From owner-p4-projects@FreeBSD.ORG Thu Feb 9 21:35:06 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id EC26116A422; Thu, 9 Feb 2006 21:35:05 +0000 (GMT) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 93F3F16A423 for ; Thu, 9 Feb 2006 21:35:05 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id D1C2C43D58 for ; Thu, 9 Feb 2006 21:35:04 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id k19LZ4mu042762 for ; Thu, 9 Feb 2006 21:35:04 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id k19LZ4Td042759 for perforce@freebsd.org; Thu, 9 Feb 2006 21:35:04 GMT (envelope-from millert@freebsd.org) Date: Thu, 9 Feb 2006 21:35:04 GMT Message-Id: <200602092135.k19LZ4Td042759@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 91474 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Feb 2006 21:35:06 -0000 http://perforce.freebsd.org/chv.cgi?CH=91474 Change 91474 by millert@millert_ibook on 2006/02/09 21:34:37 Add mprotect entry point Add some casts to quiet gcc For mmap entry point, check flags for MAP_SHARED Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#28 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#28 (text+ko) ==== @@ -1186,13 +1186,13 @@ psec = SLOT(obj); tsec = SLOT(subj); - cld = hashtab_search (policydb.p_classes.table, s); + cld = hashtab_search(policydb.p_classes.table, (void *)s); if (cld == NULL) return EINVAL; - p = hashtab_search (cld->permissions.table, pn); + p = hashtab_search(cld->permissions.table, (void *)pn); if (p == NULL && cld->comdatum) - p = hashtab_search (cld->comdatum->permissions.table, pn); + p = hashtab_search(cld->comdatum->permissions.table, (void *)pn); if (p == NULL) return EINVAL; @@ -1212,7 +1212,7 @@ tsec = SLOT(subj); osec = SLOT(out); - cld = hashtab_search (policydb.p_classes.table, s); + cld = hashtab_search(policydb.p_classes.table, (void *)s); if (cld == NULL) return EINVAL; @@ -1409,7 +1409,7 @@ /* loginwindow.app/MAC.loginPlugin orphaned process. */ dst = SLOT(p->p_ucred->cr_label); #ifdef SEFOS_DEBUG - printf("sebsd_check_proc_setlcid (orphan): pid %d, lcid %d, sid 0x%x -> 0x%x\n", pid, lcid, dst->sid, dst->osid); + printf("sebsd_check_proc_setlcid (orphan): pid %d, lcid %d, sid 0x%x -> 0x%x\n", pid, lcid, dst->sid, dst->osid); // XXX #endif if (dst->sid != dst->osid) { /* 
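Review bot: The `(void *)s` and `(void *)pn` casts added to the hashtab_search() calls in the @@ -1186 hunk (and the same cast in the @@ -1212 hunk) silence the compiler instead of fixing the type mismatch it reported. The declarations of `s`, `pn` and hashtab_search() are outside these hunks, so this is inferred: if the warning was about passing a const-qualified string, the cast discards the qualifier at every call site and will also hide any future genuine pointer mismatch on that argument. Declaring the key parameter of hashtab_search() as `const void *` would remove the warning without casts. If the casts stay, a short comment such as `/* hashtab_search() takes a non-const key but does not modify it */` would record why they are safe.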
@@ -1424,7 +1424,7 @@ case LCID_CREATE: /* Create */ /* nop */ #ifdef SEFOS_DEBUG - printf("sebsd_check_proc_setlcid (create): pid %d, lcid %d\n", pid, lcid); + printf("sebsd_check_proc_setlcid (create): pid %d, lcid %d\n", pid, lcid); // XXX #endif break; @@ -1435,7 +1435,7 @@ dst = SLOT(p->p_ucred->cr_label); #ifdef SEFOS_DEBUG - printf("sebsd_check_proc_setlcid (adopt): pid %d, lcid %d, sid 0x%x -> 0x%x\n", pid, lcid, dst->sid, src->sid); + printf("sebsd_check_proc_setlcid (adopt): pid %d, lcid %d, sid 0x%x -> 0x%x\n", pid, lcid, dst->sid, src->sid); // XXX #endif if (src->sid != dst->sid) { /* @@ -2267,12 +2267,9 @@ return vnode_has_perm(cred, vp, FILE__WRITE, NULL); } -/* - * Also registered for MAC_CHECK_VNODE_MPROTECT - */ static int sebsd_check_vnode_mmap(struct ucred *cred, struct vnode *vp, - struct label *label, int newmapping, int flags, int *maxprot) + struct label *label, int prot, int flags, int *maxprot) { access_vector_t av; @@ -2283,10 +2280,33 @@ if (vp) { av = FILE__READ; - if (newmapping & PROT_WRITE) + if ((prot & PROT_WRITE) && (flags & MAP_SHARED)) + av |= FILE__WRITE; + + if (prot & PROT_EXEC) + av |= FILE__EXECUTE; + + return (vnode_has_perm(cred, vp, av, NULL)); + } + return (0); +} + +static int +sebsd_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, + struct label *label, int prot) +{ + access_vector_t av; + + /* + * TBD: Incomplete? + */ + if (vp) { + av = FILE__READ; + + if (prot & PROT_WRITE) av |= FILE__WRITE; - if (newmapping & PROT_EXEC) + if (prot & PROT_EXEC) av |= FILE__EXECUTE; return (vnode_has_perm(cred, vp, av, NULL)); 
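Review bot: In the new sebsd_check_vnode_mprotect, `if (prot & PROT_WRITE) av |= FILE__WRITE;` requires FILE__WRITE for every writable protection change, while the reworked sebsd_check_vnode_mmap in the same hunk requires it only when `flags & MAP_SHARED` is also set, so the two hooks disagree about private mappings. The mprotect hook receives no flags argument and cannot tell a shared mapping from a private one, so a subject allowed to map a file privately and writable is refused the same protection via mprotect; the usual workaround is to grant file write more broadly in policy than is needed. I would replace the `TBD: Incomplete?` comment with one that states the limitation, e.g. `/* No MAP_SHARED information is passed here, so PROT_WRITE on a private mapping is treated as shared and requires FILE__WRITE. */`. Neither function writes `*maxprot` in the visible lines, so later protection upgrades appear to depend on this mprotect check alone; part of the mmap body and the closing lines of the mprotect function lie outside the hunk.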
@@ -2614,8 +2634,8 @@ .mpo_destroy = sebsd_destroy, .mpo_destroy_cred_label = sebsd_destroy_cred_label, - .mpo_destroy_task_label = sebsd_destroy_cred_label, - .mpo_destroy_port_label = sebsd_destroy_cred_label, + .mpo_destroy_task_label = sebsd_destroy_task_label, + .mpo_destroy_port_label = sebsd_destroy_port_label, .mpo_destroy_vnode_label = sebsd_destroy_vnode_label, .mpo_destroy_devfsdirent_label = sebsd_destroy_vnode_label, @@ -2686,6 +2706,7 @@ .mpo_check_vnode_link = sebsd_check_vnode_link, .mpo_check_vnode_lookup = sebsd_check_vnode_lookup, .mpo_check_vnode_mmap = sebsd_check_vnode_mmap, + .mpo_check_vnode_mprotect = sebsd_check_vnode_mprotect, .mpo_check_vnode_open = sebsd_check_vnode_open, .mpo_check_vnode_poll = sebsd_check_vnode_poll, .mpo_check_vnode_read = sebsd_check_vnode_read,
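Review bot: The rewiring of `.mpo_destroy_task_label` and `.mpo_destroy_port_label` from sebsd_destroy_cred_label to their own destructors in the @@ -2614 hunk is not mentioned in the change description, and neither the two destructors nor the matching init entries are visible in this diff. If task and port labels are allocated differently from credential labels, the old table released them with the wrong routine, which makes this a fix in its own right and worth recording as one. Please confirm that each init/destroy pair in the ops table operates on the same label type. The context line `.mpo_destroy_devfsdirent_label = sebsd_destroy_vnode_label` has the same shape and may deserve the same check.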