *cred)
 {
 
- return (0);
+ return(cred_has_capability(cred, CAPABILITY__SYS_TIME));
 }
 
 static int
@@ -1607,6 +1776,17 @@
 size, len, claimed));
 }
 
+static int
+sebsd_externalize_network_label(struct label *label, char *element_name,
+ char *element_data, size_t size, size_t *len, int *claimed)
+{
+ struct network_security_struct *nsec;
+
+ nsec = SLOT(label);
+ return (sebsd_externalize_sid(nsec->sid, element_name, element_data,
+ size, len, claimed));
+}
+
 static void
 sebsd_copy_vnode_label(struct label *src, struct label *dest)
 {
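Review bot: `sebsd_check_pipe_relabel` dereferences `newfile` without the NULL check that `sebsd_relabel_pipe` in this same change applies to the same slot, and it evaluates RELABELTO against `file->sclass` rather than the new label's class — presumably because the internalized label carries no class — which is only correct because every pipe is `SECCLASS_FIFO_FILE`; a one-line comment saying so, or the explicit form `rc = avc_has_perm(task->sid, newfile->sid, SECCLASS_FIFO_FILE, FIFO_FILE__RELABELTO);`, stops the next reader from treating it as a bug. The same function ends with `return(rc);` while this change converts `return(` to `return (` in `sebsd_check_proc_debug` and `sebsd_check_proc_sched` just below. `sebsd_check_pipe_ioctl` ignores `cmd` and `data`, so every ioctl on a pipe collapses to `FIFO_FILE__IOCTL`; record that with `/* All ioctls map to one permission; cmd is not inspected. */` so the coarse granularity is a documented decision rather than an oversight. In all six check hooks the framework-supplied `pipelabel` is unused because `pipe_has_perm` re-reads `pipe->pipe_label`.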
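Review bot: `sebsd_relabel_pipe` copies only `sid`; `task_sid` and `sclass` keep the values set in `sebsd_create_pipe`, so after a relabel the pipe reports the new SID while `task_sid` still names the creator — if that is intended, say so with `/* Only the object SID changes; task_sid still records the creator. */`. The NULL checks print to the console and return silently, and because the hook is void the caller that just passed `sebsd_check_pipe_relabel` never learns that the relabel did not happen; since both slots are allocated unconditionally by the pipe init hook, a `KASSERT` on the two pointers would record the invariant without leaving a silent failure path.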
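Review bot: `return(cred_has_capability(cred, CAPABILITY__SYS_TIME));` in `sebsd_check_system_settime` lacks the space that this same change introduces elsewhere; `return (cred_has_capability(cred, CAPABILITY__SYS_TIME));`. Replacing the unconditional `return (0)` with a capability check closes a hole where any credential could set the clock, and a one-line comment noting that settime is now gated on `CAPABILITY__SYS_TIME` would make the policy requirement visible to whoever writes the rules.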
@@ -1750,41 +1930,86 @@
 static struct mac_policy_ops sebsd_ops = {
 /* Init Labels */
 .mpo_init = sebsd_init,
+ .mpo_init_bpfdesc_label = sebsd_init_network_label,
 .mpo_init_cred_label = sebsd_init_cred_label,
 .mpo_init_devfsdirent_label = sebsd_init_vnode_label,
 .mpo_init_file_label = sebsd_init_file_label,
+ .mpo_init_ifnet_label = sebsd_init_network_label,
+ .mpo_init_ipq_label = sebsd_init_network_label,
+ .mpo_init_mbuf_label = sebsd_init_network_label_waitcheck,
 .mpo_init_mount_label = sebsd_init_mount_label,
 .mpo_init_mount_fs_label = sebsd_init_mount_fs_label,
+ .mpo_init_pipe_label = sebsd_init_vnode_label,
+ .mpo_init_socket_label = sebsd_init_network_label_waitcheck,
+ .mpo_init_socket_peer_label = sebsd_init_network_label_waitcheck,
 .mpo_init_vnode_label = sebsd_init_vnode_label,
 /* Destroy Labels */
 .mpo_destroy = sebsd_destroy,
+ .mpo_destroy_bpfdesc_label = sebsd_destroy_label,
 .mpo_destroy_cred_label = sebsd_destroy_label,
 .mpo_destroy_devfsdirent_label = sebsd_destroy_label,
+ .mpo_destroy_ifnet_label = sebsd_destroy_label,
+ .mpo_destroy_ipq_label = sebsd_destroy_label,
+ .mpo_destroy_mbuf_label = sebsd_destroy_label,
 .mpo_destroy_file_label = sebsd_destroy_label,
 .mpo_destroy_mount_label = sebsd_destroy_label,
 .mpo_destroy_mount_fs_label = sebsd_destroy_label,
+ .mpo_destroy_pipe_label = sebsd_destroy_label,
+ .mpo_destroy_socket_label = sebsd_destroy_label,
+ .mpo_destroy_socket_peer_label = sebsd_destroy_label,
 .mpo_destroy_vnode_label = sebsd_destroy_label,
 /* Copy labels */
+ .mpo_copy_pipe_label = sebsd_copy_vnode_label,
 .mpo_copy_vnode_label = sebsd_copy_vnode_label,
 /* In/Out */
 .mpo_externalize_cred_label = sebsd_externalize_cred_label,
+ .mpo_externalize_ifnet_label = sebsd_externalize_network_label,
+ .mpo_externalize_pipe_label = sebsd_externalize_vnode_label,
+ .mpo_externalize_socket_label = sebsd_externalize_network_label,
+ .mpo_externalize_socket_peer_label = sebsd_externalize_network_label,
 .mpo_externalize_vnode_label = sebsd_externalize_vnode_label,
 .mpo_internalize_cred_label = sebsd_internalize_cred_label,
+ .mpo_internalize_ifnet_label = sebsd_internalize_network_label,
+ .mpo_internalize_pipe_label = sebsd_internalize_vnode_label,
+ .mpo_internalize_socket_label = sebsd_internalize_network_label,
 .mpo_internalize_vnode_label = sebsd_internalize_vnode_label,
+#ifdef notdef
+ void (*mpo_create_mbuf_from_socket)(struct socket *so,
+ struct label *socketlabel, struct mbuf *m,
+ struct label *mbuflabel);
+ void (*mpo_create_socket)(struct ucred *cred, struct socket *so,
+ struct label *socketlabel);
+ void (*mpo_create_socket_from_socket)(struct socket *oldsocket,
+ struct label *oldsocketlabel, struct socket *newsocket,
+ struct label *newsocketlabel);
+ void (*mpo_relabel_socket)(struct ucred *cred, struct socket *so,
+ struct label *oldlabel, struct label *newlabel);
+ void (*mpo_set_socket_peer_from_mbuf)(struct mbuf *mbuf,
+ struct label *mbuflabel, struct socket *so,
+ struct label *socketpeerlabel);
+ void (*mpo_set_socket_peer_from_socket)(struct socket *oldsocket,
+ struct label *oldsocketlabel, struct socket *newsocket,
+ struct label *newsocketpeerlabel);
+#endif
+
 /* Create Labels */
 .mpo_create_cred = sebsd_create_cred,
 .mpo_create_devfs_device = sebsd_create_devfs_device,
 .mpo_create_devfs_directory = sebsd_create_devfs_directory,
 .mpo_create_devfs_symlink = sebsd_create_devfs_symlink,
 .mpo_create_file = sebsd_create_file,
+ /* .mpo_create_mbuf_from_socket = sebsd_create_mbuf_from_socket, */
+ .mpo_create_mount = sebsd_create_mount,
+ .mpo_create_pipe = sebsd_create_pipe,
 .mpo_create_proc0 = sebsd_create_proc0,
 .mpo_create_proc1 = sebsd_create_proc1,
- .mpo_create_mount = sebsd_create_mount,
 .mpo_create_root_mount = sebsd_create_root_mount,
+ /* .mpo_create_socket = sebsd_create_socket, */
+ /* .mpo_create_socket_from_socket = sebsd_create_socket_from_socket, */
 .mpo_create_vnode_extattr = sebsd_create_vnode_extattr,
 .mpo_associate_vnode_devfs = sebsd_associate_vnode_devfs,
 .mpo_associate_vnode_singlelabel = sebsd_associate_vnode_singlelabel,
@@ -1793,6 +2018,12 @@
 /* Check Labels */
 .mpo_check_cred_relabel = sebsd_check_cred_relabel,
 .mpo_check_file_create = sebsd_check_file_create,
+ /*
+ .mpo_check_file_dup
+ .mpo_check_file_inherit
+ .mpo_check_file_ioctl
+ .mpo_check_file_receive
+ */
 .mpo_check_file_get_flags = sebsd_check_file_get_flags,
 .mpo_check_file_get_ofileflags = sebsd_check_file_get_ofileflags,
 .mpo_check_file_get_offset = sebsd_check_file_get_offset,
@@ -1803,6 +2034,14 @@
 .mpo_check_kld_load = sebsd_check_kld_load,
 .mpo_check_kld_unload = sebsd_check_kld_unload,
 .mpo_check_mount_stat = sebsd_check_mount_stat,
+
+ .mpo_check_pipe_ioctl = sebsd_check_pipe_ioctl,
+ .mpo_check_pipe_poll = sebsd_check_pipe_poll,
+ .mpo_check_pipe_read = sebsd_check_pipe_read,
+ .mpo_check_pipe_relabel = sebsd_check_pipe_relabel,
+ .mpo_check_pipe_stat = sebsd_check_pipe_stat,
+ .mpo_check_pipe_write = sebsd_check_pipe_write,
+
 .mpo_check_proc_debug = sebsd_check_proc_debug,
 .mpo_check_proc_sched = sebsd_check_proc_sched,
 .mpo_check_proc_signal = sebsd_check_proc_signal,
@@ -1849,8 +2088,12 @@
 .mpo_execve_transition = sebsd_execve_transition,
 .mpo_execve_will_transition = sebsd_execve_will_transition,
 .mpo_relabel_cred = sebsd_relabel_cred,
+ .mpo_relabel_pipe = sebsd_relabel_pipe,
+ /* .mpo_relabel_socket = sebsd_relabel_socket, */
 .mpo_relabel_vnode = sebsd_relabel_vnode,
 .mpo_setlabel_vnode_extattr = sebsd_setlabel_vnode_extattr,
+ /*.mpo_set_socket_peer_from_mbuf = sebsd_set_socket_peer_from_mbuf,*/
+ /*.mpo_set_socket_peer_from_socket = sebsd_set_socket_peer_from_socket,*/
 .mpo_syscall = sebsd_syscall,
 };
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_labels.h#3 (text+ko) ====
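Review bot: The `#ifdef notdef` block inside the `sebsd_ops` initializer holds function-pointer declarations, not designated initializers, so enabling it would be a syntax error; the commented-out `/* .mpo_create_socket = … */` lines further down already record which hooks are unimplemented, and the block should be dropped. With this change ifnet, socket, socket-peer, mbuf, ipq and bpfdesc labels are allocated as SECINITSID_UNLABELED and can be externalised, but no create or check hooks for them are registered, so network objects carry a label that nothing yet enforces; a comment at the init entries, `/* Network labels are allocated but unlabeled; no create/check hooks yet. */`, makes that state explicit for anyone reading the policy's coverage. The new `.mpo_destroy_ifnet_label`, `_ipq_label` and `_mbuf_label` entries are inserted before `.mpo_destroy_file_label`, breaking the alphabetical order the rest of the destroy group follows; moving them below it is a trivial tidy. The same four hunks share the pattern of commented-out entries rather than a single TODO, which will be hard to grep for later.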
@@ -59,6 +59,12 @@
 avc_entry_ref_t avcr;
 };
 
+struct network_security_struct {
+ security_id_t sid;
+ security_id_t task_sid;
+ avc_entry_ref_t avcr;
+};
+
 struct mount_security_struct {
 security_id_t sid; /* SID of file system */
 #ifndef __FreeBSD__
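Review bot: `struct network_security_struct` lacks the per-field comments that `mount_security_struct` below carries, and since both `sid` and `task_sid` are set to SECINITSID_UNLABELED at init and nothing in this change distinguishes them for network objects, the distinction should be written down: `security_id_t sid; /* SID of the network object */` and `security_id_t task_sid; /* SID of the creating task (presumed; confirm once create hooks exist) */`. `avcr` presumably plays the same AVC-entry-reference role as the `avcr` field of the struct immediately above; a one-word comment pointing at that would save the reader a lookup.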