From owner-p4-projects Sat Sep 28 10:17:26 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 442CA37B404; Sat, 28 Sep 2002 10:17:18 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E21BB37B401 for ; Sat, 28 Sep 2002 10:17:17 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 790AE43E65 for ; Sat, 28 Sep 2002 10:17:17 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g8SHHHCo060472 for ; Sat, 28 Sep 2002 10:17:17 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g8SHHHCs060463 for perforce@freebsd.org; Sat, 28 Sep 2002 10:17:17 -0700 (PDT) Date: Sat, 28 Sep 2002 10:17:17 -0700 (PDT) Message-Id: <200209281717.g8SHHHCs060463@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson Subject: PERFORCE change 18277 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18277 Change 18277 by rwatson@rwatson_tislabs on 2002/09/28 10:16:55 Teach Biba policy to pass strings rather than binary blobs between the user and kernel code. This pushes some parsing into the kernel, but only a limited amount. Remove the Biba userland module since it is no longer required, and modify the default mac.conf to point at libmac_generic since it is a string. Some review of the string code here, especially snprintf and the parsing, would be much appreciated. My local tests seem to demonstrate a fair amount of correctness, though. Affected files ... .. //depot/projects/trustedbsd/mac/etc/mac.conf#2 edit .. //depot/projects/trustedbsd/mac/lib/libmac/modules/Makefile#2 edit .. //depot/projects/trustedbsd/mac/lib/libmac/modules/mac_biba/Makefile#2 delete .. //depot/projects/trustedbsd/mac/lib/libmac/modules/mac_biba/mac_biba.c#2 delete .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#113 edit Differences ... ==== //depot/projects/trustedbsd/mac/etc/mac.conf#2 (text+ko) ==== @@ -17,8 +17,7 @@ # Bind policy names to loadable shared modules # -module mac_biba libmac_biba.so.1 # Biba integrity -module mac_mls libmac_mls.so.1 # MLS confidentiality -module mac_generic libmac_generic.so.1 te # Type enforcement -module mac_partition libmac_partition.so.1 # Partition policy +module mac_mls libmac_mls.so.1 # MLS confidentiality +module mac_generic libmac_generic.so.1 biba te # Type enforcement +module mac_partition libmac_partition.so.1 # Partition policy ==== //depot/projects/trustedbsd/mac/lib/libmac/modules/Makefile#2 (text+ko) ==== 
@@ -1,3 +1,3 @@ -SUBDIR = mac_biba mac_generic mac_mls mac_partition +SUBDIR = mac_generic mac_mls mac_partition .include ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#113 (text+ko) ==== @@ -53,6 +53,7 @@ #include #include #include +#include #include #include #include 
@@ -477,27 +478,104 @@ SLOT(label) = NULL; /* Slightly cautious */ } +/* + * mac_biba_element_to_string() is basically an snprintf wrapper with + * the same properties as snprintf(). It returns the length it would + * have added to the string in the event the string is too short. + */ +static int +mac_biba_element_to_string(size_t size, char *string, + struct mac_biba_element *element) +{ + + switch (element->mbe_type) { + case MAC_BIBA_TYPE_HIGH: + return (snprintf(string, size, "high")); + + case MAC_BIBA_TYPE_LOW: + return (snprintf(string, size, "low")); + + case MAC_BIBA_TYPE_EQUAL: + return (snprintf(string, size, "equal")); + + case MAC_BIBA_TYPE_GRADE: + return (snprintf(string, size, "%d", element->mbe_grade)); + + default: + panic("mac_biba_element_to_string: invalid type (%d)", + element->mbe_type); + } +} + static int mac_biba_externalize_label(struct label *label, struct mac *mac, struct mac_element *element, int *claimed) { struct mac_biba *mac_biba; + char string[MAC_MAX_LABEL_ELEMENT_DATALEN], *curptr; + size_t len, left; int error; if (strcmp(MAC_BIBA_LABEL_NAME, element->me_name) == 0) { (*claimed)++; - if (element->me_databuflen < sizeof(struct mac_biba)) + mac_biba = SLOT(label); + + bzero(string, sizeof(string)); + curptr = string; + left = MAC_MAX_LABEL_ELEMENT_DATALEN; + + if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) { + len = mac_biba_element_to_string(left, curptr, + &mac_biba->mb_single); + if (len >= left) + return (EINVAL); + left -= len; + curptr += len; + } + + if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) { + len = snprintf(curptr, left, "("); + if (len >= left) + return (EINVAL); + left -= len; + curptr += len; + + len = mac_biba_element_to_string(left, curptr, + &mac_biba->mb_rangelow); + if (len >= left) + return (EINVAL); + left -= len; + curptr += len; + + len = snprintf(curptr, left, "-"); + if (len >= left) + return (EINVAL); + left -= len; + curptr += len; + + len = mac_biba_element_to_string(left, curptr, + 
&mac_biba->mb_rangehigh); + if (len >= left) + return (EINVAL); + left -= len; + curptr += len; + + len = snprintf(curptr, left, ")"); + if (len >= left) + return (EINVAL); + left -= len; + curptr += len; + } + + if (strlen(string)+1 > element->me_databuflen) return (EINVAL); - mac_biba = SLOT(label); - - error = copyout(mac_biba, element->me_data, - sizeof(*mac_biba)); + error = copyout(string, element->me_data, strlen(string)+1); if (error) return (error); - element->me_datalen = sizeof(*mac_biba); + element->me_datalen = sizeof(strlen(string)+1); } return (0); 
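Review bot: `element->me_datalen = sizeof(strlen(string)+1);` at the end of the claimed branch stores sizeof(size_t), not the number of bytes just copied out, so the caller is told a length unrelated to the label string; it should read `element->me_datalen = strlen(string) + 1;`. The size check and the copyout() directly above already use `strlen(string)+1`, so computing that once into a local and reusing it for all three would keep them in step. The six repetitions of `if (len >= left) return (EINVAL); left -= len; curptr += len;` would be easier to audit as one small static helper. The closing brace of mac_biba_externalize_label lies outside the hunk.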
@@ -521,22 +599,106 @@ } static int +mac_biba_parse_element(struct mac_biba_element *element, char *string) +{ + + if (strcmp(string, "high") == 0 || + strcmp(string, "hi") == 0) { + element->mbe_type = MAC_BIBA_TYPE_HIGH; + element->mbe_grade = MAC_BIBA_TYPE_UNDEF; + } else if (strcmp(string, "low") == 0 || + strcmp(string, "lo") == 0) { + element->mbe_type = MAC_BIBA_TYPE_LOW; + element->mbe_grade = MAC_BIBA_TYPE_UNDEF; + } else if (strcmp(string, "equal") == 0 || + strcmp(string, "eq") == 0) { + element->mbe_type = MAC_BIBA_TYPE_EQUAL; + element->mbe_grade = MAC_BIBA_TYPE_UNDEF; + } else { + int d; + + d = strtol(string, NULL, 10); + if (d < 0 || d > 65535) + return (EINVAL); + element->mbe_type = MAC_BIBA_TYPE_GRADE; + element->mbe_grade = d; + } + + return (0); +} + +static int mac_biba_internalize_label(struct label *label, struct mac *mac, struct mac_element *element, int *claimed) { struct mac_biba *mac_biba, mac_biba_temp; + char string[MAC_MAX_LABEL_ELEMENT_DATALEN]; /* XXX */ + char *range, *rangeend, *rangehigh, *rangelow, *single; int error; if (strcmp(MAC_BIBA_LABEL_NAME, element->me_name) == 0) { (*claimed)++; - if (element->me_datalen != sizeof(*mac_biba)) + error = copyin(element->me_data, &string, element->me_datalen); + if (error) + return (error); + + if (!strvalid(string, MAC_MAX_LABEL_ELEMENT_DATALEN)) return (EINVAL); - error = copyin(element->me_data, &mac_biba_temp, - sizeof(mac_biba_temp)); - if (error) - return (error); + /* Do we have a range? */ + single = string; + range = index(string, '('); + if (range == single) + single = NULL; + rangelow = rangehigh = NULL; + if (range != NULL) { + /* Nul terminate the end of the single string. 
*/ + *range = '\0'; + range++; + rangelow = range; + rangehigh = index(rangelow, '-'); + if (rangehigh == NULL) + return (EINVAL); + rangehigh++; + if (*rangelow == '\0' || *rangehigh == '\0') + return (EINVAL); + rangeend = index(rangehigh, ')'); + if (rangeend == NULL) + return (EINVAL); + if (*(rangeend + 1) != '\0') + return (EINVAL); + /* Nul terminate the ends of the ranges. */ + *(rangehigh - 1) = '\0'; + *rangeend = '\0'; + } + KASSERT((rangelow != NULL && rangehigh != NULL) || + (rangelow == NULL && rangehigh == NULL), + ("mac_biba_internalize_label: range mismatch")); + + printf("Biba: single: %s, range low: %s, range high: %s\n", + single, rangelow, rangehigh); + + bzero(&mac_biba_temp, sizeof(mac_biba_temp)); + if (single != NULL) { + error = mac_biba_parse_element( + &mac_biba_temp.mb_single, single); + if (error) + return (error); + mac_biba_temp.mb_flags |= MAC_BIBA_FLAG_SINGLE; + } + + if (rangelow != NULL) { + error = mac_biba_parse_element( + &mac_biba_temp.mb_rangelow, rangelow); + if (error) + return (error); + error == mac_biba_parse_element( + &mac_biba_temp.mb_rangehigh, rangehigh); + if (error) + return (error); + mac_biba_temp.mb_flags |= MAC_BIBA_FLAG_RANGE; + } error = mac_biba_valid(&mac_biba_temp); if (error) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
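Review bot: The `copyin(element->me_data, &string, element->me_datalen)` at the top of the claimed branch copies a user-supplied length into the fixed `string[MAC_MAX_LABEL_ELEMENT_DATALEN]` stack buffer with no bound visible in this hunk; unless the caller already caps me_datalen, add `if (element->me_datalen > sizeof(string)) return (EINVAL);` before it and validate with `strvalid(string, element->me_datalen)` so that stale stack bytes cannot supply the terminator. In the range branch, `error == mac_biba_parse_element(&mac_biba_temp.mb_rangehigh, rangehigh);` is a comparison, so a failed parse of the high bound is silently dropped; it should be `error = ...`. mac_biba_parse_element() assigns `strtol(string, NULL, 10)` to an `int` with no end pointer, so an empty string, trailing junk (for example the constructed input `12x`) or a value that truncates to the valid range is accepted as a grade; keep the result in a `long`, pass an end pointer, and reject `end == string || *end != '\0'`. The unconditional `printf("Biba: single: ...")` looks like a debugging leftover that lets any caller write attacker-chosen text to the console. The body of mac_biba_internalize_label continues past the end of the hunk.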