Date: Thu, 14 Jun 2007 04:10:18 GMT From: Zhouyi ZHOU <zhouzhouyi@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 121612 for review Message-ID: <200706140410.l5E4AI7u057962@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=121612
Change 121612 by zhouzhouyi@zhouzhouyi_mactest on 2007/06/14 04:09:46
Special handling in mac_test_check_vnode_read and so on to avoid recursing in read /dev/mactestpipe
Affected files ...
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test.c#6 edit
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test_private.h#4 edit
Differences ...
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test.c#6 (text+ko) ====
@@ -61,6 +61,7 @@
 #include <sys/sx.h>
 #include <sys/sysctl.h>
 #include <sys/mac.h>
+#include <sys/extattr.h>
 #include <fs/devfs/devfs.h>
 #include <net/bpfdesc.h>
@@ -667,19 +668,37 @@
 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel)
 {
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_associate_vnode_devfs with mplabel delabel and vplabel:",
+ strlen("mac_test_associate_vnode_devfs with mplabel delabel and vplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL3(vnode,mplabel,vnode,delabel,vnode,vplabel);
+ if (delabel != NULL && SLOT(delabel) == MAGIC_MACTESTPIPE)
+ LABEL_INIT(vplabel, MAGIC_MACTESTPIPE);
 LABEL_CHECK(mplabel, MAGIC_MOUNT);
 LABEL_CHECK(delabel, MAGIC_DEVFS);
 LABEL_CHECK(vplabel, MAGIC_VNODE);
 COUNTER_INC(associate_vnode_devfs);
 }
-
+/*
+ * To avoid recursion on reading /dev/mactestpipe to a tempory file
+ * we associate the file with "mac_test" mac_test extattr with
+ * MAGIC_MACTESTPIPE label
+ */
+
 COUNTER_DECL(associate_vnode_extattr);
 static int
 mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel)
 {
-
+ char mac_test[64];
+ int error, buflen = 64;
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_associate_vnode_extattr with mplabel and vplabel:",
+ strlen("mac_test_associate_vnode_extattr with mplabel and vplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(vnode,mplabel,vnode,vplabel);
+ bzero(mac_test,buflen);
+ error = vn_extattr_get(vp, IO_NODELOCKED, EXTATTR_NAMESPACE_SYSTEM,
+ "mac_test", &buflen, mac_test, curthread);
+ if (!error && !strncmp(mac_test,"mac_test", 8))
+ LABEL_INIT(vplabel, MAGIC_MACTESTPIPE);
 LABEL_CHECK(mplabel, MAGIC_MOUNT);
 LABEL_CHECK(vplabel, MAGIC_VNODE);
 COUNTER_INC(associate_vnode_extattr);
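Review bot: In both mac_test_associate_vnode_devfs and mac_test_associate_vnode_extattr the new `LABEL_INIT(vplabel, MAGIC_MACTESTPIPE)` is immediately followed by the existing `LABEL_CHECK(vplabel, MAGIC_VNODE)`; LABEL_CHECK's definition is outside this hunk, but if it asserts that the slot carries the expected magic (as mac_test's other checks do), every vnode tagged for the recursion bypass will trip that assertion, and the same applies to `LABEL_CHECK(delabel, MAGIC_DEVFS)` once a devfs dirent carries MAGIC_MACTESTPIPE. The extattr path also deserves a stated trust boundary: any file whose system-namespace "mac_test" attribute begins with "mac_test" is exempted from check_vnode_read reporting, which is presumably acceptable only because that namespace is privileged to write, so the header comment should say so, e.g. `/* Only the privileged system extattr namespace may set this tag; tagged files are never reported by check_vnode_read. */`. Minor: `buflen = 64` duplicates the array size and `bzero(mac_test,buflen)` relies on it, so `int error, buflen = sizeof(mac_test);` keeps the two from drifting. Both functions start outside the hunk.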
@@ -692,7 +711,9 @@
 mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel)
 {
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_associate_vnode_singlelabel with mplabel and vplabel:",
+ strlen("mac_test_associate_vnode_singlelabel with mplabel and vplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(vnode,mplabel,vnode,vplabel);
 LABEL_CHECK(mplabel, MAGIC_MOUNT);
 LABEL_CHECK(vplabel, MAGIC_VNODE);
 COUNTER_INC(associate_vnode_singlelabel);
@@ -703,7 +724,9 @@
 mac_test_create_devfs_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
 {
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_create_devfs_device with delabel:",
+ strlen("mac_test_create_devfs_device with delabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL(vnode,delabel);
 if (cred != NULL)
 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 LABEL_CHECK(delabel, MAGIC_DEVFS);
@@ -726,7 +749,9 @@
 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, struct label *delabel)
 {
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_create_devfs_symlink with ddlabel and delabel:",
+ strlen("mac_test_create_devfs_symlink with ddlabel and delabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(vnode,ddlabel,vnode,delabel);
 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 LABEL_CHECK(ddlabel, MAGIC_DEVFS);
 LABEL_CHECK(delabel, MAGIC_DEVFS);
@@ -739,7 +764,9 @@
 struct label *mplabel, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_create_vnode_extattr with mplabel dvplabel and vplabel:",
+ strlen("mac_test_create_vnode_extattr with mplabel dvplabel and vplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL3(vnode,mplabel,vnode,dvplabel,vnode,vplabel);
 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 LABEL_CHECK(mplabel, MAGIC_MOUNT);
 LABEL_CHECK(dvplabel, MAGIC_VNODE);
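Review bot: Every new MACTEST_PIPE_SUBMIT_WITHPID call in this hunk (and in the associate_vnode_devfs, create_mount, relabel_vnode, setlabel_vnode_extattr and check_vnode_read hunks) spells the message literal twice, once as the string and once inside strlen(), so the two copies can silently diverge and the length is computed at run time for a constant. A one-line wrapper in mac_test_private.h removes the duplication: `#define MACTEST_PIPE_SUBMIT_MSG(s) MACTEST_PIPE_SUBMIT_WITHPID((s), sizeof(s) - 1)`, after which each call site is a single line such as `MACTEST_PIPE_SUBMIT_MSG("mac_test_create_devfs_device with delabel:");`. Note also that the WITHPID macro body reads `td->td_proc->p_pid` while none of the hook signatures here take a `td`; presumably the macro's leading lines, outside the hunk, bind it, but that dependency is worth a comment at the macro. Each enclosing function begins outside the hunk.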
@@ -753,7 +780,9 @@
 mac_test_create_mount(struct ucred *cred, struct mount *mp, struct label *mplabel)
 {
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_create_mount with mplabel:",
+ strlen("mac_test_create_mount with mplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL(vnode,mplabel);
 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 LABEL_CHECK(mplabel, MAGIC_MOUNT);
 COUNTER_INC(create_mount);
@@ -764,7 +793,9 @@
 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *label)
 {
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_relabel_vnode with vplabel and label:",
+ strlen("mac_test_relabel_vnode with vplabel and label:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(vnode,vplabel,vnode,label);
 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 LABEL_CHECK(vplabel, MAGIC_VNODE);
 LABEL_CHECK(label, MAGIC_VNODE);
@@ -776,7 +807,9 @@
 mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *intlabel)
 {
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_setlabel_vnode_extattr with vplabel and intlabel:",
+ strlen("mac_test_setlabel_vnode_extattr with vplabel and intlabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(vnode,vplabel,vnode,intlabel);
 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 LABEL_CHECK(vplabel, MAGIC_VNODE);
 LABEL_CHECK(intlabel, MAGIC_VNODE);
@@ -1629,7 +1662,7 @@
 mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp, struct label *pipelabel)
 {
-
+
 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 LABEL_CHECK(pipelabel, MAGIC_PIPE);
 COUNTER_INC(check_pipe_read);
@@ -2326,6 +2359,12 @@
 struct vnode *vp, struct label *vplabel)
 {
+ if (vplabel != NULL && SLOT(vplabel) != MAGIC_MACTESTPIPE){
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_check_vnode_read with cred label and vplabel:",
+ strlen("mac_test_check_vnode_read with cred label and vplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(cred,active_cred->cr_label,vnode,vplabel);
+ }
+

 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 if (file_cred != NULL)
 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test_private.h#4 (text+ko) ====
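Review bot: The recursion guard `if (vplabel != NULL && SLOT(vplabel) != MAGIC_MACTESTPIPE)` also suppresses reporting whenever vplabel is NULL, so reads of files on unlabeled mounts are never submitted to the pipe even though they cannot be the mactestpipe temp file. If that is intended, the condition deserves a comment saying unlabeled vnodes are deliberately skipped; if not, the guard should be `if (vplabel == NULL || SLOT(vplabel) != MAGIC_MACTESTPIPE) {` so that only vnodes positively tagged MAGIC_MACTESTPIPE are exempt. The externalized `active_cred->cr_label` is also submitted before the existing `LABEL_CHECK(active_cred->cr_label, MAGIC_CRED)` validates it; moving the block below the checks keeps the reporting on validated labels. mac_test_check_vnode_read starts and ends outside the hunk.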
@@ -19,19 +19,78 @@
 char *buffer; \
 char *elements1 = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
 if (!elements1) \
+ goto exit1; \
+ strcpy(elements1, elements); \
+ buffer = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
+ if (!buffer) \
 goto exit; \
+ MAC_EXTERNALIZE(type,label, elements1, buffer, 256); \
+ strleng = strlen(buffer); \
+ *(buffer + strleng) = '\n'; \
+ mactest_pipe_submit(buffer, strleng + 1); \
+ free(buffer, M_MACTEST_PIPE); \
+exit: \
+ free(elements1, M_MACTEST_PIPE); \
+exit1: \
+ ;/*extra ; to avoid label at the end of compound statement*/ \
+}while(0)
+
+#define MACTEST_PIPE_SUBMIT_LABEL2(type,label,type1,label1) do { \
+ int error; \
+ int strleng = 0; \
+ char *buffer; \
+ char *elements1 = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
+ if (!elements1) \
+ goto exit3; \
 strcpy(elements1, elements); \
 buffer = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
 if (!buffer) \
- goto exit1; \
+ goto exit2; \
+ MAC_EXTERNALIZE(type,label, elements1, buffer, 256); \
+ strleng = strlen(buffer); \
+ mactest_pipe_submit(buffer, strleng); \
+ mactest_pipe_submit(" ", 1); \
+ strcpy(elements1, elements); \
+ MAC_EXTERNALIZE(type1,label1, elements1, buffer, 256); \
+ strleng = strlen(buffer); \
+ *(buffer + strleng) = '\n'; \
+ mactest_pipe_submit(buffer, strleng + 1); \
+ free(buffer, M_MACTEST_PIPE); \
+exit2: \
+ free(elements1, M_MACTEST_PIPE); \
+exit3: \
+ ;/*extra ; to avoid label at the end of compound statement*/ \
+}while(0)
+
+#define MACTEST_PIPE_SUBMIT_LABEL3(type,label,type1,label1,type2,label2) do { \
+ int error; \
+ int strleng = 0; \
+ char *buffer; \
+ char *elements1 = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
+ if (!elements1) \
+ goto exit5; \
+ strcpy(elements1, elements); \
+ buffer = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
+ if (!buffer) \
+ goto exit4; \
 MAC_EXTERNALIZE(type,label, elements1, buffer, 256); \
 strleng = strlen(buffer); \
+ mactest_pipe_submit(buffer, strleng); \
+ mactest_pipe_submit(" ", 1); \
+ strcpy(elements1, elements); \
+ MAC_EXTERNALIZE(type1,label1, elements1, buffer, 256); \
+ strleng = strlen(buffer); \
+ mactest_pipe_submit(buffer, strleng); \
+ mactest_pipe_submit(" ", 1); \
+ strcpy(elements1, elements); \
+ MAC_EXTERNALIZE(type2,label2, elements1, buffer, 256); \
+ strleng = strlen(buffer); \
 *(buffer + strleng) = '\n'; \
 mactest_pipe_submit(buffer, strleng + 1); \
 free(buffer, M_MACTEST_PIPE); \
-exit1: \
+exit4: \
 free(elements1, M_MACTEST_PIPE); \
-exit: \
+exit5: \
 ;/*extra ; to avoid label at the end of compound statement*/ \
 }while(0)

@@ -41,12 +100,12 @@
 char *buffer; \
 buffer = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
 if (!buffer) \
- goto exit2; \
+ goto exit6; \
 sprintf(buffer,"pid = %d ", td->td_proc->p_pid); \
 mactest_pipe_submit(buffer, strlen(buffer)); \
 mactest_pipe_submit(string, length); \
 free(buffer, M_MACTEST_PIPE); \
-exit2: \
+exit6: \
 ; \
 }while(0)
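Review bot: In MACTEST_PIPE_SUBMIT_LABEL, LABEL2 and LABEL3 the `int error` that MAC_EXTERNALIZE presumably reports through is never tested, and `buffer` comes from malloc(M_NOWAIT) without M_ZERO, so on a failed externalize `strlen(buffer)` reads uninitialized heap and `*(buffer + strleng) = '\n'` can land outside the 256-byte allocation. Each externalize should be followed by a bail-out on its own cleanup label, e.g. `if (error) goto exit4; \` after the three MAC_EXTERNALIZE lines in LABEL3 (exit2 in LABEL2, exit in LABEL), or the allocation should add M_ZERO so the worst case is an empty record. The goto labels baked into the macros also mean that expanding the same macro twice in one function is a duplicate-label compile error; the exit1–exit6 numbering only keeps different macros apart, which deserves a comment at the top of the header, e.g. `/* Each SUBMIT macro may be expanded at most once per function: the cleanup labels are not unique per expansion. */`. In the WITHPID hunk below, `sprintf(buffer,"pid = %d ", ...)` fits in 256 bytes but `snprintf(buffer, 256, ...)` would make that bound explicit. MAC_EXTERNALIZE's definition and the first lines of the WITHPID macro are outside these hunks.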