From owner-p4-projects@FreeBSD.ORG Tue Nov 14 18:54:28 2006
Date: Tue, 14 Nov 2006 18:54:23 GMT
Message-Id: <200611141854.kAEIsNQW013010@repoman.freebsd.org>
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 109964 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Nov 2006 18:54:28 -0000 http://perforce.freebsd.org/chv.cgi?CH=109964 Change 109964 by millert@millert_g5tower on 2006/11/14 18:53:49 Add mac_task_check_get_port() to mediate task_for_pid(). We pass in both the task and the task label to the entrypoint, though since the task is opaque it is not good for much other than getting the associated BSD process. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#16 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#25 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_task.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#38 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#16 (text+ko) ==== @@ -79,6 +79,7 @@ struct m_tag; struct vop_setlabel_args; struct pipe; +struct task; /* * Framework initialization. @@ -388,6 +389,7 @@ int mac_system_check_sysctl(struct ucred *cred, int *name, u_int namelen, void *oldctl, size_t *oldlenp, int inkernel, void *newctl, size_t newlen); +int mac_task_check_get_port(struct ucred *cred, struct task *task); int mac_vnode_check_access(struct ucred *cred, struct vnode *vp, int acc_mode); int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#25 (text+ko) ==== 
@@ -2150,6 +2150,26 @@ ); /** + @brief Access control check for getting a task's port + @param cred Subject credential + @param task Object task + @param tasklabel Object task's label + + Determine whether the subject identified by the credential can get + the passed task's control port. + This call is used by the task_for_pid(2) API. + + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. Suggested failure: EACCES for label mismatch, + EPERM for lack of privilege, or ESRCH to hide visibility of the target. +*/ +typedef int mpo_task_check_get_port_t( + struct ucred *cred, + struct task *task, + struct label *tasklabel +); + +/** @brief Update credential at exec time @param old Existing subject credential @param new New subject credential to be labeled @@ -5608,6 +5628,7 @@ mpo_system_check_swapon_t *mpo_system_check_swapon; mpo_system_check_swapoff_t *mpo_system_check_swapoff; mpo_system_check_sysctl_t *mpo_system_check_sysctl; + mpo_task_check_get_port_t *mpo_task_check_get_port; mpo_vnode_check_access_t *mpo_vnode_check_access; mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_task.c#6 (text+ko) ==== @@ -107,3 +107,13 @@ return (error); } + +int +mac_task_check_get_port(struct ucred *cred, struct task *task) +{ + int error; + + MAC_CHECK(task_check_get_port, cred, task, mac_task_get_label(task)); + + return (error); +} ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#38 (text+ko) ==== 
@@ -1672,6 +1672,20 @@ } static int +sebsd_task_check_get_port(struct ucred *cred, struct task *task, + struct label *tasklabel) +{ + struct task_security_struct *subj, *obj; + + subj = SLOT(cred->cr_label); + obj = SLOT(tasklabel); + + /* XXX - need new perm, not PROCESS__PTRACE */ + return (avc_has_perm(subj->sid, obj->sid, + SECCLASS_PROCESS, PROCESS__PTRACE, NULL)); +} + +static int sebsd_proc_check_debug(struct ucred *cred, struct proc *proc) { @@ -3649,6 +3663,7 @@ .mpo_port_check_hold_send_once = sebsd_port_check_hold_send_once, .mpo_port_check_hold_receive = sebsd_port_check_hold_recv, .mpo_proc_check_debug = sebsd_proc_check_debug, + .mpo_task_check_get_port = sebsd_task_check_get_port, .mpo_proc_check_getaudit = sebsd_proc_check_getaudit, .mpo_proc_check_mprotect = sebsd_proc_check_mprotect, .mpo_proc_check_sched = sebsd_proc_check_sched,
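Review bot: in the mac_policy.h hunk the doc comment for mpo_task_check_get_port_t says the call is used by the task_for_pid(2) API, but none of the four affected files in this change contains a call to mac_task_check_get_port(), so the entry point is declared and implemented here with no enforcing caller. Either the task_for_pid() call site should be part of this change or the commit message should state that the caller lands separately; until then a policy that implements the hook mediates nothing.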
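Review bot: in the mac_task.c hunk, mac_task_check_get_port() fetches the label with mac_task_get_label(task) inside the MAC_CHECK argument list; if MAC_CHECK expands its arguments in the per-policy loop, as the FreeBSD framework macro does, that lookup runs once per loaded policy. Capturing it first, `struct label *tasklabel = mac_task_get_label(task);`, and passing tasklabel keeps a single lookup and reads like the other mac_*_check functions. There is also no check that task is non-NULL, so that guarantee has to come from the (not yet present) task_for_pid() caller.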
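Review bot: sebsd_task_check_get_port() gates the task port on PROCESS__PTRACE and the XXX comment admits a new permission is needed. Reusing ptrace is a defensible interim choice, since holding a task's control port gives at least ptrace-level control over the target, but the dedicated permission should be added before this is merged or tracked as an open item: as written, policy cannot distinguish task_for_pid() from whatever else is gated by PROCESS__PTRACE, and an AVC denial for this path will be logged as a ptrace denial, which hides the actual operation from anyone reading audit records.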
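Review bot: the .mpo_task_check_get_port entry in the ops table is inserted between .mpo_proc_check_debug and .mpo_proc_check_getaudit, in the middle of the mpo_proc_check_* block, while in mac_policy.h the new member sits after mpo_system_check_sysctl and before mpo_vnode_check_access. Keeping the ops table in the same order as the struct makes missing or duplicated entries easier to spot when reviewing policy coverage.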