From owner-p4-projects Thu Oct 31 8:35:10 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 890AD37B404; Thu, 31 Oct 2002 08:34:57 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1EF5637B401 for ; Thu, 31 Oct 2002 08:34:57 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9BFD043E4A for ; Thu, 31 Oct 2002 08:34:56 -0800 (PST) (envelope-from green@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id g9VGXamV092638 for ; Thu, 31 Oct 2002 08:33:36 -0800 (PST) (envelope-from green@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id g9VGXZ7J092635 for perforce@freebsd.org; Thu, 31 Oct 2002 08:33:35 -0800 (PST) Date: Thu, 31 Oct 2002 08:33:35 -0800 (PST) Message-Id: <200210311633.g9VGXZ7J092635@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to green@freebsd.org using -f From: Brian Feldman Subject: PERFORCE change 20480 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=20480 Change 20480 by green@green_laptop_2 on 2002/10/31 08:32:51 * Synchronize mac_lomac to newer mac operations declarations. * Add support for using the auxiliary label on executables to determine the single to switch to before beginning execution. * Fix locking bugs, etc. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#30 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#30 (text+ko) ==== 
@@ -62,6 +62,7 @@
 #include
 #include
 #include
+#include
 #include
@@ -488,11 +489,21 @@
 mac_lomac_copy_range(source, dest);
 }
+static int mac_lomac_to_string(char *string, size_t size,
+ size_t *caller_len, struct mac_lomac *mac_lomac);
+
 static int
-maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel)
+maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel,
+ const char *actionname, const char *objname)
 {
+ static const char xxx[] = "<>";
 struct mac_lomac_proc *subj = PSLOT(&curthread->td_proc->p_label);
+ char *subjlabeltext, *objlabeltext, *subjtext, *text;
+ struct proc *p;
+ size_t len;
+ pid_t pgid;
+ p = curthread->td_proc;
 mtx_lock(&subj->mtx);
 if (subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) {
 /*
@@ -500,8 +511,10 @@
 * less severe than this one, and keep the more severe.
 * This can only happen for a multi-threaded application.
 */
- if (mac_lomac_dominate_single(objlabel, &subj->mac_lomac))
- goto out;
+ if (mac_lomac_dominate_single(objlabel, &subj->mac_lomac)) {
+ mtx_lock(&subj->mtx);
+ return (0);
+ }
 }
 bzero(&subj->mac_lomac, sizeof(subj->mac_lomac));
 /*
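Review bot: The early-return path added inside the MAC_LOMAC_FLAG_UPDATE branch calls `mtx_lock(&subj->mtx)` while that mutex is already held by the `mtx_lock(&subj->mtx)` a few lines above it; the line should be `mtx_unlock(&subj->mtx);`. The removed `goto out` landed on the `out:` label that sits directly in front of the existing `mtx_unlock(&subj->mtx)` (visible in the next hunk), so the old path released the lock, while the new one acquires it a second time and then returns with it held twice — unless the mutex was initialised with MTX_RECURSE, which is not visible here, that is a panic in FreeBSD, and either way the process label lock is never released. This is the one locking change in a commit described as fixing locking bugs, so it deserves a test that exercises a multi-threaded demotion race. The body of maybe_demote continues in the following hunk.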
@@ -523,8 +536,43 @@
 curthread->td_kse->ke_flags |= KEF_ASTPENDING;
 curthread->td_proc->p_sflag |= PS_MACPEND;
 mtx_unlock_spin(&sched_lock);
-out:
+ subjtext = subjlabeltext = objlabeltext = xxx;
+ if (mac_lomac_to_string(NULL, 0, &len, &subj->mac_lomac) == 0 &&
+ (text = malloc(len + 1, M_MACLOMAC, M_NOWAIT)) != NULL) {
+ if (mac_lomac_to_string(text, len + 1, &len,
+ &subj->mac_lomac) == 0)
+ subjtext = text;
+ else
+ free(text, M_MACLOMAC);
+ }
 mtx_unlock(&subj->mtx);
+ if (mac_lomac_to_string(NULL, 0, &len, subjlabel) == 0 &&
+ (text = malloc(len + 1, M_MACLOMAC, M_WAITOK)) != NULL) {
+ if (mac_lomac_to_string(text, len + 1, &len,
+ subjlabel) == 0)
+ subjlabeltext = text;
+ else
+ free(text, M_MACLOMAC);
+ }
+ if (mac_lomac_to_string(NULL, 0, &len, objlabel) == 0 &&
+ (text = malloc(len + 1, M_MACLOMAC, M_WAITOK)) != NULL) {
+ if (mac_lomac_to_string(text, len + 1, &len,
+ objlabel) == 0)
+ objlabeltext = text;
+ else
+ free(text, M_MACLOMAC);
+ }
+ pgid = p->p_pgrp->pg_id; /* XXX could be stale? */
+ log(LOG_INFO, "LOMAC: level-%s subject p%dg%du%d:%s demoted to"
+ " level %s after %s a level-%s %s\n",
+ subjlabeltext, p->p_pid, pgid, curthread->td_ucred->cr_uid,
+ p->p_comm, subjtext, actionname, objlabeltext, objname);
+ if (subjlabeltext != xxx)
+ free(subjlabeltext, M_MACLOMAC);
+ if (objlabeltext != xxx)
+ free(objlabeltext, M_MACLOMAC);
+ if (subjtext != xxx)
+ free(subjtext, M_MACLOMAC);
 return (0);
 }
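Review bot: The first mac_lomac_to_string/malloc block runs with `subj->mtx` still held and therefore uses M_NOWAIT, while the two blocks after `mtx_unlock(&subj->mtx)` use M_WAITOK, but nothing records why the three otherwise identical blocks differ; a comment on the first one, `/* subj->mtx is held: must not sleep, so fall back to "<>" if M_NOWAIT fails */`, would keep a later edit from moving a sleeping allocation under the lock. The `!= NULL` tests after the two M_WAITOK allocations are dead in FreeBSD, where malloc(9) with M_WAITOK does not return NULL, which makes the blocks look more symmetric than they are. The `/* XXX could be stale? */` on `p->p_pgrp->pg_id` is left as an open question; `p->p_pgrp` is read here with no process lock held, so the comment should at least name the lock that would make the read stable (PROC_LOCK, going by the proc locking conventions — confirm). The enclosing function maybe_demote starts in the previous hunk.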
@@ -623,78 +671,69 @@
 mac_lomac_to_string(char *string, size_t size,
 size_t *caller_len, struct mac_lomac *mac_lomac)
 {
- size_t left, len;
+ size_t left, len, curlen;
 char *curptr;
- bzero(string, size);
+ /*
+ * Also accept NULL string to allow for predetermination of total
+ * string length.
+ */
+ if (string != NULL)
+ bzero(string, size);
+ else if (size != 0)
+ return (EINVAL);
 curptr = string;
 left = size;
+ curlen = 0;
+#define INCLEN(length, leftover) do { \
+ if (string != NULL) { \
+ if (length >= leftover) \
+ return (EINVAL); \
+ leftover -= length; \
+ curptr += length; \
+ } \
+ curlen += length; \
+} while (0)
 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
 len = mac_lomac_element_to_string(curptr, left,
 &mac_lomac->ml_single);
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
 }
 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_AUX) {
 len = snprintf(curptr, left, "[");
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
 len = mac_lomac_element_to_string(curptr, left,
 &mac_lomac->ml_auxsingle);
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
 len = snprintf(curptr, left, "]");
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
 }
 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
 len = snprintf(curptr, left, "(");
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
 len = mac_lomac_element_to_string(curptr, left,
 &mac_lomac->ml_rangelow);
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
 len = snprintf(curptr, left, "-");
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
 len = mac_lomac_element_to_string(curptr, left,
 &mac_lomac->ml_rangehigh);
- if (len >= left)
- return (EINVAL);
- left -= len;
- curptr += len;
+ INCLEN(len, left);
 len = snprintf(curptr, left, ")");
- if (len >= 
left) - return (EINVAL); - left -= len; - curptr += len; + INCLEN(len, left); } +#undef INCLEN - *caller_len = strlen(string); + *caller_len = curlen; return (0); } @@ -1457,13 +1496,35 @@ struct vnode *vp, struct label *vnodelabel, struct label *shellvnodelabel, struct image_params *imgp) { - struct mac_lomac *source, *dest; + struct mac_lomac *source, *dest, *obj, *robj; source = SLOT(&old->cr_label); dest = SLOT(&new->cr_label); + obj = SLOT(vnodelabel); + robj = shellvnodelabel != NULL ? SLOT(shellvnodelabel) : obj; - mac_lomac_copy_single(source, dest); - mac_lomac_copy_range(source, dest); + mac_lomac_copy(source, dest); + /* + * If there's an auxiliary label on the real object, respect it + * and assume that this level should be assumed immediately if + * a higher level is currently in place. + */ + if (robj->ml_flags & MAC_LOMAC_FLAG_AUX && + !mac_lomac_dominate_element(&robj->ml_auxsingle, &dest->ml_single) + && mac_lomac_auxsingle_in_range(robj, dest)) + mac_lomac_set_single(dest, robj->ml_auxsingle.mle_type, + robj->ml_auxsingle.mle_grade); + /* + * Restructuring to use the execve transitioning mechanism + * instead of the normal demotion mechanism here would be + * difficult, so just copy the label over and perform standard + * demotion. This is also non-optimal because it will result + * in the intermediate label "new" being created and immediately + * recycled. + */ + if (mac_lomac_enabled && revocation_enabled && + !mac_lomac_dominate_single(obj, source)) + (void)maybe_demote(source, obj, "executing", "file"); } static int 
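Review bot: The INCLEN macro hides a `return (EINVAL)` inside what reads like an ordinary statement, and its `length` and `leftover` parameters are used unparenthesised; every use passes plain identifiers so it is safe today, but a `static inline` helper, or at least `(length) >= (leftover)`, is the conventional form, and the in-function `#define`/`#undef` pair should carry a one-line comment such as `/* advance curptr/left, or return EINVAL on truncation; always count into curlen */`. The new contract — `string == NULL` with `size == 0` sizes the output without writing, and `*caller_len` is now `curlen` rather than `strlen(string)` — is documented only by the comment next to the bzero, yet maybe_demote's `malloc(len + 1, ...)` depends on it, so it belongs in the function's header comment. With `string == NULL`, `curptr` is NULL and `left` is 0 when `mac_lomac_element_to_string(curptr, left, ...)` is called, so that helper must also accept a NULL buffer of size 0; it is not in this hunk and should be confirmed. The `static int` line of the definition lies before the first line of the hunk, and the hunk itself is split across two source lines.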
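Review bot: `robj->ml_flags & MAC_LOMAC_FLAG_AUX && !mac_lomac_dominate_element(...)` in mac_lomac_execve_transition mixes `&` and `&&` without parentheses; it evaluates as intended because `&` binds tighter, but gcc's -Wparentheses flags it, so write `(robj->ml_flags & MAC_LOMAC_FLAG_AUX) &&`. The identical three-term condition is repeated in the mac_lomac_execve_will_transition hunk on the next source line; the two copies must agree for the will/transition pair to be consistent, so a small static helper taking `robj` and the subject label would stop them drifting apart. The comment "respect it and assume that this level should be assumed immediately if a higher level is currently in place" is hard to parse; "respect it and switch to that level immediately unless the auxiliary level already dominates the subject's current level" states what the condition below actually tests. The function's signature starts before the first line of this hunk.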
@@ -1471,8 +1532,19 @@ struct label *vnodelabel, struct label *shellvnodelabel, struct image_params *imgp) { + struct mac_lomac *subj, *obj, *robj; + + if (!mac_lomac_enabled || !revocation_enabled) + return (0); + + subj = SLOT(&old->cr_label); + obj = SLOT(vnodelabel); + robj = shellvnodelabel != NULL ? SLOT(shellvnodelabel) : obj; - return (0); + return ((robj->ml_flags & MAC_LOMAC_FLAG_AUX && + !mac_lomac_dominate_element(&robj->ml_auxsingle, &subj->ml_single) + && mac_lomac_auxsingle_in_range(robj, subj)) || + !mac_lomac_dominate_single(obj, subj)); } static void @@ -1694,7 +1766,7 @@ obj = SLOT((pipelabel)); if (!mac_lomac_dominate_single(obj, subj)) - return (maybe_demote(subj, obj)); + return (maybe_demote(subj, obj, "reading", "pipe")); return (0); } @@ -2076,7 +2148,7 @@ } if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) { if (!mac_lomac_dominate_single(obj, subj)) - return (maybe_demote(subj, obj)); + return (maybe_demote(subj, obj, "mapping", "file")); } return (0); @@ -2112,7 +2184,7 @@ static void mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, - struct label *label, int *prot) + struct label *label, /* XXX vm_prot_t */ int *prot) { struct mac_lomac *subj, *obj; @@ -2164,7 +2236,7 @@ obj = SLOT(label); if (!mac_lomac_dominate_single(obj, subj)) - return (maybe_demote(subj, obj)); + return (maybe_demote(subj, obj, "reading", "file")); return (0); } @@ -2529,7 +2601,8 @@ .mpo_update_devfsdirent = mac_lomac_update_devfsdirent, .mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs, .mpo_associate_vnode_extattr = mac_lomac_associate_vnode_extattr, - .mpo_associate_vnode_singlelabel = mac_lomac_associate_vnode_singlelabel, + .mpo_associate_vnode_singlelabel = + mac_lomac_associate_vnode_singlelabel, .mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr, .mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr, .mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket, 
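Review bot: The early `return (0)` on `!mac_lomac_enabled || !revocation_enabled` in mac_lomac_execve_will_transition ties the auxiliary-label level switch to the revocation knob: the MAC framework only invokes the transition hook when this hook reports a transition, so with revocation disabled the aux level on an executable is never applied, even though that switch is a label transition rather than a revocation. If the switch is meant to depend only on the policy being enabled, gate just the demotion term — `if (!mac_lomac_enabled) return (0);` and `... || (revocation_enabled && !mac_lomac_dominate_single(obj, subj)));` — which matches how mac_lomac_execve_transition on the previous source line already gates its maybe_demote call. The two-clause return expression would also read better with a one-line comment naming each clause, e.g. `/* an aux label on the executable forces a level switch, or reading it will demote us */`. The function's signature starts before the first line of this hunk.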
@@ -2539,7 +2612,8 @@
 .mpo_relabel_pipe = mac_lomac_relabel_pipe,
 .mpo_relabel_socket = mac_lomac_relabel_socket,
 .mpo_set_socket_peer_from_mbuf = mac_lomac_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = mac_lomac_set_socket_peer_from_socket,
+ .mpo_set_socket_peer_from_socket =
+ mac_lomac_set_socket_peer_from_socket,
 .mpo_create_bpfdesc = mac_lomac_create_bpfdesc,
 .mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq,
 .mpo_create_fragment = mac_lomac_create_fragment,
@@ -2549,7 +2623,8 @@
 .mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
 .mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
 .mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = mac_lomac_create_mbuf_multicast_encap,
+ .mpo_create_mbuf_multicast_encap =
+ mac_lomac_create_mbuf_multicast_encap,
 .mpo_create_mbuf_netlayer = mac_lomac_create_mbuf_netlayer,
 .mpo_fragment_match = mac_lomac_fragment_match,
 .mpo_relabel_ifnet = mac_lomac_relabel_ifnet,
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message