Date: Sat, 26 Jul 2003 12:41:03 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 35053 for review Message-ID: <200307261941.h6QJf3QV070428@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=35053 Change 35053 by rwatson@rwatson_tislabs on 2003/07/26 12:40:56 Update Biba, BSD Extended, MLS, None, and Test policies for new extended attribute checks (delete, list). For now, leave out LOMAC and SEBSD. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#216 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#72 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#174 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#124 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#108 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#216 (text+ko) ==== @@ -2158,6 +2158,24 @@ } static int +mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, + struct label *label, int attrnamespace, const char *name) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *label, struct image_params *imgp, struct label *execlabel) @@ -2250,6 +2268,24 @@ } static int +mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, + struct label *label, int attrnamespace) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { 
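Review bot: mac_biba_check_vnode_deleteextattr ignores both `attrnamespace` and `name`, so removing any attribute is gated by the same subject-dominates-object integrity test as an ordinary write, and nothing in the function says so; add `/* Deleting an extattr modifies the object: the subject must dominate it. */` above the dominance check, since the argument order is the only thing that distinguishes this from the read check added later in the same change. If this policy persists its own label as a system-namespace extended attribute (the extattr-backed label code is outside this hunk, so this is inferred), deletion of that attribute is covered only by this plain write check and not by whatever the relabel entry point requires, so it may be worth rejecting or routing that case through the relabel path. The surrounding file continues on both sides of this hunk.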
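Review bot: mac_biba_check_vnode_listextattr reverses the dominance arguments relative to the delete check (`mac_biba_dominate_single(obj, subj)`), which is the correct no-read-down rule under Biba but reads like a transposition because neither function states its intended direction; add `/* Listing attribute names reads the object: the object must dominate the subject. */` before the check. A one-line note that listing is treated identically for every `attrnamespace` would also spare the next reader from looking for a missing switch on that parameter.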
@@ -2770,10 +2806,12 @@ .mpo_check_vnode_create = mac_biba_check_vnode_create, .mpo_check_vnode_delete = mac_biba_check_vnode_delete, .mpo_check_vnode_deleteacl = mac_biba_check_vnode_deleteacl, + .mpo_check_vnode_deleteextattr = mac_biba_check_vnode_deleteextattr, .mpo_check_vnode_exec = mac_biba_check_vnode_exec, .mpo_check_vnode_getacl = mac_biba_check_vnode_getacl, .mpo_check_vnode_getextattr = mac_biba_check_vnode_getextattr, .mpo_check_vnode_link = mac_biba_check_vnode_link, + .mpo_check_vnode_listextattr = mac_biba_check_vnode_listextattr, .mpo_check_vnode_lookup = mac_biba_check_vnode_lookup, .mpo_check_vnode_mmap = mac_biba_check_vnode_mmap, .mpo_check_vnode_mprotect = mac_biba_check_vnode_mmap, ==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#72 (text+ko) ==== @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson - * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. + * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -418,6 +418,22 @@ } static int +mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, + struct label *label, int attrnamespace, const char *name) +{ + struct vattr vap; + int error; + + if (!mac_bsdextended_enabled) + return (0); + + error = VOP_GETATTR(vp, &vap, cred, curthread); + if (error) + return (error); + return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE)); +} + +static int mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *label, struct image_params *imgp, struct label *execlabel) 
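Review bot: mac_bsdextended_check_vnode_deleteextattr fetches the file's uid/gid with VOP_GETATTR rather than consulting the `label` argument, and nothing explains why; add `/* bsdextended rules key on file ownership, not MAC labels, so fetch the vnode attributes. */` before the call. It is also worth stating that a VOP_GETATTR failure is returned verbatim, so the deletion is denied with that error rather than EACCES. Whether `curthread` here matches the sibling getextattr/setextattr checks cannot be confirmed from this hunk.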
@@ -495,6 +511,22 @@ } static int +mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, + struct label *label, int attrnamespace) +{ + struct vattr vap; + int error; + + if (!mac_bsdextended_enabled) + return (0); + + error = VOP_GETATTR(vp, &vap, cred, curthread); + if (error) + return (error); + return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD)); +} + +static int mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { @@ -752,10 +784,12 @@ .mpo_check_vnode_create = mac_bsdextended_check_create_vnode, .mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete, .mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl, + .mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr, .mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec, .mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl, .mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr, .mpo_check_vnode_link = mac_bsdextended_check_vnode_link, + .mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr, .mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup, .mpo_check_vnode_open = mac_bsdextended_check_vnode_open, .mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#174 (text+ko) ==== @@ -1930,6 +1930,24 @@ } static int +mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, + struct label *label, int attrnamespace, const char *name) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *label, struct image_params *imgp, struct label *execlabel) 
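Review bot: mac_mls_check_vnode_deleteextattr allows the deletion whenever the object dominates the subject, meaning a lower-cleared subject may blindly remove attributes from a higher-classified file; that is the usual MLS write-up rule, but because deletion is destructive and irreversible the intent should be spelled out: `/* Deletion is a write: permitted when the object dominates the subject (write-up allowed, write-down denied). */`. As with the Biba change, `attrnamespace` and `name` are not inspected, so if the policy's own label is stored as an extattr (not visible in this hunk) its removal is governed only by this check.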
@@ -2021,6 +2039,25 @@ } static int +mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, + struct label *label, int attrnamespace) +{ + + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { @@ -2535,10 +2572,12 @@ .mpo_check_vnode_create = mac_mls_check_vnode_create, .mpo_check_vnode_delete = mac_mls_check_vnode_delete, .mpo_check_vnode_deleteacl = mac_mls_check_vnode_deleteacl, + .mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr, .mpo_check_vnode_exec = mac_mls_check_vnode_exec, .mpo_check_vnode_getacl = mac_mls_check_vnode_getacl, .mpo_check_vnode_getextattr = mac_mls_check_vnode_getextattr, .mpo_check_vnode_link = mac_mls_check_vnode_link, + .mpo_check_vnode_listextattr = mac_mls_check_vnode_listextattr, .mpo_check_vnode_lookup = mac_mls_check_vnode_lookup, .mpo_check_vnode_mmap = mac_mls_check_vnode_mmap, .mpo_check_vnode_mprotect = mac_mls_check_vnode_mmap, ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#124 (text+ko) ==== @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson - * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. + * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -784,6 +784,14 @@ } static int +mac_none_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, + struct label *label, int attrnamespace, const char *name) +{ + + return (0); +} + +static int mac_none_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *label, struct image_params *imgp, struct label *execlabel) 
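Review bot: mac_mls_check_vnode_listextattr has a stray blank line between the opening brace and `struct mac_mls *subj, *obj;`; style(9) uses that blank line only when a function has no local declarations, which is what the mac_none stubs in this same change do, and mac_mls_check_vnode_deleteextattr in the previous hunk omits it. Drop the empty line so the two new MLS functions match. The dominance direction (`subj` over `obj`) is right for a read, and a short `/* Listing attribute names is a read: the subject must dominate the object. */` comment would make the asymmetry with the delete check obvious.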
@@ -818,6 +826,14 @@ } static int +mac_none_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, + struct label *label, int attrnamespace) +{ + + return (0); +} + +static int mac_none_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { @@ -1104,10 +1120,12 @@ .mpo_check_vnode_create = mac_none_check_vnode_create, .mpo_check_vnode_delete = mac_none_check_vnode_delete, .mpo_check_vnode_deleteacl = mac_none_check_vnode_deleteacl, + .mpo_check_vnode_deleteextattr = mac_none_check_vnode_deleteextattr, .mpo_check_vnode_exec = mac_none_check_vnode_exec, .mpo_check_vnode_getacl = mac_none_check_vnode_getacl, .mpo_check_vnode_getextattr = mac_none_check_vnode_getextattr, .mpo_check_vnode_link = mac_none_check_vnode_link, + .mpo_check_vnode_listextattr = mac_none_check_vnode_listextattr, .mpo_check_vnode_lookup = mac_none_check_vnode_lookup, .mpo_check_vnode_mmap = mac_none_check_vnode_mmap, .mpo_check_vnode_mprotect = mac_none_check_vnode_mprotect, ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#108 (text+ko) ==== @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson - * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. + * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -1456,6 +1456,17 @@ } static int +mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, + struct label *label, int attrnamespace, const char *name) +{ + + ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_VNODE_LABEL(label); + + return (0); +} + +static int mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *label, struct image_params *imgp, struct label *execlabel) 
@@ -1506,6 +1517,17 @@ } static int +mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, + struct label *label, int attrnamespace) +{ + + ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_VNODE_LABEL(label); + + return (0); +} + +static int mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { @@ -1869,10 +1891,12 @@ .mpo_check_vnode_create = mac_test_check_vnode_create, .mpo_check_vnode_delete = mac_test_check_vnode_delete, .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, + .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr, .mpo_check_vnode_exec = mac_test_check_vnode_exec, .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, .mpo_check_vnode_link = mac_test_check_vnode_link, + .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, .mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect,