Date: Wed, 23 Oct 2002 08:05:06 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 19962 for review Message-ID: <200210231505.g9NF56tl005635@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=19962 Change 19962 by rwatson@rwatson_tislabs on 2002/10/23 08:04:20 Add mac_check_sysctl(), a MAC Framework and MAC Policy entry point to check whether a sysctl operation is permitted. Right now, this is not a highly useful entry point, since sysctl doesn't provide useful information such as the name, rather, just the OID. This is sufficient, however, to permit policies to rote deny sysctl change requests from processes, which can support most integrity policies, even if the granularity is poor. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#325 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_sysctl.c#12 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#188 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#146 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#325 (text+ko) ==== @@ -137,6 +137,11 @@ &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); +static int mac_enforce_sysctl = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW, + &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations"); +TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl); + static int mac_enforce_vm = 0; SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); @@ -918,6 +923,10 @@ mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; + case MAC_CHECK_SYSCTL: + mpc->mpc_ops->mpo_check_sysctl = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; 
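Review bot: The new `mac_enforce_sysctl` knob in the first hunk is CTLFLAG_RW, so it can be cleared through the same sysctl(2) path that mac_check_sysctl guards; with enforcement on that write is itself subject to the policy, but a policy can only recognise it by numeric OID, and nothing at the declaration says so. Suggest `/* RW: clearing this goes through the sysctl path it governs; policies see only the OID. */` above `static int mac_enforce_sysctl = 1;`. Whether the TUNABLE_INT path (set from the loader before any policy attaches) is covered at all is not visible here.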
@@ -3367,6 +3376,25 @@ } int +mac_check_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, + size_t *oldlenp, int inkernel, void *new, size_t newlen) +{ + int error; + + /* + * XXXMAC: We're very much like to assert the SYSCTL_LOCK here, + * but since it's not exported from kern_sysctl.c, we can't. + */ + if (!mac_enforce_sysctl) + return (0); + + MAC_CHECK(check_sysctl, cred, name, namelen, old, oldlenp, inkernel, + new, newlen); + + return (error); +} + +int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { ==== //depot/projects/trustedbsd/mac/sys/kern/kern_sysctl.c#12 (text+ko) ==== @@ -41,11 +41,13 @@ */ #include "opt_compat.h" +#include "opt_mac.h" #include <sys/param.h> #include <sys/systm.h> #include <sys/kernel.h> #include <sys/sysctl.h> +#include <sys/mac.h> #include <sys/malloc.h> #include <sys/proc.h> #include <sys/lock.h> @@ -1238,6 +1240,15 @@ SYSCTL_LOCK(); +#ifdef MAC + error = mac_check_sysctl(td->td_ucred, name, namelen, old, oldlenp, + inkernel, new, newlen); + if (error) { + SYSCTL_UNLOCK(); + return (error); + } +#endif + do { req2 = req; error = sysctl_root(0, name, namelen, &req2); ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#188 (text+ko) ==== @@ -304,6 +304,9 @@ int mac_check_socket_receive(struct ucred *cred, struct socket *so); int mac_check_socket_send(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); +int mac_check_sysctl(struct ucred *cred, int *name, u_int namelen, + void *old, size_t *oldlenp, int inkernel, void *new, + size_t newlen); int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags); int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp); ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#146 (text+ko) ==== 
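Review bot: mac_check_sysctl has no header comment, and the XXXMAC comment reads "We're very much like to assert" where "We would very much like to assert" is meant. A short comment above the function stating that it is reached before the OID is resolved, that `name`/`namelen` is the numeric OID only, and that a non-zero return denies the request would help policy authors. The `return (error)` relies on MAC_CHECK assigning `error`, which is not visible in this hunk; if the macro can leave it untouched when no policy registers the hook, the function returns an uninitialised int.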
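Review bot: The hook added at the top of the kern_sysctl.c hunk passes `old` and `new` straight through; when `inkernel` is 0 these presumably point into user space (the caller uses `td->td_ucred`), and a policy that copyin()s `new` to inspect the value being written would fetch data that sysctl_root later fetches again, a classic double-fetch. Add at the call site `/* old/new may be user pointers when !inkernel; policies must not dereference them. */`, and consider stating the same in mac.h. Running the check once before the EAGAIN retry loop is fine since the credential does not change across retries. The enclosing function begins before this hunk.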
@@ -315,6 +315,9 @@ struct socket *so, struct label *socketlabel); int (*mpo_check_socket_visible)(struct ucred *cred, struct socket *so, struct label *socketlabel); + int (*mpo_check_sysctl)(struct ucred *cred, int *name, + u_int namelen, void *old, size_t *oldlenp, int inkernel, + void *new, size_t newlen); int (*mpo_check_vnode_access)(struct ucred *cred, struct vnode *vp, struct label *label, int flags); int (*mpo_check_vnode_chdir)(struct ucred *cred, @@ -511,6 +514,7 @@ MAC_CHECK_SOCKET_RELABEL, MAC_CHECK_SOCKET_SEND, MAC_CHECK_SOCKET_VISIBLE, + MAC_CHECK_SYSCTL, MAC_CHECK_VNODE_ACCESS, MAC_CHECK_VNODE_CHDIR, MAC_CHECK_VNODE_CHROOT, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
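Review bot: The new mpo_check_sysctl member in the policy ops table carries no statement of its contract: from the kern_sysctl.c call site it is invoked before sysctl_root resolves the OID, so `name`/`namelen` is the raw numeric OID with no oid structure or name string available, and a non-zero errno return denies the whole request. Suggest a comment above the member: `/* Called before OID resolution; name/namelen is the numeric OID only. Return 0 to permit, errno to deny. */`. The enum addition in the second hunk is consistent with the alphabetical placement of the neighbouring MAC_CHECK_* members.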