Date: Tue, 10 Dec 2002 12:43:13 -0800 (PST) From: Brian Feldman <green@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 22143 for review Message-ID: <200212102043.gBAKhDYV072167@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=22143 Change 22143 by green@green_laptop_2 on 2002/12/10 12:42:31 Provide the full devfs path for a given object being created to any policies that request it. Bring policies incl. SEBSD in line with reality. Affected files ... .. //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_devs.c#11 edit .. //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vfsops.c#15 edit .. //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vnops.c#38 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#369 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#191 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#48 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#152 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#113 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#89 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#62 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#223 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#177 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_devs.c#11 (text+ko) ==== @@ -335,7 +335,8 @@ de = devfs_vmkdir(s, q - s, dd); #ifdef MAC mac_create_devfs_directory( - dm->dm_mount, s, q - s, de); + dm->dm_mount, s, q - s, de, + dev->si_name); #endif de->de_inode = dm->dm_inode++; TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list); @@ -363,7 +364,8 @@ de->de_dirent->d_type = DT_CHR; } #ifdef MAC - mac_create_devfs_device(dm->dm_mount, dev, de); + mac_create_devfs_device(dm->dm_mount, dev, de, + dev->si_name); #endif *dep = de; de->de_dir = dd; ==== //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vfsops.c#15 (text+ko) ==== @@ -97,7 +97,7 @@ fmp->dm_rootdir = devfs_vmkdir("(root)", 6, NULL); fmp->dm_rootdir->de_inode = 2; #ifdef MAC - mac_create_devfs_directory(mp, "", 0, fmp->dm_rootdir); + mac_create_devfs_directory(mp, "", 0, fmp->dm_rootdir, ""); #endif fmp->dm_basedir = fmp->dm_rootdir; devfs_rules_newmount(fmp, td); ==== //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vnops.c#38 (text+ko) ==== @@ -90,21 +90,17 @@ * Construct the fully qualified path name relative to the mountpoint */ static char * -devfs_fqpn(char *buf, struct vnode *dvp, struct componentname *cnp) +devfs_fqpn(char *buf, ssize_t buflen, struct devfs_mount *dmp, + struct devfs_dirent *de, const char *name, size_t namelen) { int i; - struct devfs_dirent *de, *dd; - struct devfs_mount *dmp; - dmp = VFSTODEVFS(dvp->v_mount); - dd = dvp->v_data; - i = SPECNAMELEN; + i = buflen - 1; buf[i] = '\0'; - i -= cnp->cn_namelen; + i -= namelen; if (i < 0) return (NULL); - bcopy(cnp->cn_nameptr, buf + i, cnp->cn_namelen); - de = dd; + bcopy(name, buf + i, namelen); while (de != dmp->dm_basedir) { i--; if (i < 0) @@ -366,7 +362,8 @@ * OK, we didn't have an entry for the name we were asked for * so we try to see if anybody can create it on demand. */ - pname = devfs_fqpn(specname, dvp, cnp); + pname = devfs_fqpn(specname, sizeof(specname), dmp, de, + cnp->cn_nameptr, cnp->cn_namelen); if (pname == NULL) goto notfound; @@ -852,10 +849,17 @@ struct devfs_dirent *dd; struct devfs_dirent *de; struct devfs_mount *dmp; +#ifdef MAC + char *specname; +#endif error = suser(ap->a_cnp->cn_thread); if (error) - return(error); + return (error); +#ifdef MAC + specname = malloc(SPECNAMELEN + ap->a_cnp->cn_namelen + 1, M_DEVFS, + M_WAITOK); +#endif dmp = VFSTODEVFS(ap->a_dvp->v_mount); dd = ap->a_dvp->v_data; de = devfs_newdirent(ap->a_cnp->cn_nameptr, ap->a_cnp->cn_namelen); @@ -869,7 +873,10 @@ bcopy(ap->a_target, de->de_symlink, i); lockmgr(&dmp->dm_lock, LK_EXCLUSIVE, 0, curthread); #ifdef MAC - mac_create_devfs_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de); + mac_create_devfs_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de, + devfs_fqpn(specname, SPECNAMELEN + ap->a_cnp->cn_namelen + 1, + dmp, de, ap->a_cnp->cn_nameptr, ap->a_cnp->cn_namelen)); + free(specname, M_DEVFS); #endif TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list); devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, 0); ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#369 (text+ko) ==== @@ -2803,28 +2803,30 @@ } void -mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de) +mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de, + const char *fullpath) { - MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label); + MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label, + fullpath); } void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp, - struct devfs_dirent *dd, struct devfs_dirent *de) + struct devfs_dirent *dd, struct devfs_dirent *de, const char *fullpath) { MAC_PERFORM(create_devfs_symlink, cred, mp, dd, &dd->de_label, de, - &de->de_label); + &de->de_label, fullpath); } void mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen, - struct devfs_dirent *de) + struct devfs_dirent *de, const char *fullpath) { MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de, - &de->de_label); + &de->de_label, fullpath); } int ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#191 (text+ko) ==== @@ -828,20 +828,21 @@ */ static void mac_biba_create_devfs_device(struct mount *mp, dev_t dev, - struct devfs_dirent *devfs_dirent, struct label *label) + struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { struct mac_biba *mac_biba; int biba_type; mac_biba = SLOT(label); - if (strcmp(dev->si_name, "null") == 0 || - strcmp(dev->si_name, "zero") == 0 || - strcmp(dev->si_name, "random") == 0 || - strncmp(dev->si_name, "fd/", strlen("fd/")) == 0) + if (strcmp(fullpath, "null") == 0 || + strcmp(fullpath, "zero") == 0 || + strcmp(fullpath, "random") == 0 || + strncmp(fullpath, "fd/", strlen("fd/")) == 0) biba_type = MAC_BIBA_TYPE_EQUAL; else if (ptys_equal && - (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || - strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) + (strncmp(fullpath, "ttyp", strlen("ttyp")) == 0 || + strncmp(fullpath, "ptyp", strlen("ptyp")) == 0)) biba_type = MAC_BIBA_TYPE_EQUAL; else biba_type = MAC_BIBA_TYPE_HIGH; @@ -850,7 +851,8 @@ static void mac_biba_create_devfs_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) + int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { struct mac_biba *mac_biba; @@ -861,7 +863,7 @@ static void mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, - struct label *delabel) + struct label *delabel, const char *fullpath) { struct mac_biba *source, *dest; ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#48 (text+ko) ==== @@ -953,21 +953,22 @@ */ static void mac_lomac_create_devfs_device(struct mount *mp, dev_t dev, - struct devfs_dirent *devfs_dirent, struct label *label) + struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { struct mac_lomac *mac_lomac; int lomac_type; mac_lomac = SLOT(label); - if (strcmp(dev->si_name, "null") == 0 || - strcmp(dev->si_name, "zero") == 0 || - strcmp(dev->si_name, "random") == 0 || - strncmp(dev->si_name, "fd/", strlen("fd/")) == 0 || - strncmp(dev->si_name, "ttyv", strlen("ttyv")) == 0) + if (strcmp(fullpath, "null") == 0 || + strcmp(fullpath, "zero") == 0 || + strcmp(fullpath, "random") == 0 || + strncmp(fullpath, "fd/", strlen("fd/")) == 0 || + strncmp(fullpath, "ttyv", strlen("ttyv")) == 0) lomac_type = MAC_LOMAC_TYPE_EQUAL; else if (ptys_equal && - (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || - strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) + (strncmp(fullpath, "ttyp", strlen("ttyp")) == 0 || + strncmp(fullpath, "ptyp", strlen("ptyp")) == 0)) lomac_type = MAC_LOMAC_TYPE_EQUAL; else lomac_type = MAC_LOMAC_TYPE_HIGH; @@ -976,7 +977,8 @@ static void mac_lomac_create_devfs_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) + int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { struct mac_lomac *mac_lomac; @@ -987,7 +989,7 @@ static void mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, - struct label *delabel) + struct label *delabel, const char *fullpath) { struct mac_lomac *source, *dest; ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#152 (text+ko) ==== @@ -795,23 +795,24 @@ */ static void mac_mls_create_devfs_device(struct mount *mp, dev_t dev, - struct devfs_dirent *devfs_dirent, struct label *label) + struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { struct mac_mls *mac_mls; int mls_type; mac_mls = SLOT(label); - if (strcmp(dev->si_name, "null") == 0 || - strcmp(dev->si_name, "zero") == 0 || - strcmp(dev->si_name, "random") == 0 || - strncmp(dev->si_name, "fd/", strlen("fd/")) == 0) + if (strcmp(fullpath, "null") == 0 || + strcmp(fullpath, "zero") == 0 || + strcmp(fullpath, "random") == 0 || + strncmp(fullpath, "fd/", strlen("fd/")) == 0) mls_type = MAC_MLS_TYPE_EQUAL; - else if (strcmp(dev->si_name, "kmem") == 0 || - strcmp(dev->si_name, "mem") == 0) + else if (strcmp(fullpath, "kmem") == 0 || + strcmp(fullpath, "mem") == 0) mls_type = MAC_MLS_TYPE_HIGH; else if (ptys_equal && - (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || - strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) + (strncmp(fullpath, "ttyp", strlen("ttyp")) == 0 || + strncmp(fullpath, "ptyp", strlen("ptyp")) == 0)) mls_type = MAC_MLS_TYPE_EQUAL; else mls_type = MAC_MLS_TYPE_LOW; @@ -820,7 +821,8 @@ static void mac_mls_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen, - struct devfs_dirent *devfs_dirent, struct label *label) + struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { struct mac_mls *mac_mls; @@ -831,7 +833,7 @@ static void mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, - struct label *delabel) + struct label *delabel, const char *fullpath) { struct mac_mls *source, *dest; ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#113 (text+ko) ==== @@ -170,14 +170,16 @@ static void mac_none_create_devfs_device(struct mount *mp, dev_t dev, - struct devfs_dirent *devfs_dirent, struct label *label) + struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { } static void mac_none_create_devfs_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) + int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { } @@ -185,7 +187,7 @@ static void mac_none_create_devfs_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, - struct label *delabel) + struct label *delabel, const char *fullpath) { } ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#89 (text+ko) ==== @@ -548,14 +548,16 @@ static void mac_test_create_devfs_device(struct mount *mp, dev_t dev, - struct devfs_dirent *devfs_dirent, struct label *label) + struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { } static void mac_test_create_devfs_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) + int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { } @@ -563,7 +565,7 @@ static void mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, - struct label *delabel) + struct label *delabel, const char *fullpath) { } ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#62 (text+ko) ==== @@ -401,7 +401,8 @@ static void sebsd_create_devfs_device(struct mount *mp, dev_t dev, - struct devfs_dirent *devfs_dirent, struct label *label) + struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { char *path; int rc; @@ -419,9 +420,9 @@ dirent_type_to_security_class(devfs_dirent->de_dirent->d_type); /* Obtain a SID based on the fstype, path, and class. */ - path = malloc(strlen(dev->si_name) + 2, M_SEBSD, M_ZERO | M_WAITOK); + path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK); path[0] = '/'; - strcpy(&path[1], dev->si_name); + strcpy(&path[1], fullpath); rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass, &newsid); if (rc == 0) @@ -439,7 +440,8 @@ static void sebsd_create_devfs_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) + int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label, + const char *fullpath) { char *path; int rc; @@ -456,10 +458,9 @@ dirent->sclass = SECCLASS_DIR; /* Obtain a SID based on the fstype, path, and class. */ - path = malloc(dirnamelen + 2, M_SEBSD, M_ZERO | M_WAITOK); + path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK); path[0] = '/'; - strncpy(&path[1], dirname, dirnamelen); - path[dirnamelen+1] = '\0'; + strcpy(&path[1], fullpath); rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass, &newsid); if (rc == 0) @@ -478,18 +479,19 @@ static void sebsd_create_devfs_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, - struct label *delabel) + struct label *delabel, const char *fullpath) { -#if 0 +#ifdef FULLY /* TBD: path info not available (and the code below is broken) */ char *path; +#endif int rc; security_id_t newsid; struct vnode_security_struct *lnksec; struct vnode_security_struct *dirsec; - dirsec= SLOT(ddlabel); + dirsec = SLOT(ddlabel); lnksec = SLOT(delabel); /* Default to the filesystem SID. */ @@ -497,13 +499,6 @@ lnksec->task_sid = SECINITSID_KERNEL; lnksec->sclass = SECCLASS_LNK_FILE; - printf("%s: dirsec->sid=%d, de->de_symlink=%s\n", - __func__, dirsec->sid, de->de_symlink?de->de_symlink:"NULL"); - - if (dd->de_dirent) { - printf("%s: dd->de_dirent->d_name=%s\n", - __func__, dd->de_dirent->d_name?dd->de_dirent->d_name:"NULL"); - } #ifdef FLUFFY /* Obtain a SID based on the fstype, path, and class. */ path = malloc(strlen(dd->si_name) + 2, M_SEBSD, M_ZERO | M_WAITOK); @@ -523,7 +518,6 @@ } free(path, M_SEBSD); #endif /* FLUFFY */ -#endif /* 0 */ } static void ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#223 (text+ko) ==== @@ -172,11 +172,12 @@ int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp); void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp); void mac_create_devfs_device(struct mount *mp, dev_t dev, - struct devfs_dirent *de); + struct devfs_dirent *de, const char *fullpath); void mac_create_devfs_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devfs_dirent *de); + int dirnamelen, struct devfs_dirent *de, const char *fullpath); void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp, - struct devfs_dirent *dd, struct devfs_dirent *de); + struct devfs_dirent *dd, struct devfs_dirent *de, + const char *fullpath); int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); void mac_create_mount(struct ucred *cred, struct mount *mp); ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#177 (text+ko) ==== @@ -143,14 +143,15 @@ struct label *fslabel, struct vnode *vp, struct label *vlabel); void (*mpo_create_devfs_device)(struct mount *mp, dev_t dev, - struct devfs_dirent *de, struct label *label); + struct devfs_dirent *de, struct label *label, + const char *fullpath); void (*mpo_create_devfs_directory)(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de, - struct label *label); + struct label *label, const char *fullpath); void (*mpo_create_devfs_symlink)(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, - struct label *delabel); + struct label *delabel, const char *fullpath); int (*mpo_create_vnode_extattr)(struct ucred *cred, struct mount *mp, struct label *fslabel, struct vnode *dvp, struct label *dlabel, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200212102043.gBAKhDYV072167>