Date: Fri, 14 Nov 2003 12:20:29 -0800 (PST) From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 42373 for review Message-ID: <200311142020.hAEKKTtp064685@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=42373
Change 42373 by areisse@areisse_ibook on 2003/11/14 12:19:49
enabled some permission checks
Affected files ...
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.c#4 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#12 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.c#4 (text+ko) ====
@@ -577,7 +577,7 @@
struct vattr va;
#ifdef __APPLE__
struct proc *curproc = current_proc();
- if (VOP_ISLOCKED(vp) &&
+ if (/*VOP_ISLOCKED(vp) &&*/
!VOP_GETATTR(vp, &va, curproc->p_ucred, curproc)) {
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#12 (text+ko) ====
@@ -318,20 +318,20 @@
AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.vp = vp;
-#if 0
if (file->sclass == 0) {
struct vattr va;
- VOP_GETATTR(vp, &va, curthread->td_ucred, curthread);
+ struct proc *p = current_proc();
+ VOP_GETATTR (vp, &va, p->p_ucred, p);
printf("vnode_has_perm:: ERROR, sid=%d, sclass=0, v_type=%d,"
- " inode=%ld, fsid=%d\n",
- file->sid, vp->v_type, va.va_fileid, va.va_fsid);
+ " inode=%ld, fsid=%d, fstype=%s, mnt=%s\n",
+ file->sid, vp->v_type, va.va_fileid, va.va_fsid, vp->v_mount->mnt_vfc->vfc_name, vp->v_mount->mnt_stat.f_mntonname);
file->sclass = vnode_type_to_security_class(vp->v_type);
if (file->sclass == 0) {
printf("vnode_has_perm:: Giving up\n");
return 1; /* TBD: debugging */
}
}
-#endif
+
return avc_has_perm_ref_audit(task->sid, file->sid, file->sclass, perm, aeref ? aeref : &file->avcr, &ad);
}
@@ -565,8 +565,16 @@
sbsec = SLOT(fslabel);
vsec = SLOT(vlabel);
- vsec->sid = sbsec->sid;
+ vsec->sclass = vnode_type_to_security_class(vp->v_type);
+ if (sbsec == NULL)
+ {
+ if (vp->v_mount != NULL)
+ printf ("create_vnode: no mount label for mnt=%s\n",
+ vp->v_mount->mnt_stat.f_mntonname);
+ }
+ else
+ vsec->sid = sbsec->sid;
}
static void
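Review bot: The `VOP_ISLOCKED(vp)` guard in the avc.c hunk is disabled by commenting it out rather than removed, and nothing records why an unlocked vnode is now acceptable input to `VOP_GETATTR` on this platform. Either delete the dead text or replace it with a comment such as `/* Darwin: VOP_GETATTR does not require vp locked here, so the FreeBSD VOP_ISLOCKED guard is dropped */` if that is indeed the reason, so the next reader does not re-enable it blindly. If the locking requirement does still hold, the attribute lookup in this audit path now runs without it. The enclosing function begins and ends outside the hunk.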
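Review bot: The return value of `VOP_GETATTR (vp, &va, p->p_ucred, p)` in the @@ -318 hunk is ignored, so when it fails the printf reads `va.va_fileid` and `va.va_fsid` from an uninitialized `struct vattr`. The new format arguments also dereference `vp->v_mount` unconditionally, whereas the @@ -565 hunk in the same file guards the identical `mnt_stat.f_mntonname` access with `if (vp->v_mount != NULL)`; a vnode without a mount would fault the kernel in code whose only job is a diagnostic message. Checking the getattr result and resolving the mount strings behind a NULL check, as below, keeps the diagnostic and removes both faults. The enclosing function (presumably vnode_has_perm, judging by the message prefix) starts outside the hunk.
```c
	if (file->sclass == 0) {
		struct vattr va;
		struct proc *p = current_proc();
		const char *fstype = "?", *mnt = "?";

		if (vp->v_mount != NULL) {
			fstype = vp->v_mount->mnt_vfc->vfc_name;
			mnt = vp->v_mount->mnt_stat.f_mntonname;
		}
		if (VOP_GETATTR(vp, &va, p->p_ucred, p) == 0)
			printf("vnode_has_perm:: ERROR, sid=%d, sclass=0, v_type=%d,"
			    " inode=%ld, fsid=%d, fstype=%s, mnt=%s\n",
			    file->sid, vp->v_type, va.va_fileid, va.va_fsid,
			    fstype, mnt);
		else
			printf("vnode_has_perm:: ERROR, sid=%d, sclass=0, v_type=%d,"
			    " fstype=%s, mnt=%s (VOP_GETATTR failed)\n",
			    file->sid, vp->v_type, fstype, mnt);
		/* ... unchanged: sclass fallback and "Giving up" path ... */
	}
```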
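Review bot: In the @@ -565 hunk, when `sbsec == NULL` the new code logs and skips the assignment, so `vsec->sid` keeps whatever `SLOT(vlabel)` held beforehand while `vsec->sclass` is now filled in; the vnode checks wired up in the @@ -2142 hunk will presumably then be evaluated against that unset SID. Assign an explicit fallback in that branch — the unlabeled initial SID (`SECINITSID_UNLABELED` in the flask headers) if this tree carries it — so the outcome is defined, and mark it with `/* no mount label: fall back to the unlabeled SID rather than leave vsec->sid unset */`. The `"create_vnode: ..."` prefix is the same string the @@ -1421 hunk prints from a different function, so one of the two messages misidentifies its origin. The enclosing function here starts outside the hunk.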
@@ -1421,6 +1429,12 @@
if (dvp->v_mount) {
/* XXX: mpo_check_vnode_create should probably pass the mntlabel */
sbsec = SLOT (&dvp->v_mount->mnt_mntlabel);
+ if (sbsec == NULL)
+ {
+ printf ("create_vnode: no mount label for mnt=%s\n",
+ dvp->v_mount->mnt_stat.f_mntonname);
+ return 0;
+ }
rc = avc_has_perm_audit(newsid, sbsec->sid, SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, &ad);
if (rc)
@@ -2135,6 +2149,7 @@
.mpo_create_devfs_device = sebsd_create_devfs_device,
+ .mpo_associate_vnode_singlelabel = sebsd_associate_vnode_singlelabel,
.mpo_associate_vnode_extattr = sebsd_associate_vnode_extattr,
.mpo_associate_vnode_devfs = sebsd_associate_vnode_devfs,
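Review bot: The added `return 0;` when `sbsec == NULL` makes the missing-mount-label case succeed, so a vnode created on an unlabeled mount skips the `FILESYSTEM__ASSOCIATE` decision entirely instead of being refused — the check fails open exactly where the label it depends on is absent. If the surrounding function follows the MAC convention that nonzero means deny (the `if (rc)` after `avc_has_perm_audit` suggests it does), return an error there, e.g. `return EPERM;`, or at minimum record the permissive choice with `/* XXX fail-open: unlabeled mount, create allowed until every mount is labeled */`. The enclosing function starts and ends outside the hunk; note also that the @@ -2142 hunk leaves `.mpo_check_vnode_create` commented out, so if this code lives in that hook it is not reached at all.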
@@ -2142,6 +2157,44 @@
.mpo_execve_will_transition = sebsd_execve_will_transition,
.mpo_execve_transition = sebsd_execve_transition,
+ /* Checks */
+ .mpo_check_proc_signal = sebsd_check_proc_signal,
+ .mpo_check_vnode_access = sebsd_check_vnode_access,
+ .mpo_check_vnode_chdir = sebsd_check_vnode_chdir,
+ .mpo_check_vnode_chroot = sebsd_check_vnode_chroot,
+ //.mpo_check_vnode_create = sebsd_check_vnode_create,
+ .mpo_check_vnode_delete = sebsd_check_vnode_delete,
+
+#ifdef EXTATTR
+ .mpo_check_vnode_exec = sebsd_check_vnode_exec,
+
+ .mpo_check_vnode_getextattr = sebsd_check_vnode_getextattr,
+ .mpo_check_vnode_listextattr = NOT_IMPLEMENTED,
+ .mpo_check_vnode_deleteextattr = NOT_IMPLEMENTED,
+#endif
+ .mpo_check_vnode_link = sebsd_check_vnode_link,
+ .mpo_check_vnode_lookup = sebsd_check_vnode_lookup,
+ .mpo_check_vnode_mmap = sebsd_check_vnode_mmap,
+ .mpo_check_vnode_mprotect = sebsd_check_vnode_mmap,
+ .mpo_check_vnode_open = sebsd_check_vnode_open,
+ .mpo_check_vnode_poll = sebsd_check_vnode_poll,
+ .mpo_check_vnode_read = sebsd_check_vnode_read,
+ .mpo_check_vnode_readdir = sebsd_check_vnode_readdir,
+ .mpo_check_vnode_readlink = sebsd_check_vnode_readlink,
+ .mpo_check_vnode_relabel = sebsd_check_vnode_relabel,
+ .mpo_check_vnode_rename_from = sebsd_check_vnode_rename_from,
+ .mpo_check_vnode_rename_to = sebsd_check_vnode_rename_to,
+ .mpo_check_vnode_revoke = sebsd_check_vnode_revoke,
+#ifdef HAS_EXTATTRS
+ .mpo_check_vnode_setextattr = sebsd_check_vnode_setextattr,
+#endif
+ .mpo_check_vnode_setflags = sebsd_check_vnode_setflags,
+ .mpo_check_vnode_setmode = sebsd_check_vnode_setmode,
+ .mpo_check_vnode_setowner = sebsd_check_vnode_setowner,
+ .mpo_check_vnode_setutimes = sebsd_check_vnode_setutimes,
+ .mpo_check_vnode_stat = sebsd_check_vnode_stat,
+ .mpo_check_vnode_write = sebsd_check_vnode_write,
+ .mpo_syscall = sebsd_syscall
};
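Review bot: The extended-attribute hooks are guarded by two different macros — `#ifdef EXTATTR` around `mpo_check_vnode_exec`, `getextattr`, `listextattr` and `deleteextattr`, and `#ifdef HAS_EXTATTRS` around `mpo_check_vnode_setextattr` — so unless both happen to be defined one group is silently compiled out, and because `mpo_check_vnode_exec` sits inside the EXTATTR block the exec check vanishes with it. Use one macro name for all of them and move `.mpo_check_vnode_exec = sebsd_check_vnode_exec,` outside the conditional unless it genuinely depends on extattr support. `.mpo_check_vnode_create` is left commented out with `//` and no reason given; delete it or add why, and `.mpo_check_vnode_mprotect = sebsd_check_vnode_mmap,` reuses the mmap handler, which is only correct if the two hook signatures match — a one-line comment such as `/* mprotect takes the same (cred, vp, label, prot) as mmap */` would record that the match was checked, if it was.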