Date: Mon, 22 Jan 2007 16:26:24 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 113367 for review Message-ID: <200701221626.l0MGQOTw031955@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113367 Change 113367 by millert@millert_macbook on 2007/01/22 16:25:40 Add audit info for sockets and network interfaces. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/config/MACFramework.exports#9 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#20 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#10 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#77 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/config/MACFramework.exports#9 (text+ko) ==== @@ -25,6 +25,7 @@ _kauth_cred_dup_add _sotoxsocket +_ip6_sprintf _mac_kalloc _mac_kfree ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#20 (text+ko) ==== @@ -31,6 +31,10 @@ #include <sys/vnode.h> #include <sys/vnode_internal.h> +#include <net/if.h> +#include <netinet/in.h> +#include <netinet/in_var.h> + #ifdef CAPABILITIES #include <sys/capability.h> #endif 
@@ -543,26 +547,27 @@ return node; } -#ifdef __linux__ static inline void avc_print_ipv6_addr(struct audit_buffer *ab, struct in6_addr *addr, __be16 port, - char *name1, char *name2) + const char *name1, const char *name2) { - if (!ipv6_addr_any(addr)) - audit_log_format(ab, " %s=" NIP6_FMT, name1, NIP6(*addr)); + if (!IN6_IS_ADDR_UNSPECIFIED(addr)) + audit_log_format(ab, " %s=%s", name1, ip6_sprintf(addr)); if (port) audit_log_format(ab, " %s=%d", name2, ntohs(port)); } static inline void avc_print_ipv4_addr(struct audit_buffer *ab, u32 addr, - __be16 port, char *name1, char *name2) + __be16 port, const char *name1, + const char *name2) { - if (addr) - audit_log_format(ab, " %s=" NIPQUAD_FMT, name1, NIPQUAD(addr)); + if (addr != INADDR_ANY) + audit_log_format(ab, " %s=%ld.%ld.%ld.%ld", name1, + (ntohl(addr)>>24)&0xFF, (ntohl(addr)>>16)&0xFF, + (ntohl(addr)>>8)&0xFF, (ntohl(addr))&0xFF); if (port) audit_log_format(ab, " %s=%d", name2, ntohs(port)); } -#endif /* __linux__ */ /** * avc_audit - Audit the granting or denial of permissions. @@ -680,8 +685,7 @@ break; case AVC_AUDIT_DATA_NET: #ifdef __linux__ - /* XXX - convert to xsocket */ - if (a->u.net.sk) { + if (a->u.net.xso) { struct sock *sk = a->u.net.sk; struct unix_sock *u; int len = 0; @@ -731,6 +735,7 @@ break; } } +#endif /* __linux__ */ switch (a->u.net.family) { case AF_INET: @@ -751,9 +756,8 @@ break; } if (a->u.net.netif) - audit_log_format(ab, " netif=%s", - a->u.net.netif); -#endif /* __linux__ */ + audit_log_format(ab, " netif=%s%d", + a->u.net.netif, a->u.net.netif_unit); break; case AVC_AUDIT_DATA_MIG: audit_log_format(ab, " msgid=%d", a->u.ipc_id); ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#10 (text+ko) ==== @@ -54,7 +54,8 @@ int pathlen; } fs; struct { - char *netif; + const char *netif; + u32 netif_unit; struct xsocket *xso; u16 family; u16 dport; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#77 (text+ko) ==== 
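Review bot: The new IPv4 format in avc_print_ipv4_addr, `" %s=%ld.%ld.%ld.%ld"`, does not match its arguments: `(ntohl(addr)>>24)&0xFF` is a 32-bit unsigned value, not a `long`, so on an LP64 build each `%ld` consumes 64 bits of varargs and the logged address is garbage (on a 32-bit build it only works by accident), and ntohl() is evaluated four times. Hoist the conversion once and use unsigned conversions: `u32 a = ntohl(addr);` followed by `audit_log_format(ab, " %s=%u.%u.%u.%u", name1, (a >> 24) & 0xFF, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF);`. On the IPv6 side, ip6_sprintf() in BSD-derived stacks generally returns a pointer into a small rotating set of static buffers, so consuming it within a single audit_log_format call as done here is the right pattern; a one-line comment, `/* ip6_sprintf() returns a static buffer; use it immediately, never cache it */`, would keep a later change from holding on to the pointer.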
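Review bot: Inside the `#ifdef __linux__` block the guard was changed to `if (a->u.net.xso)` but the body still reads `a->u.net.sk`, while the avc.h hunk shows `struct xsocket *xso` in the audit struct with no `sk` member in its visible part, so this block appears to be half-converted and would not compile if `__linux__` were ever defined. Since it is dead code on Darwin, either finish the conversion to xsocket or remove the Linux-only block rather than leaving a condition that tests one field and dereferences another. avc_audit continues outside the hunk on both sides.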
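Review bot: The new `" netif=%s%d"` format prints `a->u.net.netif_unit`, which the avc.h hunk declares as `u32`, with a signed conversion; use `" netif=%s%u"` so the type and format agree and a large unit number is not rendered negative. The surrounding `switch (a->u.net.family)` and the rest of avc_audit lie outside the hunk.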
@@ -505,19 +505,21 @@ } static int -socket_has_perm(struct ucred *cred, struct label *socklabel, u_int32_t perm) +socket_has_perm(struct ucred *cred, struct label *socklabel, u_int32_t perm, + struct xsocket *xso) { struct task_security_struct *tsec; struct network_security_struct *nsec; + struct avc_audit_data ad; tsec = SLOT(cred->cr_label); nsec = SLOT(socklabel); - /* - * TBD: No audit information yet - */ + AVC_AUDIT_DATA_INIT(&ad, NET); + ad.u.net.xso = xso; + ad.u.net.family = xso->xso_family; - return (avc_has_perm(tsec->sid, nsec->sid, SECCLASS_SOCKET, perm, NULL)); + return (avc_has_perm(tsec->sid, nsec->sid, SECCLASS_SOCKET, perm, &ad)); } static void @@ -2547,7 +2549,7 @@ } /* XXX - SELinux just uses plain old SOCKET__ACCEPT */ - return (socket_has_perm(cred, socklabel, perm)); + return (socket_has_perm(cred, socklabel, perm, xso)); } static int @@ -2574,6 +2576,9 @@ /* XXX - unix domain socket-specific checks too? */ + AVC_AUDIT_DATA_INIT(&ad, NET); + ad.u.net.family = xso->xso_family; + /* * Note that we use the xso_family instead of sa_family since * the latter has not been sanity checked yet. @@ -2581,20 +2586,21 @@ if (xso->xso_family == AF_INET) { sin = (struct sockaddr_in *)addr; port = ntohs(sin->sin_port); + ad.u.net.sport = sin->sin_port; + ad.u.net.fam.v4.saddr = sin->sin_addr.s_addr; } else /* if (xso->xso_family == AF_INET6) */ { sin6 = (struct sockaddr_in6 *)addr; port = ntohs(sin6->sin6_port); + ad.u.net.sport = sin6->sin6_port; + memcpy(&ad.u.net.fam.v6.saddr, &sin6->sin6_addr, + sizeof(struct in6_addr)); } if (port) { - /* XXX - check against net.inet.ip.portrange.last? */ error = security_port_sid(xso->xso_family, xso->so_type, xso->xso_protocol, port, &sid); if (error) return (error); - AVC_AUDIT_DATA_INIT(&ad, NET); - ad.u.net.sport = htons(port); - ad.u.net.family = xso->xso_family; error = avc_has_perm(nsec->sid, sid, nsec->sclass, SOCKET__NAME_BIND, &ad); if (error) 
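Review bot: socket_has_perm now dereferences `xso->xso_family` before doing anything else, so every caller must guarantee a non-NULL xsocket; the MAC framework presumably does, but the previous version never touched xso and nothing documents the new precondition. Note also that `ad.u.net.xso = xso` is only read in avc.c inside `#ifdef __linux__`, so on Darwin the audit record produced here carries the family and nothing else from the socket. A comment on the parameter would make both points explicit: `/* xso must be non-NULL; on Darwin only xso_family reaches the audit record */`.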
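Review bot: The new address copies in the bind hook read `sin->sin_addr` and the full `sin6->sin6_addr` out of `addr`, which the comment just above says "has not been sanity checked yet"; if the protocol layer validates `sa_len` only after this hook runs, a bind() with a short user-supplied sockaddr makes `memcpy(&ad.u.net.fam.v6.saddr, &sin6->sin6_addr, sizeof(struct in6_addr))` read up to 28 bytes from a shorter kernel buffer, and whatever follows it in memory ends up in the audit log. The previous code touched only the port at offset 2, so the commit widens the exposure. Assuming `addr` is a `struct sockaddr *`, either reject short addresses up front, `if (addr->sa_len < (xso->xso_family == AF_INET ? sizeof(*sin) : sizeof(*sin6))) return (EINVAL);`, or fill the address fields only when the length suffices. The enclosing bind check starts before this hunk and continues after it.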
@@ -2616,10 +2622,6 @@ if (error) return (error); - AVC_AUDIT_DATA_INIT(&ad, NET); - ad.u.net.sport = htons(port); - ad.u.net.family = xso->xso_family; - if (xso->xso_family == AF_INET) ad.u.net.v4info.saddr = sin->sin_addr.s_addr; else @@ -2643,7 +2645,7 @@ u_int32_t sid; int error; - error = socket_has_perm(cred, socklabel, SOCKET__CONNECT); + error = socket_has_perm(cred, socklabel, SOCKET__CONNECT, xso); if (error) return (error); @@ -2715,7 +2717,7 @@ struct xsocket *xso, struct label *socklabel) { - return (socket_has_perm(cred, socklabel, SOCKET__POLL)); + return (socket_has_perm(cred, socklabel, SOCKET__POLL, xso)); } #endif @@ -2724,7 +2726,7 @@ struct label *socklabel) { - return (socket_has_perm(cred, socklabel, SOCKET__LISTEN)); + return (socket_has_perm(cred, socklabel, SOCKET__LISTEN, xso)); } static int @@ -2732,7 +2734,7 @@ struct label *socklabel) { - return (socket_has_perm(cred, socklabel, SOCKET__READ)); + return (socket_has_perm(cred, socklabel, SOCKET__READ, xso)); } static int @@ -2767,7 +2769,7 @@ struct label *socklabel, int which) { - return (socket_has_perm(cred, socklabel, SOCKET__POLL)); + return (socket_has_perm(cred, socklabel, SOCKET__POLL, xso)); } #endif @@ -2776,7 +2778,7 @@ struct label *socklabel) { - return (socket_has_perm(cred, socklabel, SOCKET__WRITE)); + return (socket_has_perm(cred, socklabel, SOCKET__WRITE, xso)); } static int @@ -2784,7 +2786,7 @@ struct label *socklabel) { - return (socket_has_perm(cred, socklabel, SOCKET__GETATTR)); + return (socket_has_perm(cred, socklabel, SOCKET__GETATTR, xso)); } static int 
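Review bot: After this hunk the surviving `if (xso->xso_family == AF_INET) ad.u.net.v4info.saddr = sin->sin_addr.s_addr; else ...` stores the address a second time, since the -2581 hunk already filled `ad.u.net.fam.v4.saddr` / `fam.v6.saddr` before the port check; if avc.h carries the SELinux-style aliases `#define v4info fam.v4` these are the same fields written twice under two spellings, and if it does not, the audit struct has two address fields and only one of them is printed. Delete the leftover assignment block together with the AVC_AUDIT_DATA_INIT lines this hunk already removes, and use a single spelling for the address union throughout the file. The function continues outside the hunk on both sides.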
@@ -3129,12 +3131,19 @@ struct mbuf *m, struct label *mbuflabel, int family, int type) { struct network_security_struct *ifsec, *msec; + struct avc_audit_data ad; u_int32_t perm; int error; ifsec = SLOT(ifnetlabel); msec = SLOT(mbuflabel); + AVC_AUDIT_DATA_INIT(&ad, NET); + ad.u.net.netif = ifnet_name(ifp); + ad.u.net.netif_unit = ifnet_unit(ifp); + ad.u.net.family = family; + /* XXX - if_index too? */ + /* XXX - other types of perm, see selinux_sock_rcv_skb_compat() */ switch (type) { case SOCK_STREAM: @@ -3149,9 +3158,8 @@ break; } - /* XXX - use an audit struct so we can log useful info */ error = avc_has_perm(msec->sid, ifsec->sid, SECCLASS_NETIF, - perm, NULL); + perm, &ad); return (error); }
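Review bot: `perm` is declared without an initializer (`u_int32_t perm;` in the preceding hunk) and only the `case SOCK_STREAM:` arm of `switch (type)` is visible, so unless a `default:` arm outside the hunk assigns it, the new `avc_has_perm(msec->sid, ifsec->sid, SECCLASS_NETIF, perm, &ad)` call passes an indeterminate permission vector for an unexpected socket type, and an AVC check with an empty mask is unlikely to deny anything. Make the fall-through explicit so unknown types fail closed instead of being audited with a bogus perm, for example `default: return (EPROTOTYPE);` or whatever error the neighbouring hooks use. The enclosing function starts before the preceding hunk, so the full switch could not be reviewed here.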