Date: Wed, 8 Jan 2003 10:30:58 -0800 (PST) From: Brian Feldman <green@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 23429 for review Message-ID: <200301081830.h08IUw48094633@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=23429 Change 23429 by green@green_laptop_2 on 2003/01/08 10:30:06 * Correct a bunch of error returns in SEBSD to not be -errno. * Use the fslabel in the mountpoints so that SEBSD can handle single-label generic filesystems. * Add an entry to put all of procfs under the proc_t type. Affected files ... .. //depot/projects/trustedbsd/mac/contrib/sebsd/policy/genfs_contexts#7 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#14 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.h#12 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#65 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_labels.h#3 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/avtab.c#4 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/hashtab.h#3 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/init.c#6 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/services.c#8 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/services_private.h#5 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/sidtab.c#8 edit Differences ... ==== //depot/projects/trustedbsd/mac/contrib/sebsd/policy/genfs_contexts#7 (text+ko) ==== @@ -24,6 +24,9 @@ genfscon proc /kmsg system_u:object_r:proc_kmsg_t genfscon proc /kcore system_u:object_r:proc_kcore_t +# procfs (FreeBSD) +genfscon procfs / system_u:object_r:proc_t + # nfs genfscon nfs / system_u:object_r:nfs_t ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#14 (text+ko) ==== @@ -405,7 +405,7 @@ * based on `tclass'. If a valid AVC entry exists, * then this function updates `aeref' to refer to the * entry and returns 0. Otherwise, this function - * returns -ENOENT. + * returns ENOENT. */ int avc_lookup( security_id_t ssid, /* IN */ @@ -428,7 +428,7 @@ } avc_cache_stats_incr(AVC_CAV_MISSES); - return -ENOENT; + return ENOENT; } 
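Review bot: The new `genfscon procfs /` entry gives every procfs node the single type `proc_t`, while the Linux `proc` entries just above it split out `/kmsg` and `/kcore`; that coarseness deserves a comment in the policy file. Per-process nodes such as `mem` and `ctl` would presumably share the type with harmless status files, so any rule that grants access to `proc_t` grants it to all of them. I would put `# single label for the whole tree; per-process nodes are not separated` above the entry so policy writers do not assume Linux-style granularity.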
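Review bot: Returning `ENOENT` from `avc_lookup` (and positive errno values from the other functions in this change) is only safe if every caller tests for non-zero; a caller still written as `if (rc < 0)` or `rc == -EAGAIN` would now treat a failure as success. The avtab.c hunk at -284 shows such comparisons existed and were updated, but services.c is listed as edited with no hunks on this page, so its callers cannot be checked from here. The case that matters most is `return EACCES;` in the avc.h hunk at -295, where a missed sign check turns a denial into an allow. A header comment on each affected function, e.g. `/* Returns 0 or a positive errno value; callers must test rc != 0. */`, would record the convention. The body of `avc_lookup` lies mostly outside these hunks.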
@@ -442,7 +442,7 @@ * revocation notification, then the function copies * the access vectors into a cache entry, updates * `aeref' to refer to the entry, and returns 0. - * Otherwise, this function returns -EAGAIN. + * Otherwise, this function returns EAGAIN. */ int avc_insert(security_id_t ssid, /* IN */ security_id_t tsid, /* IN */ @@ -456,12 +456,12 @@ if (seqno < avc_cache.latest_notif) { printf("avc: seqno %d < latest_notif %d\n", seqno, avc_cache.latest_notif); - return -EAGAIN; + return EAGAIN; } node = avc_claim_node(ssid, tsid, tclass); if (!node) { - return -ENOMEM; + return ENOMEM; } node->ae.allowed = ae->allowed; @@ -555,7 +555,7 @@ M_SEBSD_AVC, M_WAITOK); if (!c) - return -ENOMEM; + return ENOMEM; c->callback = callback; c->events = events; ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.h#12 (text+ko) ==== @@ -295,7 +295,7 @@ return 0; } else { mtx_unlock(&avc_lock); - return -EACCES; + return EACCES; } } ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#65 (text+ko) ==== @@ -272,7 +272,6 @@ struct mount_security_struct *sbsec; sbsec = malloc(sizeof(*sbsec), M_SEBSD, M_ZERO | M_WAITOK); - memset(sbsec, 0, sizeof(struct mount_security_struct)); sbsec->sid = SECINITSID_UNLABELED; SLOT(label) = sbsec; } @@ -280,9 +279,11 @@ static void sebsd_init_mount_fs_label(struct label *label) { + struct mount_fs_security_struct *sbsec; - /* TBD: Currently Unecessary */ - SLOT(label) = NULL; + sbsec = malloc(sizeof(*sbsec), M_SEBSD, M_ZERO | M_WAITOK); + sbsec->sid = SECINITSID_UNLABELED; + SLOT(label) = sbsec; } static void @@ -394,8 +395,13 @@ sebsd_associate_vnode_singlelabel(struct mount *mp, struct label *fslabel, struct vnode *vp, struct label *vlabel) { + struct mount_fs_security_struct *sbsec; + struct vnode_security_struct *vsec; - /* TBD, default to SECINITSID_UNLABELED. */ + sbsec = SLOT(fslabel); + vsec = SLOT(vlabel); + vsec->sid = sbsec->sid; + vsec->sclass = vnode_type_to_security_class(vp->v_type); } static void 
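Review bot: `sebsd_init_mount_fs_label` now allocates a `mount_fs_security_struct` where it used to store NULL, so the matching destroy hook has to free it, and that hook is not in any hunk on this page. If it still only clears the slot, every mount leaks the allocation; it should read `free(SLOT(label), M_SEBSD); SLOT(label) = NULL;`. The new body of `sebsd_associate_vnode_singlelabel` in the -394 hunk also dereferences `SLOT(fslabel)` and `SLOT(vlabel)` unconditionally, which relies on every label having passed through its init hook first; a `KASSERT` on both pointers would make that assumption explicit.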
@@ -566,16 +572,23 @@ struct label *mntlabel, struct label *fslabel) { struct mount_security_struct *sbsec; + struct mount_fs_security_struct *sbfssec; int behavior, rc; sbsec = SLOT(mntlabel); + sbfssec = SLOT(fslabel); /* TBD TBD TBD */ + /* + * Make the label for the filesystem the same as the singlelabel + * which the filesystem will use if not a "multilabel" type. + */ rc = security_fs_use(mp->mnt_vfc->vfc_name, &behavior, &sbsec->sid); if (rc) { printf("sebsd_create_mount: security_fs_use(%s) returned %d\n", mp->mnt_vfc->vfc_name, rc); behavior = SECURITY_FS_USE_NONE; } else { + sbfssec->sid = sbsec->sid; /* TBD: debugging only */ printf("sebsd_create_mount: security_fs_use(%s) behavior %d, sid %d\n", mp->mnt_vfc->vfc_name, behavior, sbsec->sid); ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_labels.h#3 (text+ko) ==== @@ -57,12 +57,20 @@ struct mount_security_struct { security_id_t sid; /* SID of file system */ +#ifndef __FreeBSD__ struct psidtab *psidtab; /* persistent SID mapping */ +#endif unsigned char uses_psids; /* uses persistent SID flag */ +#ifndef __FreeBSD__ unsigned char initialized; /* initialization flag */ +#endif unsigned char uses_task; /* use creating task SID for inodes */ unsigned char uses_genfs; /* use security_genfs_sid for inodes */ unsigned char proc; /* call procfs_set_sid */ unsigned char uses_trans; /* call security_transition_sid */ }; + +struct mount_fs_security_struct { + security_id_t sid; /* default object SID of file system */ +}; #endif /* _SYS_SECURITY_SEBSD_LABELS_H */ ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/avtab.c#4 (text+ko) ==== @@ -37,7 +37,7 @@ avtab_ptr_t prev, cur, newnode; if (!h) - return -ENOMEM; + return ENOMEM; hvalue = AVTAB_HASH(key); for (prev = NULL, cur = h->htable[hvalue]; 
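Review bot: On the failure branch of `security_fs_use` the new `sbfssec->sid` keeps whatever the init hook stored, while `sbsec->sid` was passed by pointer and may have been written before the error, so the mount label and the filesystem label can disagree. Setting both in the `if (rc)` branch, `sbsec->sid = sbfssec->sid = SECINITSID_UNLABELED;`, makes the fallback label deterministic. The new block comment also sits directly under the leftover `/* TBD TBD TBD */`, which should either say what remains to be done or be dropped. The function starts and ends outside the hunk.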
@@ -47,7 +47,7 @@ key->target_type == cur->key.target_type && key->target_class == cur->key.target_class && (datum->specified & cur->datum.specified)) - return -EEXIST; + return EEXIST; if (key->source_type < cur->key.source_type) break; if (key->source_type == cur->key.source_type && @@ -62,7 +62,7 @@ newnode = (avtab_ptr_t)sebsd_malloc(sizeof(struct avtab_node), M_SEBSD_SS, M_WAITOK | M_ZERO); if (newnode == NULL) - return -ENOMEM; + return ENOMEM; /* memset(newnode, 0, sizeof(struct avtab_node)); */ newnode->key = *key; newnode->datum = *datum; @@ -284,9 +284,9 @@ } rc = avtab_insert(a, &avkey, &avdatum); if (rc) { - if (rc == -ENOMEM) + if (rc == ENOMEM) printf("security: avtab: out of memory\n"); - if (rc == -EEXIST) + if (rc == EEXIST) printf("security: avtab: duplicate entry\n"); goto bad; } ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/hashtab.h#3 (text+ko) ==== @@ -38,9 +38,9 @@ /* Define status codes for hash table functions */ #define HASHTAB_SUCCESS 0 -#define HASHTAB_OVERFLOW -ENOMEM -#define HASHTAB_PRESENT -EEXIST -#define HASHTAB_MISSING -ENOENT +#define HASHTAB_OVERFLOW ENOMEM +#define HASHTAB_PRESENT EEXIST +#define HASHTAB_MISSING ENOENT /* Creates a new hash table with the specified characteristics. ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/init.c#6 (text+ko) ==== @@ -37,14 +37,14 @@ fp = fopen(policyfile, "r"); if (!fp) { printf("security: unable to open %s, cannot initialize.\n", policyfile); - return -EINVAL; + return EINVAL; } rc = security_load_policy(fp); if (rc) { printf("security: error while loading %s, cannot initialize.\n", policyfile); fclose(fp); - return -EINVAL; + return EINVAL; } fclose(fp); ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/services.c#8 (text+ko) ==== ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/services_private.h#5 (text+ko) ==== @@ -28,7 +28,7 @@ sebsd_free(n, M_SEBSD_SS); return 0; } else { - return -EACCES; + return EACCES; } } 
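Review bot: In the init.c hunk both failure paths return `EINVAL`, so the value `security_load_policy` produced in `rc` is discarded and an operator cannot tell a malformed policy from an allocation failure. Since the sign convention is being normalised here anyway, the second path could be `return rc;`, assuming `security_load_policy` now returns positive errno values like the rest of this change. The function's opening lines are outside the hunk.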
@@ -44,14 +44,14 @@ sebsd_free(s, M_SEBSD_SS); return 0; } else { - return -EINVAL; + return EINVAL; } } /* TBD/CDV */ /* #else */ -/* #define compute_sid_handle_invalid_context(scontext,tcontext,tclass,newcontext) -EACCES */ -/* #define convert_context_handle_invalid_context(context) -EINVAL */ +/* #define compute_sid_handle_invalid_context(scontext,tcontext,tclass,newcontext) EACCES */ +/* #define convert_context_handle_invalid_context(context) EINVAL */ /* #endif */ #ifdef __FreeBSD__ ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/ss/sidtab.c#8 (text+ko) ==== @@ -60,7 +60,7 @@ s->htable = sebsd_malloc(sizeof(sidtab_ptr_t)*SIDTAB_SIZE, M_SEBSD_SS, M_WAITOK); if (!s->htable) - return -ENOMEM; + return ENOMEM; for (i = 0; i < SIDTAB_SIZE; i++) s->htable[i] = (sidtab_ptr_t) NULL; s->nel = 0; @@ -76,7 +76,7 @@ if (!s) - return -ENOMEM; + return ENOMEM; hvalue = SIDTAB_HASH(sid); prev = NULL; @@ -87,16 +87,16 @@ } if (cur && sid == cur->sid) - return -EEXIST; + return EEXIST; newnode = (sidtab_node_t *) sebsd_malloc(sizeof(sidtab_node_t), M_SEBSD_SS, M_NOWAIT); if (newnode == NULL) - return -ENOMEM; + return ENOMEM; newnode->sid = sid; if (context_cpy(&newnode->context, context)) { sebsd_free(newnode, M_SEBSD_SS); - return -ENOMEM; + return ENOMEM; } if (prev) { @@ -123,7 +123,7 @@ if (!s) - return -ENOENT; + return ENOENT; hvalue = SIDTAB_HASH(sid); last = NULL; @@ -134,7 +134,7 @@ } if (cur == NULL || sid != cur->sid) - return -ENOENT; + return ENOENT; if (last == NULL) s->htable[hvalue] = cur->next; @@ -275,14 +275,14 @@ if (!sid) { ret = SIDTAB_TRYLOCK(s); if (ret == 0) - return -EAGAIN; + return EAGAIN; /* Rescan now that we hold the semaphore. */ sid = sidtab_search_context(s, context); if (sid) goto up_out; /* No SID exists for the context. Allocate a new one. */ if (s->next_sid == UINT_MAX) { - ret = -ENOMEM; + ret = ENOMEM; goto up_out; } sid = s->next_sid++; 
@@ -376,7 +376,7 @@ mysids = (security_id_t *)sebsd_malloc(mynel*sizeof(security_id_t), M_SEBSD_SS, M_NOWAIT); if (mysids == NULL) { - rc = -ENOMEM; + rc = ENOMEM; goto out; } j = 0; To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message