From owner-svn-soc-all@FreeBSD.ORG Wed Jul 6 05:48:29 2011 Return-Path: Delivered-To: svn-soc-all@FreeBSD.org Received: from socsvn.FreeBSD.org (unknown [IPv6:2001:4f8:fff6::2f]) by hub.freebsd.org (Postfix) with SMTP id 93C571065670 for ; Wed, 6 Jul 2011 05:48:27 +0000 (UTC) (envelope-from aalvarez@FreeBSD.org) Received: by socsvn.FreeBSD.org (sSMTP sendmail emulation); Wed, 06 Jul 2011 05:48:27 +0000 Date: Wed, 06 Jul 2011 05:48:27 +0000 From: aalvarez@FreeBSD.org To: svn-soc-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Message-Id: <20110706054827.93C571065670@hub.freebsd.org> Cc: Subject: socsvn commit: r223991 - in soc2011/aalvarez/pbmac: lib/libugidfw sys/security/mac_bsdextended usr.sbin/ugidfw X-BeenThere: svn-soc-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the entire Summer of Code repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jul 2011 05:48:29 -0000 Author: aalvarez Date: Wed Jul 6 05:48:27 2011 New Revision: 223991 URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=223991 Log: Only store filepath and make checks against it with the help of vn_fullpath_global Modified: soc2011/aalvarez/pbmac/lib/libugidfw/ugidfw.c soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h soc2011/aalvarez/pbmac/usr.sbin/ugidfw/ugidfw.c Modified: soc2011/aalvarez/pbmac/lib/libugidfw/ugidfw.c ============================================================================== --- soc2011/aalvarez/pbmac/lib/libugidfw/ugidfw.c Wed Jul 6 00:50:54 2011 (r223990) +++ soc2011/aalvarez/pbmac/lib/libugidfw/ugidfw.c Wed Jul 6 05:48:27 2011 (r223991) @@ -351,9 +351,9 @@ left -= len; cur += len; } - if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) { + if (rule->mbr_object.mbo_flags & MBO_FPATH_DEFINED) { len = snprintf(cur, left, "filepath %s ", - rule->mbr_object.mbo_fpath); + rule->mbr_object.mbo_fpath ? rule->mbr_object.mbo_fpath : "???"); if (len < 0 || len > left) goto truncated; left -= len; @@ -804,16 +804,9 @@ { size_t len; - len = strlen(spec); - *fpath = malloc(len * sizeof(*spec)); - - if (*fpath == NULL) { - len = snprintf(errstr, buflen, "Unable to allocate memory for filepath %s: %s", - spec, strerror(errno)); - return (-1); - } - - strncpy(*fpath, spec, len); + *fpath = realpath(spec, NULL); + if (*fpath == NULL) + len = snprintf(errstr, buflen, "%s", strerror(errno)); return (0); } Modified: soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c ============================================================================== --- soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c Wed Jul 6 00:50:54 2011 (r223990) +++ soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c Wed Jul 6 05:48:27 2011 (r223991) @@ -137,53 +137,13 @@ } static int -ugidfw_rslv_fpath(struct mac_bsdextended_rule *ruleptr, struct mac_bsdextended_rule *temprule, struct thread *td) -{ - struct nameidata nd; - int error; - struct vnode* vp; - struct vattr vap; - /* Check empty paths */ - if (temprule->mbr_object.mbo_fpath_len < 1) - return EINVAL; - - ruleptr->mbr_object.mbo_fpath_len = temprule->mbr_object.mbo_fpath_len; - ruleptr->mbr_object.mbo_fpath = malloc(sizeof(char)*(ruleptr->mbr_object.mbo_fpath_len+1), - M_MACBSDEXTENDED, M_WAITOK); - - KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL")); - memcpy(ruleptr->mbr_object.mbo_fpath, temprule->mbr_object.mbo_fpath, - ruleptr->mbr_object.mbo_fpath_len+1); - - /* Resolve path to fsid and fileid */ - NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, ruleptr->mbr_object.mbo_fpath, td); - error = namei(&nd); - if (error) - goto out; - - vp = nd.ni_vp; - error = VOP_GETATTR(vp, &vap, td->td_proc->p_ucred); - if (error) - goto out; - - ruleptr->mbr_object.mbo_fsid = vp->v_mount->mnt_stat.f_fsid; - ruleptr->mbr_object.mbo_fid = vap.va_fileid; - -out: - NDFREE(&nd, 0); - if (error) - KMBRFREE((*ruleptr), M_MACBSDEXTENDED); - - return error; -} - -static int sysctl_rule(SYSCTL_HANDLER_ARGS) { struct mac_bsdextended_rule temprule, *ruleptr; u_int namelen; int error, index, *name; - + char * fpath = NULL; + error = 0; name = (int *)arg1; namelen = arg2; @@ -200,10 +160,13 @@ return (error); ruleptr = malloc(sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK | M_ZERO); + + fpath = malloc(sizeof(*fpath)*temprule.mbr_object.mbo_fpath_len, + M_MACBSDEXTENDED, M_WAITOK | M_ZERO); } mtx_lock(&ugidfw_mtx); - if (req->oldptr) { /* Modify rule request */ + if (req->oldptr) { /* Get rule request */ if (index < 0 || index > rule_slots + 1) { error = ENOENT; goto out; @@ -229,23 +192,32 @@ goto out; if (rules[index] == NULL) { *ruleptr = temprule; - if (ruleptr->mbr_object.mbo_flags & MBO_FPATH_DEFINED) { - error = ugidfw_rslv_fpath(ruleptr, &temprule, req->td); - if (error) - goto out; - } rules[index] = ruleptr; ruleptr = NULL; if (index + 1 > rule_slots) rule_slots = index + 1; rule_count++; - } else + } else { + if (rules[index]->mbr_object.mbo_fpath != NULL) + free(rules[index]->mbr_object.mbo_fpath, M_MACBSDEXTENDED); + *rules[index] = temprule; + } + + /* If there's a filepath, make a copy */ + if (temprule.mbr_object.mbo_flags & MBO_FPATH_DEFINED && + temprule.mbr_object.mbo_fpath != NULL) { + copyinstr(temprule.mbr_object.mbo_fpath, fpath, + temprule.mbr_object.mbo_fpath_len, NULL); + rules[index]->mbr_object.mbo_fpath = fpath; + } } out: mtx_unlock(&ugidfw_mtx); - if (ruleptr != NULL) + if (ruleptr != NULL) { + KMBRFREE((*ruleptr), M_MACBSDEXTENDED); free(ruleptr, M_MACBSDEXTENDED); + } if (req->oldptr && error == 0) error = SYSCTL_OUT(req, &temprule, sizeof(temprule)); return (error); @@ -277,7 +249,7 @@ static int ugidfw_rulecheck(struct mac_bsdextended_rule *rule, - struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode) + struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode, char *fpath_hint) { int mac_granted, match, priv_granted; int i; @@ -361,12 +333,8 @@ return (0); } - if (rule->mbr_object.mbo_flags & MBO_FPATH_DEFINED) { - match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid), - &(rule->mbr_object.mbo_fsid), - sizeof(rule->mbr_object.mbo_fsid)) == 0 && - bcmp(&(vap->va_fileid), &(rule->mbr_object.mbo_fid), - sizeof(rule->mbr_object.mbo_fid)) == 0); + if (rule->mbr_object.mbo_flags & MBO_FPATH_DEFINED && fpath_hint != NULL) { + match = strcmp(fpath_hint, rule->mbr_object.mbo_fpath); if (rule->mbr_object.mbo_neg & MBO_FPATH_DEFINED) match = !match; @@ -491,6 +459,8 @@ int acc_mode) { int error, i; + char * fullpath, *freepath; + fullpath = freepath = NULL; /* * Since we do not separately handle append, map append to write. @@ -503,8 +473,16 @@ for (i = 0; i < rule_slots; i++) { if (rules[i] == NULL) continue; + + if (rules[i]->mbr_object.mbo_flags & MBO_FPATH_DEFINED && fullpath == NULL) { + mtx_unlock(&ugidfw_mtx); + vn_fullpath_global(curthread, vp, &fullpath, &freepath); + mtx_lock(&ugidfw_mtx); + } + error = ugidfw_rulecheck(rules[i], cred, - vp, vap, acc_mode); + vp, vap, acc_mode, fullpath); + if (error == EJUSTRETURN) break; if (error) { @@ -513,6 +491,10 @@ } } mtx_unlock(&ugidfw_mtx); + + if (freepath) + free(freepath, M_TEMP); + return (0); } @@ -569,7 +551,7 @@ .mpo_vnode_check_getextattr = ugidfw_vnode_check_getextattr, .mpo_vnode_check_link = ugidfw_vnode_check_link, .mpo_vnode_check_listextattr = ugidfw_vnode_check_listextattr, - .mpo_vnode_check_lookup = ugidfw_vnode_check_lookup, + /* .mpo_vnode_check_lookup = ugidfw_vnode_check_lookup, */ .mpo_vnode_check_open = ugidfw_vnode_check_open, .mpo_vnode_check_readdir = ugidfw_vnode_check_readdir, .mpo_vnode_check_readlink = ugidfw_vnode_check_readdlink, Modified: soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h ============================================================================== --- soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h Wed Jul 6 00:50:54 2011 (r223990) +++ soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h Wed Jul 6 05:48:27 2011 (r223991) @@ -104,7 +104,6 @@ gid_t mbo_gid_max; struct fsid mbo_fsid; int mbo_type; - long mbo_fid; size_t mbo_fpath_len; char* mbo_fpath; }; Modified: soc2011/aalvarez/pbmac/usr.sbin/ugidfw/ugidfw.c ============================================================================== --- soc2011/aalvarez/pbmac/usr.sbin/ugidfw/ugidfw.c Wed Jul 6 00:50:54 2011 (r223990) +++ soc2011/aalvarez/pbmac/usr.sbin/ugidfw/ugidfw.c Wed Jul 6 05:48:27 2011 (r223991) @@ -78,19 +78,20 @@ error = bsde_parse_rule(argc, argv, &rule, BUFSIZ, errstr); if (error) { warnx("%s", errstr); - return; + goto out; } error = bsde_add_rule(&rulenum, &rule, BUFSIZ, errstr); if (error) { warnx("%s", errstr); - return; + goto out; } if (bsde_rule_to_string(&rule, charstr, BUFSIZ) == -1) warnx("Added rule, but unable to print string."); else printf("%d %s\n", rulenum, charstr); +out: MBRFREE(rule); } @@ -131,8 +132,6 @@ else printf("%d %s\n", i, charstr); } - - MBRFREE(rule); } void