Date: Sun, 14 Jul 2002 16:49:26 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 14235 for review Message-ID: <200207142349.g6ENnQVR037815@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14235 Change 14235 by rwatson@rwatson_paprika on 2002/07/14 16:48:46 First pass at helping extattr-backed labels work for various policies. Introduce mac_update_vnode_from_extattr() to replace the use of mac_update_vnode_from_externalized() in SEBSD, and invoke that before handling the MAC labels for other policies using centralized label support, introducing the preferred failure mode while not breaking those other policies (now fixed). I haven't added entry points for the write case nor the create case (create to come shortly), as the write case has some murky details we'll have to talk about for a bit. In the mean time, hopefully this resolves problems getting both SEBSD and other policies to live side-by-side. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#167 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#13 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#69 edit Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#167 (text+ko) ====
@@ -347,6 +347,10 @@ mpc->mpc_ops.mpo_update_procfsvnode_from_subject = mpe->mpe_function; break;
+ case MAC_UPDATE_VNODE_FROM_EXTATTR:
+ mpc->mpc_ops.mpo_update_vnode_from_extattr =
+ mpe->mpe_function;
+ break;
 case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: mpc->mpc_ops.mpo_update_vnode_from_externalized = mpe->mpe_function;
@@ -874,6 +878,21 @@ } /*
+ * Support callout for policies that manage their own externalization
+ * using extended attributes.
+ */
+static int
+mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp)
+{
+ int error;
+
+ MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp,
+ &mp->mnt_fslabel);
+
+ return (error);
+}
+
+/*
+ * Given an externalized mac label, internalize it and stamp it on a
+ * vnode.
+ */
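Review bot: `mac_update_vnode_from_extattr()` declares `int error;` without an initializer and returns it straight after `MAC_CHECK`, so correctness depends on that macro assigning `error` on every path, including when no loaded policy registered the new entry point; that dependency is not visible in this hunk and belongs in the header comment. The comment also says nothing about what a non-zero return means, which is the whole point of the change, so I would extend it with `* Returns 0 when every policy accepted the label, otherwise the error MAC_CHECK composed; callers must treat vp->v_label as not loaded on failure.` (wording to match whatever MAC_CHECK actually composes). Minor: `mp` is a separate parameter although the only caller in this change passes `vp->v_mount`; if a different mount is never intended, a sentence saying so would stop future callers from guessing.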
@@ -919,6 +938,14 @@ } else mac_ea_cache_misses++;
+ /*
+ * Call out to external policies first. Order doesn't really
+ * matter, as long as failure of one assures failure of all.
+ */
+ error = mac_update_vnode_from_extattr(vp, vp->v_mount);
+ if (error)
+ return (error);
+
 buflen = sizeof(extmac); error = vn_extattr_get(vp, IO_NODELOCKED, FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen,
@@ -935,8 +962,8 @@ * flag. */ mac_update_vnode_from_mount(vp, vp->v_mount);
- error = 0;
- break;
+ return (0);
+
 case EOPNOTSUPP: default: /* Fail horribly. */
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#13 (text+ko) ====
@@ -388,9 +388,8 @@ } static int
-sebsd_update_vnode_from_externalized(struct vnode *vp,
- struct label *vnodelabel,
- struct mac *extmac)
+sebsd_update_vnode_from_extattr(struct vnode *vp, struct label *vnodelabel,
+ struct mount *mp, struct label *fslabel)
 { struct vnode_security_struct *vsec; /* TBD: Need to limit size of contexts used in extattr labels */
@@ -398,7 +397,11 @@ u_int32_t context_len; int error;
- if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
+ /*
+ * XXX: this check is probably redundant, since we'll only get
+ * called here for multilabel file systems.
+ */
+ if ((mp->mnt_flag & MNT_MULTILABEL) == 0) {
 return (EOPNOTSUPP); }
@@ -421,7 +424,7 @@ VOP_GETATTR(vp, &va, curthread->td_ucred, curthread); VOP_UNLOCK(vp, 0, curthread); vn_fullpath(curthread, vp->v_dd, vp, &fullpath, &freepath);
- printf("sebsd_vnode_from_externallize: len=%d: context=%s file=%s inode=%d, fsid=%d\n", context_len, context, fullpath, va.va_fileid, va.va_fsid);
+ printf("sebsd_vnode_from_extattr: len=%d: context=%s file=%s inode=%d, fsid=%d\n", context_len, context, fullpath, va.va_fileid, va.va_fsid);
 if (freepath) free(freepath, M_TEMP); vn_lock(vp, LK_EXCLUSIVE, curthread);
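Review bot: The early `return (error)` after `mac_update_vnode_from_extattr()` makes a failing policy abort the load, but a policy that ran earlier in the same MAC_CHECK pass may already have written into `vp->v_label` (the SEBSD callout in this change stores into `vsec->sid` before returning), so on error the label can be partially updated; the new comment should state that, e.g. `* On failure the vnode label must be treated as not loaded: policies that ran earlier may already have updated it.` Replacing `error = 0; break;` with `return (0);` on the ENOATTR path also skips whatever followed the switch, which is outside this hunk, so it is worth confirming nothing there (unlocking, statistics) is now bypassed. The enclosing function starts and ends outside the hunk.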
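Review bot: The renamed `printf` on the new side of the `@@ -421` hunk still prints `context_len`, declared `u_int32_t` in the `@@ -398` hunk just above, with `%d`; `%u` is the matching conversion, and `va.va_fileid` / `va.va_fsid` need their own matching conversions or casts unless they really are `int` (their types are not visible here). The call is also unconditional console output of the on-disk security context and full path on every label load, with the vnode unlocked around it for `vn_fullpath`; acceptable for a first pass, but it should sit behind a debug knob before merge. `sebsd_update_vnode_from_extattr` begins in the `@@ -388` hunk and ends in the next hunk.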
@@ -430,10 +433,10 @@ vsec = SLOT(vnodelabel); error = security_context_to_sid(context, context_len, &vsec->sid); if (error) {
- printf("sebsd_update_vnode_from_externalized: ERROR mapping context to sid: %s\n", context);
+ printf("sebsd_update_vnode_from_extattr: ERROR mapping context to sid: %s\n", context);
 }
-/* printf("sebsd_update_vnode_from_externalized got sid %d, label size=%d: %s\n", vsec->sid, context_len, context); */
+/* printf("sebsd_update_vnode_from_extattr got sid %d, label size=%d: %s\n", vsec->sid, context_len, context); */
 return (0); }
@@ -495,8 +498,8 @@ (macop_t)sebsd_destroy_vnode }, { MAC_CREATE_VNODE_FROM_VNODE, (macop_t)sebsd_create_vnode_from_vnode },
- { MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
- (macop_t)sebsd_update_vnode_from_externalized },
+ { MAC_UPDATE_VNODE_FROM_EXTATTR,
+ (macop_t)sebsd_update_vnode_from_extattr },
 { MAC_RELABEL_VNODE, (macop_t)sebsd_relabel_vnode }, { MAC_CRED_CHECK_EXEC_VNODE,
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#69 (text+ko) ====
@@ -127,6 +127,9 @@ struct label *vnodelabel); void (*mpo_update_procfsvnode_from_subject)(struct vnode *vp, struct label *vnodelabel, struct ucred *cred);
+ int (*mpo_update_vnode_from_extattr)(struct vnode *vp,
+ struct label *vnodelabel, struct mount *mp,
+ struct label *fslabel);
 int (*mpo_update_vnode_from_externalized)(struct vnode *vp, struct label *vnodelabel, struct mac *mac); void (*mpo_update_vnode_from_mount)(struct vnode *vp,
@@ -344,6 +347,7 @@ MAC_RELABEL_VNODE, MAC_UPDATE_DEVFSDIRENT_FROM_VNODE, MAC_UPDATE_PROCFSVNODE_FROM_SUBJECT,
+ MAC_UPDATE_VNODE_FROM_EXTATTR,
 MAC_UPDATE_VNODE_FROM_EXTERNALIZED, MAC_UPDATE_VNODE_FROM_MOUNT, MAC_CREATE_MBUF_FROM_SOCKET, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
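Review bot: In the `if (error)` branch only the `printf` was renamed; the `error` from `security_context_to_sid()` is still not propagated and the function falls through to `return (0);`, so an on-disk context that fails to map reports success and leaves `vsec->sid` at whatever the mapping wrote or left behind. Now that kern_mac.c aborts the load whenever a policy returns non-zero ("failure of one assures failure of all"), `return (error);` after the printf is the fail-closed choice that matches the new framework contract; if returning success here is deliberate, a comment saying why is needed. The function starts in the preceding hunk.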
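Review bot: The new `mpo_update_vnode_from_extattr` prototype in the `@@ -127` hunk carries no comment on its return contract or on what a policy may do with `fslabel`, although it sits next to `mpo_update_vnode_from_externalized`, which takes a different argument set and, as far as this change shows, a different failure semantics. A short comment above the declaration would spare implementers a trip through kern_mac.c: `/* Load this policy's label for vp from its own extended attribute; return 0, or an errno, in which case the framework treats the vnode label as not loaded. */`. It is also worth stating that any non-zero return, including EOPNOTSUPP, now aborts the whole load, so the op should only be registered by policies that genuinely own an extattr layout.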