Date: Mon, 30 Sep 2002 07:38:35 -0700 (PDT) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 18381 for review Message-ID: <200209301438.g8UEcZo4036418@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18381
Change 18381 by cvance@cvance_laptop on 2002/09/30 07:37:51 A collection of misc. updates: - Update/reorganize vnode init/destroy - Add debugging info on error case in vnode_has_perm, check_vnode_relabel, and check_vnode_rename_to - make vnode_mode_to_security_class more generic - Add permission checks to check_vnode_create - Add debugging info on error case in check_vnode_relabel - Update vnode_mmap funcions, and implement correct NOP
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#27 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#27 (text+ko) ====
@@ -125,6 +125,14 @@
 file = SLOT(&vp->v_label);
 /* TBD: audit? */
+ if (file->sclass == 0) {
+ struct vattr va;
+ VOP_GETATTR(vp, &va, curthread->td_ucred, curthread);
+ printf("vnode_has_perm:: ERROR, sid=%d, sclass=0, v_type=%d"
+ " inode=%d, fsid=%d\n",
+ file->sid, vp->v_type, va.va_fileid, va.va_fsid);
+ return 0; /* TBD: debugging */
+ }
 return avc_has_perm_ref(task->sid, file->sid, file->sclass, perm, aeref ? aeref : &file->avcr);
 }
@@ -283,33 +291,10 @@
 return (newsid != task->sid);
 }
-static void
-sebsd_init_vnode_label(struct label *label)
-{
- struct vnode_security_struct *vsec;
-
- vsec = malloc(sizeof(*vsec), M_SEBSD, M_ZERO | M_WAITOK);
- vsec->sid = SECINITSID_UNLABELED;
-
- /*
- * TBD: should actually set this from the task sid
- */
- vsec->task_sid = SECINITSID_UNLABELED;
-
- SLOT(label) = vsec;
-}
-
-static void
-sebsd_destroy_vnode_label(struct label *label)
-{
- free(SLOT(label), M_SEBSD);
- SLOT(label) = NULL;
-}
-
 static __inline security_class_t
-vnode_mode_to_security_class(struct vnode *vp)
+vnode_type_to_security_class(enum vtype vt)
 {
- switch (vp->v_type) {
+ switch (vt) {
 case VREG:
 return SECCLASS_FILE;
 case VDIR:
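Review bot: The `sclass == 0` branch added to vnode_has_perm fails open: `return 0` is exactly what the function otherwise gets from avc_has_perm_ref when access is granted (this file treats a non-zero rc as denial, see `if (rc) return (rc);` in the rename hunk), so a vnode whose label was never classified is granted every permission. For a debugging aid it should deny, `return (EACCES); /* TBD: unclassified label */`, or the `/* TBD: debugging */` comment should at least state that the branch grants access. The same fail-open `return 0` is added to check_vnode_relabel, check_vnode_rename_from and check_vnode_rename_to in the later hunks. The return value of VOP_GETATTR is also ignored, so when it fails `va.va_fileid` and `va.va_fsid` are printed uninitialized; test it before the printf. vnode_has_perm starts above the hunk.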
@@ -333,6 +318,31 @@
 }
 static void
+sebsd_init_vnode_label(struct label *label)
+{
+ struct vnode_security_struct *vsec;
+
+ vsec = malloc(sizeof(*vsec), M_SEBSD, M_ZERO | M_WAITOK);
+ vsec->sid = SECINITSID_UNLABELED;
+ /* TBD: we want this initialized! */
+/* vsec->sclass = vnode_type_to_security_class(vp->v_type); */
+
+ /*
+ * TBD: should actually set this from the task sid
+ */
+ vsec->task_sid = SECINITSID_UNLABELED;
+
+ SLOT(label) = vsec;
+}
+
+static void
+sebsd_destroy_vnode_label(struct label *label)
+{
+ free(SLOT(label), M_SEBSD);
+ SLOT(label) = NULL;
+}
+
+static void
 sebsd_create_vnode(struct ucred *cred, struct vnode *parent, struct label *parentlabel, struct vnode *child, struct label *childlabel)
@@ -352,7 +362,7 @@
 &newsid);
 vsec->sid = newsid;
 vsec->task_sid = task->sid;
- vsec->sclass = vnode_mode_to_security_class(child);
+ vsec->sclass = vnode_type_to_security_class(child->v_type);
 if ((child->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
 return;
@@ -420,7 +430,11 @@
 return (0); /* TBD bad, bad, bad */
 }
- vsec->sclass = vnode_mode_to_security_class(vp);
+ /* TBD: */
+ vsec->sclass = vnode_type_to_security_class(vp->v_type);
+ if (vsec->sclass == 0) {
+ printf("sebsd_update_vnode_from_extattr:: sclass is 0\n");
+ }
 return (0);
 }
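Review bot: sebsd_init_vnode_label allocates with M_ZERO and never assigns `vsec->sclass`, and the commented-out `vnode_type_to_security_class(vp->v_type)` cannot simply be enabled because this function receives only the label, not a vnode. Every fresh label therefore carries sclass 0 until sebsd_create_vnode or sebsd_update_vnode_from_extattr classifies it, which is what the new `sclass == 0` checks elsewhere in this change are catching. The comment should say so rather than `/* TBD: we want this initialized! */`, e.g. `/* sclass stays 0 (unknown) until sebsd_create_vnode or sebsd_update_vnode_from_extattr classifies the vnode; a class of 0 must never be treated as valid. */`. In the @@ -420 hunk, sebsd_update_vnode_from_extattr prints `sclass is 0` but still returns 0, so its caller cannot tell that the label is unclassified; returning an error there would let the caller decide instead of relying on the per-check guards.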
@@ -503,11 +517,40 @@
 {
 struct task_security_struct *task;
 struct vnode_security_struct *dir;
+ security_class_t tclass;
+ security_id_t newsid;
+ int rc;
 task = SLOT(&cred->cr_label);
 dir = SLOT(dlabel);
- /* TBD: Not Implemented */
+
+ tclass = vnode_type_to_security_class(vap->va_type);
+
+ /* TBD: audit? */
+ rc = avc_has_perm_ref(task->sid, dir->sid, SECCLASS_DIR,
+ DIR__ADD_NAME | DIR__SEARCH, &dir->avcr);
+ if (rc)
+ return rc;
+
+ rc = security_transition_sid(task->sid, dir->sid, tclass, &newsid);
+ if (rc)
+ return rc;
+
+ rc = avc_has_perm(task->sid, newsid, tclass, FILE__CREATE);
+ if (rc)
+ return rc;
+#ifdef notdef
+ /*
+ * TBD:
+ * No support yet.
+ */
+ if (dir->i_sb) {
+ sbsec = dir->i_sb->s_security;
+ rc = avc_has_perm_audit(newsid, sbsec->sid, SECCLASS_FILESYSTEM,
+ FILESYSTEM__ASSOCIATE, &ad);
+#endif
+
 return 0;
 }
@@ -653,6 +696,11 @@
 new = SLOT(oldlabel);
 /* TBD: audit? */
+ if (old->sclass == 0) {
+ printf("vnode_relabel:: ERROR, sid=%d, sclass=0, v_type=%d\n",
+ old->sid, vp->v_type);
+ return 0; /* TBD: debugging */
+ }
 rc = avc_has_perm_ref(task->sid, old->sid, old->sclass, FILE__RELABELFROM, &old->avcr);
 if (rc)
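Review bot: check_vnode_create derives `tclass` from `vap->va_type` and passes it straight to security_transition_sid and avc_has_perm without checking it; the rest of this change treats a class of 0 as an error, so a va_type the switch does not map (its default case is not in view) would be transitioned and checked against class 0. Add `if (tclass == 0) return (EINVAL);` after the assignment, or whatever error this module uses for an unclassifiable object. The `#ifdef notdef` block opens `if (dir->i_sb) {` with no closing brace and uses Linux inode fields (`i_sb`, `s_security`) that do not exist in this tree, so it is dead text rather than a TODO; a one-line comment naming the missing FILESYSTEM__ASSOCIATE check would be clearer. The new code also writes `return rc;` where the surrounding file uses `return (rc);`. The function's signature is above the hunk.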
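Review bot: The context line `new = SLOT(oldlabel);` directly above the added check in check_vnode_relabel takes the new vnode label from `oldlabel`, so the FILE__RELABELTO decision that presumably follows (outside the hunk) would be made against the old label's sid; confirm whether this should read `new = SLOT(newlabel);` — the parameter list is not in view. If it is intentional, a comment saying why would stop the next reader from flagging it. check_vnode_relabel starts and ends outside the hunk.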
@@ -678,18 +726,28 @@
 {
 struct task_security_struct *task;
 struct vnode_security_struct *old_dir, *old_file;
+ avc_audit_data_t ad;
 int rc;
 task = SLOT(&cred->cr_label);
 old_dir = SLOT(dlabel);
 old_file = SLOT(label);
+ printf("check_vnode_rename:: entrypoint\n");
+ AVC_AUDIT_DATA_INIT(&ad, FS);
+ printf("check_vnode_rename:: done audit data init\n");
+
 /* TBD: audit data? */
- rc = avc_has_perm_ref(task->sid, old_dir->sid, SECCLASS_DIR,
- DIR__REMOVE_NAME | DIR__SEARCH,
- &old_dir->avcr);
+ rc = avc_has_perm_ref_audit(task->sid, old_dir->sid, SECCLASS_DIR,
+ DIR__REMOVE_NAME | DIR__SEARCH,
+ &old_dir->avcr, &ad);
 if (rc)
 return (rc);
+ if (old_file->sclass == 0) {
+ printf("vnode_relabel_from:: ERROR, sid=%d, sclass=0, v_type=%d\n",
+ old_file->sid, vp->v_type);
+ return 0; /* TBD: debugging */
+ }
 rc = avc_has_perm_ref(task->sid, old_file->sid, old_file->sclass, FILE__RENAME, &old_file->avcr);
 if (rc)
@@ -737,6 +795,11 @@
 if (vp) {
 new_file = SLOT(label);
+ if (new_file->sclass == 0) {
+ printf("vnode_relabel_to:: ERROR, sid=%d, sclass=0, v_type=%d\n",
+ new_file->sid, vp->v_type);
+ return 0; /* TBD: debugging */
+ }
 if (vp->v_type == VDIR) {
 rc = avc_has_perm_ref(task->sid, new_file->sid, new_file->sclass,
@@ -839,7 +902,7 @@
 struct label *label, int newmapping)
 {
 /* TBD: Not Implemented */
- return 0;
+ return (VM_PROT_ALL);
 }
 static int
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
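Review bot: The two unconditional `printf("check_vnode_rename:: ...")` calls run on every rename and carry no information beyond marking entry and the end of AVC_AUDIT_DATA_INIT; they should be removed or put under a debug condition before this lands, since any caller can make this entry point log at will. The message in the added `sclass == 0` branch says `vnode_relabel_from::` although this is the rename-from check, and the @@ -737 hunk repeats the copy-paste with `vnode_relabel_to::` in check_vnode_rename_to; both should name the function they are in, e.g. `"check_vnode_rename_from:: ERROR, sid=%d, sclass=0, v_type=%d\n"`. The audit data `ad` is initialized but only handed to the first check, not to the FILE__RENAME check that follows, so if the intent is to audit this entry point the second call should use the _audit variant too. check_vnode_rename_from's body continues past the hunk.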
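Review bot: `return (VM_PROT_ALL)` is left under the old `/* TBD: Not Implemented */` comment, so it reads as unfinished even though the change description calls it the correct NOP; replace the comment with one that states the contract, e.g. `/* No restriction: the value is presumably the set of protections the policy permits for the mapping, so VM_PROT_ALL imposes no MAC limit — confirm against the mmap entry point's contract. */`. The `newmapping` parameter is unused, which is consistent with a NOP but worth saying in the same comment. The function's signature starts above the hunk.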