From owner-p4-projects@FreeBSD.ORG Tue Jul 23 20:43:49 2013 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D753F817; Tue, 23 Jul 2013 20:43:48 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 89F42815 for ; Tue, 23 Jul 2013 20:43:48 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [8.8.178.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 77DA32410 for ; Tue, 23 Jul 2013 20:43:48 +0000 (UTC) Received: from skunkworks.freebsd.org ([127.0.1.74]) by skunkworks.freebsd.org (8.14.7/8.14.7) with ESMTP id r6NKhmtQ093543 for ; Tue, 23 Jul 2013 20:43:48 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.7/8.14.6/Submit) id r6NKhlMG093540 for perforce@freebsd.org; Tue, 23 Jul 2013 20:43:47 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Tue, 23 Jul 2013 20:43:47 GMT Message-Id: <201307232043.r6NKhlMG093540@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson Subject: PERFORCE change 231382 for review To: Perforce Change Reviews Precedence: bulk X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.14 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Jul 2013 20:43:49 -0000 http://p4web.freebsd.org/@@231382?ac=10 Change 231382 by rwatson@rwatson_cinnamon on 2013/07/23 20:43:26 Add 70-80 new TESLA assertions relating to MAC, process access-control, and sysctl privilege checking. Affected files ... .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ctl.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ioctl.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_note.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_osrel.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_rlimit.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_status.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_type.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/kern_cpuset.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/kern_mib.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#5 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/ksched.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/sys_process.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/modules/Makefile#4 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#2 edit .. 
//depot/projects/ctsrd/tesla/src/sys/sys/tesla-kernel.h#7 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#13 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#2 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#3 edit .. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#3 edit Differences ... ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs.c#2 (text+ko) ==== @@ -54,6 +54,8 @@ #include #include +#include + #include #include #include @@ -72,6 +74,8 @@ struct vnode *textvp; int error; + TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), p) == 0); + freepath = NULL; PROC_LOCK(p); textvp = p->p_textvp; ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ctl.c#2 (text+ko) ==== @@ -46,6 +46,7 @@ #include #include #include +#include #include #include @@ -312,6 +313,8 @@ int error; struct namemap *nm; + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); + if (uio == NULL || uio->uio_rw != UIO_WRITE) return (EOPNOTSUPP); ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_ioctl.c#2 (text+ko) ==== @@ -38,6 +38,7 @@ #include #include #include +#include #include #include @@ -70,6 +71,8 @@ int ival; #endif + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); + KASSERT(p != NULL, ("%s() called without a process", __func__)); PROC_LOCK_ASSERT(p, MA_OWNED); ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_note.c#2 (text+ko) ==== @@ -39,13 +39,20 @@ #include #include #include +#include #include #include +/* Required for TESLA assertion. */ +#include + int procfs_doprocnote(PFS_FILL_ARGS) { + + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); + sbuf_trim(sb); sbuf_finish(sb); /* send to process's notify function */ ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_osrel.c#2 (text+ko) ==== @@ -34,6 +34,7 @@ #include #include #include +#include #include #include 
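Review bot: The procfs_doprocfile assertion settles for `p_cansee()` while every other new procfs assertion in this change (ctl, ioctl, note, osrel, rlimit) demands `p_candebug()`, and nothing at the assertion records why the weaker gate is sufficient for the `file` link. The reason is presumably that the node only exposes the path of `p->p_textvp`, which is visible-process information rather than debug access, but the next reader will be tempted to "fix" it; add `/* Only p_textvp's path is exposed here, so visibility (p_cansee) rather than debug access (p_candebug) is the required prior check. */` above the assertion. procfs_doprocfile continues past the hunk.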
@@ -44,6 +45,8 @@ const char *pp; int ov, osrel, i; + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); + if (uio == NULL) return (EOPNOTSUPP); if (uio->uio_rw == UIO_READ) { ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_rlimit.c#2 (text+ko) ==== @@ -55,6 +55,7 @@ #include #include #include +#include #include #include @@ -66,6 +67,8 @@ struct plimit *limp; int i; + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); + /* * Obtain a private reference to resource limits */ ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_status.c#2 (text+ko) ==== @@ -51,6 +51,7 @@ #include #include #include +#include #include #include @@ -73,6 +74,8 @@ int pid, ppid, pgid, sid; int i; + TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), p) == 0); + pid = p->p_pid; PROC_LOCK(p); ppid = p->p_pptr ? p->p_pptr->p_pid : 0; ==== //depot/projects/ctsrd/tesla/src/sys/fs/procfs/procfs_type.c#2 (text+ko) ==== @@ -38,6 +38,7 @@ #include #include #include +#include #include #include @@ -47,6 +48,8 @@ { static const char *none = "Not Available"; + TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), p) == 0); + if (p != NULL && p->p_sysent && p->p_sysent->sv_name) sbuf_printf(sb, "%s", p->p_sysent->sv_name); else ==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_cpuset.c#2 (text+ko) ==== @@ -54,6 +54,7 @@ #include #include #include +#include #include @@ -538,6 +539,8 @@ } } PROC_LOCK_ASSERT(p, MA_OWNED); + TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), p) == 0); + /* * Now that the appropriate locks are held and we have enough cpusets, * make sure the operation will succeed before applying changes. The @@ -713,6 +716,9 @@ error = cpuset_which(CPU_WHICH_TID, id, &p, &td, &set); if (error) goto out; + + TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), p) == 0); + set = NULL; thread_lock(td); error = cpuset_shadow(td->td_cpuset, nset, mask); ==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_mib.c#2 (text+ko) ==== 
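Review bot: In procfs_doproctype the new `TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), p) == 0);` is placed above the existing `if (p != NULL && p->p_sysent && p->p_sysent->sv_name)` test, so on any path where p is NULL (the guard exists for exactly that case) the assertion requires a p_cansee() on a NULL process that can never have occurred and fails spuriously. Either guard the assertion the same way, `if (p != NULL) TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), p) == 0);`, or, if p is in fact never NULL for this node, drop the NULL test so the assertion's precondition is explicit rather than contradicted by the next line. The function continues past the hunk.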
@@ -53,8 +53,12 @@ #include #include #include +#include #include +/* Required for TESLA assertion. */ +#include + SYSCTL_NODE(, 0, sysctl, CTLFLAG_RW, 0, "Sysctl internal magic"); SYSCTL_NODE(, CTL_KERN, kern, CTLFLAG_RW|CTLFLAG_CAPRD, 0, @@ -292,6 +296,9 @@ error = sysctl_handle_string(oidp, tmpname, len, req); if (req->newptr != NULL && error == 0) { + TESLA_SYSCALL_PREVIOUSLY(priv_check(req->td, + PRIV_SYSCTL_WRITEJAIL) == 0); + /* * Copy the locally set hostname to all jails that share * this host info. @@ -349,6 +356,10 @@ error = sysctl_handle_int(oidp, &level, 0, req); if (error || !req->newptr) return (error); + + TESLA_SYSCALL_PREVIOUSLY(priv_check(req->td, PRIV_SYSCTL_WRITEJAIL) == + 0); + /* Permit update only if the new securelevel exceeds the old. */ sx_slock(&allprison_lock); mtx_lock(&pr->pr_mtx); ==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#5 (text+ko) ==== ==== //depot/projects/ctsrd/tesla/src/sys/kern/ksched.c#2 (text+ko) ==== @@ -48,6 +48,7 @@ #include #include #include +#include FEATURE(kposix_priority_scheduling, "POSIX P1003.1B realtime extensions"); @@ -136,6 +137,8 @@ int policy; int e; + TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), td->td_proc) == 0); + e = getscheduler(ksched, td, &policy); if (e == 0) @@ -152,6 +155,8 @@ { struct rtprio rtp; + TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), td->td_proc) == 0); + pri_to_rtp(td, &rtp); if (RTP_PRIO_IS_REALTIME(rtp.type)) param->sched_priority = rtpprio_to_p4prio(rtp.prio); @@ -182,6 +187,8 @@ int e = 0; struct rtprio rtp; + TESLA_SYSCALL_PREVIOUSLY(p_cansched(ANY(ptr), td->td_proc) == 0); + switch(policy) { case SCHED_RR: @@ -224,6 +231,9 @@ int ksched_getscheduler(struct ksched *ksched, struct thread *td, int *policy) { + + TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), td->td_proc) == 0); + return getscheduler(ksched, td, policy); } 
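Review bot: The securelevel assertion breaks its line as `TESLA_SYSCALL_PREVIOUSLY(priv_check(req->td, PRIV_SYSCTL_WRITEJAIL) ==` with a lone `0);` on the continuation, while the hostname hunk two lines up breaks after the comma; style(9) continuation goes after an argument, so write `TESLA_SYSCALL_PREVIOUSLY(priv_check(req->td,` / `    PRIV_SYSCTL_WRITEJAIL) == 0);` in both. Separately, both assertions hard-code PRIV_SYSCTL_WRITEJAIL, which is only the privilege sysctl_root() checks while these OIDs carry CTLFLAG_PRISON (declared elsewhere, not in the hunk); a one-line comment tying the asserted privilege to that flag keeps the two from drifting apart silently.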
@@ -286,6 +296,9 @@ ksched_rr_get_interval(struct ksched *ksched, struct thread *td, struct timespec *timespec) { + + TESLA_SYSCALL_PREVIOUSLY(p_cansee(ANY(ptr), td->td_proc) == 0); + *timespec = ksched->rr_interval; return 0; ==== //depot/projects/ctsrd/tesla/src/sys/kern/sys_process.c#3 (text+ko) ==== @@ -48,6 +48,7 @@ #include #include #include +#include #include @@ -140,6 +141,8 @@ proc_read_regs(struct thread *td, struct reg *regs) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(fill_regs(td, regs)); } @@ -147,6 +150,8 @@ proc_write_regs(struct thread *td, struct reg *regs) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(set_regs(td, regs)); } @@ -154,6 +159,8 @@ proc_read_dbregs(struct thread *td, struct dbreg *dbregs) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(fill_dbregs(td, dbregs)); } @@ -161,6 +168,8 @@ proc_write_dbregs(struct thread *td, struct dbreg *dbregs) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(set_dbregs(td, dbregs)); } @@ -172,6 +181,8 @@ proc_read_fpregs(struct thread *td, struct fpreg *fpregs) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(fill_fpregs(td, fpregs)); } @@ -179,6 +190,8 @@ proc_write_fpregs(struct thread *td, struct fpreg *fpregs) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(set_fpregs(td, fpregs)); } @@ -188,6 +201,8 @@ proc_read_regs32(struct thread *td, struct reg32 *regs32) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(fill_regs32(td, regs32)); } @@ -195,6 +210,8 @@ proc_write_regs32(struct thread *td, struct reg32 *regs32) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(set_regs32(td, regs32)); } 
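Review bot: The identical line `TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0);` is pasted into each proc_{read,write}_{regs,dbregs,fpregs}[32] accessor, and every one of them is a single `PROC_ACTION(...)` call, so the assertion belongs inside the PROC_ACTION macro (apparently defined earlier in sys_process.c, outside this hunk): one copy instead of twelve, and a future accessor cannot forget it. If PROC_ACTION is also expanded somewhere that is legitimately not under p_candebug(), keep the copies but say so in a comment above the first accessor so the duplication reads as deliberate.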
@@ -202,6 +219,8 @@ proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(fill_dbregs32(td, dbregs32)); } @@ -209,6 +228,8 @@ proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(set_dbregs32(td, dbregs32)); } @@ -216,6 +237,8 @@ proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(fill_fpregs32(td, fpregs32)); } @@ -223,6 +246,8 @@ proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(set_fpregs32(td, fpregs32)); } #endif @@ -231,6 +256,8 @@ proc_sstep(struct thread *td) { + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), td->td_proc) == 0); + PROC_ACTION(ptrace_single_step(td)); } @@ -242,6 +269,8 @@ vm_prot_t reqprot; int error, fault_flags, page_offset, writing; + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); + /* * Assert that someone has locked this vmspace. (Should be * curthread but we can't assert that.) This keeps the process @@ -337,6 +366,8 @@ u_int pathlen; int error, index; + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); + error = 0; obj = NULL; @@ -443,6 +474,8 @@ struct ptrace_vm_entry pve; int error; + TESLA_SYSCALL_PREVIOUSLY(p_candebug(ANY(ptr), p) == 0); + pve.pve_entry = pve32->pve_entry; pve.pve_pathlen = pve32->pve_pathlen; pve.pve_path = (void *)(uintptr_t)pve32->pve_path; ==== //depot/projects/ctsrd/tesla/src/sys/kern/uipc_socket.c#3 (text+ko) ==== @@ -136,6 +136,8 @@ #include #include #include +#include + #include #include @@ -422,6 +424,11 @@ struct socket *so; int error; +#ifdef MAC + TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_create(cred, dom, type, + proto) == 0); +#endif + if (proto) prp = pffindproto(dom, proto, type); else 
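Review bot: proc_rwmem() now asserts a prior `p_candebug(ANY(ptr), p) == 0`, but proc_rwmem is a general helper with callers beyond ptrace(2) and procfs; if any in-syscall caller is gated on p_cansee() instead (the kern.proc.* sysctl handlers in kern_proc.c that read a target's argument/auxv vectors are the ones to check, and they are outside this hunk), the assertion fails on a legitimate path, or, more usefully, it has found a consumer that reads another process's memory without the debug check. Whichever it turns out to be, record it at the assertion: `/* Every in-syscall reader of another process's memory must be under p_candebug(); see kern_proc.c consumers. */`. The enclosing function continues past the hunk.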
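Review bot: socreate() is reached not only from socket(2)/socketpair(2) but by in-kernel consumers (NFS, kernel RPC and similar) that never call mac_socket_check_create(), and when such a consumer runs inside a syscall, an NFS mount for instance, the new `TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_create(cred, dom, type, proto) == 0)` can only fail. Unless those paths are meant to be flagged, the assertion belongs in kern_socket()/kern_socketpair() beside the check, or needs an `incallstack()` escape for the kernel callers; a comment should state which was intended. The caller set is not visible in the hunk, so this is hedged on it.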
@@ -617,6 +624,11 @@ { int error; +#ifdef MAC + TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) == + 0); +#endif + CURVNET_SET(so->so_vnet); error = (*so->so_proto->pr_usrreqs->pru_bind)(so, nam, td); CURVNET_RESTORE(); @@ -628,6 +640,11 @@ { int error; +#ifdef MAC + TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(ANY(ptr), so, nam) == + 0); +#endif + CURVNET_SET(so->so_vnet); error = (*so->so_proto->pr_usrreqs->pru_bindat)(fd, so, nam, td); CURVNET_RESTORE(); @@ -651,6 +668,10 @@ { int error; +#ifdef MAC + TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_listen(ANY(ptr), so) == 0); +#endif + CURVNET_SET(so->so_vnet); error = (*so->so_proto->pr_usrreqs->pru_listen)(so, backlog, td); CURVNET_RESTORE(); @@ -898,6 +919,12 @@ { int error; +#ifdef MAC + /* Access-control check is on head rather than so. */ + TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_accept(ANY(ptr), ANY(ptr)) == + 0); +#endif + SOCK_LOCK(so); KASSERT((so->so_state & SS_NOFDREF) != 0, ("soaccept: !NOFDREF")); so->so_state &= ~SS_NOFDREF; @@ -913,6 +940,11 @@ soconnect(struct socket *so, struct sockaddr *nam, struct thread *td) { +#ifdef MAC + TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_connect(td->td_ucred, so, + nam) == 0); +#endif + return (soconnectat(AT_FDCWD, so, nam, td)); } @@ -1450,6 +1482,10 @@ { int error; +#ifdef MAC + TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_send(ANY(ptr), so) == 0); +#endif + CURVNET_SET(so->so_vnet); error = so->so_proto->pr_usrreqs->pru_sosend(so, addr, uio, top, control, flags, td); @@ -2406,6 +2442,10 @@ { int error; +#ifdef MAC + TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_receive(ANY(ptr), so) == 0); +#endif + CURVNET_SET(so->so_vnet); error = (so->so_proto->pr_usrreqs->pru_soreceive(so, psa, uio, mp0, controlp, flagsp)); 
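Review bot: soconnect() binds the credential concretely (`mac_socket_check_connect(td->td_ucred, so, nam)`), which proves the check ran for the calling thread, while the sibling assertions in sobind(), sobindat(), solisten() and sosend() use `ANY(ptr)` even though `td` is in scope in each of them (it is passed straight into pru_bind/pru_bindat/pru_listen/pru_sosend on the following line). Where td is non-NULL on every path, tighten them the same way, e.g. `TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_bind(td->td_ucred, so, nam) == 0);`; where an in-kernel caller may pass a NULL td, a comment saying so is the reason to keep `ANY(ptr)` and should be written down.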
@@ -3079,6 +3119,14 @@ { int revents = 0; +#ifdef MAC + /* + * XXXRW: Should be active_cred but actually fp->f_cred is getting + * passed down the stack, so the wrong cred here! + */ + TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0); +#endif + SOCKBUF_LOCK(&so->so_snd); SOCKBUF_LOCK(&so->so_rcv); if (events & (POLLIN | POLLRDNORM)) @@ -3124,6 +3172,10 @@ struct socket *so = kn->kn_fp->f_data; struct sockbuf *sb; +#ifdef MAC + TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_poll(ANY(ptr), so) == 0); +#endif + switch (kn->kn_filter) { case EVFILT_READ: if (so->so_options & SO_ACCEPTCONN) ==== //depot/projects/ctsrd/tesla/src/sys/modules/Makefile#4 (text+ko) ==== @@ -261,7 +261,6 @@ ppc \ ppi \ pps \ - procfs \ pseudofs \ ${_pst} \ pty \ @@ -359,6 +358,10 @@ ${_zfs} \ zlib \ +# XXXRW: Temporarily disable procfs build for TESLA, as the module contains +# assertions which don't build as a module. +# procfs \ + .if ${MACHINE_CPUARCH} == "i386" || ${MACHINE_CPUARCH} == "amd64" _filemon= filemon .endif ==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_cred.c#2 (text+ko) ==== @@ -66,6 +66,7 @@ #include #include #include +#include #include #include @@ -195,6 +196,9 @@ mac_cred_relabel(struct ucred *cred, struct label *newlabel) { + TESLA_SYSCALL(previously(mac_cred_check_relabel(cred, newlabel) == + 0)); + MAC_POLICY_PERFORM_NOSLEEP(cred_relabel, cred, newlabel); } ==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_pipe.c#2 (text+ko) ==== @@ -55,11 +55,16 @@ #include #include #include +#include #include #include #include +/* Forward declaration for TESLA. */ +static int mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, + struct label *newlabel); + struct label * mac_pipe_label_alloc(void) { 
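Review bot: soo_kqfilter() now asserts a prior `mac_socket_check_poll(ANY(ptr), so) == 0`, but I cannot find that check on the kevent(2) path: kqueue_register() reaches fo_kqfilter() directly, and as far as I can tell only soo_poll() calls mac_socket_check_poll(). If that is right, the assertion fails on every EVFILT_READ/EVFILT_WRITE registration on a socket, and what it has found is that kqueue bypasses the socket poll MAC check; that deserves either a matching check in the kqueue path or a comment at the assertion, `/* XXX: kqueue_register() performs no poll check; this assertion documents the gap. */`, not a wildcard that hides it. Confirm against kern_event.c before committing, since that path is outside this hunk.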
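Review bot: The mac_cred_relabel() assertion `previously(mac_cred_check_relabel(cred, newlabel) == 0)` binds the credential concretely, but the caller I know of, sys___mac_set_proc(), checks the process's old credential and then relabels the freshly crcopy()'d new one, so the `cred` seen here is never the pointer the check saw and the assertion cannot be satisfied. Use `ANY(ptr)` for the credential with a comment, as the soaccept() hunk does for its head-vs-so mismatch: `/* The check runs on the old ucred before crcopy(); only the label can be bound here. */`. The `TESLA_SYSCALL_PREVIOUSLY()` shorthand used everywhere else in this change would also read better than the long form.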
@@ -138,6 +143,9 @@ struct label *newlabel) { + TESLA_SYSCALL_PREVIOUSLY(mac_pipe_check_relabel(cred, pp, newlabel) + == 0); + MAC_POLICY_PERFORM_NOSLEEP(pipe_relabel, cred, pp, pp->pp_label, newlabel); } ==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_process.c#3 (text+ko) ==== @@ -65,6 +65,7 @@ #include #include #include +#include #include #include @@ -170,12 +171,18 @@ return (error); } imgp->execlabel = label; + + TESLA_SYSCALL_EVENTUALLY(called(mac_execve_exit)); + return (0); } void mac_execve_exit(struct image_params *imgp) { + + TESLA_SYSCALL_PREVIOUSLY(called(mac_execve_enter(imgp, ANY(ptr)))); + if (imgp->execlabel != NULL) { mac_cred_label_free(imgp->execlabel); imgp->execlabel = NULL; @@ -192,14 +199,21 @@ mac_vnode_copy_label(interpvp->v_label, *interpvplabel); } else *interpvplabel = NULL; + + TESLA_SYSCALL_EVENTUALLY(called(mac_execve_interpreter_exit)); } void mac_execve_interpreter_exit(struct label *interpvplabel) { - if (interpvplabel != NULL) + if (interpvplabel != NULL) { + /* Awkwardly, _exit() may be called even if _enter() wasn't. */ + TESLA_SYSCALL_PREVIOUSLY(called( + mac_execve_interpreter_enter(ANY(ptr), ANY(ptr)))); + mac_vnode_label_free(interpvplabel); + } } /* ==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_socket.c#2 (text+ko) ==== @@ -64,6 +64,7 @@ #include #include #include +#include #include #include @@ -77,6 +78,10 @@ #include #include +/* Definition required for TESLA assertion. */ +static int mac_socket_check_relabel(struct ucred *cred, struct socket *so, + struct label *newlabel); + /* * Currently, sockets hold two labels: the label of the socket itself, and a * peer label, which may be used by policies to hold a copy of the label of 
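Review bot: `TESLA_SYSCALL_EVENTUALLY(called(mac_execve_exit))` is placed only on the path that installs an execlabel, so the `mac_p == NULL` early return and the error returns above it carry no pairing guarantee, while mac_execve_exit() asserts the reverse direction unconditionally. If do_execve() calls mac_execve_exit() on every exit including the failure path (outside this hunk, so unverified here), the EVENTUALLY assertion can be the first statement of mac_execve_enter() and the pairing becomes total; if some returns are not followed by _exit(), a comment should say which, mirroring the one added to mac_execve_interpreter_exit(). mac_execve_enter's body begins outside the hunk.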
@@ -253,6 +258,9 @@ struct label *newlabel) { + TESLA_SYSCALL_PREVIOUSLY(mac_socket_check_relabel(cred, so, newlabel) + == 0); + SOCK_LOCK_ASSERT(so); MAC_POLICY_PERFORM_NOSLEEP(socket_relabel, cred, so, so->so_label, ==== //depot/projects/ctsrd/tesla/src/sys/security/mac/mac_vfs.c#2 (text+ko) ==== @@ -65,6 +65,7 @@ #include #include #include +#include #include #include @@ -948,6 +949,9 @@ struct label *newlabel) { + TESLA_SYSCALL(previously(mac_vnode_check_relabel(cred, vp, newlabel) + == 0)); + MAC_POLICY_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel); } ==== //depot/projects/ctsrd/tesla/src/sys/sys/tesla-kernel.h#7 (text+ko) ==== @@ -45,6 +45,11 @@ #define incallstack(fn) TSEQUENCE(called(fn), TESLA_ASSERTION_SITE, returned(fn)) +#if 0 +/* XXXRW: This doesn't yet work. */ +struct timespec __tesla_any_timespec(); +#endif + /* * Convenient assertion wrappers for various scopes. */ ==== //depot/projects/ctsrd/tesla/src/sys/ufs/ffs/ffs_vnops.c#13 (text+ko) ==== @@ -77,13 +77,12 @@ #include #include #include +#include #include #include #include -#include - #include #include #include @@ -92,6 +91,10 @@ #include #include +/* Required for TESLA assertion. */ +struct inode; +#include + #include #include #include @@ -437,12 +440,10 @@ vp = ap->a_vp; #ifdef MAC - TESLA_SYSCALL(previously(mac_vnode_check_read(ANY(ptr), ANY(ptr), vp) - == 0) || - previously(mac_vnode_check_readdir(ANY(ptr), vp) == 0)); - TESLA_PAGE_FAULT(previously(mac_vnode_check_read(ANY(ptr), ANY(ptr), - vp) == 0) || - previously(mac_vnode_check_readdir(ANY(ptr), vp) == 0)); + TESLA_SYSCALL(incallstack(ufs_readdir) || + previously(mac_vnode_check_read(ANY(ptr), ANY(ptr), vp) == 0)); + TESLA_PAGE_FAULT(incallstack(ufs_readdir) || + previously(mac_vnode_check_read(ANY(ptr), ANY(ptr), vp) == 0)); #endif uio = ap->a_uio; 
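Review bot: `struct timespec __tesla_any_timespec();` declares the helper with an empty parameter list, which in C is an unprototyped declaration rather than "takes no arguments"; write `struct timespec __tesla_any_timespec(void);` so that when the `#if 0` is lifted, calls are type-checked. The XXXRW note should also say what does not work (struct-valued ANY() results, presumably) so the limitation can be found again later.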
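Review bot: In ffs_read the readdir alternative was loosened from `previously(mac_vnode_check_readdir(ANY(ptr), vp) == 0)` to `incallstack(ufs_readdir)`, which no longer proves that a readdir MAC check happened for this vnode: any VOP_READ issued from inside ufs_readdir now satisfies the assertion, including callers of VOP_READDIR that perform no check at all. If the motivation is an in-kernel VOP_READDIR consumer that legitimately skips the check, name it in a comment beside the assertion; if it is that the check is made on a different vnode pointer, `previously(mac_vnode_check_readdir(ANY(ptr), ANY(ptr)) == 0)` keeps the check in the assertion. The same applies to the TESLA_PAGE_FAULT twin on the next line.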
@@ -1482,6 +1483,12 @@ int ealen, olen, eapad1, eapad2, error, i, easize; u_char *eae, *p; +#ifdef MAC + TESLA_SYSCALL(incallstack(ufs_setacl) || + previously(mac_vnode_check_deleteextattr(ANY(ptr), ap->a_vp, + ap->a_attrnamespace, ap->a_name) == 0)); +#endif + ip = VTOI(ap->a_vp); fs = ip->i_fs; @@ -1569,6 +1576,12 @@ unsigned easize; int error, ealen; +#ifdef MAC + TESLA_SYSCALL(incallstack(ufs_getacl) || + previously(mac_vnode_check_getextattr(ANY(ptr), ap->a_vp, + ap->a_attrnamespace, ap->a_name) == 0)); +#endif + ip = VTOI(ap->a_vp); fs = ip->i_fs; @@ -1625,6 +1638,11 @@ uint32_t ul; int error, ealen; +#ifdef MAC + TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_listextattr(ANY(ptr), + ap->a_vp, ap->a_attrnamespace) == 0); +#endif + ip = VTOI(ap->a_vp); fs = ip->i_fs; @@ -1689,6 +1707,12 @@ int olen, eapad1, eapad2, error, i, easize; u_char *eae, *p; +#ifdef MAC + TESLA_SYSCALL(incallstack(ufs_setacl) || + mac_vnode_check_setextattr(ANY(ptr), ap->a_vp, + ap->a_attrnamespace, ap->a_name) == 0); +#endif + ip = VTOI(ap->a_vp); fs = ip->i_fs; ==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_acl.c#2 (text+ko) ==== @@ -45,7 +45,11 @@ #include #include #include +#include +/* Required for TESLA assertion. */ +#include + #include #include #include @@ -359,6 +363,11 @@ } */ *ap; { +#ifdef MAC + TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_getacl(ANY(ptr), ap->a_vp, + ap->a_type) == 0); +#endif + if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0) return (EOPNOTSUPP); @@ -609,6 +618,16 @@ struct thread *td; } */ *ap; { + +#ifdef MAC + if (ap->a_aclp == NULL) + TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_deleteacl(ANY(ptr), + ap->a_vp, ap->a_type) == 0); + else + TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_setacl(ANY(ptr), + ap->a_vp, ap->a_type, ap->a_aclp) == 0); +#endif + if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0) return (EOPNOTSUPP); ==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_lookup.c#3 (text+ko) ==== 
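Review bot: The ffs_setextattr assertion reads `incallstack(ufs_setacl) || mac_vnode_check_setextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0`, so its MAC term lacks the `previously(...)` wrapper that the deleteextattr and getextattr assertions in the same file use; it is therefore not asserting a past check event the way its siblings do (how TESLA interprets a bare call expression inside TESLA_SYSCALL() I have not verified, but the inconsistency alone is a bug magnet). Make it `previously(mac_vnode_check_setextattr(ANY(ptr), ap->a_vp, ap->a_attrnamespace, ap->a_name) == 0)`; the ufs_open assertion in ufs_vnops.c has the same omission.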
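Review bot: ufs_getacl() now asserts a prior `mac_vnode_check_getacl(ANY(ptr), ap->a_vp, ap->a_type)`, but VOP_GETACL is also issued from inside UFS itself: ACL inheritance on create reads the parent directory's default ACL, and chmod(2) on an NFSv4-ACL mount re-reads the ACL, and those callers do not perform mac_vnode_check_getacl() for that vnode/type (hedged: the inheritance and chmod code live in ufs_vnops.c outside this hunk). If so the assertion fails on mkdir/creat/chmod on an ACL-enabled mount even though no user-facing ACL read occurred; add `incallstack()` escapes for the internal entry points or restrict the assertion to the a_type a syscall can pass, and say which in a comment.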
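Review bot: The ufs_setacl() assertion has the same internal-caller exposure as ufs_getacl(): create-time ACL inheritance issues VOP_SETACL on the new vnode and chmod(2) on NFSv4-ACL mounts rewrites the ACL, neither preceded by mac_vnode_check_setacl() on that vnode (hedged: those callers are outside this hunk), so an `incallstack()` escape or a documented exclusion is needed. The delete/set split on `ap->a_aclp == NULL` is correct but unexplained; add `/* VOP_SETACL with a NULL aclp is the delete operation, gated by deleteacl rather than setacl. */` above the `if` so a reader who only knows the syscall understands the two branches.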
@@ -51,6 +51,7 @@ #include #include #include +#include #include #include @@ -211,6 +212,11 @@ } */ *ap; { +#ifdef MAC + TESLA_SYSCALL_PREVIOUSLY(mac_vnode_check_lookup(ANY(ptr), ap->a_dvp, + ap->a_cnp) == 0); +#endif + return (ufs_lookup_ino(ap->a_dvp, ap->a_vpp, ap->a_cnp, NULL)); } ==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#3 (text+ko) ==== @@ -61,11 +61,15 @@ #include #include #include +#include #include #include /* XXX */ +/* Required for TESLA assertion. */ +#include + #include #include @@ -269,6 +273,11 @@ struct vnode *vp = ap->a_vp; struct inode *ip; +#ifdef MAC + TESLA_SYSCALL(incallstack(kern_execve) || + mac_vnode_check_open(ANY(ptr), vp, ANY(int)) == 0); +#endif + >>> TRUNCATED FOR MAIL (1000 lines) <<<
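Review bot: ufs_lookup() asserts a prior `mac_vnode_check_lookup(ANY(ptr), ap->a_dvp, ap->a_cnp)`, which matches what lookup() in vfs_lookup.c does, but VOP_LOOKUP has other in-kernel callers, relookup() and the `..` walk in vop_stdvptocnp() behind __getcwd(2)/vn_fullpath() being the ones I would check, and any of them running inside a syscall without the check makes the assertion fail or exposes a genuine bypass. Once confirmed, record the expectation at the assertion: `/* Every VOP_LOOKUP within a syscall must follow lookup()'s MAC check on the same dvp/cnp; relookup() reuses the cnp and so satisfies this if it is the only other caller. */`. Those callers are outside this hunk.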