Date: Thu, 7 Sep 2006 13:25:59 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 105778 for review Message-ID: <200609071325.k87DPxvA010630@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=105778 Change 105778 by millert@millert_g5tower on 2006/09/07 13:25:54 Add mac_task_internalize_label, mac_task_externalize_label, mac_task_copy_label and their associated entry points. This allows us to support policies where task and port labels are different. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_labelh.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_mach_internal.h#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#7 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_task.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/ipctrace/module/ipctrace.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#8 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#12 edit .. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#6 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_labelh.c#5 (text+ko) ====
@@ -91,8 +91,7 @@
 kern_return_t kr;
 mac_task_init_label(&inl);
- /* XXX - should be mac_task_internalize_label */
- if (mac_port_internalize_label(&inl, labelstr))
+ if (mac_task_internalize_label(&inl, labelstr))
 return (KERN_INVALID_ARGUMENT);
 kr = labelh_new_user(space, &inl, namep);
@@ -141,8 +140,7 @@
 lh = labelh_new();
 ip_lock(lh->lh_port);
 mac_task_init_label(&lh->lh_label);
- /* XXX - should be mac_task_copy_label */
- mac_port_copy_label(&old->lh_label, &lh->lh_label);
+ mac_task_copy_label(&old->lh_label, &lh->lh_label);
 ip_unlock(lh->lh_port);
 return (lh);
 }
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_mach_internal.h#3 (text+ko) ====
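Review bot: The failure path in the first ipc_labelh.c hunk returns `KERN_INVALID_ARGUMENT` straight after `mac_task_init_label(&inl)` without releasing the label, so each rejected label string may leak whatever the policies allocated in their init hooks. `labelstr` goes to `mac_task_internalize_label`, which the mac_policy.h text in this change describes as fed by user space tools, so this path is presumably reachable with caller-chosen input. I would call `mac_task_destroy_label(&inl);` before `return (KERN_INVALID_ARGUMENT);`. The enclosing function starts and ends outside the hunk, so who owns `inl` on the success path could not be checked here.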
@@ -39,6 +39,7 @@
 /* tasks */
 void mac_task_init_label(struct label *);
+void mac_task_copy_label(struct label *src, struct label *dest);
 void mac_task_destroy_label(struct label *);
 void mac_task_create(struct task *, struct task *, struct label *, struct label *, struct label *);
@@ -70,6 +71,7 @@
 int mac_port_check_hold_receive(struct label *task, struct label *port);
 int mac_task_externalize_label(struct label *, char *e, char *out, size_t olen, int flags);
+int mac_task_internalize_label(struct label *label, char *string);
 int mac_port_externalize_label(struct label *, char *e, char *out, size_t olen, int flags);
 int mac_port_internalize_label(struct label *label, char *string);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#7 (text+ko) ====
@@ -944,6 +944,19 @@
 );
 /**
+ @brief Copy a Mach task label
+ @param src Source task label
+ @param dest Destination task label
+
+ Copy the Mach task label information from src to dest. This is used
+ when duplicating label handles to implement copy-on-write semantics.
+*/
+typedef void mpo_task_copy_label_t(
+ struct label *src,
+ struct label *dest
+);
+
+/**
 @brief Externalize a user credential label
 @param label Label to be externalized
 @param element_name Name of the label namespace for which labels should be
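Review bot: The new `mpo_task_copy_label_t` comment (mac_policy.h hunk at -944) does not say in what context the hook runs, yet the only caller in this change, the second ipc_labelh.c hunk, invokes `mac_task_copy_label` between `ip_lock(lh->lh_port)` and `ip_unlock(lh->lh_port)`. Assuming that lock may not be held across a sleep, I would add a sentence such as `Called with the label handle's port locked; this entry point must not block.` and note that `dest` has already been through the task init hook, as that caller does. Policies that keep a pointer in the slot need this stated so they copy contents rather than share or leak label storage.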
@@ -1013,6 +1026,28 @@
 );
 /**
+ @brief Externalize a task label
+ @param label Label to be externalized
+ @param element_name Name of the label namespace for which labels should be
+ externalized
+ @param sb String buffer to be filled with a text representation of the label
+
+ Produce an external representation of the label on a task. An
+ externalized label consists of a text representation of the label
+ contents that can be used with user applications. Policy-agnostic
+ user space tools will display this externalized version.
+
+ @return 0 on success, return non-zero if an error occurs while
+ externalizing the label data.
+
+*/
+typedef int mpo_task_externalize_label_t(
+ struct label *label,
+ char *element_name,
+ struct sbuf *sb
+);
+
+/**
 @brief Externalize a vnode label
 @param label Label to be externalized
 @param element_name Name of the label namespace for which labels should be
@@ -1161,6 +1196,32 @@
 );
 /**
+ @brief Internalize a task label
+ @param label Label to be internalized
+ @param element_name Name of the label namespace for which the label should
+ be internalized
+ @param element_data Text data to be internalized
+
+ Produce a task label from an external representation. An
+ externalized label consists of a text representation of the label
+ contents that can be used with user applications. Policy-agnostic
+ user space tools will forward text version to the kernel for
+ processing by individual policy modules.
+
+ The policy's internalize entry points will be called only if the
+ policy has registered interest in the label namespace.
+
+ @return 0 on success, Otherwise, return non-zero if an error occurs
+ while internalizing the label data.
+
+*/
+typedef int mpo_task_internalize_label_t(
+ struct label *label,
+ char *element_name,
+ char *element_data
+);
+
+/**
 @brief Internalize a vnode label
 @param label Label to be internalized
 @param element_name Name of the label namespace for which the label should
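Review bot: The `mpo_task_internalize_label_t` comment (hunk at -1161) should state that `element_data` is untrusted text from user space, since the typedef passes a bare `char *element_data` with no length and the comment itself says user space tools forward it to the kernel. I would add `element_data is a NUL-terminated string supplied by user space; the policy must validate it completely and leave label unmodified on error.` after confirming the termination guarantee in the framework code, which is not part of this change. The return line would read better as `@return 0 on success, otherwise non-zero if an error occurs while internalizing the label data.`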
@@ -4881,11 +4942,13 @@
 mpo_port_copy_label_t *mpo_port_copy_label;
 mpo_socket_copy_label_t *mpo_socket_copy_label;
 mpo_pipe_copy_label_t *mpo_pipe_copy_label;
+ mpo_task_copy_label_t *mpo_task_copy_label;
 mpo_cred_externalize_label_t *mpo_cred_externalize_label;
 mpo_cred_externalize_audit_label_t *mpo_cred_externalize_audit_label;
 mpo_lctx_externalize_label_t *mpo_lctx_externalize_label;
 mpo_socket_externalize_label_t *mpo_socket_externalize_label;
 mpo_socket_peer_externalize_label_t *mpo_socket_peer_externalize_label;
+ mpo_task_externalize_label_t *mpo_task_externalize_label;
 mpo_vnode_externalize_label_t *mpo_vnode_externalize_label;
 mpo_vnode_externalize_audit_label_t *mpo_vnode_externalize_audit_label;
 mpo_pipe_externalize_label_t *mpo_pipe_externalize_label;
@@ -4893,6 +4956,7 @@
 mpo_cred_internalize_label_t *mpo_cred_internalize_label;
 mpo_lctx_internalize_label_t *mpo_lctx_internalize_label;
 mpo_socket_internalize_label_t *mpo_socket_internalize_label;
+ mpo_task_internalize_label_t *mpo_task_internalize_label;
 mpo_vnode_internalize_label_t *mpo_vnode_internalize_label;
 mpo_pipe_internalize_label_t *mpo_pipe_internalize_label;
 mpo_mount_internalize_label_t *mpo_mount_internalize_label;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_task.c#3 (text+ko) ====
@@ -54,6 +54,13 @@
 }
 void
+mac_task_copy_label(struct label *src, struct label *dest)
+{
+
+ MAC_PERFORM(task_copy_label, src, dest);
+}
+
+void
 mac_task_destroy_label(struct label *label)
 {
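Review bot: The three new members of the policy operations structure (hunks at -4881 and -4893) are inserted between existing members rather than appended, which shifts the offset of every function pointer declared after them. A policy module compiled against the previous mac_policy.h and loaded into a kernel built with this one would have its hooks read from the wrong slots, so an access-check slot could end up holding an unrelated function or NULL. If prebuilt modules are possible in this tree, append the members at the end or gate loading on a version field; otherwise record the requirement with a comment such as `/* layout changed: all policy modules must be rebuilt */`. The structure's opening and any version field lie outside both hunks.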
@@ -88,10 +95,20 @@
 if (elements[0] == '*') {
 int count;
- MAC_EXTERNALIZE_REGISTERED_LABELS(cred, label, outbuf,
+ MAC_EXTERNALIZE_REGISTERED_LABELS(task, label, outbuf,
 outbuflen, count);
 } else
- MAC_EXTERNALIZE_LIST(cred, label, elements, outbuf, outbuflen);
+ MAC_EXTERNALIZE_LIST(task, label, elements, outbuf, outbuflen);
+
+ return (error);
+}
+
+int
+mac_task_internalize_label(struct label *label, char *string)
+{
+ int error;
+
+ MAC_INTERNALIZE_LIST(task, label, string);
 return (error);
 }
==== //depot/projects/trustedbsd/sedarwin8/policies/ipctrace/module/ipctrace.c#4 (text+ko) ====
@@ -399,6 +399,7 @@
 .mpo_task_destroy_label = ipctrace_destroy_label,
 .mpo_port_destroy_label = ipctrace_destroy_label,
 .mpo_port_copy_label = ipctrace_copy_label,
+ .mpo_task_copy_label = ipctrace_copy_label,
 .mpo_cred_externalize_label = ipctrace_externalize_label,
 /* Labeling event operations */
==== //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#8 (text+ko) ====
@@ -4087,6 +4087,7 @@
 .mpo_task_init_label = mac_mls_init_label,
 .mpo_port_destroy_label = mac_mls_destroy_label,
 .mpo_task_destroy_label = mac_mls_destroy_label,
+ .mpo_task_copy_label = mac_mls_copy_label,
 .mpo_port_copy_label = mac_mls_copy_label,
 .mpo_port_update_from_cred = mac_mls_port_update_from_cred,
 .mpo_cred_copy_to_task = mac_mls_cred_copy_to_task,
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#12 (text+ko) ====
@@ -2985,7 +2985,7 @@
 #endif
 static void
-sebsd_port_copy_label(struct label *src, struct label *dest)
+sebsd_task_copy_label(struct label *src, struct label *dest)
 {
 *(struct task_security_struct *)SLOT(dest) =
 *(struct task_security_struct *)SLOT(src);
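Review bot: Switching `mac_task_externalize_label` from the `cred` to the `task` entry points (mac_task.c hunk at -88) means only policies that register `mpo_task_externalize_label` and `mpo_task_internalize_label` take part, and among the visible hunks only sebsd.c does; the ipctrace and mls hunks add just `.mpo_task_copy_label`. For those policies task labels will presumably stop being externalized, and strings passed to the new internalize call in ipc_labelh.c will no longer be interpreted by them; whether that fails closed depends on `MAC_INTERNALIZE_LIST`, which is not shown. The new `mac_task_internalize_label` also returns `error` without assigning it itself, so it relies on the macro setting it on every path; a comment such as `/* MAC_INTERNALIZE_LIST assigns error on all paths */` would record that once it has been confirmed. The start of `mac_task_externalize_label` is outside the hunk.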
@@ -3477,7 +3477,8 @@
 /* Copy labels */
 .mpo_cred_copy_to_task = sebsd_cred_copy_to_task,
- .mpo_port_copy_label = sebsd_port_copy_label,
+ .mpo_port_copy_label = sebsd_task_copy_label,
+ .mpo_task_copy_label = sebsd_task_copy_label,
 .mpo_vnode_copy_label = sebsd_vnode_copy_label,
 .mpo_pipe_copy_label = sebsd_vnode_copy_label,
 .mpo_socket_copy_label = copy_network_label,
@@ -3501,6 +3502,9 @@
 .mpo_socket_externalize_label = sebsd_network_externalize_label,
 .mpo_socket_peer_externalize_label = sebsd_network_externalize_label,
+ .mpo_task_internalize_label = sebsd_cred_internalize_label,
+ .mpo_task_externalize_label = sebsd_cred_externalize_label,
+
 .mpo_cred_setlabel = sebsd_cred_setlabel,
 .mpo_vnode_setlabel = sebsd_vnode_setlabel,
 .mpo_pipe_setlabel = sebsd_pipe_setlabel,
==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#6 (text+ko) ====
@@ -896,6 +896,13 @@
 #endif
 }
+static void
+mac_test_task_copy_label(struct label *src, struct label *dest)
+{
+ USE_LABEL(src, TASKTYPE);
+ COPY_LABEL(src, dest, TASKTYPE);
+}
+
 static int
 mac_test_cred_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb)
@@ -3182,6 +3189,7 @@
 .mpo_mbuf_copy_label = mac_test_mbuf_copy_label,
 .mpo_pipe_copy_label = mac_test_pipe_copy_label,
 .mpo_port_copy_label = mac_test_port_copy_label,
+ .mpo_task_copy_label = mac_test_task_copy_label,
 .mpo_socket_copy_label = mac_test_socket_copy_label,
 .mpo_cred_externalize_label = mac_test_cred_externalize_label,
 .mpo_cred_externalize_audit_label =
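Review bot: Registering `sebsd_cred_internalize_label` and `sebsd_cred_externalize_label` as the task hooks (sebsd.c hunk at -3501) is only safe if those functions treat the label slot as the same `struct task_security_struct` that `sebsd_task_copy_label` copies; neither body is in this change, so that needs confirming. A short comment above the two initialisers, e.g. `/* task and cred labels share struct task_security_struct */`, would record the assumption for whoever later changes either layout. In the hunk at -3477 `.mpo_port_copy_label` now points at a function named for tasks; if port labels are meant to diverge from task labels, as the description suggests, note that there or keep a separate port wrapper.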