Date: Tue, 17 Dec 2002 15:12:54 -0800 (PST) From: Brian Feldman <green@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 22433 for review Message-ID: <200212172312.gBHNCstr043365@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=22433
Change 22433 by green@green_laptop_2 on 2002/12/17 15:12:24
Implement what's needed for SEBSD to determine the transitionable contexts in the userland processes (i.e. for login(1), newrole, etc.) Also, modify the SID-listing sysctl to not allocate the entire memory it might possibly need at once, since it only needs space for one line of printing at a time.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#4 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#4 (text+ko) ====
@@ -42,6 +42,7 @@
 #include <security/sebsd/linux-compat.h>
 #include <security/sebsd/sebsd.h>
+#include <security/sebsd/ss/global.h>
 #include <security/sebsd/ss/services.h>
 #include <security/sebsd/ss/security.h>
 #include <security/sebsd/ss/sidtab.h>
@@ -57,53 +58,142 @@
 int i, count, error, len;
 u_int32_t scontext_len;
 sidtab_node_t *cur;
- char *buffer, *offset;
+ char *buffer;
 security_context_t scontext;
 count = sidtab.nel;
- MALLOC(buffer, char *, count * linesize, M_TEMP, M_WAITOK);
+ MALLOC(buffer, char *, linesize, M_TEMP, M_WAITOK);
 len = snprintf(buffer, linesize, "\n SID Context\n");
 error = SYSCTL_OUT(req, buffer, len);
 if (error)
 goto out;
- offset = buffer;
-
 for (i = 0; i < SIDTAB_SIZE; i++) {
 cur = sidtab.htable[i];
 while (cur != NULL && count > 0) {
 error = security_sid_to_context(cur->sid, &scontext, &scontext_len);
- len = snprintf(offset, linesize, "%7d %s\n",
+ len = snprintf(buffer, linesize, "%7d %s\n",
 cur->sid, scontext);
 security_free_context(scontext);
- offset += len;
+ error = SYSCTL_OUT(req, buffer, len);
+ if (error)
+ goto out;
 cur = cur->next;
 count--;
 }
 }
- *offset++ = '\0';
- error = SYSCTL_OUT(req, buffer, offset - buffer);
+ error = SYSCTL_OUT(req, "", 1);
 out:
 FREE(buffer, M_TEMP);
 return (error);
 }
+#if 0
+/*
+ * Sysctl handler for security.mac.sebsd.enforcing
+ * Get and/or set whether the avc is in enforcement mode.
+ */
+static int
+sysctl_sebsd_enforcing(SYSCTL_HANDLER_ARGS)
+{
+ int error, enforcing;
+
+ if (req->oldptr != NULL) {
+ /* XXX Always allow the users to find out? 
*/
+ enforcing = !avc_debug_always_allow;
+ error = SYSCTL_OUT(req, &enforcing, sizeof(enforcing));
+ if (error)
+ return (error);
+ }
+ if (req->newptr != NULL) {
+ error = thread_has_system(curthread, SYSTEM__AVC_TOGGLE);
+ if (error)
+ return (error);
+ error = SYSCTL_IN(req, &enforcing, sizeof(enforcing));
+ if (error)
+ return (error);
+ if (enforcing && avc_debug_always_allow) {
+ avc_ss_reset(avc_cache.latest_notif);
+ if (!ss_initialized && security_init() != 0)
+ panic("SELinux: Could not initialize\n");
+ }
+ avc_debug_always_allow = !enforcing;
+ }
+ return (0);
+}
+#endif
+
+/*
+ * Sysctl handler for security.mac.sebsd.user_sids
+ * Lists the SIDs currently available for transition to by a given
+ * "context\0username\0"
+ */
+static int
+sysctl_user_sids(SYSCTL_HANDLER_ARGS)
+{
+ u_int32_t n, nsids, scontext_len;
+ security_id_t *sids, sid;
+ security_context_t scontext;
+ char *context, *username;
+ int error, len;
+
+ if (req->newlen == 0)
+ return (EINVAL);
+ if (req->newlen > 512) /* arbitrary */
+ return (ENAMETOOLONG);
+ context = sebsd_malloc(req->newlen, M_SEBSD_SS, M_WAITOK);
+ error = SYSCTL_IN(req, context, req->newlen);
+ if (error)
+ goto out;
+ if (context[req->newlen - 1] != '\0') {
+ error = EINVAL;
+ goto out;
+ }
+ len = strlen(context);
+ if (len + 1 >= req->newlen) {
+ error = EINVAL;
+ goto out;
+ }
+ username = context + len + 1;
+ error = security_context_to_sid(context, len + 1, &sid);
+ if (error)
+ goto out;
+ error = security_get_user_sids(sid, username, &sids, &nsids);
+ if (error)
+ goto out;
+ for (n = 0; n < nsids; n++) {
+ error = security_sid_to_context(sids[n], &scontext,
+ &scontext_len);
+ if (error)
+ goto out2;
+ error = SYSCTL_OUT(req, scontext, scontext_len);
+ security_free_context(scontext);
+ if (error)
+ goto out2;
+ }
+ error = SYSCTL_OUT(req, "", 1);
+out2:
+ sebsd_free(sids, M_SEBSD_SS);
+out:
+ sebsd_free(context, M_SEBSD_SS);
+ return (error);
+}
+
 SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security_mac, 
OID_AUTO, sebsd, CTLFLAG_RW, 0, "Security Enhanced BSD policy controls");
-#ifdef now_a_syscall
-SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, debug, CTLTYPE_INT|CTLFLAG_RW,
- 0, 0, sysctl_sebsd_debug, "I",
- "Debug Security Enhanced BSD policy");
-TUNABLE_INT("security.mac.sebsd.debug", &avc_debug_always_allow);
-#endif
-
 SYSCTL_INT(_security_mac_sebsd, OID_AUTO, verbose, CTLFLAG_RW, &sebsd_verbose, 0, " SEBSD Verbose Debug Stuff");
 TUNABLE_INT("security.mac.sebsd.verbose", &sebsd_verbose);
-SYSCTL_OID(_security_mac_sebsd, OID_AUTO, sids, CTLTYPE_STRING|CTLFLAG_RD,
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, sids, CTLTYPE_STRING|CTLFLAG_RD,
 NULL, 0, sysctl_list_sids, "A", "SEBSD SIDs");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, user_sids, CTLTYPE_STRING |
+ CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_user_sids, "A",
+ "SEBSD transitionable user SIDs");
-
+#if 0
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW,
+ 0, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement");
+#endif
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
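Review bot: In sysctl_list_sids the new `error = SYSCTL_OUT(req, buffer, len);` copies snprintf's return value, which is the length the formatted line would have had rather than the bytes actually stored, so a context string longer than linesize makes SYSCTL_OUT read past the end of the buffer that the preceding MALLOC now sizes to exactly linesize bytes. The loop also formats scontext on the line after `error = security_sid_to_context(...)` without testing that error, so a failed conversion reaches snprintf and security_free_context with whatever scontext holds. I would add `if (error) goto out;` directly after the conversion and `if (len >= linesize) len = linesize - 1;` before the SYSCTL_OUT, unless linesize is already guaranteed to exceed every possible context length (its definition and the function signature are above the hunk, so I cannot confirm that here). In sysctl_user_sids, whether security_get_user_sids leaves sids allocated when it returns an error or when nsids is 0 is not visible either; the `goto out` on that failure skips sebsd_free(sids), and the out2 path frees it unconditionally, so a one-line comment stating the ownership contract of sids would help the next reader. Since user_sids is registered with CTLFLAG_ANYBODY, the length and NUL checks at the top of the handler are the only validation on caller-supplied data, and the handler's header comment should say so.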