From nobody Thu Apr 3 19:32:17 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZTBhL0BvLz5sLsX; Thu, 03 Apr 2025 19:32:18 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZTBhK3cjMz3SQW; Thu, 03 Apr 2025 19:32:17 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1743708737; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=JcjTMMu9wMZU/AHeNC/m2Q5Pc+D0UmghjUs09EBaSaA=; b=XjINQVC1VddMrRw8HYWxpvMGHtZfFOJIt0eNprXq20hrhtbSUNdqIOmeVepxQ+AVZg3ZnI CeWt5E38Xv7qUMXV92vXmZFkSfiBxAUnI8Wl3B/Mgm0PfJny8qj6eIfDZwMWAxkZEGyxLg WNdT8+Rdi5qcBiTLUwSHPyYxx9TRtaF7EcAoDV5oMuTJQAvbpDQq+wmUb8CCpsN0AOPD0t 0aaTUWog0SJyC3UgC8fhakxOovG5gRCa/IKTDKCCMr8oPFbyBgeurRe7TaxKSSe7c5+BTZ TOdZEx3XzDp1MYwvAoF4bicVCMB9zR58oiB3N53A1du2fiVsbXwMo2G5fWdWrA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1743708737; a=rsa-sha256; cv=none; b=D6BAGitkqyKXgee6PMULuObaMYDys8IH6Dst572CJEoJqKhjwLgIMBh7ZegC/Rh8B+u0MK IlHNPDjhLHiu8+fTjeJUMxjj//B0UaSK5BhDbQIn7Maf07uLiQKNuY8AhcejjypjmQBsoe /K7YHOT0uzimvm4zX3bCW/gznIXqwNQq9Zozl8+noRDyR0bzkQmZxA+IuxEVFwEvsRF0Fu e6Mi+vMDOkiQipRduiTbhieVMT0MwMhXmfhhkta2DNa+aDZ0p3D9nSj8uMZmezjAYAYwUI f/vGfUrTeyOLi10xjd/GNQ0y6DcISHys6EKrrZBifhFtDvuzNCYBANsFhYjjdw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; 
c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1743708737; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=JcjTMMu9wMZU/AHeNC/m2Q5Pc+D0UmghjUs09EBaSaA=; b=DhaFX9OmjWF/IKzWjJn6T1nIYscHGdtOGm6B9B5DPVK6IZIUNVpDp5X83PVLcIOXACHCin nAeL2dmOFewh1e99ihNddocjV+CbtWbpKTGvaIo1Z0P7/zGAnO/d6I11ou8znSNyGI/0ka buglk0F0u5OmKcXyhoyiZPxy89NZ6F8+8W94koCSo26hdH77dM03bgENCvsrqh2MTpxEIz NfXkhQFAW6GrKpB4LQYD949uMoZ0d6BPLPHHyc+Pzb338x13U2qqVJoerG+0/P++cXQX3b 7B6FB4gaM9arsqhIPiMv+OqTIVsdxcgTLOhsae/u3WAieFRkHjKbzBUqt1WEsQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4ZTBhK2yq6z1Cm2; Thu, 03 Apr 2025 19:32:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 533JWHZY040187; Thu, 3 Apr 2025 19:32:17 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 533JWH20040184; Thu, 3 Apr 2025 19:32:17 GMT (envelope-from git) Date: Thu, 3 Apr 2025 19:32:17 GMT Message-Id: <202504031932.533JWH20040184@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Olivier Certner Subject: git: f89a4b6162a8 - stable/14 - MAC/do: 'struct rule': IDs and types as 'u_int', rename fields List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: f89a4b6162a839c21061b64628e88e54fa8dddf4 Auto-Submitted: auto-generated The branch stable/14 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=f89a4b6162a839c21061b64628e88e54fa8dddf4 commit f89a4b6162a839c21061b64628e88e54fa8dddf4 Author: Olivier Certner AuthorDate: 2024-07-05 11:43:41 +0000 Commit: Olivier Certner CommitDate: 2025-04-03 19:31:02 +0000 MAC/do: 'struct rule': IDs and types as 'u_int', rename fields This is in preparation for introducing a common conversion function for IDs and to simplify code a bit by removing the from-IDs union and not having to introduce a new one for to-IDs in a later commit. Reviewed by: bapt Approved by: markj (mentor) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D47613 (cherry picked from commit 6aadc7b2ee055fba58984fec715b6e2a754f9d3e)
---
 sys/security/mac_do/mac_do.c | 102 ++++++++++++++++++-------------------------
 1 file changed, 43 insertions(+), 59 deletions(-)
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index edd728ea070a..bfd5eb136fc1 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -40,14 +40,19 @@ static unsigned mac_do_osd_jail_slot;
 #define RULE_GID 2
 #define RULE_ANY 3
+/*
+ * We assume that 'uid_t' and 'gid_t' are aliases to 'u_int' in conversions
+ * required for parsing rules specification strings.
+ */
+_Static_assert(sizeof(uid_t) == sizeof(u_int) && (uid_t)-1 >= 0 &&
+ sizeof(gid_t) == sizeof(u_int) && (gid_t)-1 >= 0,
+ "mac_do(4) assumes that 'uid_t' and 'gid_t' are aliases to 'u_int'");
+
 struct rule {
- int from_type;
- union {
- uid_t f_uid;
- gid_t f_gid;
- };
- int to_type;
- uid_t t_uid;
+ u_int from_type;
+ u_int from_id;
+ u_int to_type;
+ u_int to_id;
 TAILQ_ENTRY(rule) r_entries;
 };
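Review bot: With the union removed, nothing in `struct rule` says that `from_id` holds a UID or a GID depending on `from_type`, or that `to_id` is only read when `to_type` is `RULE_UID`; the old `f_uid`/`f_gid`/`t_uid` names carried that information. Field comments would restore it, for example `u_int from_id; /* UID or GID, as selected by from_type */` and `u_int to_id; /* target UID; unused when to_type is RULE_ANY */`. The `_Static_assert` verifies size and unsignedness only, which appears to be all the later comparisons against `cred->cr_uid` and the `groupmember()` argument rely on, so its comment could state that instead of "aliases".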
@@ -83,71 +88,50 @@ alloc_rules(void)
 static int
 parse_rule_element(char *element, struct rule **rule)
 {
- int error = 0;
- char *type, *id, *p;
+ const char *from_type, *from_id, *to;
+ char *p;
 struct rule *new;
 new = malloc(sizeof(*new), M_DO, M_ZERO|M_WAITOK);
- type = strsep(&element, "=");
- if (type == NULL) {
- error = EINVAL;
- goto error;
- }
+ from_type = strsep(&element, "=");
+ if (from_type == NULL)
+ goto einval;
- if (strcmp(type, "uid") == 0)
+ if (strcmp(from_type, "uid") == 0)
 new->from_type = RULE_UID;
- else if (strcmp(type, "gid") == 0)
+ else if (strcmp(from_type, "gid") == 0)
 new->from_type = RULE_GID;
- else {
- error = EINVAL;
- goto error;
- }
+ else
+ goto einval;
- id = strsep(&element, ":");
- if (id == NULL || *id == '\0') {
- error = EINVAL;
- goto error;
- }
+ from_id = strsep(&element, ":");
+ if (from_id == NULL || *from_id == '\0')
+ goto einval;
- switch (new->from_type) {
- case RULE_UID:
- new->f_uid = strtol(id, &p, 10);
- break;
- case RULE_GID:
- new->f_gid = strtol(id, &p, 10);
- break;
- default:
- __assert_unreachable();
- }
- if (*p != '\0') {
- error = EINVAL;
- goto error;
- }
+ new->from_id = strtol(from_id, &p, 10);
+ if (*p != '\0')
+ goto einval;
- if (element == NULL || *element == '\0') {
- error = EINVAL;
- goto error;
- }
- if (strcmp(element, "any") == 0 || strcmp(element, "*") == 0)
+ to = element;
+ if (to == NULL || *to == '\0')
+ goto einval;
+
+ if (strcmp(to, "any") == 0 || strcmp(to, "*") == 0)
 new->to_type = RULE_ANY;
 else {
 new->to_type = RULE_UID;
- new->t_uid = strtol(element, &p, 10);
- if (*p != '\0') {
- error = EINVAL;
- goto error;
- }
+ new->to_id = strtol(to, &p, 10);
+ if (*p != '\0')
+ goto einval;
 }
- MPASS(error == 0);
 *rule = new;
 return (0);
-error:
- MPASS(error != 0);
+einval:
 free(new, M_DO);
 *rule = NULL;
- return (error);
+ return (EINVAL);
 }
 /*
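Review bot: `new->from_id = strtol(from_id, &p, 10);` and `new->to_id = strtol(to, &p, 10);` store a `long` into a `u_int` with no range check, so a negative or over-wide number in a rules string is silently converted to a different ID; where `long` is 64 bits, `4294967296` would be stored as 0. The only validation is the trailing-character test `*p != '\0'`, and strtol() also accepts leading whitespace and a sign. The commit message announces a common conversion function, so this may be handled there, but until then a mistyped rule can name a source or target ID the administrator never wrote. Parsing into a temporary and rejecting out-of-range values would close that, e.g. `long v = strtol(from_id, &p, 10);` followed by `if (*p != '\0' || v < 0 || v > UINT_MAX) goto einval;`, and the same for `to`.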
@@ -568,9 +552,9 @@ mac_do_destroy(struct mac_policy_conf *mpc)
 static bool
 rule_applies(struct ucred *cred, struct rule *r)
 {
- if (r->from_type == RULE_UID && r->f_uid == cred->cr_uid)
+ if (r->from_type == RULE_UID && r->from_id == cred->cr_uid)
 return (true);
- if (r->from_type == RULE_GID && groupmember(r->f_gid, cred))
+ if (r->from_type == RULE_GID && groupmember(r->from_id, cred))
 return (true);
 return (false);
 }
@@ -663,25 +647,25 @@ mac_do_check_setuid(struct ucred *cred, uid_t uid)
 rule = find_rules(cred->cr_prison, &pr);
 TAILQ_FOREACH(r, &rule->head, r_entries) {
 if (r->from_type == RULE_UID) {
- if (cred->cr_uid != r->f_uid)
+ if (cred->cr_uid != r->from_id)
 continue;
 if (r->to_type == RULE_ANY) {
 error = 0;
 break;
 }
- if (r->to_type == RULE_UID && uid == r->t_uid) {
+ if (r->to_type == RULE_UID && uid == r->to_id) {
 error = 0;
 break;
 }
 }
 if (r->from_type == RULE_GID) {
- if (!groupmember(r->f_gid, cred))
+ if (!groupmember(r->from_id, cred))
 continue;
 if (r->to_type == RULE_ANY) {
 error = 0;
 break;
 }
- if (r->to_type == RULE_UID && uid == r->t_uid) {
+ if (r->to_type == RULE_UID && uid == r->to_id) {
 error = 0;
 break;
 }