Date: Thu, 15 Feb 2007 20:26:07 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 114582 for review Message-ID: <200702152026.l1FKQ7s5073488@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=114582 Change 114582 by millert@millert_p4 on 2007/02/15 20:26:02 Add sysctl_canon_context, sysctl_compute_create, and sysctl_compute_member for use by new libselinux. Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#12 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#12 (text+ko) ==== 
@@ -333,7 +333,169 @@
 return (error);
 }
+/*
+ * Sysctl handler for security.mac.sebsd.canon_context.
+ * Check sid validity, returns canonical name of context.
+ */
+static int
+sysctl_canon_context(SYSCTL_HANDLER_ARGS)
+{
+ u_int32_t sid, len;
+ char *context, *canon;
+ int error;
+
+#ifdef SECURITY__COMPUTE_CHECK
+ error = thread_has_security(curthread, SECURITY__COMPUTE_CHECK);
+ if (error)
+ return (error);
+#endif
+
+ if (req->newlen < 2)
+ return (EINVAL);
+ if (req->newlen > 512) /* arbitrary */
+ return (ENAMETOOLONG);
+ MALLOC(context, char *, req->newlen, M_SEBSD, M_WAITOK);
+ error = SYSCTL_IN(req, context, req->newlen);
+ if (error)
+ goto out;
+ if (context[req->newlen - 1] != '\0') {
+ error = EINVAL;
+ goto out;
+ }
+ /*
+ * XXX We need POLICY_RDLOCK here, but it's not exported!
+ */
+ error = security_context_to_sid(context, strlen(context) + 1, &sid);
+ if (error)
+ goto out;
+
+ error = security_sid_to_context(sid, &canon, &len);
+ if (error == 0) {
+ error = SYSCTL_OUT(req, canon, len);
+ FREE(canon, M_SEBSD);
+ }
+out:
+ FREE(context, M_SEBSD);
+ return (error);
+}
+
+/*
+ * Sysctl handler for security.mac.sebsd.compute_create. Create new sid
+ * given input "scontext\0tcontext\0", tclass.
+ */
 static int
+sysctl_compute_create(SYSCTL_HANDLER_ARGS)
+{
+ u_int32_t sid, tsid, newsid, len;
+ u_int16_t tclass;
+ char *scontext, *tcontext, *newcontext;
+ int error;
+
+ error = thread_has_security(curthread, SECURITY__COMPUTE_CREATE);
+ if (error)
+ return (error);
+
+ if (req->newlen < 4 + sizeof(tclass))
+ return (EINVAL);
+ if (req->newlen > 512) /* arbitrary */
+ return (ENAMETOOLONG);
+ MALLOC(scontext, char *, req->newlen, M_SEBSD, M_WAITOK);
+ error = SYSCTL_IN(req, scontext, req->newlen);
+ if (error)
+ goto out;
+ if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') {
+ error = EINVAL;
+ goto out;
+ }
+ tcontext = &scontext[strlen(scontext) + 1];
+ if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) {
+ error = EINVAL;
+ goto out;
+ }
+ bcopy(&tcontext[strlen(tcontext) + 1], &tclass, sizeof(tclass));
+ /*
+ * XXX We need POLICY_RDLOCK here, but it's not exported!
+ */
+ error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid);
+ if (error)
+ goto out;
+ error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid);
+ if (error)
+ goto out;
+
+ error = security_transition_sid(sid, tsid, tclass, &newsid);
+ if (error)
+ goto out;
+
+ error = security_sid_to_context(newsid, &newcontext, &len);
+ if (error == 0) {
+ error = SYSCTL_OUT(req, newcontext, len);
+ FREE(newcontext, M_SEBSD);
+ }
+out:
+ FREE(scontext, M_SEBSD);
+ return (error);
+}
+
+/*
+ * Sysctl handler for security.mac.sebsd.compute_member. Compute member sid
+ * given input "scontext\0tcontext\0", tclass.
+ */
+static int
+sysctl_compute_member(SYSCTL_HANDLER_ARGS)
+{
+ u_int32_t sid, tsid, newsid, len;
+ u_int16_t tclass;
+ char *scontext, *tcontext, *newcontext;
+ int error;
+
+ error = thread_has_security(curthread, SECURITY__COMPUTE_MEMBER);
+ if (error)
+ return (error);
+
+ if (req->newlen < 4 + sizeof(tclass))
+ return (EINVAL);
+ if (req->newlen > 512) /* arbitrary */
+ return (ENAMETOOLONG);
+ MALLOC(scontext, char *, req->newlen, M_SEBSD, M_WAITOK);
+ error = SYSCTL_IN(req, scontext, req->newlen);
+ if (error)
+ goto out;
+ if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') {
+ error = EINVAL;
+ goto out;
+ }
+ tcontext = &scontext[strlen(scontext) + 1];
+ if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) {
+ error = EINVAL;
+ goto out;
+ }
+ bcopy(&tcontext[strlen(tcontext) + 1], &tclass, sizeof(tclass));
+ /*
+ * XXX We need POLICY_RDLOCK here, but it's not exported!
+ */
+ error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid);
+ if (error)
+ goto out;
+ error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid);
+ if (error)
+ goto out;
+
+ error = security_member_sid(sid, tsid, tclass, &newsid);
+ if (error)
+ goto out;
+
+ error = security_sid_to_context(newsid, &newcontext, &len);
+ if (error == 0) {
+ error = SYSCTL_OUT(req, newcontext, len);
+ FREE(newcontext, M_SEBSD);
+ }
+out:
+ FREE(scontext, M_SEBSD);
+ return (error);
+}
+
+static int
 sysctl_sebsd_policypath(SYSCTL_HANDLER_ARGS)
 {
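Review bot: In sysctl_canon_context the only access control is wrapped in `#ifdef SECURITY__COMPUTE_CHECK`, so if that constant is not defined by the generated permission header the handler compiles with no thread_has_security() check at all, while the registration in the next hunk exposes the node CTLFLAG_ANYBODY; the other two handlers check unconditionally. Make the absence a build error instead of a silent no-op, `#ifndef SECURITY__COMPUTE_CHECK` / `#error "sysctl_canon_context: no permission defined"` / `#endif`, or use whatever permission the header actually defines for context validation (I would expect a check_context-style permission, but verify against the header). Separately, sysctl_compute_create and sysctl_compute_member carry an identical copy of the "scontext\0tcontext\0" + tclass parsing, and that parser takes tclass from the two bytes after tcontext's terminator rather than from the last two bytes of the request, so a request with extra bytes between them is accepted with a class read from the wrong offset; a shared static parser that also requires the class to sit at the very end of the buffer would fix both callers in one place, assuming the new libselinux sends exactly that layout. The XXX POLICY_RDLOCK comments already flag the remaining race with a policy reload between the context_to_sid and sid_to_context calls, which is worth tracking before these nodes ship.
```c
/*
 * Split a user-supplied "scontext\0tcontext\0" + u_int16_t tclass buffer.
 * Accepts only exactly two NUL-terminated strings followed by the class;
 * the caller has already checked len >= 4 + sizeof(*tclassp).
 */
static int
sebsd_parse_context_pair(char *buf, size_t len, char **tcontextp,
    u_int16_t *tclassp)
{
	char *tcontext, *end;

	end = &buf[len - sizeof(*tclassp)];	/* class must start here */
	if (end[-1] != '\0')
		return (EINVAL);
	tcontext = &buf[strlen(buf) + 1];
	if (tcontext >= end - 1)
		return (EINVAL);
	if (&tcontext[strlen(tcontext) + 1] != end)
		return (EINVAL);
	bcopy(end, tclassp, sizeof(*tclassp));
	*tcontextp = tcontext;
	return (0);
}

/* in sysctl_compute_create and sysctl_compute_member, after SYSCTL_IN: */
	error = sebsd_parse_context_pair(scontext, req->newlen, &tcontext, &tclass);
	if (error)
		goto out;
	/* … unchanged: context_to_sid, transition/member lookup, sid_to_context … */
```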
@@ -360,6 +522,15 @@
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_av, CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_av, "A", "SEBSD access vector decision query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, canon_context, CTLTYPE_STRING |
+ CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_canon_context, "A",
+ "SEBSD context verification query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_create, CTLTYPE_STRING |
+ CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_create, "A",
+ "SEBSD context computation query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_member, CTLTYPE_STRING |
+ CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_member, "A",
+ "SEBSD context member query");
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, auditing, CTLTYPE_INT | CTLFLAG_RW, NULL, 0, sysctl_sebsd_auditing, "I", "SEBSD avc auditing");
 TUNABLE_INT("security.mac.sebsd.auditing", &selinux_auditing);
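Review bot: All three new nodes are registered CTLFLAG_ANYBODY, so the sysctl layer performs no privilege check of its own and the thread_has_security() call inside each handler is the only thing gating them; that matches compute_av just above, but it makes the handler-side check load-bearing and deserves saying so at the registration site, e.g. `/* ANYBODY: access is mediated by the avc permission check in each handler, not by sysctl. */`. The canon_context handler in the previous hunk compiles its check under `#ifdef SECURITY__COMPUTE_CHECK`, so this node should not be exposed ANYBODY until that constant is confirmed to exist in the permission header.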