From owner-p4-projects Tue Nov 5 10:24:53 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id AD1C437B404; Tue, 5 Nov 2002 10:24:47 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3AA2437B401 for ; Tue, 5 Nov 2002 10:24:47 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id C821B43E42 for ; Tue, 5 Nov 2002 10:24:46 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id gA5IN0mV048037 for ; Tue, 5 Nov 2002 10:23:00 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id gA5IMxZZ048034 for perforce@freebsd.org; Tue, 5 Nov 2002 10:22:59 -0800 (PST) Date: Tue, 5 Nov 2002 10:22:59 -0800 (PST) Message-Id: <200211051822.gA5IMxZZ048034@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson Subject: PERFORCE change 20708 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=20708 Change 20708 by rwatson@rwatson_tislabs on 2002/11/05 10:22:43 Pass the execlabel into policies explicitly in the execve entry points, rather than relying on policies grubbing through imgp. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#352 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#180 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#64 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#35 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#143 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#103 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#79 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#167 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#352 (text+ko) ==== @@ -1330,7 +1330,7 @@ return; MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label, - interpvnodelabel, imgp); + interpvnodelabel, imgp, imgp->execlabel); } int @@ -1346,7 +1346,7 @@ result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label, - interpvnodelabel, imgp); + interpvnodelabel, imgp, imgp->execlabel); return (result); } @@ -1451,7 +1451,8 @@ if (!mac_enforce_process && !mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp); + MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp, + imgp->execlabel); return (error); } ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#180 (text+ko) ==== 
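Review bot: In all three kern_mac.c hunks the new `imgp->execlabel` argument is passed right next to `imgp` itself, so a policy that still dereferences `imgp->execlabel` compiles unchanged and the interface does not enforce the goal stated in the change description. A short comment at the first MAC_PERFORM call would make the contract explicit, e.g. `/* execlabel is passed explicitly; policies must not fetch it from imgp. */`. If `imgp->execlabel` can be NULL for an execve that requests no label (not visible in this diff), the entry points should state that too, since every policy now receives the pointer directly and may dereference it. The enclosing functions start and end outside these hunks.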
@@ -2044,7 +2044,8 @@ static int mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp, - struct label *label, struct image_params *imgp) + struct label *label, struct image_params *imgp, + struct label *execlabel) { struct mac_biba *subj, *obj; ==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#64 (text+ko) ==== @@ -410,7 +410,8 @@ static int mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp, - struct label *label, struct image_params *imgp) + struct label *label, struct image_params *imgp, + struct label *execlabel) { struct vattr vap; int error; ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#35 (text+ko) ==== @@ -1508,7 +1508,8 @@ static void mac_lomac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel, - struct label *interpvnodelabel, struct image_params *imgp) + struct label *interpvnodelabel, struct image_params *imgp, + struct label *execlabel) { struct mac_lomac *source, *dest, *obj, *robj; @@ -1544,7 +1545,7 @@ static int mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel, - struct image_params *imgp) + struct image_params *imgp, struct label *execlabel) { struct mac_lomac *subj, *obj, *robj; ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#143 (text+ko) ==== @@ -1881,7 +1881,8 @@ static int mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp, - struct label *label, struct image_params *imgp) + struct label *label, struct image_params *imgp, + struct label *execlabel) { struct mac_mls *subj, *obj; ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#103 (text+ko) ==== 
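Review bot: The mac_biba, mac_bsdextended, mac_lomac and mac_mls hunks add `execlabel` to each prototype but show no use of it, and every function body continues outside its hunk, so this diff cannot confirm that those bodies stop reading `imgp->execlabel` as the change description intends. If a body still reaches into `imgp`, the new parameter is dead and the dependency the change set out to remove survives; each body should be checked for `imgp->execlabel` and switched to the parameter. Where a body does use `execlabel`, it needs a NULL guard if the caller can pass one (not determinable here), e.g. `if (execlabel != NULL) { ... }` before any dereference.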
@@ -417,7 +417,8 @@ static void mac_none_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel, - struct label *interpvnodelabel, struct image_params *imgp) + struct label *interpvnodelabel, struct image_params *imgp, + struct label *execlabel) { } @@ -425,7 +426,7 @@ static int mac_none_execve_will_transition(struct ucred *old, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel, - struct image_params *imgp) + struct image_params *imgp, struct label *execlabel) { return (0); @@ -738,7 +739,8 @@ static int mac_none_check_vnode_exec(struct ucred *cred, struct vnode *vp, - struct label *label, struct image_params *imgp) + struct label *label, struct image_params *imgp, + struct label *execlabel) { return (0); ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#79 (text+ko) ==== @@ -796,7 +796,8 @@ static void mac_test_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *filelabel, - struct label *interpvnodelabel, struct image_params *imgp) + struct label *interpvnodelabel, struct image_params *imgp, + struct label *execlabel) { } @@ -804,7 +805,7 @@ static int mac_test_execve_will_transition(struct ucred *old, struct vnode *vp, struct label *filelabel, struct label *interpvnodelabel, - struct image_params *imgp) + struct image_params *imgp, struct label *execlabel) { return (0); @@ -1134,7 +1135,8 @@ static int mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp, - struct label *label, struct image_params *imgp) + struct label *label, struct image_params *imgp, + struct label *execlabel) { return (0); ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#167 (text+ko) ==== 
@@ -246,11 +246,11 @@ void (*mpo_execve_transition)(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel, - struct image_params *imgp); + struct image_params *imgp, struct label *execlabel); int (*mpo_execve_will_transition)(struct ucred *old, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel, - struct image_params *imgp); + struct image_params *imgp, struct label *execlabel); void (*mpo_create_proc0)(struct ucred *cred); void (*mpo_create_proc1)(struct ucred *cred); void (*mpo_relabel_cred)(struct ucred *cred, @@ -344,7 +344,8 @@ int (*mpo_check_vnode_deleteacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type); int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp, - struct label *label, struct image_params *imgp); + struct label *label, struct image_params *imgp, + struct label *execlabel); int (*mpo_check_vnode_getacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type); int (*mpo_check_vnode_getextattr)(struct ucred *cred, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
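Review bot: The mac_policy.h hunks add `execlabel` to `mpo_execve_transition`, `mpo_execve_will_transition` and `mpo_check_vnode_exec` without documenting what the pointer holds or whether it may be NULL, and this header is the contract every policy module is written against. A comment on the three members would settle it, for instance `/* execlabel: the label carried in imgp->execlabel, passed explicitly so policies need not reach into imgp; may be NULL (confirm against the execve callers). */`, keeping the NULL clause only if the callers can in fact pass one. The struct containing these members starts and ends outside the hunks.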