Date:      Fri, 27 Sep 2002 13:17:45 -0700 (PDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 18224 for review
Message-ID:  <200209272017.g8RKHjhK029943@freefall.freebsd.org>

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18224

Change 18224 by rwatson@rwatson_paprika on 2002/09/27 13:17:02

	Break out current mac_check_vnode_mmap_perms entry point into
	several entry points:
	
	mac_check_vnode_mmap()          Called by mmap() to authorize
				the creation of a new mapping from a
				vnode.
	mac_check_vnode_mprotect()      Called by mprotect() to
				authorize a new protection mask for
				the mapping on a vnode that is already
				mapped.
	mac_check_vnode_mmap_downgrade()        Called during process
				label change operations to determine
				what (if any) downgrade should occur on
				the protections associated with a mmap'd
				vnode.
	
	The first two of these calls take normal access control check
	semantics consistent with existing policy operations; the last
	of these follows the model used previously in all of these
	situations involving requesting a composed mask of available
	rights across various policies.  This pushes the composition
	logic back into the framework for the two checks that are
	strictly access control checks, and keeps the composition in
	the framework for the downgrade.  The cached maxprot in a VM
	mapping no longer plays a part in MAC protections, since it is
	really about maintaining UNIX semantics for mprotect().  This
	also simplifies the logic in vm_mmap.c, and introduces new
	protection for mprotect() in vm_map.c.
	
	While I'm here, make the process mmap downgrade during subject
	label change be twiddled by mac_enforce_vm, fix a few other
	enable/disable cases.
	
	Temporarily lose the ability to downgrade mappings in our
	current policy pool, to be reintroduced in a few minutes in a
	follow-up commit against the relevant modules.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#278 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#112 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#94 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#76 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#78 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#47 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#26 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#163 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#127 edit
.. //depot/projects/trustedbsd/mac/sys/vm/vm_map.c#14 edit
.. //depot/projects/trustedbsd/mac/sys/vm/vm_mmap.c#15 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#278 (text+ko) ====

@@ -218,6 +218,8 @@
 static int	mac_policy_unregister(struct mac_policy_conf *mpc);
 
 static int	mac_stdcreatevnode_ea(struct vnode *vp);
+static void	mac_check_vnode_mmap_downgrade(struct ucred *cred,
+		    struct vnode *vp, int *prot);
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
@@ -904,8 +906,16 @@
 			mpc->mpc_ops->mpo_check_vnode_lookup =
 			    mpe->mpe_function;
 			break;
-		case MAC_CHECK_VNODE_MMAP_PERMS:
-			mpc->mpc_ops->mpo_check_vnode_mmap_perms =
+		case MAC_CHECK_VNODE_MMAP:
+			mpc->mpc_ops->mpo_check_vnode_mmap =
+			    mpe->mpe_function;
+			break;
+		case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
+			mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
+			    mpe->mpe_function;
+			break;
+		case MAC_CHECK_VNODE_MPROTECT:
+			mpc->mpc_ops->mpo_check_vnode_mprotect =
 			    mpe->mpe_function;
 			break;
 		case MAC_CHECK_VNODE_OPEN:
@@ -2257,21 +2267,56 @@
 	return (error);
 }
 
-vm_prot_t
-mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
+int
+mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot)
 {
-	vm_prot_t result = VM_PROT_ALL;
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
+
+	if (!mac_enforce_fs || !mac_enforce_vm)
+		return (0);
+
+	error = vn_refreshlabel(vp, cred);
+	if (error)
+		return (error);
+
+	MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
+	return (error);
+}
 
-	if (!mac_enforce_vm)
-		return (result);
+void
+mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
+{
+	int result = *prot;
 
-	/*
-	 * This should be some sort of MAC_BITWISE, maybe :)
-	 */
 	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms");
-	MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label,
-	    newmapping);
-	return (result);
+
+	if (!mac_enforce_fs || !mac_enforce_vm)
+		*prot = result;
+
+	MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label,
+	    &result);
+
+	*prot = result;
+}
+
+int
+mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
+
+	if (!mac_enforce_fs || !mac_enforce_vm)
+		return (0);
+
+	error = vn_refreshlabel(vp, cred);
+	if (error)
+		return (error);
+
+	MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
+	return (error);
 }
 
 int
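Review bot: In mac_check_vnode_mmap_downgrade the enforcement test does not stop the function: `if (!mac_enforce_fs || !mac_enforce_vm) *prot = result;` writes back the value just read and then falls through to MAC_PERFORM, so policies are still consulted and can lower the mask while enforcement is switched off. The branch presumably wants `return;` instead of the assignment. The assertion string still names the old entry point and should read `ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");`. Unlike the two sibling checks, this one does not call vn_refreshlabel() before passing `&vp->v_label` to the policies; if that is deliberate, a one-line comment saying why would help.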
@@ -2654,7 +2699,8 @@
     struct vm_map *map)
 {
 	struct vm_map_entry *vme;
-	vm_prot_t result, revokeperms;
+	int result;
+	vm_prot_t revokeperms;
 	vm_object_t object;
 	vm_ooffset_t offset;
 	struct vnode *vp;
@@ -2695,7 +2741,8 @@
 			continue;
 		vp = (struct vnode *)object->handle;
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
-		result = mac_check_vnode_mmap_prot(cred, vp, 0);
+		result = vme->max_protection;
+		mac_check_vnode_mmap_downgrade(cred, vp, &result);
 		VOP_UNLOCK(vp, 0, td);
 		/*
 		 * Find out what maximum protection we may be allowing
@@ -3699,9 +3746,11 @@
 	crhold(newcred);
 	PROC_UNLOCK(p);
 
-	mtx_lock(&Giant);
-	mac_cred_mmapped_drop_perms(td, newcred);
-	mtx_unlock(&Giant);
+	if (mac_enforce_vm) {
+		mtx_lock(&Giant);
+		mac_cred_mmapped_drop_perms(td, newcred);
+		mtx_unlock(&Giant);
+	}
 
 	crfree(newcred);	/* Free revocation reference. */
 	crfree(oldcred);

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#112 (text+ko) ====

@@ -2147,23 +2147,31 @@
 }
 
 static vm_prot_t
-mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
-    struct label *label, int newmapping)
+mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+    struct label *label, int prot)
 {
 	struct mac_biba *subj, *obj;
-	vm_prot_t prot = 0;
 
-	if (!mac_biba_enabled || (!mac_biba_revocation_enabled && !newmapping))
-		return (VM_PROT_ALL);
+	/*
+	 * Rely on the use of open()-time protections to handle
+	 * non-revocation cases.
+	 */
+	if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+		return (0);
 
 	subj = SLOT(&cred->cr_label);
 	obj = SLOT(label);
 
-	if (mac_biba_dominate_single(obj, subj))
-		prot |= VM_PROT_READ | VM_PROT_EXECUTE;
-	if (mac_biba_dominate_single(subj, obj))
-		prot |= VM_PROT_WRITE;
-	return (prot);
+	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
+		if (!mac_biba_dominate_single(obj, subj))
+			return (EACCES);
+	}
+	if (prot & VM_PROT_WRITE) {
+		if (!mac_biba_dominate_single(subj, obj))
+			return (EACCES);
+	}
+
+	return (0);
 }
 
 static struct mac_policy_op_entry mac_biba_ops[] =
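Review bot: mac_biba_check_vnode_mmap keeps the `static vm_prot_t` return type of the old entry point although it now returns 0 or EACCES and is installed, through the macop_t cast, into `int (*mpo_check_vnode_mmap)(...)`; it should be declared `static int`, as the mac_te version in this change is. If vm_prot_t is as narrow as the u_char the removed mac.h prototype used, an errno value outside that range would not survive the return, so the mismatch is latent rather than harmless. The same applies to mac_mls_check_vnode_mmap in mac_mls.c.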
@@ -2386,6 +2394,10 @@
 	    (macop_t)mac_biba_check_vnode_link },
 	{ MAC_CHECK_VNODE_LOOKUP,
 	    (macop_t)mac_biba_check_vnode_lookup },
+	{ MAC_CHECK_VNODE_MMAP,
+	    (macop_t)mac_biba_check_vnode_mmap },
+	{ MAC_CHECK_VNODE_MPROTECT,
+	    (macop_t)mac_biba_check_vnode_mmap },
 	{ MAC_CHECK_VNODE_OPEN,
 	    (macop_t)mac_biba_check_vnode_open },
 	{ MAC_CHECK_VNODE_POLL,
@@ -2420,8 +2432,6 @@
 	    (macop_t)mac_biba_check_vnode_stat },
 	{ MAC_CHECK_VNODE_WRITE,
 	    (macop_t)mac_biba_check_vnode_write },
-	{ MAC_CHECK_VNODE_MMAP_PERMS,
-	    (macop_t)mac_biba_check_vnode_mmap_perms },
 	{ MAC_OP_LAST, NULL }
 };
 

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#94 (text+ko) ====

@@ -2107,23 +2107,31 @@
 }
 
 static vm_prot_t
-mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
-    struct label *label, int newmapping)
+mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+    struct label *label, int prot)
 {
 	struct mac_mls *subj, *obj;
-	vm_prot_t prot = 0;
 
-	if (!mac_mls_enabled || (!mac_mls_revocation_enabled && !newmapping))
-		return (VM_PROT_ALL);
+	/*
+	 * Rely on the use of open()-time protections to handle
+	 * non-revocation cases.
+	 */
+	if (!mac_mls_enabled || !mac_mls_revocation_enabled)
+		return (0);
 
 	subj = SLOT(&cred->cr_label);
 	obj = SLOT(label);
 
-	if (mac_mls_dominate_single(subj, obj))
-		prot |= VM_PROT_READ | VM_PROT_EXECUTE;
-	if (mac_mls_dominate_single(obj, subj))
-		prot |= VM_PROT_WRITE;
-	return (prot);
+	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
+		if (!mac_mls_dominate_single(subj, obj))
+			return (EACCES);
+	}
+	if (prot & VM_PROT_WRITE) {
+		if (!mac_mls_dominate_single(obj, subj))
+			return (EACCES);
+	}
+
+	return (0);
 }
 
 static struct mac_policy_op_entry mac_mls_ops[] =
@@ -2346,6 +2354,10 @@
 	    (macop_t)mac_mls_check_vnode_link },
 	{ MAC_CHECK_VNODE_LOOKUP,
 	    (macop_t)mac_mls_check_vnode_lookup },
+	{ MAC_CHECK_VNODE_MMAP,
+	    (macop_t)mac_mls_check_vnode_mmap },
+	{ MAC_CHECK_VNODE_MPROTECT,
+	    (macop_t)mac_mls_check_vnode_mmap },
 	{ MAC_CHECK_VNODE_OPEN,
 	    (macop_t)mac_mls_check_vnode_open },
 	{ MAC_CHECK_VNODE_POLL,
@@ -2380,8 +2392,6 @@
 	    (macop_t)mac_mls_check_vnode_stat },
 	{ MAC_CHECK_VNODE_WRITE,
 	    (macop_t)mac_mls_check_vnode_write },
-	{ MAC_CHECK_VNODE_MMAP_PERMS,
-	    (macop_t)mac_mls_check_vnode_mmap_perms },
 	{ MAC_OP_LAST, NULL }
 };
 

==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#76 (text+ko) ====

@@ -706,7 +706,23 @@
 {
  
 	return (0);
-} 
+}
+
+static int
+mac_none_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+    struct label *label, int prot)
+{
+
+	return (0);
+}
+
+static int
+mac_none_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+    struct label *label, int prot)
+{
+
+	return (0);
+}
 
 static int
 mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp,
@@ -1074,6 +1090,10 @@
 	    (macop_t)mac_none_check_vnode_link },
 	{ MAC_CHECK_VNODE_LOOKUP,
 	    (macop_t)mac_none_check_vnode_lookup },
+	{ MAC_CHECK_VNODE_MMAP,
+	    (macop_t)mac_none_check_vnode_mmap },
+	{ MAC_CHECK_VNODE_MPROTECT,
+	    (macop_t)mac_none_check_vnode_mprotect },
 	{ MAC_CHECK_VNODE_OPEN,
 	    (macop_t)mac_none_check_vnode_open },
 	{ MAC_CHECK_VNODE_POLL,

==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#78 (text+ko) ====

@@ -1184,25 +1184,35 @@
 	    MAC_TE_OPERATION_DIR_LOOKUP));
 }
 
-static vm_prot_t
-mac_te_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
-    struct label *label, int newmapping)
+static int
+mac_te_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+    struct label *label, int prot)
 {
-	vm_prot_t prot = 0;
+	int error;
+
+	if (!mac_te_enabled || !mac_te_revocation_enabled)
+		return (0);
 
-	if (!mac_te_enabled || (!mac_te_revocation_enabled && !newmapping))
-		return (VM_PROT_ALL);
+	if (prot & VM_PROT_READ) {
+		error = mac_te_check(&cred->cr_label, label,
+		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_READ);
+		if (error)
+			return (error);
+	}
+	if (prot & VM_PROT_EXECUTE) {
+		error = mac_te_check(&cred->cr_label, label,
+		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_EXEC);
+		if (error)
+			return (error);
+	}
+	if (prot & VM_PROT_WRITE) {
+		error = mac_te_check(&cred->cr_label, label,
+		    MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_WRITE);
+		if (error)
+			return (error);
+	}
 
-	if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
-	    MAC_TE_OPERATION_FILE_READ) == 0)
-		prot |= VM_PROT_READ;
-	if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
-	    MAC_TE_OPERATION_FILE_EXEC) == 0)
-		prot |= VM_PROT_EXECUTE;
-	if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE,
-	    MAC_TE_OPERATION_FILE_WRITE) == 0)
-		prot |= VM_PROT_WRITE;
-	return (prot);
+	return (0);
 }
 
 static int
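Review bot: The early return `if (!mac_te_enabled || !mac_te_revocation_enabled) return (0);` drops the old `!newmapping` term, so with revocation disabled a new mmap() is no longer checked by this policy at all, where the removed code still computed a mask for new mappings. mac_biba and mac_mls make the same change but document it; this function should carry the same comment, `/* Rely on the use of open()-time protections to handle non-revocation cases. */`, or keep checking when the call comes from mmap(). Because the same function is also registered for MAC_CHECK_VNODE_MPROTECT later in this file, the gate applies to mprotect() as well.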
@@ -1811,6 +1821,10 @@
 	    (macop_t)mac_te_check_vnode_link },
 	{ MAC_CHECK_VNODE_LOOKUP,
 	    (macop_t)mac_te_check_vnode_lookup },
+	{ MAC_CHECK_VNODE_MMAP,
+	    (macop_t)mac_te_check_vnode_mmap },
+	{ MAC_CHECK_VNODE_MPROTECT,
+	    (macop_t)mac_te_check_vnode_mmap },
 	{ MAC_CHECK_VNODE_OPEN,
 	    (macop_t)mac_te_check_vnode_open },
 	{ MAC_CHECK_VNODE_POLL,
@@ -1845,8 +1859,6 @@
 	    (macop_t)mac_te_check_vnode_stat },
 	{ MAC_CHECK_VNODE_WRITE,
 	    (macop_t)mac_te_check_vnode_write },
-	{ MAC_CHECK_VNODE_MMAP_PERMS,
-	    (macop_t)mac_te_check_vnode_mmap_perms },
 	{ MAC_COPY_PIPE_LABEL,
 	    (macop_t)mac_te_copy_label },
 	{ MAC_COPY_VNODE_LABEL,

==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#47 (text+ko) ====

@@ -1091,6 +1091,22 @@
 }
 
 static int
+mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+    struct label *label, int prot)
+{
+
+	return (0);
+}
+
+static int
+mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+    struct label *label, int prot)
+{
+
+	return (0);
+}
+
+static int
 mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *label)
 {
@@ -1450,6 +1466,10 @@
 	    (macop_t)mac_test_check_vnode_link },
 	{ MAC_CHECK_VNODE_LOOKUP,
 	    (macop_t)mac_test_check_vnode_lookup },
+	{ MAC_CHECK_VNODE_MMAP,
+	    (macop_t)mac_test_check_vnode_mmap },
+	{ MAC_CHECK_VNODE_MPROTECT,
+	    (macop_t)mac_test_check_vnode_mprotect },
 	{ MAC_CHECK_VNODE_OPEN,
 	    (macop_t)mac_test_check_vnode_open },
 	{ MAC_CHECK_VNODE_POLL,

==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#26 (text+ko) ====

@@ -826,9 +826,17 @@
 	return 0;
 }
 
-static vm_prot_t
-sebsd_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
-			     struct label *label, int newmapping)
+static int
+sebsd_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+		       struct label *label, int newmapping)
+{
+	/* TBD: Not Implemented */
+	return 0;
+}
+
+static int
+sebsd_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+			   struct label *label, int newmapping)
 {
 	/* TBD: Not Implemented */
 	return 0;
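Review bot: Both new stubs keep the parameter name `newmapping`, but the framework now passes the requested protection mask in that position (`int prot` in mpo_check_vnode_mmap and mpo_check_vnode_mprotect); rename it to `prot` so a later implementation does not treat it as a boolean. The stubs return 0, which the framework reads as "allow", and the existing comment could say so, e.g. `/* TBD: not implemented; permits every mapping request. */`. The closing brace of sebsd_check_vnode_mprotect lies outside the hunk.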
@@ -924,6 +932,10 @@
 	    (macop_t)sebsd_check_vnode_getextattr },
 	{ MAC_CHECK_VNODE_LOOKUP,
 	    (macop_t)sebsd_check_vnode_lookup },
+	{ MAC_CHECK_VNODE_MMAP,
+	    (macop_t)sebsd_check_vnode_mmap },
+	{ MAC_CHECK_VNODE_MPROTECT,
+	    (macop_t)sebsd_check_vnode_mprotect },
 	{ MAC_CHECK_VNODE_OPEN,
 	    (macop_t)sebsd_check_vnode_open },
 	{ MAC_CHECK_VNODE_POLL,
@@ -958,8 +970,6 @@
 	    (macop_t)sebsd_check_vnode_stat },
 	{ MAC_CHECK_VNODE_WRITE,
 	    (macop_t)sebsd_check_vnode_write },
-	{ MAC_CHECK_VNODE_MMAP_PERMS,
-	    (macop_t)sebsd_check_vnode_mmap_perms },
 
 	/* Misc */
 	{ MAC_EXECVE_TRANSITION,

==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#163 (text+ko) ====

@@ -363,9 +363,10 @@
 	    struct vnode *vp, struct componentname *cnp);
 int	mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
  	    struct componentname *cnp);
-/* XXX This u_char should be vm_prot_t! */
-u_char	mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp,
-	    int newmapping);
+int	mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+	    int prot);
+int	mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+	    int prot);
 int	mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
 	    mode_t acc_mode);
 int	mac_check_vnode_poll(struct ucred *active_cred,

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#127 (text+ko) ====

@@ -339,8 +339,12 @@
 	int	(*mpo_check_vnode_lookup)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dlabel,
 		    struct componentname *cnp);
-	vm_prot_t	(*mpo_check_vnode_mmap_perms)(struct ucred *cred,
-		    struct vnode *vp, struct label *label, int newmapping);
+	int	(*mpo_check_vnode_mmap)(struct ucred *cred, struct vnode *vp,
+		    struct label *label, int prot);
+	void	(*mpo_check_vnode_mmap_downgrade)(struct ucred *cred,
+		    struct vnode *vp, struct label *label, int *prot);
+	int	(*mpo_check_vnode_mprotect)(struct ucred *cred,
+		    struct vnode *vp, struct label *label, int prot);
 	int	(*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp,
 		    struct label *label, mode_t acc_mode);
 	int	(*mpo_check_vnode_poll)(struct ucred *active_cred,
@@ -511,7 +515,9 @@
 	MAC_CHECK_VNODE_GETEXTATTR,
 	MAC_CHECK_VNODE_LINK,
 	MAC_CHECK_VNODE_LOOKUP,
-	MAC_CHECK_VNODE_MMAP_PERMS,
+	MAC_CHECK_VNODE_MMAP,
+	MAC_CHECK_VNODE_MMAP_DOWNGRADE,
+	MAC_CHECK_VNODE_MPROTECT,
 	MAC_CHECK_VNODE_OPEN,
 	MAC_CHECK_VNODE_POLL,
 	MAC_CHECK_VNODE_READ,

==== //depot/projects/trustedbsd/mac/sys/vm/vm_map.c#14 (text+ko) ====

@@ -68,10 +68,13 @@
  *	Virtual memory mapping module.
  */
 
+#include "opt_mac.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/ktr.h>
 #include <sys/lock.h>
+#include <sys/mac.h>
 #include <sys/mutex.h>
 #include <sys/proc.h>
 #include <sys/vmmeter.h>
@@ -1255,6 +1258,27 @@
 			vm_map_unlock(map);
 			return (KERN_PROTECTION_FAILURE);
 		}
+#ifdef MAC
+		/* XXXMAC: Checks against MAC labels should go here. */
+#if 0
+		/* Find the deepest backing object. */
+		vm_object_t object;
+		object = vme->object.vm_object;
+		while (object->backing_object != NULL)
+			object = object->backing_object;
+		switch (object->type) {
+		case OBJT_VNODE:
+			struct vnode *vp = (struct vnode *)object->handle;
+			vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+			error = mac_check_vnode_mprotect(cred, vp, new_prot);
+			VOP_UNLOCK(vp, 0, td);
+			if (error)
+				return (KERN_PROTECTION_FAILURE);
+			break;
+		default:
+		}
+#endif
+#endif
 		current = current->next;
 	}
 
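Review bot: The mprotect() check added here sits inside `#if 0`, so nothing calls mac_check_vnode_mprotect() yet and the protection the description mentions is not in effect; the XXXMAC comment should say that plainly. Before the block is enabled, its failure path needs to release the map as the path just above it does, with `vm_map_unlock(map);` before `return (KERN_PROTECTION_FAILURE);`. The declaration directly after `case OBJT_VNODE:` and the empty `default:` will not compile as C, and `vme`, `td`, `cred` and `error` are not declared in the visible lines. The enclosing function starts and ends outside the hunk.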

==== //depot/projects/trustedbsd/mac/sys/vm/vm_mmap.c#15 (text+ko) ====

@@ -431,40 +431,16 @@
 	}
 
 	mtx_unlock(&Giant);
+	error = 0;
 #ifdef MAC
-	if (handle != NULL) {
-		if (flags & MAP_SHARED) {
-			/*
-			 * Decrease maximum allowed protection that may be
-			 * used with mprotect(2) later to that which the
-			 * policies might allow "at the moment".  This
-			 * should possibly be revoked or limited further
-			 * in mprotect(2).
-			 * 
-			 * Make sure that prot is within the scope of
-			 * what policies will allow, or fail immediately.
-			 */
-			vm_prot_t macmaxprot;
-
-			macmaxprot = mac_check_vnode_mmap_prot(td->td_ucred,
-			    (struct vnode *)handle, 1);
-			if ((prot & macmaxprot) != prot) {
-				error = EACCES;
-				goto macdone;
-			}
-			maxprot &= macmaxprot;
-		}
-		/*
-		 * XXX Policies (e.g. LOMAC) should possibly check for a read
-		 * operation here.
-		 */
+	if (handle != NULL && MAP_SHARED) {
+		error = mac_check_vnode_mmap(td->td_ucred,
+		    (struct vnode *)handle, prot);
 	}
-#endif /* MAC */
-	error = vm_mmap(&vms->vm_map, &addr, size, prot, maxprot,
-	    flags, handle, pos);
-#ifdef MAC
-macdone:
 #endif
+	if (error == 0)
+		error = vm_mmap(&vms->vm_map, &addr, size, prot, maxprot,
+		    flags, handle, pos);
 	mtx_lock(&Giant);
 	if (error == 0)
 		td->td_retval[0] = (register_t) (addr + pageoff);
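Review bot: The new condition `if (handle != NULL && MAP_SHARED)` tests the MAP_SHARED constant rather than the caller's flags, so it is true for every mapping that has a handle; the removed code tested `flags & MAP_SHARED`, and the line presumably should read `if (handle != NULL && (flags & MAP_SHARED)) {`. As written, private mappings are checked too, which is stricter than before but not what the condition says. mac_check_vnode_mmap() asserts that the vnode is locked, and no vn_lock() is visible around the call in this hunk; the locking may happen in lines outside it. The enclosing function starts and ends outside the hunk.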
