From owner-p4-projects@FreeBSD.ORG Tue Oct 3 16:35:02 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 15B1D16A417; Tue, 3 Oct 2006 16:35:02 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C7ED016A412 for ; Tue, 3 Oct 2006 16:35:01 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD81F43D49 for ; Tue, 3 Oct 2006 16:35:00 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k93GZ0a5047344 for ; Tue, 3 Oct 2006 16:35:00 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k93GZ0kg047341 for perforce@freebsd.org; Tue, 3 Oct 2006 16:35:00 GMT (envelope-from millert@freebsd.org) Date: Tue, 3 Oct 2006 16:35:00 GMT Message-Id: <200610031635.k93GZ0kg047341@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 107196 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Oct 2006 16:35:02 -0000 http://perforce.freebsd.org/chv.cgi?CH=107196 Change 107196 by millert@millert_macbook on 2006/10/03 16:34:57 Add support for labelling file descriptors; adapted from SEBSD. We may want to change some of the entry points and add others (e.g. ones specifically for locking). Currently only the test and sedarwin modules use file descriptor labels. Note that fd passing had to be reworked somewhat since we need access to the label of the sender's descriptor for the label checks. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_descrip.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_generic.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_usrreq.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/fdesc/fdesc_vnops.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/file_internal.h#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_conf.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#10 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/config/MACFramework.exports#7 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/conf/files#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_file.c#1 add .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#12 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#9 edit .. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#11 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policy/Makefile.install#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policy/rules#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#22 edit .. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#10 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_descrip.c#3 (text+ko) ==== @@ -381,7 +381,7 @@ pop = &fdp->fd_ofileflags[fd]; #ifdef MAC - error = mac_file_check_fcntl(fp->f_cred, fp, uap->cmd, uap->arg); + error = mac_file_check_fcntl(proc_ucred(p), fp, uap->cmd, uap->arg); if (error) goto out; #endif @@ -401,22 +401,40 @@ goto out; case F_GETFD: - *retval = (*pop & UF_EXCLOSE)? 1 : 0; - error = 0; +#ifdef MAC + error = mac_file_check_get_ofileflags(proc_ucred(p), fp, *pop); + if (error == 0) +#endif + *retval = (*pop & UF_EXCLOSE)? 1 : 0; goto out; case F_SETFD: - *pop = (*pop &~ UF_EXCLOSE) | - (uap->arg & 1)? UF_EXCLOSE : 0; - error = 0; +#ifdef MAC + error = mac_file_check_change_ofileflags(proc_ucred(p), + fp, *pop, (*pop &~ UF_EXCLOSE) | + ((uap->arg & 1) ? UF_EXCLOSE : 0)); + if (error == 0) +#endif + *pop = (*pop &~ UF_EXCLOSE) | + (uap->arg & 1)? UF_EXCLOSE : 0; goto out; case F_GETFL: - *retval = OFLAGS(fp->f_flag); - error = 0; +#ifdef MAC + error = mac_file_check_get_flags(proc_ucred(p), fp, fp->f_flag); + if (error == 0) +#endif + *retval = OFLAGS(fp->f_flag); goto out; case F_SETFL: +#ifdef MAC + error = mac_file_check_change_flags(proc_ucred(p), + fp, fp->f_flag, (fp->f_flag & ~FCNTLFLAGS) | + (FFLAGS(CAST_DOWN(int, uap->arg)) & FCNTLFLAGS)); + if (error) + goto out; +#endif fp->f_flag &= ~FCNTLFLAGS; tmp = CAST_DOWN(int, uap->arg); fp->f_flag |= FFLAGS(tmp) & FCNTLFLAGS; @@ -955,6 +973,9 @@ { struct fileproc *nfp; struct fileproc *ofp; +#ifdef MAC + int error; +#endif if ((ofp = fdp->fd_ofiles[old]) == NULL || (fdp->fd_ofileflags[old] & UF_RESERVED)) { @@ -962,6 +983,17 @@ return (EBADF); } fg_ref(ofp); + +#ifdef MAC + error = mac_file_check_dup(proc_ucred(p), ofp, new); + if (error) { + fg_drop(ofp); + _fdrelse(fdp, new); + proc_fdunlock(p); + return (error); + } +#endif + proc_fdunlock(p); MALLOC_ZONE(nfp, struct fileproc *, sizeof(struct fileproc), M_FILEPROC, M_WAITOK); @@ -971,6 +1003,10 @@ nfp->f_flags = ofp->f_flags; nfp->f_fglob = ofp->f_fglob; nfp->f_iocount = 0; +#ifdef MAC + mac_file_label_init(nfp); + mac_file_label_copy(ofp->f_label, nfp->f_label); +#endif fdp->fd_ofiles[new] = nfp; fdp->fd_ofileflags[new] = fdp->fd_ofileflags[old] &~ UF_EXCLOSE; @@ -1087,6 +1123,9 @@ if (!locked) proc_fdunlock(p); +#ifdef MAC + mac_file_label_destroy(fp); +#endif FREE_ZONE(fp, sizeof *fp, M_FILEPROC); return(error); } @@ -1438,6 +1477,9 @@ fdp->fd_ofiles[fd] == NULL && !(fdp->fd_ofileflags[fd] & UF_RESERVED)) fdp->fd_lastfile--; +#ifdef MAC + mac_file_label_destroy(fp); +#endif FREE_ZONE(fp, sizeof *fp, M_FILEPROC); } @@ -1889,6 +1931,12 @@ */ proc_fdunlock(p); +#ifdef MAC + error = mac_file_check_create(proc_ucred(p)); + if (error) + return (error); +#endif + MALLOC_ZONE(fp, struct fileproc *, sizeof(struct fileproc), M_FILEPROC, M_WAITOK); MALLOC_ZONE(fg, struct fileglob *, sizeof(struct fileglob), M_FILEGLOB, M_WAITOK); bzero(fp, sizeof(struct fileproc)); @@ -1898,10 +1946,16 @@ fp->f_iocount = 1; fg->fg_count = 1; fp->f_fglob = fg; +#ifdef MAC + mac_file_label_init(fp); +#endif proc_fdlock(p); fp->f_cred = kauth_cred_proc_ref(p); +#ifdef MAC + mac_file_label_associate(fp->f_cred, fp); +#endif lck_mtx_lock(file_flist_lock); @@ -1965,9 +2019,13 @@ proc_fdlock(p); while (i >= 0) { - if ((*flags & (UF_RESERVED|UF_EXCLOSE)) == UF_EXCLOSE) { - struct fileproc *fp = *fpp; + struct fileproc *fp = *fpp; + if ((*flags & UF_RESERVED) == 0 && ((*flags & UF_EXCLOSE) != 0 +#ifdef MAC + || (fp && mac_file_check_inherit(proc_ucred(p), fp)) +#endif + )) { if (i < fdp->fd_knlistsize) knote_fdclose(p, i); @@ -1975,8 +2033,15 @@ if (i == fdp->fd_lastfile && i > 0) fdp->fd_lastfile--; closef_locked(fp, fp->f_fglob, p); +#ifdef MAC + mac_file_label_destroy(fp); +#endif FREE_ZONE(fp, sizeof *fp, M_FILEPROC); } +#ifdef MAC + else if ((*flags & UF_RESERVED) == 0 && fp != NULL) + mac_file_label_update(proc_ucred(p), fp); +#endif i--; fpp--; flags--; } @@ -2137,6 +2202,10 @@ fp->f_iocount = 0; fp->f_fglob = ofp->f_fglob; (void)fg_ref(fp); +#ifdef MAC + mac_file_label_init(fp); + mac_file_label_copy(ofp->f_label, fp->f_label); +#endif *fpp = fp; } else { *fpp = NULL; @@ -2192,6 +2261,9 @@ if (fp->f_flags & FP_WAITEVENT) (void)waitevent_close(p, fp); (void) closef_locked(fp, fp->f_fglob, p); +#ifdef MAC + mac_file_label_destroy(fp); +#endif FREE_ZONE(fp, sizeof *fp, M_FILEPROC); } } @@ -2371,6 +2443,9 @@ proc_fdunlock(p); fg_free(fp->f_fglob); +#ifdef MAC + mac_file_label_destroy(fp); +#endif FREE_ZONE(fp, sizeof *fp, M_FILEPROC); } @@ -2409,6 +2484,12 @@ lf.l_len = 0; if (how & LOCK_UN) { lf.l_type = F_UNLCK; +#ifdef MAC + error = mac_file_check_change_flags(proc_ucred(p), fp, + fp->f_flag, fp->f_flag & ~FHASLOCK); + if (error) + goto out; +#endif fp->f_flag &= ~FHASLOCK; error = VNOP_ADVLOCK(vp, (caddr_t)fp->f_fglob, F_UNLCK, &lf, F_FLOCK, &context); goto out; @@ -2421,6 +2502,12 @@ error = EBADF; goto out; } +#ifdef MAC + error = mac_file_check_change_flags(proc_ucred(p), fp, + fp->f_flag, fp->f_flag | FHASLOCK); + if (error) + goto out; +#endif fp->f_flag |= FHASLOCK; if (how & LOCK_NB) { error = VNOP_ADVLOCK(vp, (caddr_t)fp->f_fglob, F_SETLK, &lf, F_FLOCK, &context); @@ -2471,6 +2558,9 @@ { struct fileproc *wfp; struct fileproc *fp; +#ifdef MAC + int myerror; +#endif struct proc * p = current_proc(); /* @@ -2490,6 +2580,13 @@ proc_fdunlock(p); return (EBADF); } +#ifdef MAC + myerror = mac_file_check_dup(proc_ucred(p), wfp, dfd); + if (myerror) { + proc_fdunlock(p); + return (myerror); + } +#endif /* * There are two cases of interest here. * @@ -2541,6 +2638,9 @@ proc_fdunlock(p); +#ifdef MAC + mac_file_label_destroy(wfp); +#endif FREE_ZONE(wfp, sizeof *fp, M_FILEPROC); return (0); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_generic.c#2 (text+ko) ==== @@ -737,6 +737,13 @@ error = EBADF; goto out; } + +#ifdef MAC + error = mac_file_check_ioctl(proc_ucred(p), fp, uap->com, + (void *)uap->data); + if (error) + goto out; +#endif #if NETAT /* @@ -762,12 +769,22 @@ switch (com = uap->com) { case FIONCLEX: - *fdflags(p, uap->fd) &= ~UF_EXCLOSE; - error =0; +#ifdef MAC + error = mac_file_check_change_ofileflags(proc_ucred(p), + fp, *fdflags(p, uap->fd), + *fdflags(p, uap->fd) & ~UF_EXCLOSE); + if (error == 0) +#endif + *fdflags(p, uap->fd) &= ~UF_EXCLOSE; goto out; case FIOCLEX: - *fdflags(p, uap->fd) |= UF_EXCLOSE; - error =0; +#ifdef MAC + error = mac_file_check_change_ofileflags(proc_ucred(p), + fp, *fdflags(p, uap->fd), + *fdflags(p, uap->fd) | UF_EXCLOSE); + if (error == 0) +#endif + *fdflags(p, uap->fd) |= UF_EXCLOSE; goto out; } @@ -831,6 +848,13 @@ switch (com) { case FIONBIO: +#ifdef MAC + error = mac_file_check_change_flags(proc_ucred(p), fp, + fp->f_flag, *(int *)datap ? fp->f_flag | FNONBLOCK : + fp->f_flag & ~FNONBLOCK); + if (error) + goto out; +#endif if ( (tmp = *(int *)datap) ) fp->f_flag |= FNONBLOCK; else @@ -839,6 +863,13 @@ break; case FIOASYNC: +#ifdef MAC + error = mac_file_check_change_flags(proc_ucred(p), fp, + fp->f_flag, *(int *)datap ? fp->f_flag | FASYNC : + fp->f_flag & ~FASYNC); + if (error) + goto out; +#endif if ( (tmp = *(int *)datap) ) fp->f_flag |= FASYNC; else ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_usrreq.c#6 (text+ko) ==== @@ -129,8 +129,8 @@ static void unp_gc(void); static void unp_scan(struct mbuf *, void (*)(struct fileglob *)); static void unp_mark(struct fileglob *); -static void unp_discard(struct fileglob *); -static void unp_discard_fdlocked(struct fileglob *, struct proc *); +static void unp_discard(struct fileproc *); +static void unp_discard_fdlocked(struct fileproc *, struct proc *); static int unp_internalize(struct mbuf *, struct proc *); static int unp_listen(struct unpcb *, struct proc *); @@ -1059,9 +1059,8 @@ struct proc *p = current_proc(); /* XXX */ int i; struct cmsghdr *cm = mtod(rights, struct cmsghdr *); - struct fileglob **rp = (struct fileglob **)(cm + 1); + struct fileproc **rp = (struct fileproc **)(cm + 1); struct fileproc *fp; - struct fileglob *fg; int newfds = (cm->cmsg_len - sizeof(*cm)) / sizeof (int); int f; @@ -1072,8 +1071,8 @@ */ if (!fdavail(p, newfds)) { for (i = 0; i < newfds; i++) { - fg = *rp; - unp_discard_fdlocked(fg, p); + fp = *rp; + unp_discard_fdlocked(fp, p); *rp++ = 0; } proc_fdunlock(p); @@ -1087,15 +1086,26 @@ * XXX this assumes a pointer and int are the same size...! */ for (i = 0; i < newfds; i++) { + fp = *rp; +#ifdef MAC + /* + * If receive access is denied, don't pass along + * and error message, just discard the descriptor. + */ + if (mac_file_check_receive(proc_ucred(p), fp)) { + *rp++ = 0; + unp_discard_fdlocked(fp, p); + continue; + } +#endif if (fdalloc(p, 0, &f)) panic("unp_externalize"); - fg = *rp; - MALLOC_ZONE(fp, struct fileproc *, sizeof(struct fileproc), M_FILEPROC, M_WAITOK); - bzero(fp, sizeof(struct fileproc)); fp->f_iocount = 0; - fp->f_fglob = fg; +#ifdef MAC + mac_file_label_update(proc_ucred(p), fp); +#endif p->p_fd->fd_ofiles[f] = fp; - fg_removeuipc(fg); + fg_removeuipc(fp->f_fglob); *fdflags(p, f) &= ~UF_RESERVED; unp_rights--; *(int *)rp++ = f; @@ -1140,8 +1150,8 @@ struct proc *p) { struct cmsghdr *cm = mtod(control, struct cmsghdr *); - struct fileglob **rp; - struct fileproc *fp; + struct fileproc **rp; + struct fileproc *fp, *ofp; register int i, error; int oldfds; int fdgetf_noref(proc_t, struct fileglob **, struct fileproc **); @@ -1153,20 +1163,28 @@ oldfds = (cm->cmsg_len - sizeof (*cm)) / sizeof (int); proc_fdlock(p); - rp = (struct fileglob **)(cm + 1); + rp = (struct fileproc **)(cm + 1); for (i = 0; i < oldfds; i++) { - if (error = fdgetf_noref(p, *(int *)rp++, (struct fileglob **)0)) { + if (error = fdgetf_noref(p, *(int *)rp++, (struct fileproc **)0)) { proc_fdunlock(p); return (error); } } - rp = (struct fileglob **)(cm + 1); + rp = (struct fileproc **)(cm + 1); for (i = 0; i < oldfds; i++) { - (void) fdgetf_noref(p, *(int *)rp, &fp); + (void) fdgetf_noref(p, *(int *)rp, &ofp); + MALLOC_ZONE(fp, struct fileproc *, sizeof(struct fileproc), + M_FILEPROC, M_WAITOK); + bzero(fp, sizeof(struct fileproc)); + fp->f_fglob = ofp->f_fglob; +#ifdef MAC + mac_file_label_init(fp); + mac_file_label_copy(ofp->f_label, fp->f_label); +#endif fg_insertuipc(fp->f_fglob); - *rp++ = fp->f_fglob; + *rp++ = fp; unp_rights++; } proc_fdunlock(p); @@ -1375,7 +1393,7 @@ { if (m) { - unp_scan(m, unp_discard); + unp_scan(m, (void (*)(struct fileglob *))unp_discard); } } @@ -1440,23 +1458,27 @@ /* should run under kernel funnel */ static void -unp_discard(fg) - struct fileglob *fg; +unp_discard(fp) + struct fileproc *fp; { struct proc *p = current_proc(); /* XXX */ proc_fdlock(p); - unp_discard_fdlocked(fg, p); + unp_discard_fdlocked(fp, p); proc_fdunlock(p); } static void -unp_discard_fdlocked(fg, p) - struct fileglob *fg; +unp_discard_fdlocked(fp, p) + struct fileproc *fp; struct proc *p; { - fg_removeuipc(fg); + fg_removeuipc(fp->f_fglob); unp_rights--; - (void) closef_locked((struct fileproc *)0, fg, p); + (void) closef_locked((struct fileproc *)0, fp->f_fglob, p); +#ifdef MAC + mac_file_label_destroy(fp); +#endif + FREE(fp, M_FILEPROC); } ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/fdesc/fdesc_vnops.c#2 (text+ko) ==== @@ -226,6 +226,10 @@ struct componentname *cnp = ap->a_cnp; char *pname = cnp->cn_nameptr; struct proc *p = vfs_context_proc(ap->a_context); +#ifdef MAC + struct filedesc *fdp = p->p_fd; + struct fileproc *fp; +#endif int numfiles = p->p_fd->fd_nfiles; int fd; int error; @@ -322,6 +326,11 @@ if (error) goto bad; VTOFDESC(fvp)->fd_fd = fd; +#ifdef MAC + fp = fdp->fd_ofiles[fd]; + mac_vnode_label_associate_file(vfs_context_ucred(ap->a_context), + fp, fvp); +#endif *vpp = fvp; return (0); } ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/file_internal.h#3 (text+ko) ==== @@ -86,6 +86,7 @@ int32_t f_iocount; struct fileglob * f_fglob; void * f_waddr; + struct label *f_label; }; #define FILEPROC_NULL (struct fileproc *)0 ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_conf.c#2 (text+ko) ==== @@ -141,7 +141,7 @@ /* File Descriptor Filesystem */ #if FDESC - { &fdesc_vfsops, "fdesc", 7, 0, 0, NULL, NULL, 0, {0}, VFC_VFSGENERICARGS|VFC_VFSNOMACLABEL , 0, 0}, + { &fdesc_vfsops, "fdesc", 7, 0, 0, NULL, NULL, 0, {0}, VFC_VFSGENERICARGS , 0, 0}, #endif /* Volume ID Filesystem */ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#10 (text+ko) ==== @@ -1737,6 +1737,12 @@ type = F_FLOCK; if ((flags & FNONBLOCK) == 0) type |= F_WAIT; +#ifdef MAC + error = mac_file_check_change_flags(vfs_context_ucred(ctx), + fp, fp->f_fglob->fg_flag, fp->f_fglob->fg_flag | FHASLOCK); + if (error) + goto bad; +#endif if ((error = VNOP_ADVLOCK(vp, (caddr_t)fp->f_fglob, F_SETLK, &lf, type, ctx))) goto bad; fp->f_fglob->fg_flag |= FHASLOCK; @@ -2461,6 +2467,21 @@ file_drop(uap->fd); return(ESPIPE); } + + context.vc_proc = p; + context.vc_ucred = kauth_cred_get(); +#ifdef MAC + if (uap->whence == L_INCR && uap->offset == 0) + error = mac_file_check_get_offset(vfs_context_ucred(&context), + fp); + else + error = mac_file_check_change_offset(vfs_context_ucred(&context), + fp); + if (error) { + file_drop(uap->fd); + return (error); + } +#endif if ( (error = vnode_getwithref(vp)) ) { file_drop(uap->fd); return(error); @@ -2471,8 +2492,6 @@ offset += fp->f_fglob->fg_offset; break; case L_XTND: - context.vc_proc = p; - context.vc_ucred = kauth_cred_get(); if ((error = vnode_size(vp, &file_size, &context)) != 0) break; offset += file_size; @@ -4468,6 +4487,15 @@ error = EBADF; goto out; } + + context.vc_proc = p; + context.vc_ucred = fp->f_fglob->fg_cred; + +#ifdef MAC + error = mac_file_check_change_offset(kauth_cred_get(), fp); + if (error) + goto out; +#endif if ( (error = vnode_getwithref(vp)) ) { goto out; } @@ -4481,9 +4509,6 @@ goto out; } - context.vc_proc = p; - context.vc_ucred = fp->f_fglob->fg_cred; - #ifdef MAC error = mac_vnode_check_readdir(vfs_context_ucred(&context), vp); if (error != 0) { @@ -4780,6 +4805,15 @@ error = EBADF; goto out; } + + context.vc_proc = p; + context.vc_ucred = kauth_cred_get(); + +#ifdef MAC + error = mac_file_check_change_offset(vfs_context_ucred(&context), fp); + if (error) + goto out; +#endif if ( (error = vnode_getwithref(vp)) ) goto out; @@ -4791,9 +4825,6 @@ goto out; } - context.vc_proc = p; - context.vc_ucred = kauth_cred_get(); - #ifdef MAC error = mac_vnode_check_readdir(vfs_context_ucred(&context), vp); if (error != 0) { ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/config/MACFramework.exports#7 (text+ko) ==== @@ -24,6 +24,8 @@ _kauth_cred_dup _kauth_cred_dup_add +_sotoxsocket + _mac_kalloc _mac_kfree _mac_wire ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/conf/files#3 (text+ko) ==== @@ -24,3 +24,4 @@ security/mac_net.c optional mac security/mac_pipe.c optional mac security/mac_iokit.c optional mac +security/mac_file.c optional mac ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#6 (text+ko) ==== @@ -89,6 +89,7 @@ */ void mac_cred_label_init(struct ucred *); void mac_devfs_label_init(struct devnode *); +void mac_file_label_init(struct fileproc *fp); int mac_mbuf_label_init(struct mbuf *, int); int mac_mbuf_tag_init(struct m_tag *, int); void mac_mount_label_init(struct mount *); @@ -104,11 +105,15 @@ void mac_vnode_label_init(struct vnode *vp); void mac_vnode_label_copy(struct label *, struct label *label); void mac_devfs_label_copy(struct label *, struct label *label); +void mac_file_label_copy(struct label *, struct label *label); void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *); void mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to); void mac_socket_label_copy(struct label *from, struct label *to); +void mac_file_label_associate(struct ucred *cred, struct fileproc *fp); +void mac_file_label_update(struct ucred *cred, struct fileproc *fp); void mac_cred_label_destroy(struct ucred *); void mac_devfs_label_destroy(struct devnode *); +void mac_file_label_destroy(struct fileproc *fp); void mac_mbuf_label_destroy(struct mbuf *); void mac_mbuf_tag_destroy(struct m_tag *); void mac_mount_label_destroy(struct mount *); @@ -286,11 +291,25 @@ int mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr, int cmd); int mac_file_check_fcntl(struct ucred *cred, struct fileproc *fp, int cmd, - int arg); + long arg); int mac_file_check_get(struct ucred *cred, struct fileproc *fp, char *elements, int len); +int mac_file_check_create(struct ucred *cred); +int mac_file_check_dup(struct ucred *cred, struct fileproc *fp, int newfd); int mac_file_check_ioctl(struct ucred *cred, struct fileproc *fp, - int com, void *data); + u_long com, void *data); +int mac_file_check_inherit(struct ucred *cred, struct fileproc *fp); +int mac_file_check_receive(struct ucred *cred, struct fileproc *fp); +int mac_file_check_get_flags(struct ucred *cred, struct fileproc *fp, + u_int flags); +int mac_file_check_get_ofileflags(struct ucred *cred, struct fileproc *fp, + char flags); +int mac_file_check_change_flags(struct ucred *cred, struct fileproc *fp, + u_int oldflags, u_int newflags); +int mac_file_check_change_ofileflags(struct ucred *cred, + struct fileproc *fp, char oldflags, char newflags); +int mac_file_check_get_offset(struct ucred *cred, struct fileproc *fp); +int mac_file_check_change_offset(struct ucred *cred, struct fileproc *fp); int mac_file_check_set(struct ucred *cred, struct fileproc *fp, char *buf, int buflen); int mac_sysvsem_check_semget(struct ucred *cred, ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#12 (text+ko) ==== @@ -287,6 +287,14 @@ ); /** + @brief Initialize file label + @param label New label to initialize +*/ +typedef void mpo_file_label_init_t( + struct label *label +); + +/** @brief Initialize Login Context label @param label New label to initialize */ @@ -530,6 +538,38 @@ ); /** + @brief Create file label + @param cred Subject credential + @param fp Fileproc structure + @param label Policy label for fp +*/ +typedef void mpo_file_label_associate_t( + struct ucred *cred, + struct fileproc *fp, + struct label *label +); + +/** + @brief Update file label + @param cred Subject credential + @param fp Fileproc structure + @param label New policy label for fp +*/ +typedef void mpo_file_label_update_t( + struct ucred *cred, + struct fileproc *fp, + struct label *label +); + +/** + @brief Destroy file label + @param label The label to be destroyed +*/ +typedef void mpo_file_label_destroy_t( + struct label *label +); + +/** @brief Destroy devfs label @param label The label to be destroyed @@ -947,6 +987,19 @@ ); /** + @brief Copy a file label + @param src Source file label + @param dest Destination file label + + Copy the file label information from src to dest. This is + used when duplicating, passing or inheriting file descriptors. +*/ +typedef void mpo_file_label_copy_t( + struct label *src, + struct label *dest +); + +/** @brief Externalize a user credential label @param label Label to be externalized @param element_name Name of the label namespace for which labels should be @@ -2727,7 +2780,7 @@ struct ucred *cred, struct fileproc *fp, int cmd, - int arg + long arg ); /** @@ -3537,6 +3590,41 @@ ); /** + @brief Access control for creating a file descriptor + @param cred Subject credential + + Determine whether the subject identified by the credential can + allocate a new file descriptor. + + @return Return 0 if access if granted, otherwise an appropriate + value for errno should be returned. +*/ +typedef int mpo_file_check_create_t( + struct ucred *cred +); + +/** + @brief Access control for duplicating a file descriptor + @param cred Subject credential + @param fp Fileproc structure + @param label Policy label for fp + @param newfd New file descriptor number + + Determine whether the subject identified by the credential can + duplicate the file structure represented by fp and as file + descriptor number newfd. + + @return Return 0 if access if granted, otherwise an appropriate + value for errno should be returned. +*/ +typedef int mpo_file_check_dup_t( + struct ucred *cred, + struct fileproc *fp, + struct label *label, + int newfd +); + +/** @brief Access control check for file ioctl @param cred Subject credential @param fp Fileproc structure @@ -3558,11 +3646,167 @@ struct ucred *cred, struct fileproc *fp, struct label *label, - unsigned int cmd, + unsigned long cmd, void *data ); /** + @brief Access control for inheriting a file descriptor + @param cred Subject credential + @param fp Fileproc structure + @param label Policy label for fp + + Determine whether the subject identified by the credential can + inherit the file structure represented by fp. + + @return Return 0 if access if granted, otherwise an appropriate + value for errno should be returned. +*/ +typedef int mpo_file_check_inherit_t( + struct ucred *cred, + struct fileproc *fp, + struct label *label +); + +/** + @brief Access control for receiving a file descriptor + @param cred Subject credential + @param fp Fileproc structure + @param label Policy label for fp + + Determine whether the subject identified by the credential can + receive the file structure represented by fp. + + @return Return 0 if access if granted, otherwise an appropriate + value for errno should be returned. +*/ +typedef int mpo_file_check_receive_t( + struct ucred *cred, + struct fileproc *fp, + struct label *label +); + +/** + @brief Access control for getting file descriptor flags + @param cred Subject credential + @param fp Fileproc structure + @param label Policy label for fp + @param flags Requested flags + + Determine whether the subject identified by the credential can + get the specified flags for the file structure represented by fp. + + @return Return 0 if access if granted, otherwise an appropriate + value for errno should be returned. +*/ +typedef int mpo_file_check_get_flags_t( + struct ucred *cred, + struct fileproc *fp, + struct label *label, + u_int flags +); + +/** + @brief Access control for getting open file flags + @param cred Subject credential + @param fp Fileproc structure + @param label Policy label for fp + @param flags Requested flags + + Determine whether the subject identified by the credential can + get the open file flags for the file structure represented by fp. + + @return Return 0 if access if granted, otherwise an appropriate + value for errno should be returned. +*/ +typedef int mpo_file_check_get_ofileflags_t( + struct ucred *cred, + struct fileproc *fp, + struct label *label, + char flags +); + +/** + @brief Access control for changing file descriptor flags + @param cred Subject credential + @param fp Fileproc structure + @param label Policy label for fp + @param oldflags Old fd flags + @param newflags New fd flags + + Determine whether the subject identified by the credential can + change the specified flags for the file structure represented by fp. + + @return Return 0 if access if granted, otherwise an appropriate + value for errno should be returned. +*/ +typedef int mpo_file_check_change_flags_t( + struct ucred *cred, + struct fileproc *fp, + struct label *label, + u_int oldflags, + u_int newflags +); + +/** + @brief Access control for changing open file flags + @param cred Subject credential + @param fp Fileproc structure + @param label Policy label for fp + @param flags Old flags + @param flags New flags + >>> TRUNCATED FOR MAIL (1000 lines) <<<