Date: Mon, 18 Apr 2005 16:47:26 GMT From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 75499 for review Message-ID: <200504181647.j3IGlQgU012253@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=75499 Change 75499 by areisse@areisse_ibook on 2005/04/18 16:46:31 Fix the include file path used by mkflask. Add support for check_ipc_methods, in a very simple manner. Four extra classes are introduced, port_methods1..4. Any denied permissions in those classes are removed from the permitted set managed by check_ipc_methods. Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask.h#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/mkflask.sh#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/security_classes#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#2 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask.h#2 (text+ko) ==== @@ -37,6 +37,11 @@ #define SECCLASS_SHM 28 #define SECCLASS_IPC 29 #define SECCLASS_MACH_PORT 30 +#define SECCLASS_PORT_METHODS1 31 +#define SECCLASS_PORT_METHODS2 32 +#define SECCLASS_PORT_METHODS3 33 +#define SECCLASS_PORT_METHODS4 34 +#define SECCLASS_MACH_TASK 35 /* * Security identifier indices for initial entities ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/mkflask.sh#2 (text+ko) ==== @@ -25,7 +25,7 @@ printf("#ifndef _LINUX_FLASK_H_\n") > outfile; printf("#define _LINUX_FLASK_H_\n") > outfile; - printf("\n#include <security/sebsd/flask_types.h>\n") > outfile; + printf("\n#include <sedarwin/flask_types.h>\n") > outfile; printf("\n/*\n * Security object class definitions\n */\n") > outfile; printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/security_classes#2 (text+ko) ==== @@ -42,6 +42,11 @@ class mach_port +class port_methods1 +class port_methods2 +class port_methods3 +class port_methods4 + #classes only used by name class mach_task ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#2 (text+ko) ==== @@ -1249,6 +1249,32 @@ NULL, NULL); } +extern int selinux_enforcing; + +static void +sebsd_check_ipc_methods(struct label *subj, struct label *obj, + msg_access_vector_t *av) +{ + struct task_security_struct *tsec, *psec; + int i; + + psec = SLOT(obj); + tsec = SLOT(subj); + + if (!selinux_enforcing) + return; + + for (i = 0; i < 4; i++) + { + struct av_decision avd; + security_class_t tclass = SECCLASS_PORT_METHODS1 + i; + + avc_has_perm_noaudit (tsec->sid, psec->sid, tclass, 0xffffffff, NULL, &avd); + + av->av[i] &= avd.allowed; + } +} + static int sebsd_check_mount (struct ucred *cred, struct vnode *vp, struct label *vl, const char *vfc_name, struct label *mntlabel) @@ -2673,6 +2699,8 @@ // .mpo_check_sysv_shmdt = sebsd_check_sysv_shmdt, .mpo_check_sysv_shmget = sebsd_check_sysv_shmget, + .mpo_check_ipc_methods = sebsd_check_ipc_methods, + .mpo_syscall = sebsd_syscall };
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200504181647.j3IGlQgU012253>