Date: Thu, 9 Jun 2005 04:43:02 GMT From: "Christian S.J. Peron" <csjp@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 78222 for review Message-ID: <200506090443.j594h2kT087250@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=78222 Change 78222 by csjp@csjp_xor on 2005/06/09 04:42:31 Introduce two new entry points: mac_syscall_enter mac_syscall_exit These entry points can be used for controlling access to to execution paths within the kernel. Currently we do not check the return value of mac_syscall_exit as we can only run into problems by allowing the mac_syscall_exit entry point to propagate return values back to the syscall. Currently we only support the i386 architecture, but I will be adding support for the others once we test this concept. Affected files ... .. //depot/projects/trustedbsd/mac/sys/i386/i386/trap.c#36 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_system.c#9 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#274 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#231 edit Differences ...
==== //depot/projects/trustedbsd/mac/sys/i386/i386/trap.c#36 (text+ko) ====
@@ -50,6 +50,7 @@
 #include "opt_ktrace.h"
 #include "opt_npx.h"
 #include "opt_trap.h"
+#include "opt_mac.h"
 #include <sys/param.h>
 #include <sys/bus.h>
@@ -61,6 +62,7 @@
 #include <sys/kernel.h>
 #include <sys/ktr.h>
 #include <sys/lock.h>
+#include <sys/mac.h>
 #include <sys/mutex.h>
 #include <sys/resourcevar.h>
 #include <sys/signalvar.h>
@@ -879,6 +881,9 @@
 int narg;
 int args[8];
 u_int code;
+#ifdef MAC
+ int mac_error;
+#endif
 /*
 * note: PCPU_LAZY_INC() can only be used if we can afford
@@ -933,11 +938,10 @@
 if (p->p_sysent->sv_mask)
 code &= p->p_sysent->sv_mask;
-
- if (code >= p->p_sysent->sv_size)
- callp = &p->p_sysent->sv_table[0];
- else
- callp = &p->p_sysent->sv_table[code];
+
+ if (code >= p->p_sysent->sv_size)
+ code = 0;
+ callp = &p->p_sysent->sv_table[code];
 narg = callp->sy_narg & SYF_ARGMASK;
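Review bot: The new `code = 0;` clamp in the `@@ -933,11 +938,10 @@` hunk has no comment saying that it now changes a value other code consumes, not only which table slot is picked. Before this change an out-of-range number left `code` untouched and only `callp` fell back to slot 0; now `mac_syscall_enter(td, args, code)` in the later trap.c hunk, and anything else in syscall() that reads `code` afterwards (not visible here), sees 0 instead of the number the process supplied. I would add `/* Out-of-range numbers run slot 0; normalise code so MAC policies are asked about the entry that is actually dispatched. */` above the `if`, and confirm that no tracing or logging path after this point needs the original number. The enclosing function starts and ends outside the hunk.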
@@ -972,8 +976,14 @@
 STOPEVENT(p, S_SCE, narg);
 PTRACESTOP_SC(p, td, S_PT_SCE);
-
+#ifdef MAC
+ mac_error = mac_syscall_enter(td, args, code);
+ if (mac_error == 0)
+ error = (*callp->sy_call)(td, args);
+ mac_syscall_exit(td, args, code, error, mac_error);
+#else
 error = (*callp->sy_call)(td, args);
+#endif
 }
 switch (error) {
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_system.c#9 (text+ko) ====
@@ -49,6 +49,10 @@
 #include <security/mac/mac_internal.h>
+static int mac_enforce_syscall = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_syscall, CTLFLAG_RW,
+ &mac_enforce_syscall, 0, "Enforce MAC policy on system calls");
+
 static int mac_enforce_kld = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW, &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
@@ -266,3 +270,32 @@
 return (error);
 }
+
+int
+mac_syscall_enter(struct thread *td, int *args, int code)
+{
+ int error;
+
+ if (!mac_enforce_syscall)
+ return (0);
+ MAC_CHECK(syscall_enter, td, args, code);
+ return (error);
+}
+
+int
+mac_syscall_exit(struct thread *td, int *args, int code, int errcode,
+ int mac_error)
+{
+ int error;
+
+ if (!mac_enforce_syscall)
+ return (0);
+ MAC_CHECK(syscall_exit, td, args, code, errcode, mac_error);
+ /*
+ * Since we do not care about this return value, unconditioanlly
+ * return 0. We can only run into problems by allowing this entry
+ * point to propagate return values back to the syscall.
+ */
+
+ return (0);
+}
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#274 (text+ko) ====
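Review bot: When `mac_syscall_enter()` returns non-zero the handler is skipped but `error` is never assigned, so `switch (error)` just below still sees whatever value it held before. The enclosing condition is outside the hunk, but if this block is only entered with `error == 0`, a call that a policy denied returns success to the process. A program that checks the result of a privilege-dropping or locking call would then carry on as though the call had taken effect. Add `else error = mac_error;` after the `if (mac_error == 0)` branch so the denial reaches the normal error-return path.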
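Review bot: `mac_enforce_syscall` is tested independently in mac_syscall_enter() and mac_syscall_exit() (added further down in this file), so a write to the `enforce_syscall` node while a call is in flight lets a policy see an enter with no matching exit, or an exit with no enter. A policy that keeps per-thread state across the pair would be left inconsistent. Either state next to the sysctl that policies must tolerate unpaired callbacks, or latch the decision at enter time so syscall() only calls the exit hook when the enter hook actually ran. The node is `CTLFLAG_RW` like `enforce_kld` beside it, so syscall mediation can be switched off at runtime by anyone allowed to write it; a comment should say that this is intended.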
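Review bot: mac_syscall_enter() hands policies `int *args` with no comment on what in that array may be trusted. The array is the local `args[8]` from syscall() in trap.c, so scalar values cannot change under the policy, but an argument that is a user-space pointer presumably still refers to memory the process can modify after the policy has inspected it and before the handler reads it. A header comment on mac_syscall_enter() should say that decisions may rest on `code` and scalar arguments only, not on data reached through pointer arguments, and that the array is writable so a policy can alter what the handler receives. Separately, mac_syscall_exit() assigns `error` through `MAC_CHECK` and never reads it, which the existing comment explains but a compiler may still warn about.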
@@ -390,6 +390,9 @@
 int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
 int mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req);
+int mac_syscall_enter(struct thread *td, int *args, int code);
+int mac_syscall_exit(struct thread *td, int *args, int code,
+ int errcode, int mac_error);
 int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode);
 int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#231 (text+ko) ====
@@ -491,6 +491,9 @@
 int (*mpo_check_system_sysctl)(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req);
+ int (*mpo_syscall_enter)(struct thread *td, int *args, int code);
+ int (*mpo_syscall_exit)(struct thread *td, int *args, int code,
+ int error, int mac_error);
 int (*mpo_check_vnode_access)(struct ucred *cred, struct vnode *vp, struct label *label, int acc_mode);
 int (*mpo_check_vnode_chdir)(struct ucred *cred,
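Review bot: The fourth parameter of the exit hook is named `errcode` in mac.h and mac_system.c but `error` in the `mpo_syscall_exit` member added to mac_policy.h, and neither header says how it differs from `mac_error`. From the trap.c call site it appears to be the handler's return value, while `mac_error` is the result of the enter hook. I would use `errcode` in both headers and add a comment above the two members, e.g. `/* errcode: syscall handler result; mac_error: value returned by the enter hook, non-zero when the handler was not run. */`. The struct these members belong to starts and ends outside the hunk.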