Date: Sun, 9 Nov 2003 19:35:57 -0800 (PST) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 41856 for review Message-ID: <200311100335.hAA3ZvlF065537@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=41856 Change 41856 by rwatson@rwatson_paprika on 2003/11/09 19:35:42 Move to zone allocated credential, pipe, and vnode temporary labels. This actually observably simplifies some of the exec label contortions we go through, removing one of the arguments to mac_execve_enter(), and simplifying the interpreter label code. Remove old init/destroy interfaces from the MAC framework. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_exec.c#66 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#425 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#12 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#8 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_pipe.c#9 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_process.c#7 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_vfs.c#6 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#227 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#249 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_exec.c#66 (text+ko) ==== @@ -167,9 +167,8 @@ int credential_changing; int textset; #ifdef MAC - struct label interplabel; /* label of the interpreted vnode */ - struct label execlabel; /* optional label argument */ - int will_transition, interplabelvalid = 0; + struct label *interplabel = NULL; + int will_transition; #endif imgp = &image_params; @@ -222,7 +221,7 @@ imgp->auxarg_size = 0; #ifdef MAC - error = mac_execve_enter(imgp, mac_p, &execlabel); + error = mac_execve_enter(imgp, mac_p); if (error) { mtx_lock(&Giant); goto exec_fail; 
@@ -339,9 +338,8 @@ /* free name buffer and old vnode */ NDFREE(ndp, NDF_ONLY_PNBUF); #ifdef MAC - mac_init_vnode_label(&interplabel); - mac_copy_vnode_label(ndp->ni_vp->v_label, &interplabel); - interplabelvalid = 1; + interplabel = mac_cred_label_alloc(); + mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel); #endif vput(ndp->ni_vp); vm_object_deallocate(imgp->object); @@ -455,7 +453,7 @@ attr.va_gid; #ifdef MAC will_transition = mac_execve_will_transition(oldcred, imgp->vp, - interplabelvalid ? &interplabel : NULL, imgp); + interplabel, imgp); credential_changing |= will_transition; #endif @@ -505,7 +503,7 @@ #ifdef MAC if (will_transition) { mac_execve_transition(oldcred, newcred, imgp->vp, - interplabelvalid ? &interplabel : NULL, imgp); + interplabel, imgp); } #endif /* @@ -657,8 +655,8 @@ /* sorry, no more process anymore. exit gracefully */ #ifdef MAC mac_execve_exit(imgp); - if (interplabelvalid) - mac_destroy_vnode_label(&interplabel); + if (interplabel != NULL) + mac_vnode_label_free(interplabel); #endif exit1(td, W_EXITCODE(0, SIGABRT)); /* NOT REACHED */ @@ -667,8 +665,8 @@ done2: #ifdef MAC mac_execve_exit(imgp); - if (interplabelvalid) - mac_destroy_vnode_label(&interplabel); + if (interplabel != NULL) + mac_vnode_label_free(interplabel); #endif mtx_unlock(&Giant); return (error); ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#425 (text+ko) ==== @@ -643,7 +643,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; - struct label intlabel; + struct label *intlabel; struct proc *p; struct mac mac; char *buffer; @@ -664,13 +664,11 @@ return (error); } - mac_init_cred_label(&intlabel); - error = mac_internalize_cred_label(&intlabel, buffer); + intlabel = mac_cred_label_alloc(); + error = mac_internalize_cred_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_cred_label(&intlabel); - return (error); - } + if (error) + goto out; newcred = crget(); 
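Review bot: `interplabel = mac_cred_label_alloc();` hands the interpreter vnode a credential label: the same object is then filled by `mac_copy_vnode_label()` here and released by `mac_vnode_label_free()` in the two exec_fail/done2 hunks, so policies see init_cred_label paired with destroy_vnode_label (and, presumably, the nmaccreds/nmacvnodes debug counters drift in opposite directions). The allocation should be `interplabel = mac_vnode_label_alloc();`, matching the copy and the free. A policy that lays out cred and vnode label slots differently would otherwise read an uninitialised vnode slot from this label in mac_execve_will_transition/mac_execve_transition. If the interpreter path can be re-entered for a single execve (the loop is outside the hunk), the earlier allocation would also be leaked; freeing any existing `interplabel` before reallocating would cover that case.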
@@ -678,7 +676,7 @@ PROC_LOCK(p); oldcred = p->p_ucred; - error = mac_check_cred_relabel(oldcred, &intlabel); + error = mac_check_cred_relabel(oldcred, intlabel); if (error) { PROC_UNLOCK(p); crfree(newcred); @@ -687,7 +685,7 @@ setsugid(p); crcopy(newcred, oldcred); - mac_relabel_cred(newcred, &intlabel); + mac_relabel_cred(newcred, intlabel); p->p_ucred = newcred; /* @@ -707,7 +705,7 @@ crfree(oldcred); out: - mac_destroy_cred_label(&intlabel); + mac_cred_label_free(intlabel); return (error); } @@ -718,7 +716,7 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { char *elements, *buffer; - struct label intlabel; + struct label *intlabel; struct file *fp; struct mac mac; struct vnode *vp; @@ -753,20 +751,20 @@ case DTYPE_VNODE: vp = fp->f_vnode; - mac_init_vnode_label(&intlabel); + intlabel = mac_vnode_label_alloc(); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - mac_copy_vnode_label(vp->v_label, &intlabel); + mac_copy_vnode_label(vp->v_label, intlabel); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = fp->f_data; - mac_init_pipe_label(&intlabel); + intlabel = mac_pipe_label_alloc(); PIPE_LOCK(pipe); - mac_copy_pipe_label(pipe->pipe_label, &intlabel); + mac_copy_pipe_label(pipe->pipe_label, intlabel); PIPE_UNLOCK(pipe); break; default: @@ -780,14 +778,14 @@ case DTYPE_FIFO: case DTYPE_VNODE: if (error == 0) - error = mac_externalize_vnode_label(&intlabel, + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; case DTYPE_PIPE: - error = mac_externalize_pipe_label(&intlabel, elements, + error = mac_externalize_pipe_label(intlabel, elements, buffer, mac.m_buflen); - mac_destroy_pipe_label(&intlabel); + mac_pipe_label_free(intlabel); break; default: panic("__mac_get_fd: corrupted label_type"); @@ -812,7 +810,7 @@ { char *elements, *buffer; struct nameidata nd; - struct label intlabel; + struct label *intlabel; struct mac mac; int error; 
@@ -839,13 +837,13 @@ if (error) goto out; - mac_init_vnode_label(&intlabel); - mac_copy_vnode_label(nd.ni_vp->v_label, &intlabel); - error = mac_externalize_vnode_label(&intlabel, elements, buffer, + intlabel = mac_vnode_label_alloc(); + mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -867,7 +865,7 @@ { char *elements, *buffer; struct nameidata nd; - struct label intlabel; + struct label *intlabel; struct mac mac; int error; @@ -894,12 +892,12 @@ if (error) goto out; - mac_init_vnode_label(&intlabel); - mac_copy_vnode_label(nd.ni_vp->v_label, &intlabel); - error = mac_externalize_vnode_label(&intlabel, elements, buffer, + intlabel = mac_vnode_label_alloc(); + mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -919,7 +917,7 @@ int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { - struct label intlabel; + struct label *intlabel; struct pipe *pipe; struct file *fp; struct mount *mp; 
@@ -952,40 +950,38 @@ switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); if (error) { - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; } vp = fp->f_vnode; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) { - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; } vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = vn_setlabel(vp, &intlabel, td->td_ucred); + error = vn_setlabel(vp, intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); - - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; case DTYPE_PIPE: - mac_init_pipe_label(&intlabel); - error = mac_internalize_pipe_label(&intlabel, buffer); + intlabel = mac_pipe_label_alloc(); + error = mac_internalize_pipe_label(intlabel, buffer); if (error == 0) { pipe = fp->f_data; PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, - &intlabel); + intlabel); PIPE_UNLOCK(pipe); } - - mac_destroy_pipe_label(&intlabel); + mac_pipe_label_free(intlabel); break; default: @@ -1007,7 +1003,7 @@ int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { - struct label intlabel; + struct label *intlabel; struct nameidata nd; struct mount *mp; struct mac mac; @@ -1029,13 +1025,11 @@ return (error); } - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_vnode_label(&intlabel); - return (error); - } + if (error) + goto out; mtx_lock(&Giant); /* VFS */ 
@@ -1045,15 +1039,16 @@ if (error == 0) { error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error == 0) - error = vn_setlabel(nd.ni_vp, &intlabel, + error = vn_setlabel(nd.ni_vp, intlabel, td->td_ucred); vn_finished_write(mp); } NDFREE(&nd, 0); mtx_unlock(&Giant); /* VFS */ - mac_destroy_vnode_label(&intlabel); +out: + mac_vnode_label_free(intlabel); return (error); } @@ -1063,7 +1058,7 @@ int __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) { - struct label intlabel; + struct label *intlabel; struct nameidata nd; struct mount *mp; struct mac mac; @@ -1085,13 +1080,11 @@ return (error); } - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_vnode_label(&intlabel); - return (error); - } + if (error) + goto out; mtx_lock(&Giant); /* VFS */ @@ -1101,15 +1094,15 @@ if (error == 0) { error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error == 0) - error = vn_setlabel(nd.ni_vp, &intlabel, + error = vn_setlabel(nd.ni_vp, intlabel, td->td_ucred); vn_finished_write(mp); } NDFREE(&nd, 0); mtx_unlock(&Giant); /* VFS */ - mac_destroy_vnode_label(&intlabel); - +out: + mac_vnode_label_free(intlabel); return (error); } ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#12 (text+ko) ==== 
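Review bot: The new `goto out` in __mac_set_file lands on an `out:` placed after `mtx_unlock(&Giant)`, which is correct only because the jump is taken before `mtx_lock(&Giant)`; an error path added later between the lock and the label would silently skip the unlock. Making that contract visible at the label, e.g. `out:	/* reached with Giant not held: only internalize failures jump here */`, or splitting it into an `out_unlock`/`out` pair, keeps the next change from getting it wrong. The __mac_set_link hunk (@@ -1101) on this line has the identical structure and would take the same comment.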
@@ -103,19 +103,18 @@ * the namespaces, etc, should work for these, so for now, sort by * object type. */ +struct label *mac_pipe_label_alloc(void); +void mac_pipe_label_free(struct label *label); + int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel); -void mac_destroy_cred_label(struct label *label); int mac_externalize_cred_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -void mac_init_cred_label(struct label *label); int mac_internalize_cred_label(struct label *label, char *string); void mac_relabel_cred(struct ucred *cred, struct label *newlabel); void mac_copy_pipe_label(struct label *src, struct label *dest); -void mac_destroy_pipe_label(struct label *label); int mac_externalize_pipe_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -void mac_init_pipe_label(struct label *label); int mac_internalize_pipe_label(struct label *label, char *string); int mac_externalize_vnode_label(struct label *label, char *elements, ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#8 (text+ko) ==== ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_pipe.c#9 (text+ko) ==== @@ -61,16 +61,7 @@ &nmacpipes, 0, "number of pipes in use"); #endif -void -mac_init_pipe_label(struct label *label) -{ - - mac_init_label(label); - MAC_PERFORM(init_pipe_label, label); - MAC_DEBUG_COUNTER_INC(&nmacpipes); -} - -static struct label * +struct label * mac_pipe_label_alloc(void) { struct label *label; @@ -90,15 +81,6 @@ } void -mac_destroy_pipe_label(struct label *label) -{ - - MAC_PERFORM(destroy_pipe_label, label); - mac_destroy_label(label); - MAC_DEBUG_COUNTER_DEC(&nmacpipes); -} - -static void mac_pipe_label_free(struct label *label) { ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_process.c#7 (text+ko) ==== 
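Review bot: The new `mac_pipe_label_alloc`/`mac_pipe_label_free` prototypes carry no ownership note, and neither do the four cred/vnode alloc/free prototypes added to sys/sys/mac.h (@@ -174). Since this commit moves callers from caller-owned storage to zone allocations, stating that the caller owns the returned label and must release it with the type-matched free, e.g. `/* Zone-allocated pipe label; caller must release it with mac_pipe_label_free(). */`, is what stops an alloc from being paired with the wrong free (as happens with the interpreter label in kern_exec.c). A short note that the alloc may sleep, if that is the zone policy used in mac_pipe.c, would also tell callers not to invoke it under a spin lock.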
@@ -96,16 +96,7 @@ static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); -void -mac_init_cred_label(struct label *label) -{ - - mac_init_label(label); - MAC_PERFORM(init_cred_label, label); - MAC_DEBUG_COUNTER_INC(&nmaccreds); -} - -static struct label * +struct label * mac_cred_label_alloc(void) { struct label *label; @@ -141,7 +132,7 @@ p->p_label = mac_proc_label_alloc(); } -static void +void mac_cred_label_free(struct label *label) { @@ -151,15 +142,6 @@ } void -mac_destroy_cred_label(struct label *label) -{ - - MAC_PERFORM(destroy_cred_label, label); - mac_destroy_label(label); - MAC_DEBUG_COUNTER_DEC(&nmaccreds); -} - -void mac_destroy_cred(struct ucred *cred) { @@ -247,9 +229,9 @@ } int -mac_execve_enter(struct image_params *imgp, struct mac *mac_p, - struct label *execlabelstorage) +mac_execve_enter(struct image_params *imgp, struct mac *mac_p) { + struct label *label; struct mac mac; char *buffer; int error; @@ -272,22 +254,24 @@ return (error); } - mac_init_cred_label(execlabelstorage); - error = mac_internalize_cred_label(execlabelstorage, buffer); + label = mac_cred_label_alloc(); + error = mac_internalize_cred_label(label, buffer); free(buffer, M_MACTEMP); if (error) { - mac_destroy_cred_label(execlabelstorage); + mac_cred_label_free(label); return (error); } - imgp->execlabel = execlabelstorage; + imgp->execlabel = label; return (0); } void mac_execve_exit(struct image_params *imgp) { - if (imgp->execlabel != NULL) - mac_destroy_cred_label(imgp->execlabel); + if (imgp->execlabel != NULL) { + mac_cred_label_free(imgp->execlabel); + imgp->execlabel = NULL; + } } /* ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_vfs.c#6 (text+ko) ==== 
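Review bot: mac_execve_enter now stores a zone-allocated label in `imgp->execlabel` on success with nothing documenting that ownership moves to imgp and that mac_execve_exit() is the release point; a header comment such as `On success the internalized label is owned by imgp->execlabel and freed by mac_execve_exit(); on failure nothing is attached.` would capture the contract the kern_exec.c changes rely on. Clearing `imgp->execlabel` after the free in mac_execve_exit is a welcome change, since it makes exit idempotent and removes a double-free hazard if it is reached twice. The early-return paths at the top of mac_execve_enter lie outside the hunk and presumably leave `imgp->execlabel` as the caller initialised it; worth confirming the caller sets it to NULL before calling.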
@@ -148,16 +148,7 @@ mp->mnt_fslabel = mac_mount_fs_label_alloc(); } -void -mac_init_vnode_label(struct label *label) -{ - - mac_init_label(label); - MAC_PERFORM(init_vnode_label, label); - MAC_DEBUG_COUNTER_INC(&nmacvnodes); -} - -static struct label * +struct label * mac_vnode_label_alloc(void) { struct label *label; @@ -221,15 +212,6 @@ } void -mac_destroy_vnode_label(struct label *label) -{ - - MAC_PERFORM(destroy_vnode_label, label); - mac_destroy_label(label); - MAC_DEBUG_COUNTER_DEC(&nmacvnodes); -} - -static void mac_vnode_label_free(struct label *label) { ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#227 (text+ko) ==== ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#249 (text+ko) ==== @@ -155,7 +155,6 @@ void mac_init_mount(struct mount *); void mac_init_proc(struct proc *); void mac_init_vnode(struct vnode *); -void mac_init_vnode_label(struct label *); void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *); void mac_copy_vnode_label(struct label *, struct label *label); void mac_destroy_bpfdesc(struct bpf_d *); @@ -174,7 +173,11 @@ void mac_destroy_mbuf_tag(struct m_tag *); void mac_destroy_mount(struct mount *); void mac_destroy_vnode(struct vnode *); -void mac_destroy_vnode_label(struct label *); + +struct label *mac_cred_label_alloc(void); +void mac_cred_label_free(struct label *label); +struct label *mac_vnode_label_alloc(void); +void mac_vnode_label_free(struct label *label); /* * Labeling event operations: file system objects, and things that @@ -256,8 +259,7 @@ * Labeling event operations: processes. */ void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child); -int mac_execve_enter(struct image_params *imgp, struct mac *mac_p, - struct label *execlabel); +int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); void mac_execve_exit(struct image_params *imgp); void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *interpvnodelabel,