From owner-p4-projects@FreeBSD.ORG  Mon Nov 17 11:48:06 2003
Return-Path: <owner-p4-projects@FreeBSD.ORG>
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 861BC16A4D1; Mon, 17 Nov 2003 11:48:06 -0800 (PST)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5101416A4CE
	for <perforce@freebsd.org>; Mon, 17 Nov 2003 11:48:06 -0800 (PST)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 10B2143FBD
	for <perforce@freebsd.org>; Mon, 17 Nov 2003 11:48:05 -0800 (PST)
	(envelope-from areisse@nailabs.com)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id hAHJm4XJ044105
	for <perforce@freebsd.org>; Mon, 17 Nov 2003 11:48:04 -0800 (PST)
	(envelope-from areisse@nailabs.com)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.12.9/8.12.9/Submit) id hAHJm41I044102
	for perforce@freebsd.org; Mon, 17 Nov 2003 11:48:04 -0800 (PST)
	(envelope-from areisse@nailabs.com)
Date: Mon, 17 Nov 2003 11:48:04 -0800 (PST)
Message-Id: <200311171948.hAHJm41I044102@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	areisse@nailabs.com using -f
From: Andrew Reisse <areisse@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 42683 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes <p4-projects.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/p4-projects>
List-Post: <mailto:p4-projects@freebsd.org>
List-Help: <mailto:p4-projects-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Nov 2003 19:48:06 -0000
X-List-Received-Date: Mon, 17 Nov 2003 19:48:06 -0000

http://perforce.freebsd.org/chv.cgi?CH=42683

Change 42683 by areisse@areisse_ibook on 2003/11/17 11:47:30

	another copyinstr...
	allow cred relabels in sebsd. A further permission check for this
	operation may need to be introduced in the future.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#28 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#13 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#28 (text+ko) ====

@@ -3615,6 +3615,7 @@
 	struct mac mac;
 	char *buffer;
 	int error;
+	size_t dummy;
 
 	error = copyin(uap->mac_p, &mac, sizeof(mac));
 	if (error)
@@ -3625,7 +3626,7 @@
 		return (error);
 
 	MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
-	error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
+	error = copyinstr(mac.m_string, buffer, mac.m_buflen, &dummy);
 	if (error) {
 		FREE(buffer, M_MACTEMP);
 		return (error);

==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#13 (text+ko) ====

@@ -460,8 +460,9 @@
 static void
 sebsd_relabel_cred(struct ucred *cred, struct label *newlabel)
 {
-
-	printf("sebsd_relabel_cred:: This does nothing\n");
+  struct task_security_struct *task = SLOT(&cred->cr_label);
+  struct task_security_struct *nsec = SLOT(newlabel);
+  task->sid = nsec->sid;
 }
 
 static void
@@ -956,11 +957,28 @@
 sebsd_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct task_security_struct *nsec, *tsec;
+	int rc;
 
 	nsec = SLOT(newlabel);
 	tsec = SLOT(&cred->cr_label);
+
+	if (nsec == NULL)
+	  return 0;
+	  
+	rc = avc_has_perm_ref_audit(tsec->sid, tsec->sid, SECCLASS_PROCESS,
+				    FILE__RELABELFROM, NULL, NULL);
+	if (rc)
+	  return (rc);
+
+	rc = avc_has_perm_audit(tsec->sid, nsec->sid, SECCLASS_PROCESS,
+				FILE__RELABELTO, NULL);
+	if (rc)
+	  return (rc);
+
+	/*
 	if (nsec != NULL && nsec->sid != tsec->sid)
 		return EPERM;
+	*/
 	return 0;
 }
 
@@ -2139,6 +2157,7 @@
   .mpo_internalize_vnode_label = sebsd_internalize_vnode_label,
   .mpo_externalize_vnode_label = sebsd_externalize_vnode_label,
 
+  .mpo_relabel_cred = sebsd_relabel_cred,
   .mpo_relabel_vnode = sebsd_relabel_vnode,
 
   /* Create Labels */
@@ -2158,6 +2177,7 @@
   .mpo_execve_transition = sebsd_execve_transition,
 
   /* Checks */
+  .mpo_check_cred_relabel = sebsd_check_cred_relabel,
   .mpo_check_proc_signal = sebsd_check_proc_signal,
   .mpo_check_vnode_access = sebsd_check_vnode_access,
   .mpo_check_vnode_chdir = sebsd_check_vnode_chdir,