Date: Mon, 20 Oct 2003 15:17:24 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 40029 for review Message-ID: <200310202217.h9KMHOdq094063@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=40029 Change 40029 by rwatson@rwatson_tislabs on 2003/10/20 15:17:11 Include security/mac/mac_internal.h for global MAC Framework definitions. Don't SYSCTL_DECL() security, it's done in mac_internal.h. Export mac_late globally, will be needed when bits of the Framework are pulled out. Don't define debug counter macros, it's in mac_internal.h. Remove error_select() prototype, it's now mac_error_select(), and prototyped in mac_internal.h. Pull out pipe code, moved to mac_internal.h. Globalize and re-type mac_policy_list and mac_static_policy_list. Unstaticize/inline various policy list lock functions, since they are now used from outside kern_mac.c. Remove composition macros, now in mac_internal.h. Unstaticize basic label functions (init, destroy, consistency) required from per-object implementations. Hook up mac_pipe.c for MAC implementation for pipes. A similar model will be used to break out other objects from kern_mac.c. Affected files ... .. //depot/projects/trustedbsd/mac/sys/conf/files#85 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#412 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/conf/files#85 (text+ko) ==== @@ -1588,6 +1588,7 @@ posix4/p1003_1b.c standard posix4/posix4_mib.c standard kern/uipc_sem.c optional p1003_1b_semaphores +security/mac/mac_pipe.c optional mac security/mac_biba/mac_biba.c optional mac_biba security/mac_bsdextended/mac_bsdextended.c optional mac_bsdextended security/mac_ifoff/mac_ifoff.c optional mac_ifoff ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#412 (text+ko) ==== @@ -92,6 +92,8 @@ #include <netinet/in.h> #include <netinet/ip_var.h> +#include <security/mac/mac_internal.h> + #ifdef MAC /* @@ -101,8 +103,6 @@ */ MODULE_VERSION(kernel_mac_support, 1); -SYSCTL_DECL(_security); - SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls"); 
@@ -120,7 +120,7 @@ * access to this variable is serialized during the boot process. Following * the end of serialization, we don't update this flag; no locking. */ -static int mac_late = 0; +int mac_late = 0; /* * Warn about EA transactions only the first time they happen. @@ -158,11 +158,6 @@ &mac_enforce_network, 0, "Enforce MAC policy on network packets"); TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); -static int mac_enforce_pipe = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, - &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); -TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe); - static int mac_enforce_posix_sem = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_sem, CTLFLAG_RW, &mac_enforce_posix_sem, 0, "Enforce MAC policy on global POSIX semaphores"); @@ -219,12 +214,9 @@ static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, - nmacipqs, nmacpipes, nmacprocs, nmacipcmsgs, nmacipcmsqs, + nmacipqs, nmacprocs, nmacipcmsgs, nmacipcmsqs, nmacipcsemas, nmacipcshms, nmacposixksems; -#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int(x, 1); -#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int(x, 1); - SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD, @@ -237,8 +229,6 @@ &nmacbpfdescs, 0, "number of bpfdescs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); -SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, - &nmacpipes, 0, "number of pipes in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, &nmacprocs, 0, "number of procs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, 
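Review bot: `int mac_late = 0;` is now visible to every file that includes mac_internal.h, but the only statement of its concurrency contract — the comment above it saying writes are serialized during boot and the flag is never updated afterwards, so it needs no locking — stays here in kern_mac.c where readers of the extern declaration will not see it. A per-object file that later reads mac_late cannot tell from the declaration alone that it must not write it after boot. Please carry the invariant to the declaration, e.g. `extern int mac_late; /* written only during serialized boot; read-only afterwards, no locking */`. That declaration lives in mac_internal.h, outside this diff.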
@@ -259,12 +249,8 @@ &nmacipcshms, 0, "number of sysv ipc shm identifiers inuse"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, posix_ksems, CTLFLAG_RD, &nmacposixksems, 0, "number of posix global semaphores inuse"); -#else -#define MAC_DEBUG_COUNTER_INC(x) -#define MAC_DEBUG_COUNTER_DEC(x) #endif -static int error_select(int error1, int error2); static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); @@ -278,7 +264,6 @@ static int mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, struct label *intlabel); -MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage"); /* @@ -304,8 +289,8 @@ static struct cv mac_policy_cv; static int mac_policy_count; #endif -static LIST_HEAD(, mac_policy_conf) mac_policy_list; -static LIST_HEAD(, mac_policy_conf) mac_static_policy_list; +struct mac_policy_list_head mac_policy_list; +struct mac_policy_list_head mac_static_policy_list; /* * We manually invoke WITNESS_WARN() to allow Witness to generate @@ -316,7 +301,7 @@ * framework to become quiescent so that a policy list change may * be made. */ -static __inline void +void mac_policy_grab_exclusive(void) { @@ -329,7 +314,7 @@ #endif } -static __inline void +void mac_policy_assert_exclusive(void) { @@ -340,7 +325,7 @@ #endif } -static __inline void +void mac_policy_release_exclusive(void) { @@ -352,7 +337,7 @@ #endif } -static __inline void +void mac_policy_list_busy(void) { @@ -363,7 +348,7 @@ #endif } -static __inline int +int mac_policy_list_conditional_busy(void) { #ifndef MAC_STATIC @@ -382,7 +367,7 @@ #endif } -static __inline void +void mac_policy_list_unbusy(void) { 
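Review bot: `struct mac_policy_list_head mac_policy_list;` and `mac_static_policy_list` go from file-private to global, so any translation unit can now modify the root data structure of MAC enforcement, yet the locking rule is still only implicit in the composition macros: the dynamic list is walked between mac_policy_list_conditional_busy() and mac_policy_list_unbusy() and may be changed only while mac_policy_grab_exclusive() is held, while the static list is walked with no busy/unbusy pair (see the removed MAC_CHECK below). Please state that at the definitions, e.g. `/* Modify mac_policy_list only under mac_policy_grab_exclusive(); walk it only between mac_policy_list_conditional_busy() and mac_policy_list_unbusy(). mac_static_policy_list is walked without busying. */`. The `struct mac_policy_list_head` tag is presumably introduced in mac_internal.h via LIST_HEAD(); that file is outside this diff, so I could not confirm the element type still matches `struct mac_policy_conf`.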
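Review bot: `int mac_policy_list_conditional_busy(void)` becomes an exported non-inline function whose return value carries an obligation — in the removed macros a nonzero result is what makes the caller responsible for calling mac_policy_list_unbusy() — and with the macros moving to a header that obligation is now exercised from other files without any comment documenting it at the definition. The `#ifndef MAC_STATIC` visible at the top of the body suggests the function behaves differently when MAC_STATIC is defined, which a caller outside this file also cannot see; I would add above the definition `/* Returns nonzero when the dynamic policy list was busied and the caller must later call mac_policy_list_unbusy(); returns 0 when there is nothing to walk. */` (hedged: confirm the MAC_STATIC branch against the rest of the body, which lies outside the hunk). The same applies to the grab/release/busy/unbusy functions in the surrounding hunks, which are exported here with no contract comments.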
@@ -397,152 +382,6 @@ } /* - * MAC_CHECK performs the designated check by walking the policy - * module list and checking with each as to how it feels about the - * request. Note that it returns its value via 'error' in the scope - * of the caller. - */ -#define MAC_CHECK(check, args...) do { \ - struct mac_policy_conf *mpc; \ - int entrycount; \ - \ - error = 0; \ - LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \ - if (mpc->mpc_ops->mpo_ ## check != NULL) \ - error = error_select( \ - mpc->mpc_ops->mpo_ ## check (args), \ - error); \ - } \ - if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \ - LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ - if (mpc->mpc_ops->mpo_ ## check != NULL) \ - error = error_select( \ - mpc->mpc_ops->mpo_ ## check (args), \ - error); \ - } \ - mac_policy_list_unbusy(); \ - } \ -} while (0) - -/* - * MAC_BOOLEAN performs the designated boolean composition by walking - * the module list, invoking each instance of the operation, and - * combining the results using the passed C operator. Note that it - * returns its value via 'result' in the scope of the caller, which - * should be initialized by the caller in a meaningful way to get - * a meaningful result. - */ -#define MAC_BOOLEAN(operation, composition, args...) 
do { \ - struct mac_policy_conf *mpc; \ - int entrycount; \ - \ - LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \ - if (mpc->mpc_ops->mpo_ ## operation != NULL) \ - result = result composition \ - mpc->mpc_ops->mpo_ ## operation (args); \ - } \ - if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \ - LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ - if (mpc->mpc_ops->mpo_ ## operation != NULL) \ - result = result composition \ - mpc->mpc_ops->mpo_ ## operation \ - (args); \ - } \ - mac_policy_list_unbusy(); \ - } \ -} while (0) - -#define MAC_EXTERNALIZE(type, label, elementlist, outbuf, \ - outbuflen) do { \ - int claimed, first, ignorenotfound, savedlen; \ - char *element_name, *element_temp; \ - struct sbuf sb; \ - \ - error = 0; \ - first = 1; \ - sbuf_new(&sb, outbuf, outbuflen, SBUF_FIXEDLEN); \ - element_temp = elementlist; \ - while ((element_name = strsep(&element_temp, ",")) != NULL) { \ - if (element_name[0] == '?') { \ - element_name++; \ - ignorenotfound = 1; \ - } else \ - ignorenotfound = 0; \ - savedlen = sbuf_len(&sb); \ - if (first) \ - error = sbuf_printf(&sb, "%s/", element_name); \ - else \ - error = sbuf_printf(&sb, ",%s/", element_name); \ - if (error == -1) { \ - error = EINVAL; /* XXX: E2BIG? */ \ - break; \ - } \ - claimed = 0; \ - MAC_CHECK(externalize_ ## type, label, element_name, \ - &sb, &claimed); \ - if (error) \ - break; \ - if (claimed == 0 && ignorenotfound) { \ - /* Revert last label name. */ \ - sbuf_setpos(&sb, savedlen); \ - } else if (claimed != 1) { \ - error = EINVAL; /* XXX: ENOLABEL? 
*/ \ - break; \ - } else { \ - first = 0; \ - } \ - } \ - sbuf_finish(&sb); \ -} while (0) - -#define MAC_INTERNALIZE(type, label, instring) do { \ - char *element, *element_name, *element_data; \ - int claimed; \ - \ - error = 0; \ - element = instring; \ - while ((element_name = strsep(&element, ",")) != NULL) { \ - element_data = element_name; \ - element_name = strsep(&element_data, "/"); \ - if (element_data == NULL) { \ - error = EINVAL; \ - break; \ - } \ - claimed = 0; \ - MAC_CHECK(internalize_ ## type, label, element_name, \ - element_data, &claimed); \ - if (error) \ - break; \ - if (claimed != 1) { \ - /* XXXMAC: Another error here? */ \ - error = EINVAL; \ - break; \ - } \ - } \ -} while (0) - -/* - * MAC_PERFORM performs the designated operation by walking the policy - * module list and invoking that operation for each policy. - */ -#define MAC_PERFORM(operation, args...) do { \ - struct mac_policy_conf *mpc; \ - int entrycount; \ - \ - LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \ - if (mpc->mpc_ops->mpo_ ## operation != NULL) \ - mpc->mpc_ops->mpo_ ## operation (args); \ - } \ - if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \ - LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ - if (mpc->mpc_ops->mpo_ ## operation != NULL) \ - mpc->mpc_ops->mpo_ ## operation (args); \ - } \ - mac_policy_list_unbusy(); \ - } \ -} while (0) - -/* * Initialize the MAC subsystem, including appropriate SMP locks. */ static void @@ -768,8 +607,8 @@ * Define an error value precedence, and given two arguments, selects the * value with the higher precedence. */ -static int -error_select(int error1, int error2) +int +mac_error_select(int error1, int error2) { /* Certain decision-making errors take top priority. */ @@ -813,7 +652,7 @@ return (label); } -static void +void mac_init_label(struct label *label) { @@ -821,7 +660,7 @@ label->l_flags = MAC_FLAG_INITIALIZED; } -static void +void mac_destroy_label(struct label *label) { 
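Review bot: `void mac_init_label(struct label *label)` and `void mac_destroy_label(struct label *label)` are exported so per-object files can build their own init/destroy paths, but the ordering they must follow is stated nowhere at the definitions: the removed pipe code below shows the framework init running before the policies' init_*_label hook and the policies' destroy_*_label hook running before mac_destroy_label, and the visible `label->l_flags = MAC_FLAG_INITIALIZED;` is what policies rely on seeing. I would add `/* Framework-level label setup; call before the policies' init_*_label hooks. */` above mac_init_label and `/* Framework-level teardown; call only after the policies' destroy_*_label hooks have run. */` above mac_destroy_label. The body of mac_init_label between the two hunks and the body of mac_destroy_label after the second are outside the diff.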
@@ -994,26 +833,6 @@ MAC_DEBUG_COUNTER_INC(&nmacmounts); } -static void -mac_init_pipe_label(struct label *label) -{ - - mac_init_label(label); - MAC_PERFORM(init_pipe_label, label); - MAC_DEBUG_COUNTER_INC(&nmacpipes); -} - -void -mac_init_pipe(struct pipe *pipe) -{ - struct label *label; - - label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); - pipe->pipe_label = label; - pipe->pipe_peer->pipe_label = label; - mac_init_pipe_label(label); -} - void mac_init_posix_ksem(struct ksem *ksemptr) { @@ -1216,23 +1035,6 @@ MAC_DEBUG_COUNTER_DEC(&nmacmounts); } -static void -mac_destroy_pipe_label(struct label *label) -{ - - MAC_PERFORM(destroy_pipe_label, label); - mac_destroy_label(label); - MAC_DEBUG_COUNTER_DEC(&nmacpipes); -} - -void -mac_destroy_pipe(struct pipe *pipe) -{ - - mac_destroy_pipe_label(pipe->pipe_label); - free(pipe->pipe_label, M_MACPIPELABEL); -} - void mac_destroy_posix_ksem(struct ksem *ksemptr) { @@ -1307,13 +1109,6 @@ MAC_PERFORM(copy_mbuf_label, src_label, dest_label); } -static void -mac_copy_pipe_label(struct label *src, struct label *dest) -{ - - MAC_PERFORM(copy_pipe_label, src, dest); -} - void mac_copy_vnode_label(struct label *src, struct label *dest) { @@ -1321,7 +1116,7 @@ MAC_PERFORM(copy_vnode_label, src, dest); } -static int +int mac_check_structmac_consistent(struct mac *mac) { @@ -1355,17 +1150,6 @@ } static int -mac_externalize_pipe_label(struct label *label, char *elements, - char *outbuf, size_t outbuflen, int flags) -{ - int error; - - MAC_EXTERNALIZE(pipe_label, label, elements, outbuf, outbuflen); - - return (error); -} - -static int mac_externalize_socket_label(struct label *label, char *elements, char *outbuf, size_t outbuflen, int flags) { 
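Review bot: `int mac_check_structmac_consistent(struct mac *mac)` is exported without a comment saying when it must be called, although it is the one validation step for a `struct mac` that, judging by the name and its getsockopt neighbours, presumably comes from user space; once per-object files implement their own label get/set entry points, skipping it is an easy mistake that the compiler will not catch. I would add `/* Validate a struct mac received from user space before any of its fields are used; every entry point that copies one in must call this first. */` above the definition, hedged on confirming the user-space origin against the body, which lies outside the hunk.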
@@ -1419,16 +1203,6 @@ } static int -mac_internalize_pipe_label(struct label *label, char *string) -{ - int error; - - MAC_INTERNALIZE(pipe_label, label, string); - - return (error); -} - -static int mac_internalize_socket_label(struct label *label, char *string) { int error; @@ -2416,13 +2190,6 @@ } void -mac_create_pipe(struct ucred *cred, struct pipe *pipe) -{ - - MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); -} - -void mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { @@ -2439,13 +2206,6 @@ MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); } -static void -mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) -{ - - MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); -} - void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) { 
@@ -3053,98 +2813,6 @@ } int -mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, - void *data) -{ - int error; - - PIPE_LOCK_ASSERT(pipe, MA_OWNED); - - if (!mac_enforce_pipe) - return (0); - - MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); - - return (error); -} - -int -mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) -{ - int error; - - PIPE_LOCK_ASSERT(pipe, MA_OWNED); - - if (!mac_enforce_pipe) - return (0); - - MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); - - return (error); -} - -int -mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) -{ - int error; - - PIPE_LOCK_ASSERT(pipe, MA_OWNED); - - if (!mac_enforce_pipe) - return (0); - - MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); - - return (error); -} - -static int -mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, - struct label *newlabel) -{ - int error; - - PIPE_LOCK_ASSERT(pipe, MA_OWNED); - - if (!mac_enforce_pipe) - return (0); - - MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); - - return (error); -} - -int -mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) -{ - int error; - - PIPE_LOCK_ASSERT(pipe, MA_OWNED); - - if (!mac_enforce_pipe) - return (0); - - MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); - - return (error); -} - -int -mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) -{ - int error; - - PIPE_LOCK_ASSERT(pipe, MA_OWNED); - - if (!mac_enforce_pipe) - return (0); - - MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); - - return (error); -} - -int mac_check_posix_sem_close(struct ucred *cred, struct ksem *ksemptr) { int error; 
@@ -3687,22 +3355,6 @@ } int -mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) -{ - int error; - - PIPE_LOCK_ASSERT(pipe, MA_OWNED); - - error = mac_check_pipe_relabel(cred, pipe, label); - if (error) - return (error); - - mac_relabel_pipe(cred, pipe, label); - - return (0); -} - -int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *mac) {help
