Date: Mon, 17 Nov 2003 11:48:04 -0800 (PST) From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 42683 for review Message-ID: <200311171948.hAHJm41I044102@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=42683 Change 42683 by areisse@areisse_ibook on 2003/11/17 11:47:30 another copyinstr... allow cred relabels in sebsd. A further permission check for this operation may need to be introduced in the future. Affected files ... .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#28 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#13 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#28 (text+ko) ==== @@ -3615,6 +3615,7 @@ struct mac mac; char *buffer; int error; + size_t dummy; error = copyin(uap->mac_p, &mac, sizeof(mac)); if (error) @@ -3625,7 +3626,7 @@ return (error); MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); - error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); + error = copyinstr(mac.m_string, buffer, mac.m_buflen, &dummy); if (error) { FREE(buffer, M_MACTEMP); return (error); ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#13 (text+ko) ==== @@ -460,8 +460,9 @@ static void sebsd_relabel_cred(struct ucred *cred, struct label *newlabel) { - - printf("sebsd_relabel_cred:: This does nothing\n"); + struct task_security_struct *task = SLOT(&cred->cr_label); + struct task_security_struct *nsec = SLOT(newlabel); + task->sid = nsec->sid; } static void @@ -956,11 +957,28 @@ sebsd_check_cred_relabel(struct ucred *cred, struct label *newlabel) { struct task_security_struct *nsec, *tsec; + int rc; nsec = SLOT(newlabel); tsec = SLOT(&cred->cr_label); + + if (nsec == NULL) + return 0; + + rc = avc_has_perm_ref_audit(tsec->sid, tsec->sid, SECCLASS_PROCESS, + FILE__RELABELFROM, NULL, NULL); + if (rc) + return (rc); + + rc = avc_has_perm_audit(tsec->sid, nsec->sid, SECCLASS_PROCESS, + FILE__RELABELTO, NULL); + if (rc) + return (rc); + + /* if (nsec != NULL && nsec->sid != tsec->sid) return EPERM; + */ return 0; } @@ -2139,6 +2157,7 @@ .mpo_internalize_vnode_label = sebsd_internalize_vnode_label, .mpo_externalize_vnode_label = sebsd_externalize_vnode_label, + .mpo_relabel_cred = sebsd_relabel_cred, .mpo_relabel_vnode = sebsd_relabel_vnode, /* Create Labels */ @@ -2158,6 +2177,7 @@ .mpo_execve_transition = sebsd_execve_transition, /* Checks */ + .mpo_check_cred_relabel = sebsd_check_cred_relabel, .mpo_check_proc_signal = sebsd_check_proc_signal, .mpo_check_vnode_access = sebsd_check_vnode_access, .mpo_check_vnode_chdir = sebsd_check_vnode_chdir,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200311171948.hAHJm41I044102>