Date: Fri, 03 Jun 2011 14:46:16 +0000 From: aalvarez@FreeBSD.org To: svn-soc-all@FreeBSD.org Subject: socsvn commit: r222765 - soc2011/aalvarez/pbmac/sys/security/mac_bsdextended Message-ID: <20110603144616.8A6DF106567E@hub.freebsd.org>
Author: aalvarez Date: Fri Jun 3 14:46:16 2011 New Revision: 222765 URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=222765 Log: - Accept and parse policies with filepaths - Check access on policies that have filepaths Modified: soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h
Modified: soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c
==============================================================================
--- soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c Fri Jun 3 13:49:18 2011 (r222764)
+++ soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c Fri Jun 3 14:46:16 2011 (r222765)
@@ -49,6 +49,7 @@
 #include <sys/param.h>
 #include <sys/acl.h>
+#include <sys/fcntl.h>
 #include <sys/kernel.h>
 #include <sys/jail.h>
 #include <sys/lock.h>
@@ -56,6 +57,7 @@
 #include <sys/module.h>
 #include <sys/mount.h>
 #include <sys/mutex.h>
+#include <sys/namei.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/systm.h>
@@ -64,6 +66,7 @@
 #include <sys/syslog.h>
 #include <sys/stat.h>
+
 #include <security/mac/mac_policy.h>
 #include <security/mac_bsdextended/mac_bsdextended.h>
 #include <security/mac_bsdextended/ugidfw_internal.h>
@@ -134,6 +137,44 @@
 }
 static int
+ugidfw_rslv_fpath(struct mac_bsdextended_rule *ruleptr, struct mac_bsdextended_rule *temprule, struct thread *td)
+{
+ struct nameidata nd;
+ int error;
+ struct vnode* vp;
+ struct vattr vap;
+ /* Check empty paths */
+ if (temprule->mbr_object.mbo_fpath_len < 1)
+ return EINVAL;
+
+ ruleptr->mbr_object.mbo_fpath_len = temprule->mbr_object.mbo_fpath_len;
+ ruleptr = malloc(sizeof(char)*ruleptr->mbr_object.mbo_fpath_len,
+ M_MACBSDEXTENDED, M_WAITOK);
+
+ KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
+ memcpy(ruleptr->mbr_object.mbo_fpath, temprule->mbr_object.mbo_fpath,
+ ruleptr->mbr_object.mbo_fpath_len);
+
+ /* Resolve path to fsid and fileid */
+ NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, ruleptr->mbr_object.mbo_fpath, td);
+ error = namei(&nd);
+ if (error)
+ goto out;
+
+ vp = nd.ni_vp;
+ error = VOP_GETATTR(vp, &vap, td->td_proc->p_ucred);
+ if (error)
+ goto out;
+
+ ruleptr->mbr_object.mbo_fsid = vp->v_mount->mnt_stat.f_fsid;
+ ruleptr->mbr_object.mbo_fid = vap.va_fileid;
+
+out:
+ NDFREE(&nd, 0);
+ return (0);
+}
+
+static int
 sysctl_rule(SYSCTL_HANDLER_ARGS)
 {
 struct mac_bsdextended_rule temprule, *ruleptr;
@@ -170,7 +211,7 @@
 }
 temprule = *rules[index];
 }
- if (req->newptr && req->newlen == 0) {
+ if (req->newptr && req->newlen == 0) { /* remove rule request */
 KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
 ruleptr = rules[index];
 if (ruleptr == NULL) {
@@ -185,6 +226,15 @@
 goto out;
 if (rules[index] == NULL) {
 *ruleptr = temprule;
+ /* TODO: Check if path is defined.
+ * If it is:
+ * - resolve path to fid
+ */
+ if (ruleptr->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
+ error = ugidfw_rslv_fpath(ruleptr, &temprule, req->td);
+ if (error)
+ goto out;
+ }
 rules[index] = ruleptr;
 ruleptr = NULL;
 if (index + 1 > rule_slots)
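Review bot: In ugidfw_rslv_fpath the line `ruleptr = malloc(sizeof(char)*ruleptr->mbr_object.mbo_fpath_len, ...)` discards the rule pointer and replaces it with an fpath_len-byte buffer, so the following `KASSERT(ruleptr == NULL, ...)` fires on any INVARIANTS kernel (M_WAITOK never returns NULL), the memcpy writes through `mbr_object.mbo_fpath` of a buffer far too small to hold the struct, the resolved fsid/fid are stored into that buffer rather than the rule, and the `out:` label returns 0 regardless of `error`. temprule->mbr_object.mbo_fpath looks like the pointer copied in from userland by the sysctl (the copy-in is outside this hunk), so it should be fetched with copyinstr() into a kernel buffer bounded by MAXPATHLEN rather than dereferenced with memcpy, which also gives namei() the NUL terminator it requires and bounds the user-controlled M_WAITOK allocation size. namei() releases its own state on failure and, without LOCKLEAF, returns an unlocked vnode that VOP_GETATTR expects locked, so the lookup should use `FOLLOW | LOCKLEAF`, release only the pathname buffer with `NDFREE(&nd, NDF_ONLY_PNBUF)` and vput() the vnode afterwards. The third hunk on this line gates the call on `MBO_FSID_DEFINED` while the header and the matcher use `MBO_FPATH_DEFINED`, so a path rule is never resolved and would be compared against unset mbo_fsid/mbo_fid; it should read `if (ruleptr->mbr_object.mbo_flags & MBO_FPATH_DEFINED) {`. The rule-removal path and wherever rules are freed (outside this hunk) will also need to free the new mbo_fpath buffer.
```c
static int
ugidfw_rslv_fpath(struct mac_bsdextended_rule *ruleptr, struct mac_bsdextended_rule *temprule, struct thread *td)
{
	struct nameidata nd;
	struct vattr vap;
	char *fpath;
	size_t len, done;
	int error;

	/* The length is user-supplied; bound it before an M_WAITOK allocation. */
	len = temprule->mbr_object.mbo_fpath_len;
	if (len < 1 || len > MAXPATHLEN)
		return (EINVAL);

	fpath = malloc(len, M_MACBSDEXTENDED, M_WAITOK);
	/* mbo_fpath is a user address here: copy it in, bounded and NUL-terminated. */
	error = copyinstr(temprule->mbr_object.mbo_fpath, fpath, len, &done);
	if (error != 0)
		goto out;

	/* Resolve the path to (fsid, fileid); LOCKLEAF so VOP_GETATTR sees a locked vnode. */
	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, fpath, td);
	error = namei(&nd);
	if (error != 0)
		goto out;	/* namei() has already released nd on failure */
	NDFREE(&nd, NDF_ONLY_PNBUF);

	error = VOP_GETATTR(nd.ni_vp, &vap, td->td_proc->p_ucred);
	if (error == 0) {
		ruleptr->mbr_object.mbo_fsid = nd.ni_vp->v_mount->mnt_stat.f_fsid;
		ruleptr->mbr_object.mbo_fid = vap.va_fileid;
	}
	vput(nd.ni_vp);
out:
	if (error != 0) {
		free(fpath, M_MACBSDEXTENDED);
		return (error);
	}
	/* Ownership of fpath passes to the rule; whoever frees the rule frees it. */
	ruleptr->mbr_object.mbo_fpath = fpath;
	ruleptr->mbr_object.mbo_fpath_len = done;
	return (0);
}
```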
@@ -310,6 +360,19 @@
 return (0);
 }
+ if (rule->mbr_object.mbo_flags & MBO_FPATH_DEFINED) {
+ match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid),
+ &(rule->mbr_object.mbo_fsid),
+ sizeof(rule->mbr_object.mbo_fsid)) == 0 &&
+ bcmp(&(vap->va_fileid), &(rule->mbr_object.mbo_fid),
+ sizeof(rule->mbr_object.mbo_fid)) == 0);
+
+ if (rule->mbr_object.mbo_neg & MBO_FPATH_DEFINED)
+ match = !match;
+ if (!match)
+ return 0;
+ }
+
+ if (rule->mbr_object.mbo_flags & MBO_SUID) {
 match = (vap->va_mode & S_ISUID);
 if (rule->mbr_object.mbo_neg & MBO_SUID)
Modified: soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h
==============================================================================
--- soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h Fri Jun 3 13:49:18 2011 (r222764)
+++ soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h Fri Jun 3 14:46:16 2011 (r222765)
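Review bot: The (fsid, fileid) pair compared in the new MBO_FPATH_DEFINED block is a snapshot taken when the rule was loaded, so if the target file is later replaced under the same name (rename-over, package reinstall, editor save-by-rename) the rule silently stops applying while the path still exists; that deserves a comment above the block, e.g. `/* Path rules match the (fsid, fileid) captured at load time, not the current name. */`. The `bcmp()` on f_fsid presumably repeats what an MBO_FSID_DEFINED rule already checks, so a rule with both flags set compares fsid twice, harmless but worth a note. `return 0;` should be `return (0);` to match the `return (0);` the surrounding function already uses. The enclosing function starts and ends outside the hunk.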
@@ -70,18 +70,19 @@
 int mbs_prison;
 };
-#define MBO_UID_DEFINED 0x00000001 /* uid field should be matched */
-#define MBO_GID_DEFINED 0x00000002 /* gid field should be matched */
-#define MBO_FSID_DEFINED 0x00000004 /* fsid field should be matched */
-#define MBO_SUID 0x00000008 /* object must be suid */
-#define MBO_SGID 0x00000010 /* object must be sgid */
-#define MBO_UID_SUBJECT 0x00000020 /* uid must match subject */
-#define MBO_GID_SUBJECT 0x00000040 /* gid must match subject */
-#define MBO_TYPE_DEFINED 0x00000080 /* object type should be matched */
+#define MBO_UID_DEFINED 0x00000001 /* uid field should be matched */
+#define MBO_GID_DEFINED 0x00000002 /* gid field should be matched */
+#define MBO_FSID_DEFINED 0x00000004 /* fsid field should be matched */
+#define MBO_SUID 0x00000008 /* object must be suid */
+#define MBO_SGID 0x00000010 /* object must be sgid */
+#define MBO_UID_SUBJECT 0x00000020 /* uid must match subject */
+#define MBO_GID_SUBJECT 0x00000040 /* gid must match subject */
+#define MBO_TYPE_DEFINED 0x00000080 /* object type should be matched */
+#define MBO_FPATH_DEFINED 0x00000100 /* file path should me matched */
 #define MBO_ALL_FLAGS (MBO_UID_DEFINED | MBO_GID_DEFINED | MBO_FSID_DEFINED | \
 MBO_SUID | MBO_SGID | MBO_UID_SUBJECT | MBO_GID_SUBJECT | \
- MBO_TYPE_DEFINED)
+ MBO_TYPE_DEFINED | MBO_FPATH_DEFINED)
 #define MBO_TYPE_REG 0x00000001
 #define MBO_TYPE_DIR 0x00000002
@@ -103,6 +104,9 @@
 gid_t mbo_gid_max;
 struct fsid mbo_fsid;
 int mbo_type;
+ long mbo_fid;
+ size_t mbo_fpath_len;
+ char* mbo_fpath;
 };
 struct mac_bsdextended_rule {
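Review bot: `char* mbo_fpath` in the second hunk puts a raw pointer inside the object struct that, judging by sysctl_rule in the .c diff, is copied to and from userland as part of the rule, so the same field holds a user address on the way in and must hold a kernel copy once the rule is installed; that contract should be stated on the field, e.g. `/* user address when loading a rule; kernel-owned copy once installed */`, or the path kept inline as a fixed `char mbo_fpath[MAXPATHLEN]` so the struct stays self-contained (the copy-in itself is outside this diff). The new flag comment `/* file path should me matched */` has a typo and should read `/* file path should be matched */`. The declaration style `char* mbo_fpath` differs from the `struct fsid mbo_fsid` form used on the neighbouring lines; `char *mbo_fpath` is the file's convention.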