Date: Tue, 15 Aug 2006 17:44:19 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 104070 for review Message-ID: <200608151744.k7FHiJdB035483@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=104070 Change 104070 by millert@millert_macbook on 2006/08/15 17:44:17 Add security.mac.sebsd.compute.create, security.mac.sebsd.compute.member, and security.mac.sebsd.canon.context sysctls for use by libselinux. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_sysctl.c#2 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_sysctl.c#2 (text+ko) ==== @@ -366,7 +366,169 @@ return (error); } +/* + * Sysctl handler for security.mac.sebsd.canon_context. + * Check sid validity, returns canonical name of context. + */ +static int +sysctl_canon_context SYSCTL_HANDLER_ARGS +{ + u_int32_t sid, len; + char *context, *canon; + int error; + +#ifdef SECURITY__COMPUTE_CHECK + error = cred_has_security(kauth_cred_get(), SECURITY__COMPUTE_CHECK); + if (error) + return (error); +#endif + + if (req->newlen < 2) + return (EINVAL); + if (req->newlen > 512) /* arbitrary */ + return (ENAMETOOLONG); + context = sebsd_malloc(req->newlen, M_SEBSD, M_WAITOK); + error = SYSCTL_IN(req, context, req->newlen); + if (error) + goto out; + if (context[req->newlen - 1] != '\0') { + error = EINVAL; + goto out; + } + /* + * XXX We need POLICY_RDLOCK here, but it's not exported! + */ + error = security_context_to_sid(context, strlen(context) + 1, &sid); + if (error) + goto out; + + error = security_sid_to_context(sid, &canon, &len); + if (error == 0) { + error = SYSCTL_OUT(req, canon, len); + sebsd_free(canon, M_SEBSD); + } +out: + sebsd_free(context, M_SEBSD); + return (error); +} + +/* + * Sysctl handler for security.mac.sebsd.compute_create. Create new sid + * given input "scontext\0tcontext\0", tclass. + */ +static int +sysctl_compute_create SYSCTL_HANDLER_ARGS +{ + u_int32_t sid, tsid, newsid, len; + u_int16_t tclass; + char *scontext, *tcontext, *newcontext; + int error; + + error = cred_has_security(kauth_cred_get(), SECURITY__COMPUTE_CREATE); + if (error) + return (error); + + if (req->newlen < 4 + sizeof(tclass)) + return (EINVAL); + if (req->newlen > 512) /* arbitrary */ + return (ENAMETOOLONG); + scontext = sebsd_malloc(req->newlen, M_SEBSD, M_WAITOK); + error = SYSCTL_IN(req, scontext, req->newlen); + if (error) + goto out; + if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') { + error = EINVAL; + goto out; + } + tcontext = &scontext[strlen(scontext) + 1]; + if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) { + error = EINVAL; + goto out; + } + bcopy(&tcontext[strlen(tcontext) + 1], &tclass, sizeof(tclass)); + /* + * XXX We need POLICY_RDLOCK here, but it's not exported! + */ + error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid); + if (error) + goto out; + error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid); + if (error) + goto out; + + error = security_transition_sid(sid, tsid, tclass, &newsid); + if (error) + goto out; + + error = security_sid_to_context(newsid, &newcontext, &len); + if (error == 0) { + error = SYSCTL_OUT(req, newcontext, len); + sebsd_free(newcontext, M_SEBSD); + } +out: + sebsd_free(scontext, M_SEBSD); + return (error); +} + +/* + * Sysctl handler for security.mac.sebsd.compute_member. Compute member sid + * given input "scontext\0tcontext\0", tclass. + */ static int +sysctl_compute_member SYSCTL_HANDLER_ARGS +{ + u_int32_t sid, tsid, newsid, len; + u_int16_t tclass; + char *scontext, *tcontext, *newcontext; + int error; + + error = cred_has_security(kauth_cred_get(), SECURITY__COMPUTE_MEMBER); + if (error) + return (error); + + if (req->newlen < 4 + sizeof(tclass)) + return (EINVAL); + if (req->newlen > 512) /* arbitrary */ + return (ENAMETOOLONG); + scontext = sebsd_malloc(req->newlen, M_SEBSD, M_WAITOK); + error = SYSCTL_IN(req, scontext, req->newlen); + if (error) + goto out; + if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') { + error = EINVAL; + goto out; + } + tcontext = &scontext[strlen(scontext) + 1]; + if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) { + error = EINVAL; + goto out; + } + bcopy(&tcontext[strlen(tcontext) + 1], &tclass, sizeof(tclass)); + /* + * XXX We need POLICY_RDLOCK here, but it's not exported! + */ + error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid); + if (error) + goto out; + error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid); + if (error) + goto out; + + error = security_member_sid(sid, tsid, tclass, &newsid); + if (error) + goto out; + + error = security_sid_to_context(newsid, &newcontext, &len); + if (error == 0) { + error = SYSCTL_OUT(req, newcontext, len); + sebsd_free(newcontext, M_SEBSD); + } +out: + sebsd_free(scontext, M_SEBSD); + return (error); +} + +static int sysctl_sebsd_policypath SYSCTL_HANDLER_ARGS { void *path; @@ -412,6 +574,15 @@ SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_av, CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_av, "A", "SEBSD access vector decision query"); +SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, canon_context, CTLTYPE_STRING | + CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_canon_context, "A", + "SEBSD context verification query"); +SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_create, CTLTYPE_STRING | + CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_create, "A", + "SEBSD context computation query"); +SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_member, CTLTYPE_STRING | + CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_member, "A", + "SEBSD context member query"); SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, auditing, CTLTYPE_INT | CTLFLAG_RW, NULL, 0, sysctl_sebsd_auditing, "I", "SEBSD avc auditing"); SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | @@ -436,6 +607,9 @@ sysctl_register_oid(&sysctl__security_mac_sebsd_file_sids); sysctl_register_oid(&sysctl__security_mac_sebsd_change_sid); sysctl_register_oid(&sysctl__security_mac_sebsd_compute_av); + sysctl_register_oid(&sysctl__security_mac_sebsd_compute_create); + sysctl_register_oid(&sysctl__security_mac_sebsd_compute_member); + sysctl_register_oid(&sysctl__security_mac_sebsd_canon_context); sysctl_register_oid(&sysctl__security_mac_sebsd_auditing); sysctl_register_oid(&sysctl__security_mac_sebsd_enforcing); sysctl_register_oid(&sysctl__security_mac_sebsd_policyvers);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200608151744.k7FHiJdB035483>