Date: Thu, 21 Aug 2003 07:48:29 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 36567 for review Message-ID: <200308211448.h7LEmT1E075151@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=36567
Change 36567 by rwatson@rwatson_tislabs on 2003/08/21 07:47:51
Loop back integration of deletextattr() and listextattr() MAC framework and policy entry points. Pick up a bugfix in fd handling for /dev/fd nodes while here.
Affected files ...
.. //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#46 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_syscalls.c#48 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_biba/mac_biba.c#33 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_bsdextended/mac_bsdextended.c#13 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_mls/mac_mls.c#31 integrate
Differences ...
==== //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#46 (text+ko) ====
@@ -40,7 +40,7 @@
 */
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/kern/kern_mac.c,v 1.95 2003/08/20 19:16:49 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/kern/kern_mac.c,v 1.96 2003/08/21 13:52:59 rwatson Exp $");
 #include "opt_mac.h"
 #include "opt_devfs.h"
@@ -1614,6 +1614,22 @@
 }
 int
+mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+ int attrnamespace, const char *name)
+{
+ int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+ if (!mac_enforce_fs)
+ return (0);
+ MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+ attrnamespace, name);
+ return (error);
+}
+
+int
 mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 struct image_params *imgp)
 {
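Review bot: In `mac_check_vnode_deleteextattr`, `error` is declared but no visible statement assigns it before `return (error);` — it is only set inside the `MAC_CHECK` macro, which is how the neighbouring entry points in kern_mac.c appear to work but which a reader of the new function cannot see. A one-line comment above the macro call would make the function self-explanatory: `/* MAC_CHECK() composes the registered policies' verdicts into 'error'. */`. The same comment applies to `mac_check_vnode_listextattr` in the next hunk. It is also worth stating in a header comment that when `mac_enforce_fs` is clear the function returns 0 without consulting any policy, since that is the only place that bypass is visible.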
@@ -1678,6 +1694,22 @@
 }
 int
+mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+ int attrnamespace)
+{
+ int error;
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+ if (!mac_enforce_fs)
+ return (0);
+ MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+ attrnamespace);
+ return (error);
+}
+
+int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
 struct componentname *cnp)
 {
==== //depot/projects/trustedbsd/base/sys/kern/vfs_syscalls.c#48 (text+ko) ====
@@ -39,7 +39,7 @@
 */
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/kern/vfs_syscalls.c,v 1.329 2003/08/05 00:26:51 iedowse Exp $");
+__FBSDID("$FreeBSD: src/sys/kern/vfs_syscalls.c,v 1.331 2003/08/21 13:53:01 rwatson Exp $");
 /* For 4.3 integer FS ID compatibility */
 #include "opt_compat.h"
@@ -679,7 +679,7 @@
 fp = nfp;
 cmode = ((mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
 NDINIT(&nd, LOOKUP, FOLLOW, pathseg, path, td);
- td->td_dupfd = -indx - 1; /* XXX check for fdopen */
+ td->td_dupfd = -1; /* XXX check for fdopen */
 /*
 * Bump the ref count to prevent another process from closing
 * the descriptor while we are blocked in vn_open()
@@ -4270,8 +4270,8 @@
 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
- error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace,
- attrname, NULL);
+ error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace,
+ attrname);
 if (error)
 goto done;
 #endif
@@ -4418,8 +4418,7 @@
 sizep = &size;
 #ifdef MAC
- error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace,
- "", &auio);
+ error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace);
 if (error)
 goto done;
 #endif
==== //depot/projects/trustedbsd/base/sys/security/mac_biba/mac_biba.c#33 (text+ko) ====
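Review bot: In the `@@ -679,7 +679,7 @@` hunk of vfs_syscalls.c the new `td->td_dupfd = -1;` drops the index encoding but keeps the old `/* XXX check for fdopen */` comment, so the line no longer says what `-1` means or why `-indx - 1` misbehaved for /dev/fd nodes (the change description only calls it a bugfix). If the contract is that fdopen() overwrites `td_dupfd` with the descriptor to duplicate and any negative value means no duplication was requested, the comment should say so: `td->td_dupfd = -1; /* no dup requested; fdopen() stores a valid fd here */`. The enclosing function starts and ends outside the hunk, so this is inferred from the `NDINIT`/`vn_open` context alone.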
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $FreeBSD: src/sys/security/mac_biba/mac_biba.c,v 1.63 2003/07/31 18:35:43 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_biba/mac_biba.c,v 1.64 2003/08/21 14:34:54 rwatson Exp $
 */
 /*
@@ -2071,6 +2071,24 @@
 }
 static int
+mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+ struct label *label, int attrnamespace, const char *name)
+{
+ struct mac_biba *subj, *obj;
+ if (!mac_biba_enabled)
+ return (0);
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+ if (!mac_biba_dominate_single(subj, obj))
+ return (EACCES);
+ return (0);
+}
+
+static int
 mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 struct label *label, struct image_params *imgp,
 struct label *execlabel)
@@ -2163,6 +2181,24 @@
 }
 static int
+mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+ struct label *label, int attrnamespace)
+{
+ struct mac_biba *subj, *obj;
+ if (!mac_biba_enabled)
+ return (0);
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
+ return (0);
+}
+
+static int
 mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
 struct label *dlabel, struct componentname *cnp)
 {
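Review bot: The two new Biba hooks test dominance in opposite directions — `mac_biba_dominate_single(subj, obj)` in `mac_biba_check_vnode_deleteextattr` and `mac_biba_dominate_single(obj, subj)` in `mac_biba_check_vnode_listextattr` — and neither says why, nor that `attrnamespace` and `name` are deliberately ignored. Both directions are right for an integrity policy (deleting an attribute is a write, so the subject must dominate the object; listing is a read, so the object must dominate the subject), but that reasoning belongs next to the test rather than in the reviewer's head. Suggest `/* Write: no write-up, subject integrity must dominate the object's. */` above the first check and `/* Read: no read-down, object integrity must dominate the subject's. */` above the second, plus one sentence that the decision is label-only regardless of attribute namespace or name.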
@@ -2683,10 +2719,12 @@
 .mpo_check_vnode_create = mac_biba_check_vnode_create,
 .mpo_check_vnode_delete = mac_biba_check_vnode_delete,
 .mpo_check_vnode_deleteacl = mac_biba_check_vnode_deleteacl,
+ .mpo_check_vnode_deleteextattr = mac_biba_check_vnode_deleteextattr,
 .mpo_check_vnode_exec = mac_biba_check_vnode_exec,
 .mpo_check_vnode_getacl = mac_biba_check_vnode_getacl,
 .mpo_check_vnode_getextattr = mac_biba_check_vnode_getextattr,
 .mpo_check_vnode_link = mac_biba_check_vnode_link,
+ .mpo_check_vnode_listextattr = mac_biba_check_vnode_listextattr,
 .mpo_check_vnode_lookup = mac_biba_check_vnode_lookup,
 .mpo_check_vnode_mmap = mac_biba_check_vnode_mmap,
 .mpo_check_vnode_mprotect = mac_biba_check_vnode_mmap,
==== //depot/projects/trustedbsd/base/sys/security/mac_bsdextended/mac_bsdextended.c#13 (text+ko) ====
@@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
- * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.15 2003/07/05 01:24:36 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.16 2003/08/21 14:34:54 rwatson Exp $
 */
 /*
 * Developed by the TrustedBSD Project.
@@ -418,6 +418,22 @@
 }
 static int
+mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+ struct label *label, int attrnamespace, const char *name)
+{
+ struct vattr vap;
+ int error;
+ if (!mac_bsdextended_enabled)
+ return (0);
+ error = VOP_GETATTR(vp, &vap, cred, curthread);
+ if (error)
+ return (error);
+ return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE));
+}
+
+static int
 mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 struct label *label, struct image_params *imgp,
 struct label *execlabel)
@@ -495,6 +511,22 @@
 }
 static int
+mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+ struct label *label, int attrnamespace)
+{
+ struct vattr vap;
+ int error;
+ if (!mac_bsdextended_enabled)
+ return (0);
+ error = VOP_GETATTR(vp, &vap, cred, curthread);
+ if (error)
+ return (error);
+ return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
+}
+
+static int
 mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
 struct label *dlabel, struct componentname *cnp)
 {
@@ -752,10 +784,12 @@
 .mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
 .mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete,
 .mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
+ .mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
 .mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
 .mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
 .mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
 .mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
+ .mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr,
 .mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
 .mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
 .mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,
==== //depot/projects/trustedbsd/base/sys/security/mac_mls/mac_mls.c#31 (text+ko) ====
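Review bot: `mac_bsdextended_check_vnode_deleteextattr` and `mac_bsdextended_check_vnode_listextattr` (the `@@ -495,6 +511,22 @@` hunk) are the same eleven lines apart from `VWRITE` versus `VREAD`, and the VOP_GETATTR-then-`mac_bsdextended_check` sequence is presumably repeated by the existing vnode hooks in this file as well. Unless the file already has one, a small static helper taking the access mode would remove the duplication and give a single place to document that the rule set is evaluated against the vnode's owner and group under `curthread`; the mapping of delete to a write and list to a read also deserves a comment, since neither hook says it. A possible shape, with the constructed helper name as a proposal:
```c
/* Fetch the vnode's owner/group and apply the rule set for acc_mode. */
static int
mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
    int acc_mode)
{
	struct vattr vap;
	int error;

	error = VOP_GETATTR(vp, &vap, cred, curthread);
	if (error)
		return (error);
	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode));
}

static int
mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	if (!mac_bsdextended_enabled)
		return (0);
	/* Removing an attribute modifies the file: treat it as a write. */
	return (mac_bsdextended_check_vnode_access(cred, vp, VWRITE));
}
/* … unchanged: mac_bsdextended_check_vnode_listextattr becomes the same call with VREAD … */
```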
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $FreeBSD: src/sys/security/mac_mls/mac_mls.c,v 1.51 2003/07/31 20:00:06 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_mls/mac_mls.c,v 1.52 2003/08/21 14:34:54 rwatson Exp $
 */
 /*
@@ -1840,6 +1840,24 @@
 }
 static int
+mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+ struct label *label, int attrnamespace, const char *name)
+{
+ struct mac_mls *subj, *obj;
+ if (!mac_mls_enabled)
+ return (0);
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+ return (0);
+}
+
+static int
 mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 struct label *label, struct image_params *imgp,
 struct label *execlabel)
@@ -1931,6 +1949,25 @@
 }
 static int
+mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+ struct label *label, int attrnamespace)
+{
+
+ struct mac_mls *subj, *obj;
+ if (!mac_mls_enabled)
+ return (0);
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
+ return (0);
+}
+
+static int
 mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
 struct label *dlabel, struct componentname *cnp)
 {
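Review bot: `mac_mls_check_vnode_listextattr` (hunk `@@ -1931,6 +1949,25 @@`) opens with an empty line between `{` and `struct mac_mls *subj, *obj;`; style(9) reserves that blank for functions with no local declarations, and the sibling `mac_mls_check_vnode_deleteextattr` in the previous hunk does not have it, so drop the line (it is why this hunk adds 25 lines where the Biba twin adds 24). The two hooks also test dominance in opposite directions without a comment: `mac_mls_dominate_single(obj, subj)` for delete, a write under a confidentiality policy (no write-down), and `mac_mls_dominate_single(subj, obj)` for list, a read (no read-up). Suggest `/* Write: object must dominate subject (no write-down). */` and `/* Read: subject must dominate object (no read-up). */` above the respective checks, and a note that `attrnamespace` and `name` do not influence the decision.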
@@ -2445,10 +2482,12 @@
 .mpo_check_vnode_create = mac_mls_check_vnode_create,
 .mpo_check_vnode_delete = mac_mls_check_vnode_delete,
 .mpo_check_vnode_deleteacl = mac_mls_check_vnode_deleteacl,
+ .mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr,
 .mpo_check_vnode_exec = mac_mls_check_vnode_exec,
 .mpo_check_vnode_getacl = mac_mls_check_vnode_getacl,
 .mpo_check_vnode_getextattr = mac_mls_check_vnode_getextattr,
 .mpo_check_vnode_link = mac_mls_check_vnode_link,
+ .mpo_check_vnode_listextattr = mac_mls_check_vnode_listextattr,
 .mpo_check_vnode_lookup = mac_mls_check_vnode_lookup,
 .mpo_check_vnode_mmap = mac_mls_check_vnode_mmap,
 .mpo_check_vnode_mprotect = mac_mls_check_vnode_mmap,