Date: Tue, 15 Oct 2002 18:50:53 -0400 (EDT) From: Robert Watson <rwatson@FreeBSD.org> To: Brian Feldman <green@FreeBSD.org> Cc: Perforce Change Reviews <perforce@FreeBSD.org> Subject: Re: PERFORCE change 19355 for review Message-ID: <Pine.NEB.3.96L.1021015184357.36711A-100000@fledge.watson.org> In-Reply-To: <200210152203.g9FM3Fu1012887@repoman.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
It looks like you committed a lot of stuff here without meaning to. Please finish fixing your last few integs before committing more new features, and make sure you do some p4 opens/resolves to make sure you don't have any surprises in your local tree :-). Comments on what you meant to commit below. On Tue, 15 Oct 2002, Brian Feldman wrote: > #ifdef MAC > - will_transition = mac_execve_will_transition(oldcred, imgp->vp); > + if (imgp->interpvp != NULL) /* XXX Could this ever deadlock? */ > + vn_lock(imgp->interpvp, LK_EXCLUSIVE | LK_RETRY, td); If this lock is grabbed while holding any other file vnode lock, yes. You cannot hold vnode locks on more than one file at a time, since there is no defined lock order between any two files. The lock order is only defined between directories and their children -- since files are leaf nodes, you can't grab more than one or you risk deadlock. You'll need to find another way to accomplish this. > + will_transition = mac_execve_will_transition(oldcred, imgp->vp, > + imgp->interpvp); > + if (imgp->interpvp != NULL) > + VOP_UNLOCK(imgp->interpvp, 0, td); > credential_changing |= will_transition; > #endif > > @@ -498,7 +505,13 @@ > change_egid(newcred, attr.va_gid); > #ifdef MAC > if (will_transition) { > - mac_execve_transition(oldcred, newcred, imgp->vp); > + if (imgp->interpvp != NULL) > + vn_lock(imgp->interpvp, LK_EXCLUSIVE | > + LK_RETRY, td); > + mac_execve_transition(oldcred, newcred, imgp->vp, > + imgp->interpvp); > + if (imgp->interpvp != NULL) > + VOP_UNLOCK(imgp->interpvp, 0, td); You'll need a similar XXX here if you're holding another lock here. > } > #endif > /* > @@ -630,6 +643,8 @@ > vput(imgp->vp); > vrele(ndp->ni_dvp); > } > + if (imgp->interpvp != NULL) > + vrele(imgp->interpvp); > > if (imgp->object) > vm_object_deallocate(imgp->object); > > ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#310 (text+ko) ==== > > @@ -2057,7 +2057,8 @@ > } > > void > -mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) > +mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, > + struct vnode *shellvp) > { > int error; > > @@ -2069,21 +2070,31 @@ > error); > printf("mac_execve_transition: using old vnode label\n"); > } > + if (shellvp != NULL) > + (void)vn_refreshlabel(shellvp, old); > > - MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); > + MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label, shellvp, > + shellvp != NULL ? &shellvp->v_label : NULL); > } > > int > -mac_execve_will_transition(struct ucred *old, struct vnode *vp) > +mac_execve_will_transition(struct ucred *old, struct vnode *vp, > + struct vnode *shellvp) > { > int error, result; > > error = vn_refreshlabel(vp, old); > if (error) > return (error); > + if (shellvp != NULL) { > + error = vn_refreshlabel(shellvp, old); > + if (error) > + return (error); > + } > > result = 0; > - MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); > + MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label, > + shellvp, shellvp != NULL ? &shellvp->v_label : NULL); > > return (result); > } > > ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#132 (text+ko) ==== > > @@ -1236,7 +1236,8 @@ > > static void > mac_biba_execve_transition(struct ucred *old, struct ucred *new, > - struct vnode *vp, struct mac *vnodelabel) > + struct vnode *vp, struct mac *vnodelabel, struct vnode *shellvp, > + struct mac *shellvnodelabel) > { > struct mac_biba *source, *dest; > > @@ -1249,7 +1250,8 @@ > > static int > mac_biba_execve_will_transition(struct ucred *old, struct vnode *vp, > - struct mac *vnodelabel) > + struct mac *vnodelabel, struct vnode *shellvp, > + struct vnode *shellvnodelabel) > { > > return (0); > > ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/kernel_plm.c#3 (text+ko) ==== > > @@ -43,11 +43,11 @@ > #include <sys/systm.h> > #include <sys/vnode.h> > #include <sys/namei.h> > +#include <sys/mac.h> > > -#include "kernel_interface.h" > -#include "kernel_plm.h" > -#include "lomacfs.h" > -#include "policy_plm.h" > +#include <security/mac_lomac/mac_lomac.h> > +#include <security/mac_lomac/kernel_plm.h> > +#include <security/mac_lomac/policy_plm.h> > > MALLOC_DEFINE(M_LOMACPLM, "LOMAC_PLM", "LOMAC PLM nodes and strings"); > char *strsep(register char **stringp, register const char *delim); > @@ -227,7 +227,7 @@ > return (sl->string); > } > > -static int > +int > lomac_plm_initialize(void) { > struct lomac_node_entry *plne, *lne; > plm_rule_t *pr; > > ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/kernel_plm.h#3 (text+ko) ==== > > @@ -72,7 +72,8 @@ > struct lomac_node_entry *ln_entry; > }; > > -void lomac_plm_init_lomacfs_vnode(struct vnode *dvp, struct vnode *vp, > - struct componentname *cnp, lattr_t *subjlattr); > +void lomac_plm_init_lomacfs_vnode(struct vnode *dvp, struct lomac_node *dln, > + struct vnode *vp, struct lomac_node *ln, struct componentname *cnp); > +int lomac_plm_initialize(void); > > #endif /* KERNEL_PLM_H */ > > ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#7 (text+ko) ==== > > @@ -75,6 +75,7 @@ > #include <sys/mac_policy.h> > > #include <security/mac_lomac/mac_lomac.h> > +#include <security/mac_lomac/kernel_plm.h> > > SYSCTL_DECL(_security_mac); > > @@ -111,6 +112,8 @@ > #define SLOT(l) ((struct mac_biba *)LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr) > #define PSLOT(l) ((struct mac_biba_proc *) \ > LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr) > +#define VSLOT(l) ((struct lomac_node *) LABEL_TO_SLOT((l), \ > + mac_lomac_slot).l_ptr) > > struct mac_biba_proc { > struct mac_biba mac_biba; > @@ -212,9 +215,9 @@ > mac_biba_single_in_range(struct mac_biba *single, struct mac_biba *range) > { > > - KASSERT((single->mb_flag & MAC_BIBA_FLAG_SINGLE) != 0, > + KASSERT((single->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0, > ("mac_biba_single_in_range: a not single")); > - KASSERT((range->mb_flag & MAC_BIBA_FLAG_RANGE) != 0, > + KASSERT((range->mb_flags & MAC_BIBA_FLAG_RANGE) != 0, > ("mac_biba_single_in_range: b not range")); > > return (mac_biba_dominate_element(&range->mb_rangehigh, > @@ -301,8 +304,8 @@ > mac_biba_subject_equal_ok(struct mac_biba *mac_biba) > { > > - KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH == > - MAC_BIBA_FLAGS_BOTH), > + KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) == > + MAC_BIBA_FLAGS_BOTH, > ("mac_biba_subject_equal_ok: subject doesn't have both labels")); > > /* If the single is EQUAL, it's ok */ > @@ -401,7 +404,7 @@ > mac_biba->mb_flags |= MAC_BIBA_FLAG_RANGE; > } > > -static void > +void > mac_biba_set_single(struct mac_biba *mac_biba, u_short type, u_short grade) > { > > @@ -445,7 +448,7 @@ > labelto->mb_flags |= MAC_BIBA_FLAG_RANGE; > } > > -static void > +void > mac_biba_copy(struct mac_biba *source, struct mac_biba *dest) > { > > @@ -468,6 +471,11 @@ > mac_biba_init(struct mac_policy_conf *conf) > { > > + /* > + * XXX This can fail, resulting in all files in the system > + * being high integrity. > + */ > + (void)lomac_plm_initialize(); > } > > static void > @@ -489,6 +497,11 @@ > mac_biba_copy_single(objlabel, &subj->mac_biba); > mac_biba_copy_single_to_range(objlabel, &subj->mac_biba); > subj->mac_biba.mb_flags |= MAC_BIBA_FLAG_UPDATESUBJ; > + mtx_lock_spin(&sched_lock); > + curthread->td_kse->ke_flags |= KEF_ASTPENDING; > + curthread->td_proc->p_sflag |= PS_MACPEND; > + mtx_unlock_spin(&sched_lock); > + mac_set_ast_pending(); > out: > mtx_unlock(&subj->mtx); > } > @@ -588,7 +601,8 @@ > mac_biba_init_vnode(struct vnode *vp, struct label *label) > { > > - SLOT(label) = biba_alloc(M_WAITOK); > + VSLOT(label) = malloc(sizeof(struct lomac_node), M_MACLOMAC, > + M_ZERO | M_WAITOK); > } > > static void > @@ -775,15 +789,13 @@ > } > > static void > -mac_biba_create_vnode(struct ucred *cred, struct vnode *parent, > - struct label *parentlabel, struct vnode *child, struct label *childlabel) > +mac_lomac_create_vnode(struct ucred *cred, struct vnode *parent, > + struct label *parentlabel, struct vnode *child, struct label *childlabel, > + struct componentname *cnp) > { > - struct mac_biba *source, *dest; > > - source = SLOT(&cred->cr_label); > - dest = SLOT(childlabel); > - > - mac_biba_copy_single(source, dest); > + lomac_plm_init_lomacfs_vnode(parent, VSLOT(parentlabel), child, > + VSLOT(childlabel), cnp); > } > > static void > @@ -2385,8 +2397,10 @@ > (macop_t)mac_biba_create_devfs_directory }, > { MAC_CREATE_DEVFS_VNODE, > (macop_t)mac_biba_create_devfs_vnode }, > - { MAC_CREATE_VNODE, > - (macop_t)mac_biba_create_vnode }, > + { MAC_CREATE_NEW_VNODE, > + (macop_t)mac_lomac_create_vnode }, > + { MAC_CREATE_OLD_VNODE, > + (macop_t)mac_lomac_create_vnode }, > { MAC_CREATE_MOUNT, > (macop_t)mac_biba_create_mount }, > { MAC_CREATE_ROOT_MOUNT, > > ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.h#3 (text+ko) ==== > > @@ -34,7 +34,7 @@ > * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF > * SUCH DAMAGE. > * > - * $FreeBSD: src/sys/security/mac_biba/mac_biba.h,v 1.1 2002/07/31 18:07:43 rwatson Exp $ > + * $FreeBSD: src/sys/security/mac_lomac/mac_lomac.h,v 1.1 2002/07/31 18:07:43 rwatson Exp $ > */ > /* > * Definitions for the TrustedBSD Lomac floating-label integrity policy module. > @@ -43,20 +43,46 @@ > #define _SYS_SECURITY_MAC_LOMAC_H > > #define MAC_LOMAC_EXTATTR_NAMESPACE EXTATTR_NAMESPACE_SYSTEM > -#define MAC_LOMAC_EXTATTR_NAME "mac_biba" > +#define MAC_LOMAC_EXTATTR_NAME "mac_lomac" > + > +struct mac_lomac_element { > + u_short mle_type; > + u_short mle_grade; > +}; > + > +struct mac_lomac { > + int ml_flags; > + struct mac_lomac_element ml_single; > + struct mac_lomac_element ml_rangelow, ml_rangehigh; > +}; > + > +/* > + * This represents both the on-disk representation of a LOMAC label > + * and the internal representation. > + */ > + > +struct mac_lomac_label { > + struct mac_lomac mll_self; /* integrity of this object */ > + struct mac_lomac mll_children; /* default for this object's children */ > +}; > > -#define MAC_BIBA_FLAG_SINGLE 0x00000001 /* mb_single initialized */ > -#define MAC_BIBA_FLAG_RANGE 0x00000002 /* mb_range* initialized */ > -#define MAC_BIBA_FLAGS_BOTH (MAC_BIBA_FLAG_SINGLE | MAC_BIBA_FLAG_RANGE) > -#define MAC_BIBA_FLAG_UPDATESUBJ 0x00000003 /* update subject label from proc */ > +#define MAC_LOMAC_FLAG_SINGLE 0x00000001 /* ml_single initialized */ > +#define MAC_LOMAC_FLAG_RANGE 0x00000002 /* ml_range* initialized */ > +#define MAC_LOMAC_FLAGS_BOTH (MAC_LOMAC_FLAG_SINGLE | MAC_LOMAC_FLAG_RANGE) > +#define MAC_LOMAC_FLAG_UPDATESUBJ 0x00000003 /* update subject label from proc */ > > -#define MAC_BIBA_TYPE_UNDEF 0 /* Undefined */ > -#define MAC_BIBA_TYPE_GRADE 1 /* Hierarchal grade with mb_grade. */ > -#define MAC_BIBA_TYPE_LOW 2 /* Dominated by any > - * MAC_BIBA_TYPE_LABEL. */ > -#define MAC_BIBA_TYPE_HIGH 3 /* Dominates any > - * MAC_BIBA_TYPE_LABEL. */ > -#define MAC_BIBA_TYPE_EQUAL 4 /* Equivilent to any > - * MAC_BIBA_TYPE_LABEL. */ > +#define MAC_LOMAC_TYPE_UNDEF 0 /* Undefined */ > +#define MAC_LOMAC_TYPE_GRADE 1 /* Hierarchal grade with ml_grade. */ > +#define MAC_LOMAC_TYPE_LOW 2 /* Dominated by any > + * MAC_LOMAC_TYPE_LABEL. */ > +#define MAC_LOMAC_TYPE_HIGH 3 /* Dominates any > + * MAC_LOMAC_TYPE_LABEL. */ > +#define MAC_LOMAC_TYPE_EQUAL 4 /* Equivilent to any > + * MAC_LOMAC_TYPE_LABEL. */ > +#ifdef _KERNEL > +void mac_lomac_copy(struct mac_lomac *source, struct mac_lomac *dest); > +void mac_lomac_set_single(struct mac_lomac *mac_lomac, u_short type, > + u_short grade); > +#endif /* _KERNEL */ > > #endif /* !_SYS_SECURITY_MAC_LOMAC_H */ > > ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/policy_plm.h#3 (text+ko) ==== > > @@ -45,10 +45,10 @@ > PLM_NOFLAGS, /* rule applies to this node and its children */ > PLM_CHILDOF /* rule applies to node's children, not the node */ > }; > -#define LOWWRITE LN_ATTR_LOWWRITE > -#define LOWNOOPEN LN_ATTR_LOWNOOPEN > -#define NONETDEMOTE LN_ATTR_NONETDEMOTE > -#define NODEMOTE LN_ATTR_NODEMOTE > +#define LOWWRITE 0x01 > +#define LOWNOOPEN 0x02 > +#define NONETDEMOTE 0x04 > +#define NODEMOTE 0x08 > > typedef struct plm_rule { > /* struct mac_biba_element ... */ > > ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#112 (text+ko) ==== > > @@ -1278,7 +1278,8 @@ > > static void > mac_mls_execve_transition(struct ucred *old, struct ucred *new, > - struct vnode *vp, struct mac *vnodelabel) > + struct vnode *vp, struct mac *vnodelabel, struct vnode *shellvp, > + struct vnode *shellvnodelabel) > { > struct mac_mls *source, *dest; > > @@ -1291,7 +1292,8 @@ > > static int > mac_mls_execve_will_transition(struct ucred *old, struct vnode *vp, > - struct mac *vnodelabel) > + struct mac *vnodelabel, struct vnode *shellvp, > + struct vnode *shellvnodelabel) > { > > return (0); > > ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#83 (text+ko) ==== > > @@ -415,14 +415,16 @@ > > static void > mac_none_execve_transition(struct ucred *old, struct ucred *new, > - struct vnode *vp, struct label *vnodelabel) > + struct vnode *vp, struct label *vnodelabel, struct vnode *shellvp, > + struct vnode *shellvnodelabel) > { > > } > > static int > mac_none_execve_will_transition(struct ucred *old, struct vnode *vp, > - struct label *vnodelabel) > + struct label *vnodelabel, struct vnode *shellvp, > + struct vnode *shellvnodelabel) > { > > return (0); > > ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#85 (text+ko) ==== > > @@ -1534,7 +1534,8 @@ > > static void > mac_te_execve_transition(struct ucred *old, struct ucred *new, > - struct vnode *vp, struct label *filelabel) > + struct vnode *vp, struct label *filelabel, struct vp *shellvp, > + struct label *shellfilelabel) > { > int rule; > > @@ -1566,7 +1567,8 @@ > > static int > mac_te_execve_will_transition(struct ucred *old, struct vnode *vp, > - struct label *filelabel) > + struct label *filelabel, struct vnode *shellvp, > + struct label *shellfilelabel) > { > int rule; > > > ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#56 (text+ko) ==== > > @@ -794,14 +794,16 @@ > > static void > mac_test_execve_transition(struct ucred *old, struct ucred *new, > - struct vnode *vp, struct label *filelabel) > + struct vnode *vp, struct label *filelabel, > + struct vnode *shellvp, struct vnode *shellfilelabel) > { > > } > > static int > mac_test_execve_will_transition(struct ucred *old, struct vnode *vp, > - struct label *filelabel) > + struct label *filelabel, struct vnode *shellvp, > + struct vnode *shellfilelabel) > { > > return (0); > > ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#40 (text+ko) ==== > > @@ -297,7 +297,8 @@ > > static void > sebsd_execve_transition(struct ucred *old, struct ucred *new, > - struct vnode *vp, struct mac *vnodelabel) > + struct vnode *vp, struct mac *vnodelabel, > + struct vnode *shellvp, struct mac *shellvnodelabel) > { > struct task_security_struct *otask, *ntask; > struct vnode_security_struct *file; > @@ -305,7 +306,10 @@ > > otask = SLOT(&old->cr_label); > ntask = SLOT(&new->cr_label); > - file = SLOT(&vp->v_label); > + if (shellvp != NULL) > + file = SLOT(&shellvp->v_label); > + else > + file = SLOT(&vp->v_label); > > /* > * Should have already checked all the permissions > @@ -331,7 +335,8 @@ > > static int > sebsd_execve_will_transition(struct ucred *old, struct vnode *vp, > - struct mac *vnodelabel) > + struct mac *vnodelabel, struct vnode *shellvp, > + struct mac *shellvnodelabel) > { > struct task_security_struct *task; > struct vnode_security_struct *file; > @@ -339,7 +344,10 @@ > int rc; > > task = SLOT(&old->cr_label); > - file = SLOT(&vp->v_label); > + if (shellvp != NULL) > + file = SLOT(&shellvp->v_label); > + else > + file = SLOT(&vp->v_label); > > /* > * Should have already checked all the permissions, so just see if > > ==== //depot/projects/trustedbsd/mac/sys/sys/imgact.h#10 (text+ko) ==== > > @@ -46,6 +46,7 @@ > struct proc *proc; /* our process struct */ > struct execve_args *uap; /* syscall arguments */ > struct vnode *vp; /* pointer to vnode of file to exec */ > + struct vnode *interpvp; /* vnode of the shell script, if interpreted */ > struct vm_object *object; /* The vm object for this vp */ > struct vattr *attr; /* attributes of file */ > const char *image_header; /* head of file to exec */ > > ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#178 (text+ko) ==== > > @@ -307,8 +307,9 @@ > */ > void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child); > void mac_execve_transition(struct ucred *old, struct ucred *new, > - struct vnode *vp); > -int mac_execve_will_transition(struct ucred *old, struct vnode *vp); > + struct vnode *vp, struct vnode *shellvp); > +int mac_execve_will_transition(struct ucred *old, struct vnode *vp, > + struct vnode *shellvp); > void mac_create_proc0(struct ucred *cred); > void mac_create_proc1(struct ucred *cred); > void mac_thread_userret(struct thread *td); > > ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#139 (text+ko) ==== > > @@ -251,9 +251,11 @@ > void (*mpo_create_cred)(struct ucred *parent_cred, > struct ucred *child_cred); > void (*mpo_execve_transition)(struct ucred *old, struct ucred *new, > - struct vnode *vp, struct label *vnodelabel); > + struct vnode *vp, struct label *vnodelabel, > + struct vnode *shellvp, struct label *shellvnodelabel); > int (*mpo_execve_will_transition)(struct ucred *old, > - struct vnode *vp, struct label *vnodelabel); > + struct vnode *vp, struct label *vnodelabel, > + struct vnode *shellvp, struct label *shellvnodelabel); > void (*mpo_create_proc0)(struct ucred *cred); > void (*mpo_create_proc1)(struct ucred *cred); > void (*mpo_relabel_cred)(struct ucred *cred, > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1021015184357.36711A-100000>