Date: Tue, 25 Nov 2003 08:11:44 -0800 (PST) From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 43036 for review Message-ID: <200311251611.hAPGBi2V007795@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=43036 Change 43036 by areisse@areisse_ibook on 2003/11/25 08:11:44 chdir and exec permission checks execve handles script labels Affected files ... .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exec.c#4 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#33 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac.h#8 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac_policy.h#7 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/vfs/vfs_syscalls.c#12 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#19 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exec.c#4 (text+ko) ==== @@ -212,8 +212,8 @@ char *ws_cache_name = NULL; /* used for pre-heat */ int cred_change = 0; #ifdef MAC - struct label execlabel; - struct label *execlabelp; + struct label execlabel, scriptlabel; + struct label *execlabelp, *scriptlabelp = NULL; int no_trans = 0; int will_transition = 0; #endif @@ -247,7 +247,7 @@ error = execargs_alloc(&execargs); if (error) - return(error); + goto free_execl; savedpath = execargs; @@ -267,7 +267,7 @@ error = copyinstr(uap->fname, savedpath, MAXPATHLEN, &savedpathlen); if (error) - return (error); + goto free_execl; /* * copyinstr will put in savedpathlen, the count of * characters (including NULL) in the path. @@ -319,6 +319,11 @@ *(&vattr) = *(&origvattr); again: +#ifdef MAC + error = mac_check_vnode_exec (p->p_ucred, vp, execlabelp); + if (error) + goto bad; +#endif error = check_exec_access(p, vp, &vattr); if (error) goto bad; 
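Review bot: `execlabelp` still has no initializer in the changed declaration at the top of the first hunk (`struct label *execlabelp, *scriptlabelp = NULL;`), yet the new `free_execl` block in hunk @@ -884 tests it, and the `goto free_execl` added in hunks @@ -247 and @@ -267 can reach that test before execlabelp is assigned; unless an assignment sits between the declarations and the execargs_alloc failure path (not in the diff), those early errors read an indeterminate pointer and may call mac_destroy_cred_label on garbage. Initialize both: `struct label *execlabelp = NULL, *scriptlabelp = NULL;`. If execlabel is also destroyed somewhere on the existing `bad:` path, that destroy should now be removed, since free_execl destroys it whenever the pointer is non-NULL. execve's body continues outside each of these hunks.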
@@ -415,6 +420,14 @@ /* Save the name aside for future use */ execargsp = (vm_offset_t *)((char *)(execargs) + savedpathlen); + /* Copy the script label for later use. Note that + the label can be different when the script is actually + read by the interpreter. */ +#ifdef MAC + scriptlabelp = &scriptlabel; + mac_init_vnode_label (&scriptlabel); + mac_copy_vnode_label (&vp->v_label, &scriptlabel); +#endif indir = 1; vput(vp); nd.ni_cnd.cn_nameiop = LOOKUP; @@ -602,7 +615,7 @@ /* Transitions */ #ifdef MAC - will_transition = mac_execve_will_transition (p->p_ucred, vp, NULL, + will_transition = mac_execve_will_transition (p->p_ucred, vp, scriptlabelp, execlabelp); cred_change |= will_transition; #endif @@ -645,7 +658,7 @@ #ifdef MAC if (will_transition && !no_trans) - mac_execve_transition (cred, p->p_ucred, vp, NULL, execlabelp); + mac_execve_transition (cred, p->p_ucred, vp, scriptlabelp, execlabelp); #endif crfree (cred); @@ -884,8 +897,14 @@ if (!error && vfexec) { vfork_return(current_act(), p->p_pptr, p, retval); (void) thread_resume(thr_act); - return(0); } +free_execl: +#ifdef MAC + if (execlabelp) + mac_destroy_cred_label (execlabelp); + if (scriptlabelp) + mac_destroy_vnode_label (scriptlabelp); +#endif return(error); } ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#33 (text+ko) ==== @@ -1095,7 +1095,7 @@ MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs); } -static void +void mac_destroy_cred_label(struct label *label) { @@ -1593,7 +1593,7 @@ void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, - struct label *interpvnodelabel, struct label *execl) + struct label *scriptvnodelabel, struct label *execl) { ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); 
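Review bot: The label snapshot in hunk @@ -415 calls mac_init_vnode_label on `scriptlabel` unconditionally, so if this interpreter path can be entered a second time (the `indir` guard that would reject nested interpreters is outside the hunk) the first copy is initialized over and never destroyed; only the last one is released at free_execl. Guarding the block with `if (scriptlabelp == NULL) {` … `}` keeps one init per exec. The added comment correctly notes that the label may differ when the interpreter later re-opens the script; it would help to add that the transition decision in hunks @@ -602 and @@ -645 is therefore based on this snapshot, not on the file the interpreter eventually reads. execve's body continues outside the hunk.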
@@ -1601,13 +1601,17 @@ if (!mac_enforce_process && !mac_enforce_fs) return; - MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label, - interpvnodelabel, execl); + if (scriptvnodelabel) + MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label, + scriptvnodelabel, execl); + else + MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label, + NULL, execl); } int mac_execve_will_transition(struct ucred *old, struct vnode *vp, - struct label *interpvnodelabel, struct label *execlabel) + struct label *scriptvnodelabel, struct label *execlabel) { int result; @@ -1617,8 +1621,12 @@ return (0); result = 0; - MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label, - interpvnodelabel, execlabel); + if (scriptvnodelabel) + MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label, + scriptvnodelabel, execlabel); + else + MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label, + NULL, execlabel); return (result); } @@ -1729,10 +1737,8 @@ } #endif -#if 0 int -mac_check_vnode_exec(struct ucred *cred, struct vnode *vp, - struct image_params *imgp) +mac_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *execl) { int error; @@ -1741,12 +1747,10 @@ if (!mac_enforce_process && !mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp, - imgp->execlabel); + MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, execl); return (error); } -#endif #if 0 int ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac.h#8 (text+ko) ==== @@ -107,7 +107,6 @@ struct devnode; struct ifnet; struct ifreq; -struct image_params; struct ipq; struct m_tag; struct mbuf; 
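Review bot: The new if/else in hunk @@ -1601 issues the same MAC_PERFORM in both branches, because in the else branch `scriptvnodelabel` is already NULL; the branch adds nothing except a second copy of the call to keep in sync. A single `MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label, scriptvnodelabel, execl);` is equivalent, and the same applies to the MAC_BOOLEAN pair in hunk @@ -1617. mac_execve_transition starts in the preceding hunk, outside this one.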
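Review bot: Hunk @@ -107 of mac.h drops the `struct image_params;` forward declaration, but the context of hunk @@ -227 still shows `void mac_execve_exit(struct image_params *imgp);` using that type; unless that prototype is inside an `#if 0` region opened above the hunk, the tag now has prototype scope only, and any caller passing a real image_params pointer gets an incompatible-pointer-type diagnostic. Either keep the forward declaration or retire the mac_execve_exit prototype in the same change.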
@@ -227,10 +226,10 @@ struct label *execlabel); void mac_execve_exit(struct image_params *imgp); void mac_execve_transition(struct ucred *old, struct ucred *new, - struct vnode *vp, struct label *interpvnodelabel, + struct vnode *vp, struct label *scriptvnodelabel, struct label *execlabel); int mac_execve_will_transition(struct ucred *old, struct vnode *vp, - struct label *interpvnodelabel, struct label *execlabel); + struct label *scriptvnodelabel, struct label *execlabel); void mac_create_proc0(struct ucred *cred); void mac_create_proc1(struct ucred *cred); #if 0 @@ -294,7 +293,7 @@ acl_type_t type); #endif int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp, - struct image_params *imgp); + struct label *execlabel); #if 0 int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type); ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac_policy.h#7 (text+ko) ==== @@ -395,12 +395,11 @@ struct componentname *cnp); int (*mpo_check_vnode_deleteextattr)(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name); + int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp, + struct label *label, struct label *execlabel); #if 0 int (*mpo_check_vnode_deleteacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type); - int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp, - struct label *label, struct image_params *imgp, - struct label *execlabel); int (*mpo_check_vnode_getacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type); #endif ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/vfs/vfs_syscalls.c#12 (text+ko) ==== @@ -998,7 +998,13 @@ if (vp->v_type != VDIR) error = ENOTDIR; else + { +#ifdef MAC + error = mac_check_vnode_chdir (p->p_ucred, ndp->ni_vp); + if (0 == error) +#endif error = VOP_ACCESS(vp, VEXEC, p->p_ucred, p); + } if (error) vput(vp); else ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#19 (text+ko) ==== 
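Review bot: The re-enabled `mpo_check_vnode_exec` hook in hunk @@ -395 of mac_policy.h has no comment on its arguments, and `execlabel` can apparently be NULL: the kern_exec.c caller passes a pointer that its new free_execl cleanup tests for NULL before destroying. A comment such as `/* label: vp's label; execlabel: requested transition label, or NULL when none was supplied */` would tell policy authors to tolerate the NULL. The mpo vector continues outside the hunk.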
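Review bot: The chdir check in hunk @@ -998 of vfs_syscalls.c passes `ndp->ni_vp` while every other line of the block uses `vp`; the two presumably alias (the assignment is outside the hunk), but mixing them here invites a mismatch later, and the `#ifdef`-wrapped `if (0 == error)` governs a statement outside the conditional block, which reads as a dangling if. Prefer `error = mac_check_vnode_chdir(p->p_ucred, vp);` and `if (error == 0)` to match the surrounding `if (error)` style, with the VOP_ACCESS line braced. The enclosing function begins and ends outside the hunk.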
@@ -1528,10 +1528,9 @@ } #endif -#ifdef HAS_IMAGE_PARAMS static int sebsd_check_vnode_exec(struct ucred *cred, struct vnode *vp, - struct label *label, struct image_params *imgp, struct label *execlabel) + struct label *label, struct label *execlabel) { struct task_security_struct *task; struct vnode_security_struct *file; @@ -1590,7 +1589,6 @@ return (0); } -#endif #ifdef HAS_ACLS static int @@ -2203,12 +2201,11 @@ .mpo_check_vnode_access = sebsd_check_vnode_access, .mpo_check_vnode_chdir = sebsd_check_vnode_chdir, .mpo_check_vnode_chroot = sebsd_check_vnode_chroot, - //.mpo_check_vnode_create = sebsd_check_vnode_create, + .mpo_check_vnode_create = sebsd_check_vnode_create, .mpo_check_vnode_delete = sebsd_check_vnode_delete, + .mpo_check_vnode_exec = sebsd_check_vnode_exec, #ifdef EXTATTR - .mpo_check_vnode_exec = sebsd_check_vnode_exec, - .mpo_check_vnode_getextattr = sebsd_check_vnode_getextattr, .mpo_check_vnode_listextattr = NOT_IMPLEMENTED, .mpo_check_vnode_deleteextattr = NOT_IMPLEMENTED,
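Review bot: With the HAS_IMAGE_PARAMS guard gone in hunk @@ -1528, sebsd_check_vnode_exec is always compiled and, per hunk @@ -2203, registered in the policy ops; its body (lines 1531–1589, outside this hunk) should be checked to tolerate a NULL `execlabel`, since the kern_exec.c side can pass one. If it dereferences execlabel unconditionally, an exec with no requested label would fault inside the policy. A short comment on the parameter, `/* execlabel may be NULL */`, would document the expectation.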