From owner-p4-projects@FreeBSD.ORG Tue Oct 21 09:30:06 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 4FE5D16A4C0; Tue, 21 Oct 2003 09:30:06 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF78E16A4B3 for ; Tue, 21 Oct 2003 09:30:05 -0700 (PDT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 28ABB43FBD for ; Tue, 21 Oct 2003 09:30:05 -0700 (PDT) (envelope-from areisse@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id h9LGU4XJ086382 for ; Tue, 21 Oct 2003 09:30:04 -0700 (PDT) (envelope-from areisse@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.9/8.12.9/Submit) id h9LGU4cM086379 for perforce@freebsd.org; Tue, 21 Oct 2003 09:30:04 -0700 (PDT) (envelope-from areisse@nailabs.com) Date: Tue, 21 Oct 2003 09:30:04 -0700 (PDT) Message-Id: <200310211630.h9LGU4cM086379@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f From: Andrew Reisse To: Perforce Change Reviews Subject: PERFORCE change 40100 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Oct 2003 16:30:06 -0000 http://perforce.freebsd.org/chv.cgi?CH=40100 Change 40100 by areisse@areisse_ibook on 2003/10/21 09:29:40 some maclabel system calls Affected files ... .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/init_sysent.c#2 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#20 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac.h#4 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/init_sysent.c#2 (text+ko) ==== @@ -311,6 +311,15 @@ int pthread_sigmask(); int __disable_threadsignal(); +#ifdef MAC +int __mac_get_file(); +int __mac_set_file(); +int __mac_get_link(); +int __mac_set_link(); +int __mac_get_proc(); +int __mac_set_proc(); +#endif + /* * System call switch table. */ @@ -715,10 +724,17 @@ syss(utrace,2), /* 335 = utrace */ syss(nosys,0), /* 336 */ syss(nosys,0), /* 337 */ +#ifdef MAC + syss(__mac_get_file,2), /* 338 */ + syss(__mac_get_link,2), /* 339 */ + syss(__mac_get_proc,1), /* 340 */ + syss(__mac_set_proc,1), /* 341 */ +#else syss(nosys,0), /* 338 */ syss(nosys,0), /* 339 */ syss(nosys,0), /* 340 */ syss(nosys,0), /* 341 */ +#endif syss(nosys,0), /* 342 */ syss(nosys,0), /* 343 */ syss(nosys,0), /* 344 */ ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#20 (text+ko) ==== @@ -93,6 +93,9 @@ #define PROC_LOCK_ASSERT(x, y) #define M_ASSERTPKTHDR(x) +#define PROC_LOCK(p) +#define PROC_UNLOCK(p) + #if 0 #define ASSERT_VOP_LOCKED(vp,msg) \ if (vp && !VOP_ISLOCKED(vp)) \ @@ -447,7 +450,7 @@ } else \ error = sbuf_printf(&sb, ",%s/", element_name); \ if (error == -1) { \ - error = EINVAL; /* XXX: E2BIG? */ \ + error = ENOMEM; /* XXX: E2BIG? */ \ break; \ } \ claimed = 0; \ @@ -459,7 +462,7 @@ /* Revert last label name. */ \ sbuf_setpos(&sb, savedlen); \ } else if (claimed != 1) { \ - error = EINVAL; /* XXX: ENOLABEL? */ \ + error = ENOENT; /* XXX: ENOLABEL? */ \ break; \ } \ } \ @@ -709,6 +712,7 @@ LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); /* Per-policy initialization. */ + printf ("calling mpo_init for %s\n", mpc->mpc_name); if (mpc->mpc_ops->mpo_init != NULL) (*(mpc->mpc_ops->mpo_init))(mpc); mac_policy_updateflags(); @@ -851,9 +855,11 @@ static void mac_init_cred_label(struct label *label) { - + printf ("mac_init_cred_label %d\n", label); mac_init_label(label); + printf ("mpo_init_cred_label %d\n", label); MAC_PERFORM(init_cred_label, label); + printf ("mac_init_cred_label done %d\n", label); MAC_DEBUG_COUNTER_INC(&nmaccreds); } @@ -1436,8 +1442,9 @@ void mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) { - + printf ("mpo_create_cred %d %d %d\n", parent_cred, child_cred, 0); MAC_PERFORM(create_cred, parent_cred, child_cred); + printf ("mpo_create_cred done\n"); } #if 0 @@ -3433,9 +3440,16 @@ return (0); } +#endif + +struct __mac_get_pid_args +{ + pid_t pid; + struct mac *mac_p; +}; int -__mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap) +__mac_get_pid(struct proc *td, struct __mac_get_pid_args *uap, register_t *ret) { char *elements, *buffer; struct mac mac; @@ -3456,9 +3470,11 @@ return (ESRCH); tcred = NULL; /* Satisfy gcc. */ - error = p_cansee(td, tproc); - if (error == 0) - tcred = crhold(tproc->p_ucred); + error = 0;/*p_cansee(td, tproc);*/ + if (error == 0) { + tcred = tproc->p_ucred; + crhold(tcred); + } PROC_UNLOCK(tproc); if (error) return (error); @@ -3486,12 +3502,18 @@ /* * MPSAFE */ +struct __mac_get_proc_args +{ + struct mac *mac_p; +}; + int -__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) +__mac_get_proc(struct proc *td, struct __mac_get_proc_args *uap, register_t *ret) { char *elements, *buffer; struct mac mac; - int error; + struct ucred *cr; + int error, ulen; error = copyin(uap->mac_p, &mac, sizeof(mac)); if (error) @@ -3502,32 +3524,42 @@ return (error); MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); - error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); + error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen); if (error) { FREE(elements, M_MACTEMP); return (error); } + PROC_LOCK(td); + cr = td->p_ucred; + crhold(cr); + PROC_UNLOCK(td); + MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_cred_label(&td->td_ucred->cr_label, + error = mac_externalize_cred_label(&cr->cr_label, elements, buffer, mac.m_buflen, M_WAITOK); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); FREE(buffer, M_MACTEMP); FREE(elements, M_MACTEMP); + crfree (cr); return (error); } /* * MPSAFE */ +struct __mac_set_proc_args +{ + struct mac *mac_p; +}; + int -__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) +__mac_set_proc(struct proc *p, struct __mac_set_proc_args *uap, register_t *ret) { struct ucred *newcred, *oldcred; struct label intlabel; - struct proc *p; struct mac mac; char *buffer; int error; @@ -3555,21 +3587,17 @@ return (error); } - newcred = crget(); - - p = td->td_proc; PROC_LOCK(p); oldcred = p->p_ucred; error = mac_check_cred_relabel(oldcred, &intlabel); if (error) { PROC_UNLOCK(p); - crfree(newcred); goto out; } - setsugid(p); - crcopy(newcred, oldcred); + /*setsugid(p);*/ + newcred = crdup(oldcred); mac_relabel_cred(newcred, &intlabel); p->p_ucred = newcred; @@ -3596,9 +3624,16 @@ return (error); } +#if 0 /* * MPSAFE */ +struct __mac_get_fd_args +{ + int fd; + struct mac *mac_p; +}; + int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { @@ -3611,7 +3646,7 @@ struct pipe *pipe; #endif short label_type; - int error; + int error, ulen; error = copyin(uap->mac_p, &mac, sizeof(mac)); if (error) @@ -3622,7 +3657,7 @@ return (error); MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); - error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); + error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen); if (error) { FREE(elements, M_MACTEMP); return (error); @@ -3702,18 +3737,25 @@ return (error); } +#endif /* * MPSAFE */ +struct __mac_get_file_args +{ + char *path_p; + struct mac *mac_p; +}; + int -__mac_get_file(struct thread *td, struct __mac_get_file_args *uap) +__mac_get_file(struct proc *td, struct __mac_get_file_args *uap, register_t *ret) { char *elements, *buffer; struct nameidata nd; struct label intlabel; struct mac mac; - int error; + int error, ulen; error = copyin(uap->mac_p, &mac, sizeof(mac)); if (error) @@ -3724,7 +3766,7 @@ return (error); MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); - error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); + error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen); if (error) { FREE(elements, M_MACTEMP); return (error); @@ -3745,7 +3787,9 @@ error = mac_externalize_vnode_label(&intlabel, elements, buffer, mac.m_buflen, M_WAITOK); - NDFREE(&nd, 0); + /*NDFREE(&nd, 0);*/ + FREE_ZONE(nd.ni_cnd.cn_pnbuf, nd.ni_cnd.cn_pnlen, M_NAMEI); + mac_destroy_vnode_label(&intlabel); if (error == 0) @@ -3765,6 +3809,12 @@ /* * MPSAFE */ +struct __mac_get_link_args +{ + char *path_p; + struct mac *mac_p; +}; + int __mac_get_link(struct thread *td, struct __mac_get_link_args *uap) { @@ -3772,7 +3822,7 @@ struct nameidata nd; struct label intlabel; struct mac mac; - int error; + int error, ulen; error = copyin(uap->mac_p, &mac, sizeof(mac)); if (error) @@ -3783,7 +3833,7 @@ return (error); MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); - error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); + error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen); if (error) { FREE(elements, M_MACTEMP); return (error); @@ -3803,7 +3853,8 @@ mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); error = mac_externalize_vnode_label(&intlabel, elements, buffer, mac.m_buflen, M_WAITOK); - NDFREE(&nd, 0); + /*NDFREE(&nd, 0);*/ + FREE_ZONE(nd.ni_cnd.cn_pnbuf, nd.ni_cnd.cn_pnlen, M_NAMEI); mac_destroy_vnode_label(&intlabel); if (error == 0) @@ -3820,6 +3871,7 @@ return (error); } +#if 0 /* * MPSAFE */ @@ -3880,7 +3932,7 @@ } vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = vn_setlabel(vp, &intlabel, td->td_ucred); + error = vn_setlabel(vp, &intlabel, td->p_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); @@ -3921,8 +3973,14 @@ /* * MPSAFE */ +struct __mac_set_file_args +{ + char *path_p; + struct mac *mac_p; +}; + int -__mac_set_file(struct thread *td, struct __mac_set_file_args *uap) +__mac_set_file(struct proc *td, struct __mac_set_file_args *uap, register_t *ret) { struct label intlabel; struct nameidata nd; @@ -3965,7 +4023,7 @@ error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error == 0) error = vn_setlabel(nd.ni_vp, &intlabel, - td->td_ucred); + td->p_ucred); vn_finished_write(mp); } @@ -4038,11 +4096,20 @@ return (error); } +#endif + /* * MPSAFE */ +struct mac_syscall_args +{ + char *policy; + int call; + void *arg; +}; + int -mac_syscall(struct thread *td, struct mac_syscall_args *uap) +mac_syscall(struct proc *td, struct mac_syscall_args *uap, register_t *retv) { struct mac_policy_conf *mpc; char target[MAC_MAX_POLICY_NAME]; @@ -4076,14 +4143,12 @@ out: return (error); } -#endif /* !0 TBD/CDV*/ SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); #else /* !MAC */ -#if 0 /* TBD/CDV*/ int __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap) { @@ -4153,6 +4218,5 @@ return (ENOSYS); } -#endif /* !0 TBD/CDV*/ #endif /* !MAC */ ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac.h#4 (text+ko) ==== @@ -63,7 +63,7 @@ typedef struct mac *mac_t; -#ifndef _KERNEL +#ifndef KERNEL /* * Location of the userland MAC framework configuration file. mac.conf @@ -86,7 +86,7 @@ int mac_get_pid(pid_t _pid, mac_t _label); int mac_get_proc(mac_t _label); int mac_is_present(const char *_policyname); -int mac_prepare(mac_t *_label, char *_elements); +int mac_prepare(mac_t *_label, const char *_elements); int mac_prepare_file_label(mac_t *_label); int mac_prepare_ifnet_label(mac_t *_label); int mac_prepare_process_label(mac_t *_label); @@ -123,7 +123,9 @@ struct vattr; struct vnode; +#if 0 #include /* XXX acl_type_t */ +#endif struct vop_setlabel_args; @@ -284,12 +286,16 @@ struct componentname *cnp, struct vattr *vap); int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); +#if 0 int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type); +#endif int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct image_params *imgp); +#if 0 int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type); +#endif int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio); int mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, @@ -313,8 +319,10 @@ int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp); int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp); +#if 0 int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl); +#endif int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio); int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,