Date: Thu, 20 Apr 2006 15:47:02 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 95689 for review Message-ID: <200604201547.k3KFl2vx096673@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=95689 Change 95689 by millert@millert_g5tower on 2006/04/20 15:46:01 Convert SEBSDCALL_GETUSERSIDS, SEBSDCALL_GETFILESIDS and SEBSDCALL_CHANGE_SID to sysctls. Move struct lp_args definition to sebsd_syscalls.h Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_syscall.c#14 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_syscalls.h#9 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_sysctl.c#9 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_syscall.c#14 (text+ko) ==== @@ -51,11 +51,6 @@ #define MAX_UC 510 -struct lp_args { - void *data; - size_t len; -}; - static int sys_load_policy(struct proc *td, void *data, size_t len) { @@ -98,137 +93,7 @@ return (rc); } -/* - * Lists the SIDs currently available for transition to by a given - * "context\0username\0" - * - * or, lists the SIDs that a given context can relabel files to. (username is ignored) - */ -static int -sys_get_sids(int function, char *context, char *username, char *out, int *outlen) -{ - u_int32_t n, nsids, scontext_len; - u_int32_t *sids, sid; - char * scontext; - int error; - int olen = 1; - int ubufsz; - - if (copyin(outlen, &ubufsz, sizeof(int))) { - error = EFAULT; - goto out; - } - - /* - * XXX We need POLICY_RDLOCK here, but it's not exported! - */ - error = security_context_to_sid(context, strlen (context), &sid); - if (error) - goto out; - switch (function) { - case SEBSDCALL_GETUSERSIDS: - error = security_get_user_sids(sid, username, &sids, &nsids); - break; - - case SEBSDCALL_GETFILESIDS: - error = security_get_file_sids(sid, SECCLASS_FILE, &sids, - &nsids); - break; - - default: - error = ENOSYS; - break; - } - if (error) - goto out; - for (n = 0; n < nsids; n++) { - error = security_sid_to_context(sids[n], &scontext, - &scontext_len); - if (error) - goto out2; - if (out && olen + scontext_len <= ubufsz) { - error = copyout(scontext, out, scontext_len); - out += scontext_len; - } else if (out) - error = ENOMEM; - olen += scontext_len; - security_free_context(scontext); - if (error) - goto out2; - } - error = copyout(&olen, outlen, sizeof(int)); -out2: - sebsd_free(sids, M_SEBSD); -out: - return (error); -} - static int -sys_change_sid(char *domains, char *sources, char *sclasss, char *out, - int *outlen) -{ - u_int32_t domain, source; - struct class_datum *cld; - char *outc; - int error; - int ubufsz, outclen; - - if (copyin(outlen, &ubufsz, sizeof(int))) - return (EFAULT); - - /* - * XXX We need POLICY_RDLOCK here, but it's not exported! - */ - error = security_context_to_sid(sources, strlen (sources), &source); - if (error) - return (error); - - error = security_context_to_sid(domains, strlen (domains), &domain); - if (error) - return (error); - - cld = hashtab_search(policydb.p_classes.table, sclasss); - if (cld == NULL) - return (EINVAL); - - error = security_change_sid(domain, source, cld->value, &source); - if (error) - return (error); - error = security_sid_to_context(source, &outc, &outclen); - if (error) - return (error); - if (out) { - if (outclen > ubufsz) { - error = ENOMEM; - goto out; - } - error = copyout(outc, out, outclen); - if (error) - goto out; - } - error = copyout(&outclen, outlen, sizeof(int)); - -out: - security_free_context (outc); - return (error); -} - -struct getsid_args { - char *ctx; - char *usr; - char *out; - int *outlen; -}; - -struct changesid_args { - char *domain; - char *source; - char *sclass; - char *out; - int *outlen; -}; - -static int sebsd_get_bools(struct proc *td, struct sebsd_get_bools *gb) { char *out = NULL; @@ -263,74 +128,6 @@ error = sys_load_migscs(td, p.data, p.len); break; - case SEBSDCALL_GETUSERSIDS: - case SEBSDCALL_GETFILESIDS: - { - struct getsid_args uap; - size_t dummy; - char *ctx, *usr; - - error = copyin(args, &uap, sizeof(struct getsid_args)); - if (error) - return (error); - ctx = sebsd_malloc(MAX_UC, M_SEBSD, M_WAITOK); - error = copyinstr(uap.ctx, ctx, MAX_UC, &dummy); - if (error) { - sebsd_free(ctx, M_SEBSD); - return (error); - } - usr = sebsd_malloc(MAX_UC, M_SEBSD, M_WAITOK); - error = copyinstr(uap.usr, usr, MAX_UC, &dummy); - if (error) { - sebsd_free(ctx, M_SEBSD); - sebsd_free(usr, M_SEBSD); - return (error); - } - ctx[MAX_UC-1] = 0; - usr[MAX_UC-1] = 0; - error = sys_get_sids(call, ctx, usr, uap.out, uap.outlen); - sebsd_free(ctx, M_SEBSD); - sebsd_free(usr, M_SEBSD); - break; - } - - case SEBSDCALL_CHANGE_SID: - { - struct changesid_args uap; - size_t dummy; - char *doms, *srcs, *scs; - - error = copyin(args, &uap, sizeof(struct changesid_args)); - if (error) - return (error); - doms = sebsd_malloc(MAX_UC, M_SEBSD, M_WAITOK); - error = copyinstr(uap.domain, doms, MAX_UC, &dummy); - if (error) { - sebsd_free(doms, M_SEBSD); - return (error); - } - srcs = sebsd_malloc(MAX_UC, M_SEBSD, M_WAITOK); - error = copyinstr(uap.source, srcs, MAX_UC, &dummy); - if (error) { - sebsd_free(doms, M_SEBSD); - sebsd_free(srcs, M_SEBSD); - return (error); - } - scs = sebsd_malloc(MAX_UC, M_SEBSD, M_WAITOK); - error = copyinstr(uap.sclass, scs, MAX_UC, &dummy); - if (error) { - sebsd_free(doms, M_SEBSD); - sebsd_free(srcs, M_SEBSD); - sebsd_free(scs, M_SEBSD); - return (error); - } - error = sys_change_sid(doms, srcs, scs, uap.out, uap.outlen); - sebsd_free(doms, M_SEBSD); - sebsd_free(srcs, M_SEBSD); - sebsd_free(scs, M_SEBSD); - return (error); - } - case SEBSDCALL_GET_BOOLS: { struct sebsd_get_bools gb; ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_syscalls.h#9 (text+ko) ==== @@ -12,9 +12,6 @@ #define SEBSDCALL_GET_BOOL 9 #define SEBSDCALL_SET_BOOL 10 #define SEBSDCALL_COMMIT_BOOLS 11 -#define SEBSDCALL_GETUSERSIDS 6 -#define SEBSDCALL_GETFILESIDS 5 -#define SEBSDCALL_CHANGE_SID 4 #define SEBSDCALL_NUM 7 @@ -40,4 +37,9 @@ char *out; }; +struct lp_args { + void *data; + size_t len; +}; + #endif /* _SEBSD_SYSCALLS_H_ */ ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd_sysctl.c#9 (text+ko) ==== @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002 Networks Associates Technology, Inc. - * Copyright (c) 2005, 2006 SPARTA, Inc. + * Copyright (c) 2005-2006 SPARTA, Inc. * All rights reserved. * * This software was developed for the FreeBSD Project by NAI Labs, the @@ -55,13 +55,12 @@ extern unsigned int policydb_loaded_version; -#if 0 /* * Sysctl handler for security.mac.sebsd.sids * Lists the SIDs currently active in the security server */ static int -sysctl_list_sids(SYSCTL_HANDLER_ARGS) +sysctl_list_sids SYSCTL_HANDLER_ARGS { const int linesize = 128; /* conservative */ int i, count, error, len; @@ -71,7 +70,7 @@ char *scontext; count = sidtab.nel; - MALLOC(buffer, char *, linesize, M_TEMP, M_WAITOK); + buffer = sebsd_malloc(linesize, M_TEMP, M_WAITOK); len = snprintf(buffer, linesize, "\n SID Context\n"); error = SYSCTL_OUT(req, buffer, len); if (error) @@ -98,10 +97,9 @@ } error = SYSCTL_OUT(req, "", 1); out: - FREE(buffer, M_TEMP); + sebsd_free(buffer, M_TEMP); return (error); } -#endif /* * Sysctl handler for security.mac.sebsd.auditing. Get or set whether the @@ -167,13 +165,11 @@ return (0); } -#if 0 -/* - * Sysctl handler for security.mac.sebsd.user_sids. Lists the SIDs currently - * available for transition to by a given "context\0username\0". - */ +#define SEBSD_GETUSERSIDS 1 +#define SEBSD_GETFILESIDS 2 + static int -sysctl_user_sids(SYSCTL_HANDLER_ARGS) +sebsd_get_sids(int function, struct sysctl_req *req) { u_int32_t n, nsids, scontext_len; u_int32_t *sids, sid; @@ -193,19 +189,29 @@ error = EINVAL; goto out; } - len = strlen(context); - if (len + 1 >= req->newlen) { - error = EINVAL; - goto out; - } - username = context + len + 1; /* * XXX We need POLICY_RDLOCK here, but it's not exported! */ + len = strlen(context); error = security_context_to_sid(context, len + 1, &sid); if (error) goto out; - error = security_get_user_sids(sid, username, &sids, &nsids); + switch (function) { + case SEBSD_GETUSERSIDS: + if (len + 1 >= req->newlen) { + error = EINVAL; + goto out2; + } + username = context + len + 1; + error = security_get_user_sids(sid, username, &sids, &nsids); + break; + case SEBSD_GETFILESIDS: + error = security_get_file_sids(sid, SECCLASS_FILE, &sids, + &nsids); + break; + default: + error = EINVAL; + } if (error) goto out; for (n = 0; n < nsids; n++) { @@ -227,11 +233,33 @@ } /* + * Sysctl handler for security.mac.sebsd.user_sids. Lists the SIDs currently + * available for transition to by a given "context\0username\0". + */ +static int +sysctl_user_sids SYSCTL_HANDLER_ARGS +{ + + return (sebsd_get_sids(SEBSD_GETUSERSIDS, req)); +} + +/* + * Sysctl handler for security.mac.sebsd.file_sids. Lists the file + * SIDs available for a given "context\0". + */ +static int +sysctl_file_sids SYSCTL_HANDLER_ARGS +{ + + return (sebsd_get_sids(SEBSD_GETFILESIDS, req)); +} + +/* * Sysctl handler for security.mac.sebsd.change_sid * Report the SID to relabel to given input "scontext\0tcontext\0",tclass */ static int -sysctl_change_sid(SYSCTL_HANDLER_ARGS) +sysctl_change_sid SYSCTL_HANDLER_ARGS { u_int32_t newcontext_len; u_int32_t sid, tsid, newsid; @@ -284,7 +312,7 @@ * given input "scontext\0tcontext\0", tclass, av. */ static int -sysctl_compute_av(SYSCTL_HANDLER_ARGS) +sysctl_compute_av SYSCTL_HANDLER_ARGS { u_int32_t sid, tsid; u_int16_t tclass; @@ -333,7 +361,6 @@ sebsd_free(scontext, M_SEBSD); return (error); } -#endif SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, sebsd, CTLFLAG_RW, 0, @@ -341,19 +368,20 @@ SYSCTL_INT(_security_mac_sebsd, OID_AUTO, verbose, CTLFLAG_RW, &sebsd_verbose, 0, " SEBSD Verbose Debug Stuff"); -#if 0 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, sids, CTLTYPE_STRING|CTLFLAG_RD, NULL, 0, sysctl_list_sids, "A", "SEBSD SIDs"); SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, user_sids, CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_user_sids, "A", "SEBSD transitionable user SIDs"); +SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, file_sids, CTLTYPE_STRING | + CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_file_sids, "A", + "SEBSD transitionable file SIDs"); SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, change_sid, CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_change_sid, "A", "SEBSD (tty) SID relabel to perform along with transition"); SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_av, CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_av, "A", "SEBSD access vector decision query"); -#endif SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, auditing, CTLTYPE_INT | CTLFLAG_RW, NULL, 0, sysctl_sebsd_auditing, "I", "SEBSD avc auditing"); SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | @@ -367,6 +395,11 @@ { sysctl_register_oid(&sysctl__security_mac_sebsd); sysctl_register_oid(&sysctl__security_mac_sebsd_verbose); + sysctl_register_oid(&sysctl__security_mac_sebsd_sids); + sysctl_register_oid(&sysctl__security_mac_sebsd_user_sids); + sysctl_register_oid(&sysctl__security_mac_sebsd_file_sids); + sysctl_register_oid(&sysctl__security_mac_sebsd_change_sid); + sysctl_register_oid(&sysctl__security_mac_sebsd_compute_av); sysctl_register_oid(&sysctl__security_mac_sebsd_auditing); sysctl_register_oid(&sysctl__security_mac_sebsd_enforcing); sysctl_register_oid(&sysctl__security_mac_sebsd_policyvers);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200604201547.k3KFl2vx096673>