Date: Thu, 1 Dec 2005 21:17:50 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 87602 for review Message-ID: <200512012117.jB1LHo11082902@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=87602 Change 87602 by millert@millert_g4tower on 2005/12/01 21:17:10 Update login context code from DSEP and implement sebsd_check_proc_setlcid() for SEDarwin. Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/darwin/Makefile#5 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_get.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_set.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getlcmac/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getlcmac/getlcmac.8#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getlcmac/getlcmac.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/lcs/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/lcs/lcs.8#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/lcs/lcs.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setlcmac/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setlcmac/setlcmac.8#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setlcmac/setlcmac.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam/pam.d/login#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam/pam.d/sshd#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/PAMModule.defs#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_lctx/GNUmakefile#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_lctx/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_lctx/lctx.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_lctx/pam_lctx.8#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_lctx/pam_lctx.c#1 add .. 
//depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/init_sysent.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_bsm_klib.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_exit.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_fork.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_proc.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_prot.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_sysctl.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/syscalls.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/sysctl_init.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/Makefile#4 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/lctx.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac.h#5 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#11 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/proc.h#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/syscall.h#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/sysctl.h#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_base.c#6 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_internal.h#5 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_process.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#23 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/Makefile#5 (text+ko) ==== @@ -19,6 +19,7 @@ cd mach_cmds && gnumake cd top && make cd bsm/bsm/lib && gnumake + cd pam_modules/pam_lctx && gnumake cd system_cmds/mach_init.tproj && gnumake install: 
@@ -38,6 +39,7 @@ cd mach_cmds && gnumake install cd top && make install cd bsm/bsm/lib && gnumake install + cd pam_modules/pam_lctx && gnumake DSTROOT=$(DESTDIR) install cd system_cmds/mach_init.tproj && gnumake install clean: @@ -57,6 +59,6 @@ cd mach_cmds && gnumake clean cd top && make clean cd bsm/bsm/lib && gnumake clean + cd pam_modules/pam_lctx && gnumake clean cd system_cmds/mach_init.tproj && gnumake clean rm -rf build/obj - ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_get.c#3 (text+ko) ==== @@ -52,6 +52,20 @@ } int +mac_get_lcid(pid_t lcid, struct mac *label) +{ + + return (syscall(SYS___mac_get_lcid, lcid, label)); +} + +int +mac_get_lctx(struct mac *label) +{ + + return (syscall(SYS___mac_get_lctx, label)); +} + +int mac_get_link(const char *path, struct mac *label) { ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_set.c#3 (text+ko) ==== @@ -51,6 +51,13 @@ } int +mac_set_lctx(struct mac *label) +{ + + return (syscall(SYS___mac_set_lctx, label)); +} + +int mac_set_link(const char *path, struct mac *label) { ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/Makefile#3 (text+ko) ==== 
@@ -1,22 +1,27 @@ include ../../Makeconfig +SUBDIR= getfmac getlcmac getpmac mexec setfsmac setlcmac setpmac lcs + all: - cd getfmac && gnumake - cd getpmac && gnumake - cd mexec && gnumake - cd setfsmac && gnumake - cd setpmac && gnumake + @for dir in $(SUBDIR); do \ + gnumake -C $$dir ; \ + if [ $$? -ne 0 ] ; then \ + exit 1 ; \ + fi ; \ + done install: - cd getfmac && gnumake install - cd getpmac && gnumake install - cd mexec && gnumake install - cd setfsmac && gnumake install - cd setpmac && gnumake install + @for dir in $(SUBDIR); do \ + gnumake -C $$dir install ; \ + if [ $$? -ne 0 ] ; then \ + exit 1 ; \ + fi ; \ + done clean: - cd getfmac && gnumake clean - cd getpmac && gnumake clean - cd mexec && gnumake clean - cd setfsmac && gnumake clean - cd setpmac && gnumake clean + @for dir in $(SUBDIR); do \ + gnumake -C $$dir clean ; \ + if [ $$? -ne 0 ] ; then \ + exit 1 ; \ + fi ; \ + done ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/pam/pam.d/login#3 (text+ko) ==== @@ -6,3 +6,4 @@ account required pam_permit.so password required pam_deny.so session required pam_uwtmp.so +session required pam_lctx.so ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/pam/pam.d/sshd#3 (text+ko) ==== @@ -6,3 +6,4 @@ account required pam_permit.so password required pam_deny.so session required pam_permit.so +session required pam_lctx.so ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/PAMModule.defs#3 (text+ko) ==== @@ -24,8 +24,8 @@ Sources = . endif -Extra_CC_Flags += -Ddarwin -no-cpp-precomp -Wall -I/usr/include/pam -arch i386 -arch ppc -Extra_LD_Libraries += -lpam -arch i386 -arch ppc +Extra_CC_Flags += -Ddarwin -no-cpp-precomp -Wall -I/usr/include/pam -arch ppc +Extra_LD_Libraries += -lpam -arch ppc include $(CoreOSMakefiles)/Standard/Standard.make ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/init_sysent.c#3 (text+ko) ==== 
@@ -378,6 +378,9 @@ int getlcid(); int setlcid(); +int __mac_get_lcid(); +int __mac_get_lctx(); +int __mac_set_lctx(); /* * System call switch table. @@ -907,6 +910,9 @@ syss(getlcid,1), /* 404 = getlcid */ sysp(setlcid,2), /* 405 = setlcid */ + syss(__mac_get_lcid,2), /* 406 = __mac_get_lcid */ + syss(__mac_get_lctx,1), /* 407 = __mac_get_lctx */ + syss(__mac_set_lctx,1), /* 408 = __mac_set_lctx */ /* * N.B. * The argument count numbers in this table are actually ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_bsm_klib.c#3 (text+ko) ==== @@ -468,7 +468,11 @@ * XXXMAC We may wish to add audit to these later */ AUE_NULL, /* 404 = getlcid */ - AUE_NULL /* 405 = setlcid */ + AUE_NULL, /* 405 = setlcid */ + AUE_NULL, /* 406 = __mac_get_lcid */ + AUE_NULL, /* 407 = __mac_get_lctx */ + AUE_NULL, /* 408 = __mac_set_lctx */ + }; int nsys_au_event = sizeof(sys_au_event) / sizeof(sys_au_event[0]); ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_exit.c#3 (text+ko) ==== @@ -669,6 +669,12 @@ wakeup(&p->p_stat); return (0); } +#ifdef LCTX + PROC_LOCK(p); + leavelctx(p); + PROC_UNLOCK(p); +#endif + p->p_xstat = 0; if (p->p_ru) { ruadd(&q->p_stats->p_cru, p->p_ru); @@ -715,9 +721,7 @@ * Unlink it from its process group and free it. */ leavepgrp(p); -#ifdef LCTX - leavelctx(p); -#endif + LIST_REMOVE(p, p_list); /* off zombproc */ LIST_REMOVE(p, p_sibling); p->p_flag &= ~P_WAITING; ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_fork.c#3 (text+ko) ==== @@ -582,8 +582,8 @@ p2->p_lctx = NULL; /* Add new process to login context (if any). */ if (p1->p_lctx != NULL) { - p2->p_lctx = p1->p_lctx; - LIST_INSERT_AFTER(p1, p2, p_lclist); + LCTX_LOCK(p1->p_lctx); + enterlctx(p2, p1->p_lctx, 0); } #endif ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_proc.c#3 (text+ko) ==== 
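Review bot: The three new MAC syscalls are entered into sys_au_event as AUE_NULL, so __mac_set_lctx, which relabels a login context, produces no audit record at all, and the two getters and the pre-existing getlcid/setlcid entries just above share the same gap. Relabelling a login context is at least as security-relevant as the existing __mac_set_proc, so a real event class should be assigned before this is relied upon rather than left under the `XXXMAC We may wish to add audit to these later` comment. If no dedicated events exist yet in this tree, a marker on the new rows such as `AUE_NULL, /* 408 = __mac_set_lctx -- XXX unaudited relabel */` at least makes the omission visible to whoever reviews the audit coverage. The enclosing table begins outside the hunk.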
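Review bot: In the kern_fork hunk p1->p_lctx is read once for the NULL test and then dereferenced a second time as the argument to LCTX_LOCK, with nothing visible here pinning the context between the two reads; if a privileged setlcid(pid, LCID_REMOVE) aimed at p1 can run concurrently, leavelctx can clear p1->p_lctx and FREE the context in that window. Whether that is reachable depends on which PROC_LOCK is held on p1 at this point in fork1, which is outside the hunk, so treat it as a question rather than a confirmed race. Reading the pointer once and working from the copy, `l = p1->p_lctx; if (l != NULL) { LCTX_LOCK(l); enterlctx(p2, l, 0); }`, removes the double read in any case; enterlctx's header comment in kern_proc.c also asks for the proc to be locked, and p2's lock state is not visible here. Note too that the child is admitted through mac_proc_join_lctx, the same hook invoked when root adopts a process, so a policy cannot tell inheritance on fork from an explicit join unless it inspects the subject itself.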
@@ -81,10 +81,12 @@ #include <ufs/ufs/quota.h> #include <sys/uio.h> #include <sys/malloc.h> +#include <sys/mac.h> #include <sys/mbuf.h> #include <sys/ioctl.h> #include <sys/tty.h> #include <sys/signalvar.h> +#include <sys/sysctl.h> #include <sys/syslog.h> /* @@ -110,7 +112,11 @@ struct proclist zombproc; #ifdef LCTX -static pid_t lastlcid = 1; +static pid_t lastlcid = 1; +static int alllctx_cnt; + +#define LCID_MAX 8192 /* Does this really need to be large? */ +static int maxlcid = LCID_MAX; LIST_HEAD(lctxlist, lctx); static struct lctxlist alllctx; @@ -132,6 +138,7 @@ LIST_INIT(&zombproc); #ifdef LCTX LIST_INIT(&alllctx); + alllctx_cnt = 0; #endif pidhashtbl = hashinit(maxproc / 4, M_PROC, &pidhash); pgrphashtbl = hashinit(maxproc / 4, M_PROC, &pgrphash); 
@@ -260,34 +267,76 @@ struct lctx * lcfind(pid_t lcid) { - struct lctx *lc; + struct lctx *l; - LIST_FOREACH(lc, &alllctx, lc_list) - if (lc->lc_id == lcid) + ALLLCTX_LOCK; + LIST_FOREACH(l, &alllctx, lc_list) { + if (l->lc_id == lcid) { + LCTX_LOCK(l); break; - return (lc); + } + } + ALLLCTX_UNLOCK; + return (l); } -#define LCID_MAX 8192 /* Does this really need to be large? */ +#define LCID_INC \ + do { \ + lastlcid++; \ + if (lastlcid > maxlcid) \ + lastlcid = 1; \ + } while (0) \ + struct lctx * lccreate(void) { - struct lctx *lc; + struct lctx *l; /* Not very efficient but this isn't a common operation. */ - while ((lc = lcfind(lastlcid)) != NULL) { - lastlcid++; - if (lastlcid > LCID_MAX) - lastlcid = 1; + while ((l = lcfind(lastlcid)) != NULL) { + LCTX_UNLOCK(l); + LCID_INC; } /* Possible race condition with lastlcid here? */ - MALLOC(lc, struct lctx *, sizeof(struct lctx), M_LCTX, M_WAITOK|M_ZERO); - lc->lc_id = lastlcid; - lastlcid++; - LIST_INIT(&lc->lc_members); - LIST_INSERT_HEAD(&alllctx, lc, lc_list); - return (lc); + MALLOC(l, struct lctx *, sizeof(struct lctx), M_LCTX, M_WAITOK|M_ZERO); + l->lc_id = lastlcid; + LCID_INC; + LIST_INIT(&l->lc_members); +#ifdef MAC + l->lc_label = mac_lctx_label_alloc(); +#endif + ALLLCTX_LOCK; + LIST_INSERT_HEAD(&alllctx, l, lc_list); + alllctx_cnt++; + ALLLCTX_UNLOCK; + + return (l); +} + +/* + * Call with proc and lctx locked. + * Will unlock lctx on return. + */ +void +enterlctx (struct proc *p, struct lctx *l, int create) +{ + if (l == NULL) + return; + + p->p_lctx = l; + LIST_INSERT_HEAD(&l->lc_members, p, p_lclist); + l->lc_mc++; + +#ifdef MAC + if (create) + mac_proc_create_lctx(p, l); + else + mac_proc_join_lctx(p, l); +#endif + LCTX_UNLOCK(l); + + return; } /* 
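Review bot: lccreate's own `Possible race condition with lastlcid here?` comment now has a definite answer of yes: lcfind takes and releases ALLLCTX_LOCK on every probe, and lastlcid is read and bumped with no lock held, so two concurrent creators can both find the same id free, both insert, and leave two contexts with equal lc_id of which lcfind will only ever return the first. The probe loop is also unbounded: once every id up to maxlcid is in use it spins forever, and the function can never return the NULL that setlcid tests for, so that ENOMEM path is dead code. Holding ALLLCTX_LOCK across the probe, the id assignment and the LIST_INSERT_HEAD, probing the list directly instead of through lcfind, and returning NULL once alllctx_cnt >= maxlcid closes both problems; the M_WAITOK allocation and the label allocation then have to move ahead of the lock. Because the LCID_CREATE case in setlcid requires no privilege beyond the MAC check, exhaustion is not a root-only concern, though in practice it is bounded by how many member processes the caller can keep alive.

```c
struct lctx *
lccreate(void)
{
	struct lctx *l, *probe;

	/* Allocate before taking the list lock; M_WAITOK may sleep. */
	MALLOC(l, struct lctx *, sizeof(struct lctx), M_LCTX, M_WAITOK|M_ZERO);
	LIST_INIT(&l->lc_members);
#ifdef MAC
	l->lc_label = mac_lctx_label_alloc();
#endif

	ALLLCTX_LOCK;
	/* Every id is taken (or maxlcid was lowered): let setlcid return ENOMEM. */
	if (alllctx_cnt >= maxlcid) {
		ALLLCTX_UNLOCK;
#ifdef MAC
		mac_lctx_label_free(l->lc_label);
#endif
		FREE(l, M_LCTX);
		return (NULL);
	}
	/* Probe the list under the same lock hold that publishes the new entry. */
	for (;;) {
		LIST_FOREACH(probe, &alllctx, lc_list)
			if (probe->lc_id == lastlcid)
				break;
		if (probe == NULL)
			break;
		LCID_INC;
	}
	l->lc_id = lastlcid;
	LCID_INC;
	LIST_INSERT_HEAD(&alllctx, l, lc_list);
	alllctx_cnt++;
	ALLLCTX_UNLOCK;

	return (l);
}
```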
@@ -296,15 +345,32 @@ void leavelctx (struct proc *p) { + struct lctx *l; + if (p->p_lctx == NULL) return; + LCTX_LOCK(p->p_lctx); + l = p->p_lctx; + p->p_lctx = NULL; LIST_REMOVE(p, p_lclist); - if (LIST_EMPTY(&p->p_lctx->lc_members)) { - LIST_REMOVE(p->p_lctx, lc_list); - FREE(p->p_lctx, M_LCTX); - } - p->p_lctx = NULL; + l->lc_mc--; +#ifdef MAC + mac_proc_leave_lctx(p, l); +#endif + if (LIST_EMPTY(&l->lc_members)) { + ALLLCTX_LOCK; + LIST_REMOVE(l, lc_list); + alllctx_cnt--; + ALLLCTX_UNLOCK; + LCTX_UNLOCK(l); +#ifdef MAC + mac_lctx_label_free(l->lc_label); +#endif + FREE(l, M_LCTX); + } else + LCTX_UNLOCK(l); + return; } #endif /* LCTX */ 
@@ -605,3 +671,79 @@ FREE(temp, M_TEMP); return (NULL); } + +#ifdef LCTX + +static int +sysctl_kern_lctx SYSCTL_HANDLER_ARGS +{ + int *name = (int*) arg1; + u_int namelen = arg2; + struct kinfo_lctx kil; + struct lctx *l; + int error; + + error = 0; + + switch (oidp->oid_number) { + case KERN_LCTX_ALL: + ALLLCTX_LOCK; + /* Request for size. */ + if (!req->oldptr) { + error = SYSCTL_OUT(req, 0, + sizeof(struct kinfo_lctx) * (alllctx_cnt + 1)); + goto out; + } + break; + + case KERN_LCTX_LCID: + /* No space */ + if (req->oldlen < sizeof(struct kinfo_lctx)) + return (ENOMEM); + /* No argument */ + if (namelen != 1) + return (EINVAL); + /* No login context */ + l = lcfind((pid_t)name[0]); + if (l == NULL) + return (ENOENT); + kil.id = l->lc_id; + kil.mc = l->lc_mc; + LCTX_UNLOCK(l); + return (SYSCTL_OUT(req, (caddr_t)&kil, sizeof(kil))); + + default: + return (EINVAL); + } + + /* Provided buffer is too small. */ + if (req->oldlen < (sizeof(struct kinfo_lctx) * alllctx_cnt)) { + error = ENOMEM; + goto out; + } + + LIST_FOREACH(l, &alllctx, lc_list) { + LCTX_LOCK(l); + kil.id = l->lc_id; + kil.mc = l->lc_mc; + LCTX_UNLOCK(l); + error = SYSCTL_OUT(req, (caddr_t)&kil, sizeof(kil)); + if (error) + break; + } +out: + ALLLCTX_UNLOCK; + + return (error); +} +SYSCTL_NODE(_kern, KERN_LCTX, lctx, CTLFLAG_RD, 0, "Login Context"); +SYSCTL_PROC(_kern_lctx, KERN_LCTX_ALL, all, CTLFLAG_RD|CTLTYPE_STRUCT, + 0, 0, sysctl_kern_lctx, "S,lctx", + "Return entire login context table"); +SYSCTL_NODE(_kern_lctx, KERN_LCTX_LCID, lcid, CTLFLAG_RD, + sysctl_kern_lctx, "Login Context Table"); +SYSCTL_INT(_kern_lctx, OID_AUTO, last, CTLFLAG_RD, &lastlcid, 0, ""); +SYSCTL_INT(_kern_lctx, OID_AUTO, count, CTLFLAG_RD, &alllctx_cnt, 0, ""); +SYSCTL_INT(_kern_lctx, OID_AUTO, max, CTLFLAG_RW, &maxlcid, 0, ""); + +#endif /* LCTX */ ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_prot.c#3 (text+ko) ==== 
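Review bot: kern.lctx.max is exported CTLFLAG_RW directly onto the `maxlcid` integer with no handler, so it can be set to 0, a negative value, or anything below the number of contexts already allocated; since LCID_INC wraps lastlcid back to 1 whenever it exceeds maxlcid, lccreate's probe loop then has no free id to land on and never terminates. A SYSCTL_PROC with a range check is the usual shape, rejecting at least values below 1 and arguably values below alllctx_cnt, e.g. `if (new < 1 || new < alllctx_cnt) return (EINVAL);` in the handler. Separately, the KERN_LCTX_ALL path calls SYSCTL_OUT, which copies to user memory, for every entry while ALLLCTX_LOCK is held; whether a fault or sleep there is acceptable depends on what ALLLCTX_LOCK expands to in this tree, which is not visible here, so this is worth confirming rather than a confirmed defect. The KERN_LCTX_LCID branch is fine as written since it unlocks the context before the copy-out.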
@@ -86,6 +86,7 @@ #include <sys/malloc.h> #include <bsm/audit_kernel.h> +#include <sys/lctx.h> #include <sys/mac.h> #include <sys/mount.h> @@ -140,10 +141,6 @@ #ifdef LCTX -#define LCID_PROC_SELF (0) -#define LCID_REMOVE (-1) -#define LCID_CREATE (0) - /* * Set Login Context ID */ @@ -158,40 +155,53 @@ */ /* ARGSUSED */ int -setlcid(struct proc *td, struct setlcid_args *uap, register_t *retval) +setlcid(struct proc *p0, struct setlcid_args *uap, register_t *retval) { struct proc *p; - struct lctx *lc; - - /* XXXMAC: need check here? */ + struct lctx *l; + int error; if (uap->pid == LCID_PROC_SELF) { /* Create/Join/Leave */ - p = td; + p = p0; + PROC_LOCK(p); } else { /* Adopt/Orphan */ p = pfind(uap->pid); if (p == NULL) return (ESRCH); #if 0 /* XXX: we probably need the Darwin version of this... */ - if (p_cansee(td, p)) + if (p_cansee(p0, p)) { + PROC_UNLOCK(p); return (EPERM); + } #endif } +#ifdef MAC + error = mac_check_proc_setlcid(p0, p, uap->pid, uap->lcid); + if (error) { + PROC_UNLOCK(p); + return (error); + } +#endif + switch (uap->lcid) { /* Leave/Orphan */ case LCID_REMOVE: - /* XXXMAC: need check here? */ /* Only root may Leave/Orphan. */ - if (!is_suser1()) + if (!is_suser1()) { + PROC_UNLOCK(p); return (EPERM); + } /* Process not in login context. */ - if (p->p_lctx == NULL) + if (p->p_lctx == NULL) { + PROC_UNLOCK(p); return (ENOATTR); + } - lc = NULL; + l = NULL; break; 
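Review bot: PROC_LOCK(p) is taken only on the LCID_PROC_SELF branch of setlcid, yet every error path that follows, including the new mac_check_proc_setlcid failure path and the LCID_REMOVE checks, calls PROC_UNLOCK(p) no matter which branch produced p; unless pfind() returns the target already locked in this tree, the adopt/orphan path unlocks a lock it never acquired. The intent should be stated at the pfind call either way, e.g. a comment `/* pfind() returns p locked */` if that is the contract here, or an explicit `PROC_LOCK(p);` after the NULL check if it is not. The p_cansee visibility check is still `#if 0`, so a caller can distinguish ESRCH from EPERM for arbitrary pids before any privilege check runs; that is pre-existing, but the new MAC hook is now the only check that sees the target before is_suser1, so sebsd_check_proc_setlcid should not assume the caller has already been vetted. The function continues into the next hunk.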
@@ -199,42 +209,48 @@ case LCID_CREATE: /* Create only valid for self! */ - if (uap->pid != 0) + if (uap->pid != LCID_PROC_SELF) { + PROC_UNLOCK(p); return (EPERM); + } /* Already in a login context. */ - if (p->p_lctx != NULL) + if (p->p_lctx != NULL) { + PROC_UNLOCK(p); return (EPERM); + } - lc = lccreate(); - if (lc == NULL) + l = lccreate(); + if (l == NULL) { + PROC_UNLOCK(p); return (ENOMEM); + } + LCTX_LOCK(l); break; /* Join/Adopt */ default: - /* XXXMAC: need check here? */ /* Only root may Join/Adopt. */ - if (!is_suser1()) + if (!is_suser1()) { + PROC_UNLOCK(p); return (EPERM); + } - lc = lcfind(uap->lcid); - if (lc == NULL) + l = lcfind(uap->lcid); + if (l == NULL) { + PROC_UNLOCK(p); return (ENOATTR); + } break; } leavelctx(p); + enterlctx(p, l, (uap->lcid == LCID_CREATE) ? 1 : 0); - /* Add process to login context. */ - if (lc != NULL) { - p->p_lctx = lc; - LIST_INSERT_HEAD(&lc->lc_members, p, p_lclist); - } - + PROC_UNLOCK(p); return (0); } @@ -251,26 +267,37 @@ */ /* ARGSUSED */ int -getlcid(struct proc *td, struct getlcid_args *uap, register_t *retval) +getlcid(struct proc *p0, struct getlcid_args *uap, register_t *retval) { struct proc *p; + int error; - /* XXXMAC: need check here? */ - - if (uap->pid == 0) { - p = td; + if (uap->pid == LCID_PROC_SELF) { + p = p0; + PROC_LOCK(p); } else { p = pfind(uap->pid); if (p == NULL) return (ESRCH); #if 0 /* XXX: we probably need the Darwin version of this... */ - if (p_cansee(td, p)) + if (p_cansee(p0, p)) { + PROC_UNLOCK(p); return (EPERM); + } #endif } +#ifdef MAC + error = mac_check_proc_getlcid(p0, p, uap->pid); + if (error) { + PROC_UNLOCK(p); + return (error); + } +#endif if (p->p_lctx == NULL) return (ENOATTR); *retval = p->p_lctx->lc_id; + + PROC_UNLOCK(p); return (0); } #endif /* LCTX */ ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_sysctl.c#3 (text+ko) ==== 
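Review bot: The Join/Adopt path has no guard against the target already belonging to the requested context: lcfind returns `l` locked, then leavelctx(p) takes LCTX_LOCK on p->p_lctx, which is the same object, and if p was its last member it unlinks the context, frees its label and FREEs it, after which enterlctx writes into the freed memory and unlocks it. Whether the recursive LCTX_LOCK deadlocks first depends on the lock implementation, but the use-after-free stands either way, and only the LCID_CREATE case checks `p->p_lctx != NULL`. A guard in the default case such as `if (p->p_lctx == l) { LCTX_UNLOCK(l); PROC_UNLOCK(p); return (0); }` (or EPERM, to match CREATE) closes it. Separately, lccreate() is called with PROC_LOCK(p) held and allocates with M_WAITOK, which is only safe if PROC_LOCK can be held across a sleep in this tree. The function begins in the previous hunk.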
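Review bot: getlcid now takes PROC_LOCK(p) on the self branch, but the unchanged `if (p->p_lctx == NULL) return (ENOATTR);` line returns without releasing it, so querying a process that is in no login context leaves the lock held; the new PROC_UNLOCK(p) was added only ahead of the success return. Change it to `if (p->p_lctx == NULL) { PROC_UNLOCK(p); return (ENOATTR); }`. The same asymmetry as in setlcid applies here too: the lock is taken only when uap->pid is LCID_PROC_SELF but released on every later path, which is balanced only if pfind() returns a locked proc in this tree, and that contract is not visible in the diff.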
@@ -501,7 +501,8 @@ || name[0] == KERN_SYSV || name[0] == KERN_AFFINITY || name[0] == KERN_CLASSIC - || name[0] == KERN_PANICINFO) + || name[0] == KERN_PANICINFO + || name[0] == KERN_LCTX) ) return (ENOTDIR); /* overloaded */ @@ -1483,7 +1484,6 @@ return (0); } - /* * Validate parameters and get old / set new parameters * for max number of concurrent aio requests. Makes sure ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/syscalls.c#3 (text+ko) ==== @@ -441,5 +441,8 @@ "__mac_set_fd", /* 402 = __mac_set_fd */ "__mac_get_pid", /* 403 = __mac_get_pid */ "getlcid", /* 404 = getlcid */ - "setlcid" /* 405 = setlcid */ + "setlcid", /* 405 = setlcid */ + "__mac_get_lcid", /* 406 = __mac_get_lcid */ + "__mac_get_lctx", /* 407 = __mac_get_lctx */ + "__mac_set_lctx", /* 408 = __mac_set_lctx */ }; ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/sysctl_init.c#3 (text+ko) ==== @@ -99,6 +99,13 @@ extern struct sysctl_oid sysctl__kern_ipc_sosendminchain; extern struct sysctl_oid sysctl__kern_ipc_sorecvmincopy; extern struct sysctl_oid sysctl__kern_ipc_maxsockets; + +extern struct sysctl_oid sysctl__kern_lctx_all; +extern struct sysctl_oid sysctl__kern_lctx_lcid; +extern struct sysctl_oid sysctl__kern_lctx_last; +extern struct sysctl_oid sysctl__kern_lctx_count; +extern struct sysctl_oid sysctl__kern_lctx_max; + extern struct sysctl_oid sysctl__net_inet_icmp_icmplim; extern struct sysctl_oid sysctl__net_inet_icmp_maskrepl; extern struct sysctl_oid sysctl__net_inet_icmp_timestamp; @@ -270,6 +277,7 @@ extern struct sysctl_oid sysctl__kern_ipc; extern struct sysctl_oid sysctl__kern_sysv; +extern struct sysctl_oid sysctl__kern_lctx; extern struct sysctl_oid sysctl__net_inet; 
@@ -462,6 +470,11 @@ ,&sysctl__kern_ipc_sosendminchain ,&sysctl__kern_ipc_sorecvmincopy ,&sysctl__kern_ipc_maxsockets + ,&sysctl__kern_lctx_all + ,&sysctl__kern_lctx_lcid + ,&sysctl__kern_lctx_last + ,&sysctl__kern_lctx_count + ,&sysctl__kern_lctx_max ,&sysctl__hw_machine ,&sysctl__hw_model @@ -666,6 +679,7 @@ ,&sysctl__vfs_generic_nfs_client ,&sysctl__vfs_generic_nfs_client_initialdowndelay ,&sysctl__vfs_generic_nfs_client_nextdowndelay + ,&sysctl__kern_lctx ,&sysctl__kern_ipc ,&sysctl__kern_sysv ,&sysctl__net_inet ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/Makefile#4 (text+ko) ==== @@ -25,7 +25,7 @@ dir.h dirent.h disk.h disklabel.h disktab.h dkstat.h dmap.h domain.h \ errno.h ev.h event.h eventvar.h exec.h extattr.h fcntl.h file.h filedesc.h filio.h gmon.h ioccom.h ioctl.h \ ioctl_compat.h ipc.h kernel.h kern_event.h ktrace.h libkern.h loadable_fs.h lock.h lockf.h mach_swapon.h malloc.h \ - kdebug.h linker_set.h md5.h kern_control.h \ + kdebug.h lctx.h linker_set.h md5.h kern_control.h \ mac.h mac_policy.h \ mbuf.h mman.h mount.h msgbuf.h mtio.h namei.h netport.h param.h paths.h \ proc.h protosw.h ptrace.h queue.h quota.h random.h reboot.h resource.h resourcevar.h \ ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac.h#5 (text+ko) ==== @@ -84,6 +84,8 @@ int mac_from_text(mac_t *_label, const char *_text); int mac_get_fd(int _fd, mac_t _label); int mac_get_file(const char *_path, mac_t _label); +int mac_get_lcid(pid_t _lcid, mac_t _label); +int mac_get_lctx(mac_t _label); int mac_get_link(const char *_path, mac_t _label); int mac_get_pid(pid_t _pid, mac_t _label); int mac_get_proc(mac_t _label); 
@@ -96,6 +98,7 @@ int mac_prepare_process_label(mac_t *_label); int mac_set_fd(int _fildes, const mac_t _label); int mac_set_file(const char *_path, mac_t _label); +int mac_set_lctx(mac_t _label); int mac_set_link(const char *_path, mac_t _label); int mac_set_proc(const mac_t _label); int mac_syscall(const char *_policyname, int _call, void *_arg); @@ -111,6 +114,7 @@ struct attrlist; struct componentname; struct devnode; +struct lctx; struct mount; struct pseminfo; struct pshminfo; @@ -167,6 +171,8 @@ void mac_vnode_label_free(struct label *label); int mac_get_vnode_audit_labels(struct vnode *vp, struct mac *mac); +struct label *mac_lctx_label_alloc(void); +void mac_lctx_label_free(struct label *label); #define mac_update_task_from_cred(cred, task) \ mac_update_task_label(((cred)->cr_label), task) @@ -256,6 +262,8 @@ void mac_thread_userret(struct uthread *td); #endif +void mac_relabel_lctx(struct lctx *l, struct label *newlabel); + /* * Label cleanup operation: This is the inverse complement for the mac_create * and associate type of hooks. This hook lets the policy module(s) perform @@ -274,6 +282,7 @@ const char *serv, const char *perm); int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel); int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); +int mac_check_lctx_relabel(struct lctx *l, struct label *newlabel); int mac_check_posix_sem_create(struct ucred *cred, const char *name); int mac_check_posix_sem_open(struct ucred *cred, struct pseminfo *ps); int mac_check_posix_sem_post(struct ucred *cred, struct pseminfo *ps); 
@@ -326,6 +335,8 @@ int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum); int mac_check_proc_wait(struct ucred *cred, struct proc *proc); +int mac_check_proc_setlcid(struct proc *, struct proc *, pid_t, pid_t); +int mac_check_proc_getlcid(struct proc *, struct proc *, pid_t); int mac_check_set_fd(struct ucred *cred, struct file *fp, char *buf, int buflen); int mac_check_socket_accept(struct ucred *cred, struct socket *so, @@ -430,6 +441,10 @@ int mac_audit_postselect(struct ucred *cred, unsigned short syscode, void *args, int error, int retval, int mac_forced); +void mac_proc_create_lctx(struct proc *, struct lctx *); +void mac_proc_join_lctx(struct proc *, struct lctx *); +void mac_proc_leave_lctx(struct proc *, struct lctx *); + /* * Calls to help various file systems implement labeling functionality * using their existing EA implementation. ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#11 (text+ko) ==== @@ -55,6 +55,7 @@ struct ifnet; struct ipq; struct label; +struct lctx; struct mac_policy_conf; struct mbuf; struct mount; @@ -219,6 +220,14 @@ ); /** + @brief Initialize Login Context label + @param label New label to initialize +*/ +typedef void mpo_init_lctx_label_t( + struct label *label +); + +/** @brief Initialize devfs label @param label New label to initialize @@ -489,6 +498,14 @@ ); /** + @brief Destroy Login Context label + @param label The label to be destroyed +*/ +typedef void mpo_destroy_lctx_label_t( + struct label *label +); + +/** @brief Destroy devfs label @param label The label to be destroyed 
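Review bot: The new `mac_check_proc_setlcid(struct proc *, struct proc *, pid_t, pid_t)` and `mac_check_proc_getlcid` prototypes drop their parameter names, unlike every neighbouring declaration in this header (`mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)`), and they pass the subject as a `struct proc *` where the rest of the mac_check_proc_* family passes a `struct ucred *`, so a policy must decide for itself which credential of the caller to evaluate. Naming the arguments and recording that decision would help: `int mac_check_proc_setlcid(struct proc *p0, struct proc *p, pid_t pid, pid_t lcid);` with a short comment that p0 is the calling process, p the target, and p0 == p when pid is LCID_PROC_SELF. Whether sebsd's implementation reads p0->p_ucred or something else cannot be checked here, since that file's hunk is truncated from the mail.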
@@ -830,6 +847,29 @@ ); /** + @brief Externalize a Login Context label + @param label Label to be externalized + @param element_name Name of the label namespace for which labels should be + externalized + @param sb String buffer to be filled with a text representation of the label + + Produce an external representation of the label on a Login Context. + An externalized label consists of a text representation + of the label contents that can be used with user applications. + Policy-agnostic user space tools will display this externalized + version. + + @return 0 on success, return non-zero if an error occurs while + externalizing the label data. + +*/ +typedef int mpo_externalize_lctx_label_t( + struct label *label, + char *element_name, + struct sbuf *sb +); + +/** @brief Externalize a vnode label @param label Label to be externalized @param element_name Name of the label namespace for which labels should be @@ -901,6 +941,32 @@ ); /** + @brief Internalize a Login Context label + @param label Label to be internalized + @param element_name Name of the label namespace for which the label should + be internalized + @param element_data Text data to be internalized + + Produce a Login Context label from an external representation. An + externalized label consists of a text representation of the label + contents that can be used with user applications. Policy-agnostic + user space tools will forward text version to the kernel for + processing by individual policy modules. + + The policy's internalize entry points will be called only if the + policy has registered interest in the label namespace. + + @return 0 on success, Otherwise, return non-zero if an error occurs + while internalizing the label data. + +*/ +typedef int mpo_internalize_lctx_label_t( + struct label *label, + char *element_name, + char *element_data +); + +/** @brief Internalize a vnode label @param label Label to be internalized @param element_name Name of the label namespace for which the label should 
@@ -1708,6 +1774,50 @@ /*@}*/ /** + @brief A process has created a login context + @param p Subject + @param l Login Context +*/ +typedef void mpo_proc_create_lctx_t( + struct proc *p, + struct lctx *l +); + +/** + @brief A process has joined a login context + @param p Subject >>> TRUNCATED FOR MAIL (1000 lines) <<<