From owner-p4-projects Thu Jan 2 12:29: 9 2003 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D04F737B405; Thu, 2 Jan 2003 12:29:01 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5199237B401 for ; Thu, 2 Jan 2003 12:29:01 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id EDB5343EA9 for ; Thu, 2 Jan 2003 12:29:00 -0800 (PST) (envelope-from cvance@tislabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h02KT0fh014993 for ; Thu, 2 Jan 2003 12:29:00 -0800 (PST) (envelope-from cvance@tislabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h02KT0nh014990 for perforce@freebsd.org; Thu, 2 Jan 2003 12:29:00 -0800 (PST) Date: Thu, 2 Jan 2003 12:29:00 -0800 (PST) Message-Id: <200301022029.h02KT0nh014990@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to cvance@tislabs.com using -f 
From: Chris Vance Subject: PERFORCE change 23060 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=23060 Change 23060 by cvance@cvance_laptop on 2003/01/02 12:28:25 Allow SEBSD to be pushed into enforcing mode via a sysctl. We'll leave the system call intact for now as well. This should permit the very special pain of booting in enforcing mode. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#12 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.h#10 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#7 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#12 (text+ko) ==== @@ -875,7 +875,23 @@ return 0; } +int +sys_avc_set_enforcing(struct thread *td, int enforcing) +{ + int error; + + error = thread_has_system(td, SYSTEM__AVC_TOGGLE); + if (error) + return (error); + if (enforcing && avc_debug_always_allow) { + avc_ss_reset(avc_cache.latest_notif); + if (!ss_initialized && security_init() != 0) + panic("SELinux: Could not initialize\n"); + } + avc_debug_always_allow = !enforcing; + return (0); +} #ifdef CONFIG_SECURITY_SELINUX_DEVELOP /* * TBD: should have build-time non development mode that does not permit ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.h#10 (text+ko) ==== @@ -344,6 +344,7 @@ #ifdef _KERNEL extern int sys_avc_toggle(struct thread *td); extern int sys_avc_enforcing(struct thread *td); +extern int sys_avc_set_enforcing(struct thread *td, int enforcing); #endif #endif /* _LINUX_AVC_H_ */ ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#7 (text+ko) ==== @@ -47,6 +47,8 @@ #include #include +#include + /* * Sysctl handler for security.mac.sebsd.sids * Lists the SIDs currently active in the security server 
@@ -93,7 +95,6 @@ return (error); } -#if 0 /* * Sysctl handler for security.mac.sebsd.enforcing * Get and/or set whether the avc is in enforcement mode. @@ -103,30 +104,21 @@ { int error, enforcing; - if (req->oldptr != NULL) { - /* XXX Always allow the users to find out? */ - enforcing = !avc_debug_always_allow; - error = SYSCTL_OUT(req, &enforcing, sizeof(enforcing)); - if (error) - return (error); - } + /* TBD: XXX Always allow the users to find out? */ + enforcing = !avc_debug_always_allow; + error = SYSCTL_OUT(req, &enforcing, sizeof(enforcing)); + if (error) + return (error); + if (req->newptr != NULL) { - error = thread_has_system(curthread, SYSTEM__AVC_TOGGLE); - if (error) - return (error); error = SYSCTL_IN(req, &enforcing, sizeof(enforcing)); if (error) return (error); - if (enforcing && avc_debug_always_allow) { - avc_ss_reset(avc_cache.latest_notif); - if (!ss_initialized && security_init() != 0) - panic("SELinux: Could not initialize\n"); - } - avc_debug_always_allow = !enforcing; + return(sys_avc_set_enforcing(curthread, enforcing)); } + return (0); } -#endif /* * Sysctl handler for security.mac.sebsd.user_sids @@ -257,8 +249,5 @@ SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, change_sid, CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_change_sid, "A", "SEBSD (tty) SID relabel to perform along with transition"); - -#if 0 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW, - 0, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement"); -#endif + NULL, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement"); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
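Review bot: in the avc.c hunk adding sys_avc_set_enforcing(), a failed security_init() now ends in panic("SELinux: Could not initialize\n") on what has become a sysctl write path, so a thread that holds SYSTEM__AVC_TOGGLE can turn a policy that failed to load into a kernel crash; return an error (the security_init() result, or ENXIO) and leave avc_debug_always_allow unchanged instead, which the caller already propagates. While touching that line, the message names SELinux on an SEBSD path and the trailing "\n" is redundant because panic(9) appends its own newline. Two smaller points: avc_ss_reset(avc_cache.latest_notif) runs before security_init() in the not-yet-initialized case, so consider initializing first and resetting the cache against an initialized server; and add a blank line between the closing brace and the #ifdef CONFIG_SECURITY_SELINUX_DEVELOP that follows.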
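Review bot: in the avc.h hunk, the new `extern int sys_avc_set_enforcing(struct thread *td, int enforcing);` states no contract for its arguments or its privilege check; since the neighbouring sys_avc_toggle and sys_avc_enforcing declarations carry no comment either, add one here saying that the caller is checked for SYSTEM__AVC_TOGGLE, that any non-zero `enforcing` means enforce, and that the function may fail with the error from that check, so the sysctl and the retained system call agree on the sense of the flag.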
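Review bot: in the sysctl_sebsd_enforcing hunk, the read side is now unconditionally open to anyone who can read the node, and the comment `/* TBD: XXX Always allow the users to find out? */` leaves that decision unresolved; decide it in this change, either by keeping the read unrestricted and saying so, or by gating it on a permission the way the write path is. On the write path, SYSCTL_IN now runs before sys_avc_set_enforcing() performs the SYSTEM__AVC_TOGGLE check, so an unprivileged writer has its value copied in before being refused; harmless, but the removed code checked first, and the old ordering is cheap to keep by checking before the copy-in. Style: `return(sys_avc_set_enforcing(curthread, enforcing));` wants the space after return that style(9) asks for and that the `return (0);` below it already uses.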
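Review bot: in the SYSCTL_PROC hunk, the enforcing node is CTLTYPE_INT | CTLFLAG_RW without CTLFLAG_ANYBODY, unlike change_sid just above it, so a write must pass the generic sysctl privilege check before the handler's SYSTEM__AVC_TOGGLE check ever runs; if stacking the two is intended, note it in a comment, since under SEBSD the policy check is the one that should decide. Also, the commit message's aim of booting in enforcing mode is not reached by a plain sysctl: /etc/sysctl.conf is applied by rc after init(8) has started, so everything before that point runs with avc_debug_always_allow set. If enforcing-from-boot is the goal, back the value with a loader tunable (TUNABLE_INT) consulted at initialization in addition to this sysctl.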