PERFORCE change 35053 for review

Robert Watson rwatson at FreeBSD.org
Sat Jul 26 12:41:06 PDT 2003


http://perforce.freebsd.org/chv.cgi?CH=35053

Change 35053 by rwatson at rwatson_tislabs on 2003/07/26 12:40:56

	Update Biba, BSD Extended, MLS, None, and Test policies for
	new extended attribute checks (delete, list).  For now, leave
	out LOMAC and SEBSD.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#216 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#72 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#174 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#124 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#108 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#216 (text+ko) ====

@@ -2158,6 +2158,24 @@
 }
 
 static int
+mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace, const char *name)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!mac_biba_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(label);
+
+	if (!mac_biba_dominate_single(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
 mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct label *label, struct image_params *imgp,
     struct label *execlabel)
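Review bot: mac_biba_check_vnode_deleteextattr gives no rationale for the direction of its dominance test, so a reader cannot tell from the hunk that `mac_biba_dominate_single(subj, obj)` is the integrity write rule rather than a slip relative to the listextattr hook in the next hunk, which tests `(obj, subj)`. A one-line comment above each test would settle it: `/* Deleting an attribute modifies the object: the subject's integrity must dominate it (no write-up). */` here, and `/* Listing attribute names reads the object: its integrity must dominate the subject's (no read-down). */` in the listextattr hunk. The same gap exists in both mac_mls hunks, where the directions are reversed because MLS enforces confidentiality (no write-down, no read-up) rather than integrity. The check also ignores attrnamespace and name, so one label rule governs system and user attributes alike; if that is intended it deserves a line in the same comment. mac_biba_check_vnode_exec continues outside the hunk.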
@@ -2250,6 +2268,24 @@
 }
 
 static int
+mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!mac_biba_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(label);
+
+	if (!mac_biba_dominate_single(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
 mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct componentname *cnp)
 {
@@ -2770,10 +2806,12 @@
 	.mpo_check_vnode_create = mac_biba_check_vnode_create,
 	.mpo_check_vnode_delete = mac_biba_check_vnode_delete,
 	.mpo_check_vnode_deleteacl = mac_biba_check_vnode_deleteacl,
+	.mpo_check_vnode_deleteextattr = mac_biba_check_vnode_deleteextattr,
 	.mpo_check_vnode_exec = mac_biba_check_vnode_exec,
 	.mpo_check_vnode_getacl = mac_biba_check_vnode_getacl,
 	.mpo_check_vnode_getextattr = mac_biba_check_vnode_getextattr,
 	.mpo_check_vnode_link = mac_biba_check_vnode_link,
+	.mpo_check_vnode_listextattr = mac_biba_check_vnode_listextattr,
 	.mpo_check_vnode_lookup = mac_biba_check_vnode_lookup,
 	.mpo_check_vnode_mmap = mac_biba_check_vnode_mmap,
 	.mpo_check_vnode_mprotect = mac_biba_check_vnode_mmap,

==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#72 (text+ko) ====

@@ -1,6 +1,6 @@
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
- * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -418,6 +418,22 @@
 }
 
 static int
+mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace, const char *name)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE));
+}
+
+static int
 mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct label *label, struct image_params *imgp,
     struct label *execlabel)
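Review bot: The new hook returns a VOP_GETATTR failure as its own result, which denies the operation whenever the vnode's attributes cannot be read, but nothing says this fail-closed behaviour is intended rather than incidental; a comment before the `if (error)` such as `/* Without owner and group the rules cannot be evaluated; fail closed. */` would record it. The mapping of attribute deletion to VWRITE against the vnode owner (and of listing to VREAD in the listextattr hunk below) is likewise a policy decision worth one line above the final return, `/* Treat attribute deletion as a write to the file itself. */`. VOP_GETATTR is issued with curthread and the hunk does not show whether vp is guaranteed locked on entry, which should be confirmed against the MAC framework caller. mac_bsdextended_check_vnode_exec continues outside the hunk.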
@@ -495,6 +511,22 @@
 }
 
 static int
+mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
+}
+
+static int
 mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct componentname *cnp)
 {
@@ -752,10 +784,12 @@
 	.mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
 	.mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete,
 	.mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
+	.mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
 	.mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
 	.mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
 	.mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
 	.mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
+	.mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr,
 	.mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
 	.mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
 	.mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#174 (text+ko) ====

@@ -1930,6 +1930,24 @@
 }
 
 static int
+mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace, const char *name)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mac_mls_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(label);
+
+	if (!mac_mls_dominate_single(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
 mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct label *label, struct image_params *imgp,
     struct label *execlabel)
@@ -2021,6 +2039,25 @@
 }
 
 static int
+mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace)
+{
+
+	struct mac_mls *subj, *obj;
+
+	if (!mac_mls_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(label);
+
+	if (!mac_mls_dominate_single(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
 mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct componentname *cnp)
 {
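Review bot: mac_mls_check_vnode_listextattr opens its body with a blank line before the local declaration, which is inconsistent with mac_mls_check_vnode_deleteextattr in the previous hunk and with the rest of this change, where a blank line follows the brace only when the function has no locals (the mac_none and mac_test stubs). Dropping that line so the body starts `{` followed directly by `struct mac_mls *subj, *obj;` restores the file's style. mac_mls_check_vnode_lookup continues outside the hunk.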
@@ -2535,10 +2572,12 @@
 	.mpo_check_vnode_create = mac_mls_check_vnode_create,
 	.mpo_check_vnode_delete = mac_mls_check_vnode_delete,
 	.mpo_check_vnode_deleteacl = mac_mls_check_vnode_deleteacl,
+	.mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr,
 	.mpo_check_vnode_exec = mac_mls_check_vnode_exec,
 	.mpo_check_vnode_getacl = mac_mls_check_vnode_getacl,
 	.mpo_check_vnode_getextattr = mac_mls_check_vnode_getextattr,
 	.mpo_check_vnode_link = mac_mls_check_vnode_link,
+	.mpo_check_vnode_listextattr = mac_mls_check_vnode_listextattr,
 	.mpo_check_vnode_lookup = mac_mls_check_vnode_lookup,
 	.mpo_check_vnode_mmap = mac_mls_check_vnode_mmap,
 	.mpo_check_vnode_mprotect = mac_mls_check_vnode_mmap,

==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#124 (text+ko) ====

@@ -1,6 +1,6 @@
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
- * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -784,6 +784,14 @@
 }
 
 static int
+mac_none_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace, const char *name)
+{
+
+	return (0);
+}
+
+static int
 mac_none_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct label *label, struct image_params *imgp,
     struct label *execlabel)
@@ -818,6 +826,14 @@
 }
 
 static int
+mac_none_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace)
+{
+
+	return (0);
+}
+
+static int
 mac_none_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct componentname *cnp)
 {
@@ -1104,10 +1120,12 @@
 	.mpo_check_vnode_create = mac_none_check_vnode_create,
 	.mpo_check_vnode_delete = mac_none_check_vnode_delete,
 	.mpo_check_vnode_deleteacl = mac_none_check_vnode_deleteacl,
+	.mpo_check_vnode_deleteextattr = mac_none_check_vnode_deleteextattr,
 	.mpo_check_vnode_exec = mac_none_check_vnode_exec,
 	.mpo_check_vnode_getacl = mac_none_check_vnode_getacl,
 	.mpo_check_vnode_getextattr = mac_none_check_vnode_getextattr,
 	.mpo_check_vnode_link = mac_none_check_vnode_link,
+	.mpo_check_vnode_listextattr = mac_none_check_vnode_listextattr,
 	.mpo_check_vnode_lookup = mac_none_check_vnode_lookup,
 	.mpo_check_vnode_mmap = mac_none_check_vnode_mmap,
 	.mpo_check_vnode_mprotect = mac_none_check_vnode_mprotect,

==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#108 (text+ko) ====

@@ -1,6 +1,6 @@
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
- * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -1456,6 +1456,17 @@
 }
 
 static int
+mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace, const char *name)
+{
+
+	ASSERT_CRED_LABEL(&cred->cr_label);
+	ASSERT_VNODE_LABEL(label);
+
+	return (0);
+}
+
+static int
 mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
     struct label *label, struct image_params *imgp,
     struct label *execlabel)
@@ -1506,6 +1517,17 @@
 }
 
 static int
+mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace)
+{
+
+	ASSERT_CRED_LABEL(&cred->cr_label);
+	ASSERT_VNODE_LABEL(label);
+
+	return (0);
+}
+
+static int
 mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 
     struct label *dlabel, struct componentname *cnp)
 {
@@ -1869,10 +1891,12 @@
 	.mpo_check_vnode_create = mac_test_check_vnode_create,
 	.mpo_check_vnode_delete = mac_test_check_vnode_delete,
 	.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
+	.mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
 	.mpo_check_vnode_exec = mac_test_check_vnode_exec,
 	.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
 	.mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
 	.mpo_check_vnode_link = mac_test_check_vnode_link,
+	.mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
 	.mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
 	.mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
 	.mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect,

