Date: Wed, 25 Oct 2006 19:25:11 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 108416 for review Message-ID: <200610251925.k9PJPBbB058057@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=108416 Change 108416 by millert@millert_macbook on 2006/10/25 19:24:34 Change ikm_sender from struct ipc_labelh * to task_t. This allows us to report the correct sender in the avc audit logs for MiG-based permissions. To do this, we now pass a struct proc * to mpo_port_check_method. This change may be reverted in the future but is very useful for debugging. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.h#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_mqueue.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/mach_msg.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_mach_internal.h#8 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#16 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_port.c#7 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#25 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.h#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/ss/mach_av.c#6 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.c#3 (text+ko) ==== @@ -294,9 +294,10 @@ ipc_port_t port; #ifdef MAC - if (kmsg->ikm_sender != NULL){ - labelh_release (kmsg->ikm_sender); - kmsg->ikm_sender = NULL; + if (kmsg->ikm_sender != NULL) { + labelh_release(kmsg->ikm_sender->label); + task_deallocate(kmsg->ikm_sender); + kmsg->ikm_sender = NULL; } #endif @@ -663,8 +664,9 @@ #ifdef MAC if (kmsg->ikm_sender != NULL) { - labelh_release (kmsg->ikm_sender); - kmsg->ikm_sender = NULL; + labelh_release(kmsg->ikm_sender->label); + task_deallocate(kmsg->ikm_sender); + kmsg->ikm_sender = NULL; } #endif } @@ -769,13 +771,13 @@ #endif #ifdef MAC - task_t cur = current_thread()->task; - if (cur) - { - labelh_reference (cur->label); - kmsg->ikm_sender = cur->label; - } - else + /* XXX - why do we zero sender labels here instead of in mach_msg()? */ + task_t cur = current_task(); + if (cur) { + task_reference(cur); + labelh_reference(cur->label); + kmsg->ikm_sender = cur; + } else trailer->msgh_labels.sender = 0; #else trailer->msgh_labels.sender = 0; @@ -869,7 +871,7 @@ trailer->msgh_labels.sender = 0; #ifdef MAC - kmsg->ikm_sender = (ipc_labelh_t)NULL; + kmsg->ikm_sender = NULL; #endif *kmsgp = kmsg; return MACH_MSG_SUCCESS; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_kmsg.h#2 (text+ko) ==== @@ -94,7 +94,7 @@ struct ipc_kmsg *ikm_prev; ipc_port_t ikm_prealloc; /* port we were preallocated from */ mach_msg_size_t ikm_size; - struct ipc_labelh *ikm_sender; + task_t ikm_sender; mach_msg_header_t *ikm_header; }; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_mqueue.c#3 (text+ko) ==== @@ -716,7 +716,7 @@ #ifdef MAC if (self->ith_kmsg != NULL && self->ith_kmsg->ikm_sender != NULL) { - lh = self->ith_kmsg->ikm_sender; + lh = self->ith_kmsg->ikm_sender->label; task = current_task(); tasklabel_lock(task); ip_lock(lh->lh_port); @@ -745,7 +745,7 @@ #ifdef MAC if (self->ith_kmsg != NULL && self->ith_kmsg->ikm_sender != NULL) { - lh = self->ith_kmsg->ikm_sender; + lh = self->ith_kmsg->ikm_sender->label; task = current_task(); tasklabel_lock(task); ip_lock(lh->lh_port); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/mach_msg.c#5 (text+ko) ==== @@ -314,7 +314,8 @@ #ifdef MAC if (kmsg->ikm_sender != NULL && IP_VALID(kmsg->ikm_header->msgh_remote_port) && - mac_port_check_method(&kmsg->ikm_sender->lh_label, + mac_port_check_method(kmsg->ikm_sender, + &kmsg->ikm_sender->maclabel, &((ipc_port_t)kmsg->ikm_header->msgh_remote_port)->ip_label, kmsg->ikm_header->msgh_id) == 0) trailer->msgh_ad = 1; @@ -331,7 +332,7 @@ if (option & MACH_RCV_TRAILER_ELEMENTS (MACH_RCV_TRAILER_LABELS)) { #ifdef MAC if (kmsg->ikm_sender != NULL) { - ipc_labelh_t lh = kmsg->ikm_sender; + ipc_labelh_t lh = kmsg->ikm_sender->label; kern_return_t kr; ip_lock(lh->lh_port); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_mach_internal.h#8 (text+ko) ==== @@ -31,7 +31,7 @@ void mac_task_label_update_internal(struct label *pl, struct task *t); int mac_port_label_compute(struct label *subj, struct label *obj, const char *serv, struct label *out); -int mac_port_check_method(struct label *task, struct label *port, int msgid); +int mac_port_check_method(task_t task, struct label *sub, struct label *obj, int msgid); #ifdef MAC void mac_policy_init(void); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#16 (text+ko) ==== @@ -2867,6 +2867,7 @@ /** @brief Compute access control check for a Mach message-based service + @param proc Sender's process structure (may be NULL) @param task Sender's task label @param port Destination port label @param msgid Message id @@ -2884,6 +2885,7 @@ */ typedef int mpo_port_check_method_t( + struct proc *proc, struct label *task, struct label *port, int msgid ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_port.c#7 (text+ko) ==== @@ -244,11 +244,11 @@ } int -mac_port_check_method(struct label *task, struct label *port, int msgid) +mac_port_check_method(task_t task, struct label *sub, struct label *obj, int msgid) { int error; - MAC_CHECK(port_check_method, task, port, msgid); + MAC_CHECK(port_check_method, get_bsdtask_info(task), sub, obj, msgid); return (error); } ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#3 (text+ko) ==== @@ -653,7 +653,7 @@ u16 tclass, u32 requested, struct av_decision *avd, int result, struct avc_audit_data *a) { - struct proc *tsk = current_proc(); + struct proc *tsk; u32 denied, audited; struct audit_buffer *ab; @@ -679,10 +679,10 @@ audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); avc_dump_av(ab, tclass,audited); audit_log_format(ab, " for "); -#ifdef __linux__ if (a && a->tsk) tsk = a->tsk; -#endif + else + tsk = current_proc(); /* XXX, should be set by caller */ if (tsk && tsk->p_pid) { audit_log_format(ab, " pid=%d comm=", tsk->p_pid); audit_log_untrustedstring(ab, tsk->p_comm); @@ -799,6 +799,9 @@ a->u.net.netif); #endif /* __linux__ */ break; + case AVC_AUDIT_DATA_MIG: + audit_log_format(ab, " msgid=%d", a->u.ipc_id); + break; } } audit_log_format(ab, " "); ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#2 (text+ko) ==== @@ -34,7 +34,7 @@ */ struct avc_entry; -struct task_struct; +struct proc; struct xsocket; /* Auxiliary data to use in generating the audit record. */ @@ -44,9 +44,8 @@ #define AVC_AUDIT_DATA_NET 2 #define AVC_AUDIT_DATA_CAP 3 #define AVC_AUDIT_DATA_IPC 4 -#ifdef __linux__ - struct task_struct *tsk; -#endif +#define AVC_AUDIT_DATA_MIG 5 + struct proc *tsk; union { struct { struct vnode *vp; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#25 (text+ko) ==== @@ -1481,14 +1481,15 @@ } static int -sebsd_port_check_method(struct label *subj, struct label *obj, int msgid) +sebsd_port_check_method(struct proc *p, struct label *subj, struct label *obj, + int msgid) { struct task_security_struct *tsec, *psec; psec = SLOT(obj); tsec = SLOT(subj); - return (sebsd_ipc_check_method1(tsec->sid,psec->sid, msgid)); + return (sebsd_ipc_check_method1(p, tsec->sid, psec->sid, msgid)); } static int ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.h#5 (text+ko) ==== @@ -57,6 +57,6 @@ extern int sebsd_syscall(struct proc *p, int call, user_addr_t args); extern int cred_has_system(struct ucred *cred, u_int32_t perm); extern int cred_has_security(struct ucred *cred, u_int32_t perm); -extern int sebsd_ipc_check_method1(int subj, int obj, int msgid); +extern int sebsd_ipc_check_method1(struct proc *p, int subj, int obj, int msgid); #endif /* _SYS_SECURITY_SEBSD_H */ ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/ss/mach_av.c#6 (text+ko) ==== @@ -154,13 +154,18 @@ int -sebsd_ipc_check_method1(int subj, int obj, int msgid) +sebsd_ipc_check_method1(struct proc *p, int subj, int obj, int msgid) { struct msgid_classinfo *mcl; u16 tclass; u32 perms, cl; int msgid_norm; + struct avc_audit_data ad; + AVC_AUDIT_DATA_INIT(&ad, MIG); + ad.u.ipc_id = msgid; + ad.tsk = p; + /* * Return allowed for messages in an unknown subsystem. * Instead, we probably should make a check against a @@ -190,5 +195,5 @@ lck_rw_unlock_shared(migscs_rwlock); perms = (u32)1 << (msgid_norm - (cl * 8 * sizeof(u32))); - return avc_has_perm(subj, obj, tclass, perms, NULL); + return avc_has_perm(subj, obj, tclass, perms, &ad); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200610251925.k9PJPBbB058057>