From owner-p4-projects Fri Oct 25 11:14: 7 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id AB53237B404; Fri, 25 Oct 2002 11:13:58 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5687937B401 for ; Fri, 25 Oct 2002 11:13:58 -0700 (PDT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id DAB3F43E3B for ; Fri, 25 Oct 2002 11:13:57 -0700 (PDT) (envelope-from green@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id g9PID7mV016042 for ; Fri, 25 Oct 2002 11:13:07 -0700 (PDT) (envelope-from green@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id g9PID7Ow016039 for perforce@freebsd.org; Fri, 25 Oct 2002 11:13:07 -0700 (PDT) Date: Fri, 25 Oct 2002 11:13:07 -0700 (PDT) Message-Id: <200210251813.g9PID7Ow016039@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to green@freebsd.org using -f 
From: Brian Feldman Subject: PERFORCE change 20140 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=20140 Change 20140 by green@green_laptop_2 on 2002/10/25 11:12:34 * Add an "auxiliary single" to struct mac_lomac {} for usage by directories for the inherited label and possibly for execution of executables initially into lower singles via transition hooks that utilize mac_lomac.ml_auxsingle. * Stop having the relabel_vnode hook set extattrs, and additionally have it clear the entire vnode label so that the case of removing auxlabels works. * Allow mac_lomac to accept older 16-byte labels and convert them on-the-fly to 20-byte labels. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#20 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.h#9 edit Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#20 (text+ko) ====
@@ -234,6 +234,23 @@
 }
 
 static int
+mac_lomac_auxsingle_in_range(struct mac_lomac *single, struct mac_lomac *range)
+{
+
+ KASSERT((single->ml_flags & MAC_LOMAC_FLAG_AUX) != 0,
+ ("mac_lomac_single_in_range: a not auxsingle"));
+ KASSERT((range->ml_flags & MAC_LOMAC_FLAG_RANGE) != 0,
+ ("mac_lomac_single_in_range: b not range"));
+
+ return (mac_lomac_dominate_element(&range->ml_rangehigh,
+ &single->ml_auxsingle) &&
+ mac_lomac_dominate_element(&single->ml_auxsingle,
+ &range->ml_rangelow));
+
+ return (1);
+}
+
+static int
 mac_lomac_dominate_single(struct mac_lomac *a, struct mac_lomac *b)
 {
 KASSERT((a->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
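Review bot: The second `return (1);` in mac_lomac_auxsingle_in_range is unreachable, since the `return (...)` of the dominance test precedes it, and both KASSERT messages name `mac_lomac_single_in_range` rather than this function, which will misdirect anyone reading a panic. Drop the dead `return (1);` and change the messages to `("mac_lomac_auxsingle_in_range: a not auxsingle")` and `("mac_lomac_auxsingle_in_range: b not range")`. A one-line comment above the function saying that `single` is compared by its ml_auxsingle element rather than ml_single would also help, because the parameter name suggests otherwise.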
@@ -274,6 +291,9 @@
 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE)
 if (mac_lomac->ml_single.mle_type == MAC_LOMAC_TYPE_EQUAL)
 return (1);
+ if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_AUX)
+ if (mac_lomac->ml_auxsingle.mle_type == MAC_LOMAC_TYPE_EQUAL)
+ return (1);
 
 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
 if (mac_lomac->ml_rangelow.mle_type == MAC_LOMAC_TYPE_EQUAL)
@@ -340,6 +360,22 @@
 return (EINVAL);
 }
 
+ if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_AUX) {
+ switch (mac_lomac->ml_auxsingle.mle_type) {
+ case MAC_LOMAC_TYPE_GRADE:
+ case MAC_LOMAC_TYPE_EQUAL:
+ case MAC_LOMAC_TYPE_HIGH:
+ case MAC_LOMAC_TYPE_LOW:
+ break;
+
+ default:
+ return (EINVAL);
+ }
+ } else {
+ if (mac_lomac->ml_auxsingle.mle_type != MAC_LOMAC_TYPE_UNDEF)
+ return (EINVAL);
+ }
+
 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
 switch (mac_lomac->ml_rangelow.mle_type) {
 case MAC_LOMAC_TYPE_GRADE:
@@ -419,11 +455,24 @@
 }
 
 static void
+mac_lomac_copy_auxsingle(struct mac_lomac *labelfrom, struct mac_lomac *labelto)
+{
+
+ KASSERT((labelfrom->ml_flags & MAC_LOMAC_FLAG_AUX) != 0,
+ ("mac_lomac_copy_auxsingle: labelfrom not auxsingle"));
+
+ labelto->ml_auxsingle = labelfrom->ml_auxsingle;
+ labelto->ml_flags |= MAC_LOMAC_FLAG_AUX;
+}
+
+static void
 mac_lomac_copy(struct mac_lomac *source, struct mac_lomac *dest)
 {
 
 if (source->ml_flags & MAC_LOMAC_FLAG_SINGLE)
 mac_lomac_copy_single(source, dest);
+ if (source->ml_flags & MAC_LOMAC_FLAG_AUX)
+ mac_lomac_copy_auxsingle(source, dest);
 if (source->ml_flags & MAC_LOMAC_FLAG_RANGE)
 mac_lomac_copy_range(source, dest);
 }
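Review bot: mac_lomac_copy is now additive across three components, but nothing says that it never clears flags or elements already present in `dest`, so a caller that copies a source without MAC_LOMAC_FLAG_AUX onto a label that has one keeps the stale auxiliary single. Suggest a comment above mac_lomac_copy such as `/* Merges the components present in source into dest; components already in dest are left alone, so zero dest first when a full replacement is intended. */`. The relabel_vnode hunk in this change does exactly that with bzero, which the comment would make deliberate rather than incidental.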
@@ -579,6 +628,27 @@
 curptr += len;
 }
 
+ if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_AUX) {
+ len = snprintf(curptr, left, "[");
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+
+ len = mac_lomac_element_to_string(curptr, left,
+ &mac_lomac->ml_auxsingle);
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+
+ len = snprintf(curptr, left, "]");
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+ }
+
 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
 len = snprintf(curptr, left, "(");
 if (len >= left)
@@ -680,7 +750,8 @@
 static int
 mac_lomac_parse(struct mac_lomac *mac_lomac, char *string)
 {
- char *range, *rangeend, *rangehigh, *rangelow, *single;
+ char *range, *rangeend, *rangehigh, *rangelow, *single, *auxsingle,
+ *auxsingleend;
 int error;
 
 /* Do we have a range? */
@@ -688,6 +759,11 @@
 range = index(string, '(');
 if (range == single)
 single = NULL;
+ auxsingle = index(string, '[');
+ if (auxsingle == single)
+ single = NULL;
+ if (range != NULL && auxsingle != NULL)
+ return (EINVAL);
 rangelow = rangehigh = NULL;
 if (range != NULL) {
 /* Nul terminate the end of the single string. */
@@ -712,6 +788,18 @@
 KASSERT((rangelow != NULL && rangehigh != NULL) ||
 (rangelow == NULL && rangehigh == NULL),
 ("mac_lomac_internalize_label: range mismatch"));
+ if (auxsingle != NULL) {
+ /* Nul terminate the end of the single string. */
+ *auxsingle = '\0';
+ auxsingle++;
+ auxsingleend = index(auxsingle, ']');
+ if (auxsingleend == NULL)
+ return (EINVAL);
+ if (*(auxsingleend + 1) != '\0')
+ return (EINVAL);
+ /* Nul terminate the end of the auxsingle. */
+ *auxsingleend = '\0';
+ }
 
 bzero(mac_lomac, sizeof(*mac_lomac));
 if (single != NULL) {
@@ -721,6 +809,14 @@
 mac_lomac->ml_flags |= MAC_LOMAC_FLAG_SINGLE;
 }
 
+ if (auxsingle != NULL) {
+ error = mac_lomac_parse_element(&mac_lomac->ml_auxsingle,
+ auxsingle);
+ if (error)
+ return (error);
+ mac_lomac->ml_flags |= MAC_LOMAC_FLAG_AUX;
+ }
+
 if (rangelow != NULL) {
 error = mac_lomac_parse_element(&mac_lomac->ml_rangelow,
 rangelow);
@@ -859,29 +955,13 @@
 mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
 struct label *vnodelabel, struct label *label)
 {
- struct mac_lomac *source, temp;
- size_t buflen;
- int error;
-
- buflen = sizeof(temp);
- bzero(&temp, buflen);
+ struct mac_lomac *source, *dest;
 
 source = SLOT(label);
-#ifdef notyet
- if ((source->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
- return (0);
-#endif
-#ifndef notyet
- mac_lomac_copy(source, SLOT(vnodelabel));
-#endif
+ dest = SLOT(vnodelabel);
 
- mac_lomac_copy_single(source, &temp);
-
- error = vn_extattr_set(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE,
- MAC_LOMAC_EXTATTR_NAME, buflen, (char *)&temp, curthread);
-#ifdef notyet
- return (error);
-#endif
+ bzero(dest, sizeof(*dest));
+ mac_lomac_copy(source, dest);
 }
 
 static void
@@ -933,9 +1013,16 @@
 return (error);
 
 if (buflen != sizeof(temp)) {
- printf("mac_lomac_associate_vnode_extattr: bad size %d\n",
- buflen);
- return (EPERM);
+ if (buflen != sizeof(temp) - sizeof(temp.ml_auxsingle)) {
+ printf("mac_lomac_associate_vnode_extattr: bad size %d\n",
+ buflen);
+ return (EPERM);
+ }
+ bzero(&temp.ml_auxsingle, sizeof(temp.ml_auxsingle));
+ buflen = sizeof(temp);
+ (void)vn_extattr_set(vp, IO_NODELOCKED,
+ MAC_LOMAC_EXTATTR_NAMESPACE, MAC_LOMAC_EXTATTR_NAME,
+ buflen, (char *)&temp, curthread);
 }
 if (mac_lomac_valid(&temp) != 0) {
 printf("mac_lomac_associate_vnode_extattr: invalid\n");
@@ -1811,7 +1898,6 @@
 mac_lomac_check_sysctl(struct ucred *cred, int *name, u_int namelen,
 void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
 {
-#ifdef notyet
 struct mac_lomac *subj;
 
 if (!mac_lomac_enabled)
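Review bot: With the bzero followed by mac_lomac_copy in mac_lomac_relabel_vnode, a source label carrying only MAC_LOMAC_FLAG_AUX leaves the vnode with no single label at all; the check_vnode_relabel hunk later in this change (@@ -2087) caps the new label at SINGLE|AUX via lomac_atmostflags but, as far as the visible lines show, does not require SINGLE to be present, and mac_lomac_parse accepts `[aux]` with no single because a `[` at offset 0 nulls `single`. Unless a check outside these hunks rejects an AUX-only relabel, add one where the vnode relabel flags are validated, e.g. `if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0) return (EINVAL);`. Since `vp` and `cred` are now unused in relabel_vnode, a short comment noting that the extattr is written by another hook would stop readers from assuming persistence was dropped by accident.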
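Review bot: In mac_lomac_associate_vnode_extattr the on-the-fly upgrade of a 16-byte label rewrites the extattr with vn_extattr_set before mac_lomac_valid has checked `temp`, so an invalid stored label is persisted in the new format, and the write's status is discarded. Moving the upgrade write after the validity check (or skipping it when that check fails) keeps bad labels from being rewritten; if the ignored return is intentional, say so with `/* best effort: the in-memory label is already usable */`. The re-indented printf still passes `buflen` to `%d`; if buflen is a size_t, as the sizeof comparisons suggest, `%zu` is the matching conversion. The bzero of ml_auxsingle relies on ml_auxsingle being the trailing member of struct mac_lomac, which the header hunk establishes, but a comment here would make the 16-to-20-byte assumption explicit.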
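Review bot: Removing `#ifdef notyet` in mac_lomac_check_sysctl turns on enforcement that was previously compiled out, but the change description does not mention it; the matching `#endif` goes in the next hunk (@@ -1837) and the body between the two lies outside both hunks. Since some sysctl operations will now return EPERM where they used to return 0, the description should state the activation and the condition under which the denial fires, so the behavior change is discoverable from the history.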
@@ -1837,7 +1923,6 @@
 return (EPERM);
 }
 
-#endif
 return (0);
 }
 
@@ -2053,9 +2138,10 @@
 
 /*
 * If there is a LOMAC label update for the vnode, it must be a
- * single label.
+ * single label, with an optional explicit auxiliary single.
 */
- error = lomac_atmostflags(new, MAC_LOMAC_FLAG_SINGLE);
+ error = lomac_atmostflags(new,
+ MAC_LOMAC_FLAG_SINGLE | MAC_LOMAC_FLAG_AUX);
 if (error)
 return (error);
 
@@ -2087,6 +2173,24 @@
 return (error);
 }
 }
+ if (new->ml_flags & MAC_LOMAC_FLAG_AUX) {
+ /*
+ * To change the auxiliary LOMAC label on a vnode, the new
+ * vnode label must be in the subject range.
+ */
+ if (!mac_lomac_auxsingle_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * To change the auxiliary LOMAC label on the vnode to be
+ * EQUAL, the subject must have appropriate privilege.
+ */
+ if (mac_lomac_contains_equal(new)) {
+ error = mac_lomac_subject_equal_ok(subj);
+ if (error)
+ return (error);
+ }
+ }
 
 return (0);
 }
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.h#9 (text+ko) ====
@@ -47,13 +47,11 @@
 
 #define MAC_LOMAC_LABEL_NAME "lomac"
 
-#define MAC_LOMAC_FLAG_SINGLE 0x00000001 /* mb_single initialized */
-#define MAC_LOMAC_FLAG_RANGE 0x00000002 /* mb_range* initialized */
+#define MAC_LOMAC_FLAG_SINGLE 0x00000001 /* ml_single initialized */
+#define MAC_LOMAC_FLAG_RANGE 0x00000002 /* ml_range* initialized */
+#define MAC_LOMAC_FLAG_AUX 0x00000004 /* ml_auxsingle initialized */
 #define MAC_LOMAC_FLAGS_BOTH (MAC_LOMAC_FLAG_SINGLE | MAC_LOMAC_FLAG_RANGE)
-#define MAC_LOMAC_CFLAG_SINGLE 0x00000004 /* mb_single initialized */
-#define MAC_LOMAC_CFLAG_RANGE 0x00000008 /* mb_range* initialized */
-#define MAC_LOMAC_CFLAGS_BOTH (MAC_LOMAC_CFLAG_SINGLE | MAC_LOMAC_CFLAG_RANGE)
-#define MAC_LOMAC_FLAG_UPDATE 0x00000010 /* must demote this process */
+#define MAC_LOMAC_FLAG_UPDATE 0x00000008 /* must demote this process */
 
 #define MAC_LOMAC_TYPE_UNDEF 0 /* Undefined */
 #define MAC_LOMAC_TYPE_GRADE 1 /* Hierarchal grade with mb_grade. */
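Review bot: The header hunk reassigns flag bits that can reach persistent storage: MAC_LOMAC_FLAG_AUX takes 0x00000004, formerly MAC_LOMAC_CFLAG_SINGLE, and MAC_LOMAC_FLAG_UPDATE moves from 0x00000010 to 0x00000008, formerly MAC_LOMAC_CFLAG_RANGE. Because ml_flags is stored verbatim in the vnode extattr and read straight back into struct mac_lomac by mac_lomac_associate_vnode_extattr, an old 16-byte label with a CFLAG bit set would now be read as AUX with an UNDEF ml_auxsingle and rejected by mac_lomac_valid, or as UPDATE. Whether such bits were ever written to disk is not visible here, so confirm it, and either mask unknown bits in the legacy-conversion path or document the reuse next to the defines, e.g. `/* 0x4 and 0x8 were the CFLAG_* bits in the 16-byte label format. */`.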
@@ -78,15 +76,18 @@
 };
 
 /*
- * LOMAC labels consist of two components: a single label, and a label
- * range. Depending on the context, one or both may be used; the mb_flags
+ * LOMAC labels start with two components: a single label, and a label
+ * range. Depending on the context, one or both may be used; the ml_flags
 * field permits the provider to indicate what fields are intended for
- * use.
+ * use. The auxiliary label works the same way, but is only valid on
+ * filesystem objects to provide inheritance semantics on directories
+ * and "non-demoting" execution on executable files.
 */
 struct mac_lomac {
 int ml_flags;
 struct mac_lomac_element ml_single;
 struct mac_lomac_element ml_rangelow, ml_rangehigh;
+ struct mac_lomac_element ml_auxsingle;
 };
 
 #endif /* !_SYS_SECURITY_MAC_LOMAC_H */
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
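Review bot: struct mac_lomac is also the on-disk extattr format, and the 16-to-20-byte conversion in mac_lomac_associate_vnode_extattr only works because ml_auxsingle is appended after ml_rangehigh, yet the struct comment does not record that constraint. Suggest extending it with a sentence such as `The layout is persisted verbatim as a vnode extattr, so new members must be appended and the size check in mac_lomac_associate_vnode_extattr updated.` The updated comment also says the auxiliary label is only valid on filesystem objects, while mac_lomac_valid in this change accepts MAC_LOMAC_FLAG_AUX on any label; naming where that restriction is enforced, or noting that it is a convention rather than a check, would avoid a false sense of enforcement.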