PERFORCE change 114582 for review

Todd Miller millert at FreeBSD.org
Thu Feb 15 20:26:09 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=114582

Change 114582 by millert at millert_p4 on 2007/02/15 20:26:02

	Add sysctl_canon_context, sysctl_compute_create, and
	sysctl_compute_member for use by new libselinux.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#12 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#12 (text+ko) ====

@@ -333,7 +333,169 @@
 	return (error);
 }
 
+/*
+ * Sysctl handler for security.mac.sebsd.canon_context.
+ * Check sid validity, returns canonical name of context.
+ */
+static int
+sysctl_canon_context(SYSCTL_HANDLER_ARGS)
+{
+	u_int32_t sid, len;
+	char *context, *canon;
+	int error;
+
+#ifdef SECURITY__COMPUTE_CHECK
+	error = thread_has_security(curthread, SECURITY__COMPUTE_CHECK);
+        if (error)
+		return (error);
+#endif
+
+	if (req->newlen < 2)
+		return (EINVAL);
+	if (req->newlen > 512)	/* arbitrary */
+		return (ENAMETOOLONG);
+	MALLOC(context, char *, req->newlen, M_SEBSD, M_WAITOK);
+	error = SYSCTL_IN(req, context, req->newlen);
+	if (error)
+		goto out;
+	if (context[req->newlen - 1] != '\0') {
+		error = EINVAL;
+		goto out;
+	}
+	/*
+	 * XXX We need POLICY_RDLOCK here, but it's not exported!
+	 */
+	error = security_context_to_sid(context, strlen(context) + 1, &sid);
+	if (error)
+		goto out;
+
+	error = security_sid_to_context(sid, &canon, &len);
+	if (error == 0) {
+		error = SYSCTL_OUT(req, canon, len);
+		FREE(canon, M_SEBSD);
+	}
+out:
+	FREE(context, M_SEBSD);
+	return (error);
+}
+
+/*
+ * Sysctl handler for security.mac.sebsd.compute_create.  Create new sid
+ * given input "scontext\0tcontext\0", tclass.
+ */
 static int
+sysctl_compute_create(SYSCTL_HANDLER_ARGS)
+{
+	u_int32_t sid, tsid, newsid, len;
+	u_int16_t tclass;
+	char *scontext, *tcontext, *newcontext;
+	int error;
+
+	error = thread_has_security(curthread, SECURITY__COMPUTE_CREATE);
+        if (error)
+		return (error);
+
+	if (req->newlen < 4 + sizeof(tclass))
+		return (EINVAL);
+	if (req->newlen > 512)	/* arbitrary */
+		return (ENAMETOOLONG);
+	MALLOC(scontext, char *, req->newlen, M_SEBSD, M_WAITOK);
+	error = SYSCTL_IN(req, scontext, req->newlen);
+	if (error)
+		goto out;
+	if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') {
+		error = EINVAL;
+		goto out;
+	}
+	tcontext = &scontext[strlen(scontext) + 1];
+	if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) {
+		error = EINVAL;
+		goto out;
+	}
+	bcopy(&tcontext[strlen(tcontext) + 1], &tclass, sizeof(tclass));
+	/*
+	 * XXX We need POLICY_RDLOCK here, but it's not exported!
+	 */
+	error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid);
+	if (error)
+		goto out;
+	error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid);
+	if (error)
+		goto out;
+
+	error = security_transition_sid(sid, tsid, tclass, &newsid);
+	if (error)
+		goto out;
+
+	error = security_sid_to_context(newsid, &newcontext, &len);
+	if (error == 0) {
+		error = SYSCTL_OUT(req, newcontext, len);
+		FREE(newcontext, M_SEBSD);
+	}
+out:
+	FREE(scontext, M_SEBSD);
+	return (error);
+}
+
+/*
+ * Sysctl handler for security.mac.sebsd.compute_member.  Compute member sid
+ * given input "scontext\0tcontext\0", tclass.
+ */
+static int
+sysctl_compute_member(SYSCTL_HANDLER_ARGS)
+{
+	u_int32_t sid, tsid, newsid, len;
+	u_int16_t tclass;
+	char *scontext, *tcontext, *newcontext;
+	int error;
+
+	error = thread_has_security(curthread, SECURITY__COMPUTE_MEMBER);
+        if (error)
+		return (error);
+
+	if (req->newlen < 4 + sizeof(tclass))
+		return (EINVAL);
+	if (req->newlen > 512)	/* arbitrary */
+		return (ENAMETOOLONG);
+	MALLOC(scontext, char *, req->newlen, M_SEBSD, M_WAITOK);
+	error = SYSCTL_IN(req, scontext, req->newlen);
+	if (error)
+		goto out;
+	if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') {
+		error = EINVAL;
+		goto out;
+	}
+	tcontext = &scontext[strlen(scontext) + 1];
+	if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) {
+		error = EINVAL;
+		goto out;
+	}
+	bcopy(&tcontext[strlen(tcontext) + 1], &tclass, sizeof(tclass));
+	/*
+	 * XXX We need POLICY_RDLOCK here, but it's not exported!
+	 */
+	error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid);
+	if (error)
+		goto out;
+	error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid);
+	if (error)
+		goto out;
+
+	error = security_member_sid(sid, tsid, tclass, &newsid);
+	if (error)
+		goto out;
+
+	error = security_sid_to_context(newsid, &newcontext, &len);
+	if (error == 0) {
+		error = SYSCTL_OUT(req, newcontext, len);
+		FREE(newcontext, M_SEBSD);
+	}
+out:
+	FREE(scontext, M_SEBSD);
+	return (error);
+}
+
+static int
 sysctl_sebsd_policypath(SYSCTL_HANDLER_ARGS)
 {
 
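Review bot: In sysctl_canon_context the thread_has_security() call is wrapped in `#ifdef SECURITY__COMPUTE_CHECK`, so if the flask headers do not define that permission the check vanishes at compile time and the handler — registered with CTLFLAG_ANYBODY in the following hunk — is reachable by any user with no access control at all, whereas sysctl_compute_create and sysctl_compute_member check unconditionally. If the permission can legitimately be absent, make that outcome visible rather than silent, e.g. add `#else` with a comment stating that canon_context is then unprivileged and why, or `#error "SECURITY__COMPUTE_CHECK missing from policy headers"` so such a build fails. In both compute handlers the "scontext\0tcontext\0" layout is only loosely enforced at the bcopy of tclass: the NUL check guarantees a terminator before the trailing two bytes, but tcontext's own terminator need not sit there, so an input with extra bytes after tcontext reads tclass from the wrong offset (still inside the buffer); `if (&tcontext[strlen(tcontext) + 1] != &scontext[req->newlen - sizeof(tclass)]) { error = EINVAL; goto out; }` after the existing tcontext bounds check pins the format. The two compute handlers are otherwise identical apart from the permission and the security_*_sid() call, so the copy-in and parsing could move into one static helper; the `if (error)` lines after the three thread_has_security() calls are also indented with spaces where the rest of the file uses tabs.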
@@ -360,6 +522,15 @@
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_av, CTLTYPE_STRING |
     CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_av, "A",
     "SEBSD access vector decision query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, canon_context, CTLTYPE_STRING |
+    CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_canon_context, "A",
+    "SEBSD context verification query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_create, CTLTYPE_STRING |
+    CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_create, "A",
+    "SEBSD context computation query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_member, CTLTYPE_STRING |
+    CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_member, "A",
+    "SEBSD context member query");
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, auditing, CTLTYPE_INT |
     CTLFLAG_RW, NULL, 0, sysctl_sebsd_auditing, "I", "SEBSD avc auditing");
 TUNABLE_INT("security.mac.sebsd.auditing", &selinux_auditing);

