Date: Wed, 14 Aug 2013 14:17:43 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 326099 for review Message-ID: <201308141417.r7EEHhkr049442@skunkworks.freebsd.org>
http://p4web.freebsd.org/@@326099?ac=10 Change 326099 by rwatson@rwatson_cinnamon on 2013/08/14 14:17:13 Update MAC credential check TESLA assertions to allow exec() checks to authorise credential changes. Unfortunately, our current TESLA syntax is not sufficient to allow us to compare the in-hand UID and GID being changed to with the cached vnode attribute UID and GID. Hopefully a change to TESLA syntax will make it possible to make these assertions more specific. Affected files ... .. //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#7 edit Differences ... ==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#7 (text+ko) ==== @@ -2150,12 +2150,15 @@ euid = euip->ui_uid; #ifdef MAC #ifdef TESLA_MAC + /* XXXRW: In the exec() case, really want imgp->attr.uid. */ TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), euid) == 0) || previously(mac_cred_check_setreuid(ANY(ptr), ANY(int), euid) == 0) || previously(mac_cred_check_setresuid(ANY(ptr), ANY(int), euid, - ANY(int)) == 0)); + ANY(int)) == 0) || + previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr)) + == 0)); #endif #endif #ifdef TESLA_PROC @@ -2181,12 +2184,15 @@ #ifdef MAC #ifdef TESLA_MAC + /* XXXRW: In the exec() case, really want imgp->attr.gid. */ TESLA_SYSCALL( - previously(mac_cred_check_setgid(ANY(ptr), egid) == 0) || + previously(mac_cred_check_setegid(ANY(ptr), egid) == 0) || previously(mac_cred_check_setregid(ANY(ptr), ANY(int), egid) - == 0) || + == 0) || previously(mac_cred_check_setresgid(ANY(ptr), ANY(int), egid, - ANY(int)) == 0)); + ANY(int)) == 0) || + previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr)) + == 0)); #endif #endif #ifdef TESLA_PROC 
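Review bot: The added `mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr))` disjunct in the first hunk (@@ -2150) matches on none of its arguments, so once any exec check has returned 0 within the assertion's bounds (presumably the current system call), the euid being installed is no longer tied to a MAC decision about that value. The change description acknowledges this, but the in-code note only says what is wanted. I would state the consequence next to it, e.g. `/* XXXRW: exec() disjunct does not bind euid to imgp->attr.uid; any successful mac_vnode_check_exec() satisfies it. */`. The same applies to the other five hunks (egid, ruid, rgid and the two all-wildcard assertions). The enclosing function starts and ends outside the hunk.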
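Review bot: In the egid assertion (@@ -2181) the `mac_cred_check_setgid` disjunct is replaced by `mac_cred_check_setegid` rather than kept alongside it, and the change description does not mention this. The rgid hunk further down keeps `mac_cred_check_setgid`, and the euid hunk above lists `mac_cred_check_setuid` but no `mac_cred_check_seteuid`, so the uid and gid assertions are no longer parallel. If a setgid() call can still reach this egid update after its own MAC check (the callers are outside the hunk, so this is inferred), the assertion would fire on an authorised change. I would keep both lines, `previously(mac_cred_check_setgid(ANY(ptr), egid) == 0) ||` followed by `previously(mac_cred_check_setegid(ANY(ptr), egid) == 0) ||`, and consider a matching seteuid disjunct in the euid hunk.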
@@ -2212,12 +2218,15 @@ uid_t ruid = ruip->ui_uid; #ifdef MAC #ifdef TESLA_MAC + /* XXXRW: In the exec() case, really want imgp->attr.uid. */ TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), ruid) == 0) || previously(mac_cred_check_setreuid(ANY(ptr), ruid, ANY(int)) == 0) || previously(mac_cred_check_setresuid(ANY(ptr), ruid, ANY(int), - ANY(int)) == 0)); + ANY(int)) == 0) || + previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr)) + == 0)); #endif #endif #ifdef TESLA_PROC @@ -2245,12 +2254,15 @@ #ifdef MAC #ifdef TESLA_MAC + /* XXXRW: In the exec() case, really want imgp->attr.gid. */ TESLA_SYSCALL( previously(mac_cred_check_setgid(ANY(ptr), rgid) == 0) || previously(mac_cred_check_setregid(ANY(ptr), rgid, ANY(int)) == 0) || previously(mac_cred_check_setresgid(ANY(ptr), rgid, ANY(int), - ANY(int)) == 0)); + ANY(int)) == 0) || + previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr)) + == 0)); #endif #endif #ifdef TESLA_PROC @@ -2273,12 +2285,15 @@ #ifdef MAC #ifdef TESLA_MAC + /* XXXRW: In the exec() case, really want imgp->attr.uid. */ TESLA_SYSCALL( previously(mac_cred_check_setuid(ANY(ptr), ANY(int)) == 0) || previously(mac_cred_check_setreuid(ANY(ptr), ANY(int), ANY(int)) == 0) || previously(mac_cred_check_setresuid(ANY(ptr), ANY(int), - ANY(int), ANY(int)) == 0)); + ANY(int), ANY(int)) == 0) || + previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr)) + == 0)); #endif #endif #ifdef TESLA_PROC @@ -2301,12 +2316,15 @@ #ifdef MAC #ifdef TESLA_MAC + /* XXXRW: In the exec() case, really want imgp->attr.gid. */ TESLA_SYSCALL( previously(mac_cred_check_setgid(ANY(ptr), ANY(int)) == 0) || previously(mac_cred_check_setregid(ANY(ptr), ANY(int), ANY(int)) == 0) || previously(mac_cred_check_setresgid(ANY(ptr), ANY(int), ANY(int), - ANY(int)) == 0)); + ANY(int)) == 0) || + previously(mac_vnode_check_exec(ANY(ptr), ANY(ptr), ANY(ptr)) + == 0)); #endif #endif #ifdef TESLA_PROC