From owner-p4-projects Tue Sep 3 10:35:37 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id B696037B401; Tue, 3 Sep 2002 10:35:24 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2413737B400 for ; Tue, 3 Sep 2002 10:35:24 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id CC5C343E42 for ; Tue, 3 Sep 2002 10:35:23 -0700 (PDT) (envelope-from cvance@tislabs.com) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g83HZNJU060129 for ; Tue, 3 Sep 2002 10:35:23 -0700 (PDT) (envelope-from cvance@tislabs.com) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g83HZN13060122 for perforce@freebsd.org; Tue, 3 Sep 2002 10:35:23 -0700 (PDT) Date: Tue, 3 Sep 2002 10:35:23 -0700 (PDT) Message-Id: <200209031735.g83HZN13060122@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to cvance@tislabs.com using -f From: Chris Vance Subject: PERFORCE change 16999 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=16999 Change 16999 by cvance@cvance_laptop on 2002/09/03 10:35:10 Fix bugs that prevented compilation Add a few more permission checks Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#24 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#24 (text+ko) ==== 
@@ -306,7 +306,7 @@ SLOT(label) = NULL; } -static inline security_class_t +static __inline security_class_t vnode_mode_to_security_class(struct vnode *vp) { switch (vp->v_type) { @@ -324,11 +324,11 @@ return SECCLASS_SOCK_FILE; case VFIFO: return SECCLASS_FIFO_FILE; + case VNON: + case VBAD: + return SECCLASS_FILE; } - /* - * VNON and VBAD - */ return SECCLASS_FILE; } @@ -501,11 +501,12 @@ sebsd_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vattr *vap) { - /* TBD: Not Implemented */ - struct vnode_security_struct *file, *dir; + struct task_security_struct *task; + struct vnode_security_struct *dir; - file = SLOT(&cred->cr_label); + task = SLOT(&cred->cr_label); dir = SLOT(dlabel); + /* TBD: Not Implemented */ return 0; } @@ -589,8 +590,7 @@ struct label *label, int attrnamespace, const char *name, struct uio *uio) { - /* TBD: Not Implemented */ - return 0; + return vnode_has_perm(cred, vp, FILE__GETATTR, NULL); } static int @@ -637,15 +637,37 @@ sebsd_check_vnode_readlink(struct ucred *cred, struct vnode *vp, struct label *label) { - /* TBD: Not Implemented */ - return 0; + return vnode_has_perm(cred, vp, FILE__READ, NULL); } static int sebsd_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *oldlabel, struct label *newlabel) { - /* TBD: Not Implemented */ + struct task_security_struct *task; + struct vnode_security_struct *old, *new; + int rc; + + task = SLOT(&cred->cr_label); + old = SLOT(oldlabel); + new = SLOT(oldlabel); + + /* TBD: audit? */ + rc = avc_has_perm_ref(task->sid, old->sid, old->sclass, + FILE__RELABELFROM, &old->avcr); + if (rc) + return (rc); + + rc = avc_has_perm(task->sid, new->sid, old->sclass, FILE__RELABELTO); + + if (rc) + return (rc); + /* + * TBD: + * SELinux also checks the superblock for class SECCLASS_FILESYSTEM + * and permission FILESYSTEM__ASSOCIATE + */ + return 0; } 
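Review bot: The two new locals in sebsd_check_vnode_create, `task` and `dir`, are assigned and never read, so this hunk trades the compile error for unused-variable warnings while the hook still returns 0 unconditionally and every vnode create is permitted. Until the check lands, the trailing comment should say so explicitly rather than just "Not Implemented", e.g. `/* TBD: Not Implemented -- permits all creates; needs DIR__ADD_NAME/DIR__SEARCH on dvp and FILE__CREATE on the new sid */`, and the locals could be dropped until they are used. The SELinux-side permission names are the obvious analogue, but confirm them against the project's access vectors before relying on them.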
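Review bot: `new` is looked up from the wrong label in sebsd_check_vnode_relabel: `new = SLOT(oldlabel);` should be `new = SLOT(newlabel);`. As written the FILE__RELABELTO check is evaluated with `new->sid == old->sid`, so any subject allowed to relabel away from the current context passes regardless of the requested target context, and the `newlabel` parameter is never used. Passing `old->sclass` on the RELABELTO call is consistent with SELinux's inode_setxattr, which uses the inode's class for both checks, so only the label lookup needs to change.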
@@ -655,7 +677,7 @@ struct label *label) { struct task_security_struct *task; - struct vnode_security_struct *old_dir, old_file; + struct vnode_security_struct *old_dir, *old_file; int rc; task = SLOT(&cred->cr_label); @@ -665,7 +687,7 @@ /* TBD: audit data? */ rc = avc_has_perm_ref(task->sid, old_dir->sid, SECCLASS_DIR, DIR__REMOVE_NAME | DIR__SEARCH, - old_dirsec->avcr); + &old_dir->avcr); if (rc) return (rc); rc = avc_has_perm_ref(task->sid, old_file->sid, old_file->sclass, @@ -682,7 +704,7 @@ struct label *label, int samedir) { struct task_security_struct *task; - struct vnode_security_struct *new_dir, new_file; + struct vnode_security_struct *new_dir, *new_file; access_vector_t av; int rc; @@ -752,8 +774,7 @@ struct label *label, int attrnamespace, const char *name, struct uio *uio) { - /* TBD: Not Implemented */ - return 0; + return vnode_has_perm(cred, vp, FILE__SETATTR, NULL); } static int To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
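Review bot: The setextattr hook now maps every extended-attribute write to `FILE__SETATTR` and ignores the `attrnamespace` and `name` it is handed, so if the SEBSD label itself is persisted as an extended attribute a subject with SETATTR could rewrite it directly and bypass the RELABELFROM/RELABELTO checks done in sebsd_check_vnode_relabel. If that is the storage model, writes to the label attribute should be routed through the relabel checks (or refused here and forced through the relabel hook), and a comment should record which namespace and name are reserved, e.g. `/* TBD: writes to the SEBSD label attribute must go through relabel, not SETATTR */`. Whether the label lives in an extattr is not visible in this diff, so confirm against the label-persistence code before changing the check.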