From owner-trustedbsd-cvs@FreeBSD.ORG Wed Oct 25 19:33:12 2006 Return-Path: X-Original-To: trustedbsd-cvs@freebsd.org Delivered-To: trustedbsd-cvs@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CC0B416A403 for ; Wed, 25 Oct 2006 19:33:12 +0000 (UTC) (envelope-from owner-perforce@freebsd.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id EF96443D49 for ; Wed, 25 Oct 2006 19:33:11 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: from mx2.freebsd.org (mx2.freebsd.org [216.136.204.119]) by cyrus.watson.org (Postfix) with ESMTP id 42AEC46E83 for ; Wed, 25 Oct 2006 15:33:11 -0400 (EDT) Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18]) by mx2.freebsd.org (Postfix) with ESMTP id 9AFF6634AB; Wed, 25 Oct 2006 19:25:15 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: by hub.freebsd.org (Postfix, from userid 32767) id 8949C16A4D1; Wed, 25 Oct 2006 19:25:15 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C2A616A4C2 for ; Wed, 25 Oct 2006 19:25:15 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 531B543D64 for ; Wed, 25 Oct 2006 19:25:12 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k9PJPCO8058060 for ; Wed, 25 Oct 2006 19:25:12 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k9PJPBbB058057 for perforce@freebsd.org; Wed, 25 Oct 2006 19:25:11 GMT (envelope-from millert@freebsd.org) Date: Wed, 25 Oct 2006 19:25:11 GMT Message-Id: <200610251925.k9PJPBbB058057@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 108416 for review X-BeenThere: trustedbsd-cvs@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD CVS and Perforce commit message list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2006 19:33:12 -0000 http://perforce.freebsd.org/chv.cgi?CH=108416 Change 108416 by millert@millert_macbook on 2006/10/25 19:24:34 Change ikm_sender from struct ipc_labelh * to task_t. This allows us to report the correct sender in the avc audit logs for MiG-based permissions. To do this, we now pass a struct proc * to mpo_port_check_method. This change may be reverted in the future but is very useful for debugging. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.h#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_mqueue.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/mach_msg.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_mach_internal.h#8 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#16 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_port.c#7 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#25 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.h#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/ss/mach_av.c#6 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.c#3 (text+ko) ==== @@ -294,9 +294,10 @@ ipc_port_t port; #ifdef MAC - if (kmsg->ikm_sender != NULL){ - labelh_release (kmsg->ikm_sender); - kmsg->ikm_sender = NULL; + if (kmsg->ikm_sender != NULL) { + labelh_release(kmsg->ikm_sender->label); + task_deallocate(kmsg->ikm_sender); + kmsg->ikm_sender = NULL; } #endif @@ -663,8 +664,9 @@ #ifdef MAC if (kmsg->ikm_sender != NULL) { - labelh_release (kmsg->ikm_sender); - kmsg->ikm_sender = NULL; + labelh_release(kmsg->ikm_sender->label); + task_deallocate(kmsg->ikm_sender); + kmsg->ikm_sender = NULL; } #endif } @@ -769,13 +771,13 @@ #endif #ifdef MAC - task_t cur = current_thread()->task; - if (cur) - { - labelh_reference (cur->label); - kmsg->ikm_sender = cur->label; - } - else + /* XXX - why do we zero sender labels here instead of in mach_msg()? */ + task_t cur = current_task(); + if (cur) { + task_reference(cur); + labelh_reference(cur->label); + kmsg->ikm_sender = cur; + } else trailer->msgh_labels.sender = 0; #else trailer->msgh_labels.sender = 0; @@ -869,7 +871,7 @@ trailer->msgh_labels.sender = 0; #ifdef MAC - kmsg->ikm_sender = (ipc_labelh_t)NULL; + kmsg->ikm_sender = NULL; #endif *kmsgp = kmsg; return MACH_MSG_SUCCESS; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.h#2 (text+ko) ==== @@ -94,7 +94,7 @@ struct ipc_kmsg *ikm_prev; ipc_port_t ikm_prealloc; /* port we were preallocated from */ mach_msg_size_t ikm_size; - struct ipc_labelh *ikm_sender; + task_t ikm_sender; mach_msg_header_t *ikm_header; }; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_mqueue.c#3 (text+ko) ==== @@ -716,7 +716,7 @@ #ifdef MAC if (self->ith_kmsg != NULL && self->ith_kmsg->ikm_sender != NULL) { - lh = self->ith_kmsg->ikm_sender; + lh = self->ith_kmsg->ikm_sender->label; task = current_task(); tasklabel_lock(task); ip_lock(lh->lh_port); @@ -745,7 +745,7 @@ #ifdef MAC if (self->ith_kmsg != NULL && self->ith_kmsg->ikm_sender != NULL) { - lh = self->ith_kmsg->ikm_sender; + lh = self->ith_kmsg->ikm_sender->label; task = current_task(); tasklabel_lock(task); ip_lock(lh->lh_port); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/mach_msg.c#5 (text+ko) ==== @@ -314,7 +314,8 @@ #ifdef MAC if (kmsg->ikm_sender != NULL && IP_VALID(kmsg->ikm_header->msgh_remote_port) && - mac_port_check_method(&kmsg->ikm_sender->lh_label, + mac_port_check_method(kmsg->ikm_sender, + &kmsg->ikm_sender->maclabel, &((ipc_port_t)kmsg->ikm_header->msgh_remote_port)->ip_label, kmsg->ikm_header->msgh_id) == 0) trailer->msgh_ad = 1; @@ -331,7 +332,7 @@ if (option & MACH_RCV_TRAILER_ELEMENTS (MACH_RCV_TRAILER_LABELS)) { #ifdef MAC if (kmsg->ikm_sender != NULL) { - ipc_labelh_t lh = kmsg->ikm_sender; + ipc_labelh_t lh = kmsg->ikm_sender->label; kern_return_t kr; ip_lock(lh->lh_port); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_mach_internal.h#8 (text+ko) ==== @@ -31,7 +31,7 @@ void mac_task_label_update_internal(struct label *pl, struct task *t); int mac_port_label_compute(struct label *subj, struct label *obj, const char *serv, struct label *out); -int mac_port_check_method(struct label *task, struct label *port, int msgid); +int mac_port_check_method(task_t task, struct label *sub, struct label *obj, int msgid); #ifdef MAC void mac_policy_init(void); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#16 (text+ko) ==== @@ -2867,6 +2867,7 @@ /** @brief Compute access control check for a Mach message-based service + @param proc Sender's process structure (may be NULL) @param task Sender's task label @param port Destination port label @param msgid Message id @@ -2884,6 +2885,7 @@ */ typedef int mpo_port_check_method_t( + struct proc *proc, struct label *task, struct label *port, int msgid ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_port.c#7 (text+ko) ==== @@ -244,11 +244,11 @@ } int -mac_port_check_method(struct label *task, struct label *port, int msgid) +mac_port_check_method(task_t task, struct label *sub, struct label *obj, int msgid) { int error; - MAC_CHECK(port_check_method, task, port, msgid); + MAC_CHECK(port_check_method, get_bsdtask_info(task), sub, obj, msgid); return (error); } ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#3 (text+ko) ==== @@ -653,7 +653,7 @@ u16 tclass, u32 requested, struct av_decision *avd, int result, struct avc_audit_data *a) { - struct proc *tsk = current_proc(); + struct proc *tsk; u32 denied, audited; struct audit_buffer *ab; @@ -679,10 +679,10 @@ audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); avc_dump_av(ab, tclass,audited); audit_log_format(ab, " for "); -#ifdef __linux__ if (a && a->tsk) tsk = a->tsk; -#endif + else + tsk = current_proc(); /* XXX, should be set by caller */ if (tsk && tsk->p_pid) { audit_log_format(ab, " pid=%d comm=", tsk->p_pid); audit_log_untrustedstring(ab, tsk->p_comm); @@ -799,6 +799,9 @@ a->u.net.netif); #endif /* __linux__ */ break; + case AVC_AUDIT_DATA_MIG: + audit_log_format(ab, " msgid=%d", a->u.ipc_id); + break; } } audit_log_format(ab, " "); ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#2 (text+ko) ==== @@ -34,7 +34,7 @@ */ struct avc_entry; -struct task_struct; +struct proc; struct xsocket; /* Auxiliary data to use in generating the audit record. */ @@ -44,9 +44,8 @@ #define AVC_AUDIT_DATA_NET 2 #define AVC_AUDIT_DATA_CAP 3 #define AVC_AUDIT_DATA_IPC 4 -#ifdef __linux__ - struct task_struct *tsk; -#endif +#define AVC_AUDIT_DATA_MIG 5 + struct proc *tsk; union { struct { struct vnode *vp; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#25 (text+ko) ==== @@ -1481,14 +1481,15 @@ } static int -sebsd_port_check_method(struct label *subj, struct label *obj, int msgid) +sebsd_port_check_method(struct proc *p, struct label *subj, struct label *obj, + int msgid) { struct task_security_struct *tsec, *psec; psec = SLOT(obj); tsec = SLOT(subj); - return (sebsd_ipc_check_method1(tsec->sid,psec->sid, msgid)); + return (sebsd_ipc_check_method1(p, tsec->sid, psec->sid, msgid)); } static int ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.h#5 (text+ko) ==== @@ -57,6 +57,6 @@ extern int sebsd_syscall(struct proc *p, int call, user_addr_t args); extern int cred_has_system(struct ucred *cred, u_int32_t perm); extern int cred_has_security(struct ucred *cred, u_int32_t perm); -extern int sebsd_ipc_check_method1(int subj, int obj, int msgid); +extern int sebsd_ipc_check_method1(struct proc *p, int subj, int obj, int msgid); #endif /* _SYS_SECURITY_SEBSD_H */ ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/ss/mach_av.c#6 (text+ko) ==== @@ -154,13 +154,18 @@ int -sebsd_ipc_check_method1(int subj, int obj, int msgid) +sebsd_ipc_check_method1(struct proc *p, int subj, int obj, int msgid) { struct msgid_classinfo *mcl; u16 tclass; u32 perms, cl; int msgid_norm; + struct avc_audit_data ad; + AVC_AUDIT_DATA_INIT(&ad, MIG); + ad.u.ipc_id = msgid; + ad.tsk = p; + /* * Return allowed for messages in an unknown subsystem. * Instead, we probably should make a check against a @@ -190,5 +195,5 @@ lck_rw_unlock_shared(migscs_rwlock); perms = (u32)1 << (msgid_norm - (cl * 8 * sizeof(u32))); - return avc_has_perm(subj, obj, tclass, perms, NULL); + return avc_has_perm(subj, obj, tclass, perms, &ad); }