Date: Sun, 3 Jul 2005 23:13:30 GMT From: Samy Al Bahra <samy@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 79509 for review Message-ID: <200507032313.j63NDUqm027144@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=79509 Change 79509 by samy@samy_home on 2005/07/03 23:13:09 This patch modifies the default portacl rule API to support defining rules to be attached to a uid/gid inside a prison or exclusively non-prison context. A PID (P for prison) may be prepended to the beginning of a rule "0:uid:5:tcp:50, ...". "all" may be prepended to affect all prisons, "none", for only the system. Approved by: rwatson Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_portacl/mac_portacl.c#7 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_portacl/mac_portacl.c#7 (text+ko) ==== @@ -48,7 +48,7 @@ * you will probably want to twiddle the net.inet sysctl listed above. * Then use sysctl(8) to modify the rules string: * - * # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79" + * # sysctl security.mac.portacl.rules="all:uid:425:tcp:80,uid:425:tcp:79" * * This ruleset, for example, permits uid 425 to bind TCP ports 80 (http) * and 79 (finger). User names and group names can't be used directly @@ -76,6 +76,7 @@ #include <sys/sbuf.h> #include <sys/socket.h> #include <sys/socketvar.h> +#include <sys/jail.h> #include <sys/sysctl.h> #include <netinet/in.h> @@ -117,11 +118,14 @@ #define MAC_RULE_STRING_LEN 1024 +#define RULE_IGNORE 0 +#define RULE_SYSTEM -1 #define RULE_GID 1 #define RULE_UID 2 #define RULE_PROTO_TCP 1 #define RULE_PROTO_UDP 2 struct rule { + int r_pr_id; id_t r_id; int r_idtype; u_int16_t r_port; @@ -130,6 +134,8 @@ TAILQ_ENTRY(rule) r_entries; }; +#define SYSTEM_STRING "none" +#define IGNORE_STRING "all" #define GID_STRING "gid" #define TCP_STRING "tcp" #define UID_STRING "uid" @@ -138,7 +144,7 @@ /* * Text format for the rule string is that a rule consists of a * comma-seperated list of elements. Each element is in the form - * idtype:id:protocol:portnumber, and constitutes granting of permission + * prison:idtype:id:protocol:portnumber, and constitutes granting of permission * for the specified binding. */ @@ -183,18 +189,46 @@ static int parse_rule_element(char *element, struct rule **rule) { - char *idtype, *id, *protocol, *portnumber, *p; + char *idtype, *id, *rtype, *portnumber, *prison, *p; struct rule *new; int error; error = 0; new = malloc(sizeof(*new), M_PORTACL, M_ZERO | M_WAITOK); - idtype = strsep(&element, ":"); - if (idtype == NULL) { + idtype = NULL; + + prison = strsep(&element, ":"); + if (prison == NULL) { error = EINVAL; goto out; } + + if (strcmp(prison, IGNORE_STRING) == 0) + new->r_pr_id = RULE_IGNORE; + else if (strcmp(prison, SYSTEM_STRING) == 0) + new->r_pr_id = RULE_SYSTEM; + else if (strcmp(prison, UID_STRING) && + strcmp(prison, GID_STRING)) { + new->r_pr_id = strtol(prison, &p, 10); + if (*p != '\0' || new->r_pr_id < 0) { + error = EINVAL; + goto out; + } + } else { + new->r_pr_id = RULE_IGNORE; + idtype = prison; + } + + if (idtype == NULL) { + idtype = strsep(&element, ":"); + + if (idtype == NULL) { + error = EINVAL; + goto out; + } + } + id = strsep(&element, ":"); if (id == NULL) { error = EINVAL; @@ -213,12 +247,15 @@ error = EINVAL; goto out; } + protocol = strsep(&element, ":"); if (protocol == NULL) { error = EINVAL; goto out; } - if (strcmp(protocol, TCP_STRING) == 0) + if (strcmp(protocol, IGNORE_STRING) == 0) + new->r_protocol = RULE_IGNORE; + else if (strcmp(protocol, TCP_STRING) == 0) new->r_protocol = RULE_PROTO_TCP; else if (strcmp(protocol, UDP_STRING) == 0) new->r_protocol = RULE_PROTO_UDP; @@ -292,6 +329,9 @@ } switch (rule->r_protocol) { + case RULE_IGNORE: + protocol = IGNORE_STRING; + break; case RULE_PROTO_TCP: protocol = TCP_STRING; break; @@ -302,8 +342,9 @@ panic("rule_printf: unknown protocol (%d)\n", rule->r_protocol); } - sbuf_printf(sb, "%s:%jd:%s:%d", idtype, (intmax_t)rule->r_id, - protocol, rule->r_port); + + sbuf_printf(sb, "%d:%s:%jd:%s:%d", rule->r_pr_id, idtype, + (intmax_t)rule->r_id, protocol, rule->r_port); } static char * @@ -401,12 +442,24 @@ for (rule = TAILQ_FIRST(&rule_head); rule != NULL; rule = TAILQ_NEXT(rule, r_entries)) { - if (type == SOCK_DGRAM && rule->r_protocol != RULE_PROTO_UDP) + if (rule->r_protocol != RULE_IGNORE) { + if (type == SOCK_DGRAM && rule->r_protocol != RULE_PROTO_UDP) + continue; + if (type == SOCK_STREAM && rule->r_protocol != RULE_PROTO_TCP) + continue; + } + + if (port != rule->r_port) continue; - if (type == SOCK_STREAM && rule->r_protocol != RULE_PROTO_TCP) + + if ((rule->r_pr_id == RULE_SYSTEM) && cred->cr_prison) continue; - if (port != rule->r_port) - continue; + else if (rule->r_pr_id != RULE_IGNORE) { + if (!cred->cr_prison || + (cred->cr_prison->pr_id != rule->r_pr_id)) + continue; + } + if (rule->r_idtype == RULE_UID) { if (cred->cr_uid == rule->r_id) { error = 0;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200507032313.j63NDUqm027144>