PERFORCE change 114582 for review
Todd Miller
millert at FreeBSD.org
Thu Feb 15 20:26:09 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=114582
Change 114582 by millert at millert_p4 on 2007/02/15 20:26:02
Add sysctl_canon_context, sysctl_compute_create, and
sysctl_compute_member for use by new libselinux.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#12 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#12 (text+ko) ====
@@ -333,7 +333,169 @@
return (error);
}
+/*
+ * Sysctl handler for security.mac.sebsd.canon_context.
+ * Check sid validity, returns canonical name of context.
+ */
+static int
+sysctl_canon_context(SYSCTL_HANDLER_ARGS)
+{
+ u_int32_t sid, len;
+ char *context, *canon;
+ int error;
+
+#ifdef SECURITY__COMPUTE_CHECK
+ error = thread_has_security(curthread, SECURITY__COMPUTE_CHECK);
+ if (error)
+ return (error);
+#endif
+
+ if (req->newlen < 2)
+ return (EINVAL);
+ if (req->newlen > 512) /* arbitrary */
+ return (ENAMETOOLONG);
+ MALLOC(context, char *, req->newlen, M_SEBSD, M_WAITOK);
+ error = SYSCTL_IN(req, context, req->newlen);
+ if (error)
+ goto out;
+ if (context[req->newlen - 1] != '\0') {
+ error = EINVAL;
+ goto out;
+ }
+ /*
+ * XXX We need POLICY_RDLOCK here, but it's not exported!
+ */
+ error = security_context_to_sid(context, strlen(context) + 1, &sid);
+ if (error)
+ goto out;
+
+ error = security_sid_to_context(sid, &canon, &len);
+ if (error == 0) {
+ error = SYSCTL_OUT(req, canon, len);
+ FREE(canon, M_SEBSD);
+ }
+out:
+ FREE(context, M_SEBSD);
+ return (error);
+}
+
+/*
+ * Sysctl handler for security.mac.sebsd.compute_create. Create new sid
+ * given input "scontext\0tcontext\0", tclass.
+ */
static int
+sysctl_compute_create(SYSCTL_HANDLER_ARGS)
+{
+ u_int32_t sid, tsid, newsid, len;
+ u_int16_t tclass;
+ char *scontext, *tcontext, *newcontext;
+ int error;
+
+ error = thread_has_security(curthread, SECURITY__COMPUTE_CREATE);
+ if (error)
+ return (error);
+
+ if (req->newlen < 4 + sizeof(tclass))
+ return (EINVAL);
+ if (req->newlen > 512) /* arbitrary */
+ return (ENAMETOOLONG);
+ MALLOC(scontext, char *, req->newlen, M_SEBSD, M_WAITOK);
+ error = SYSCTL_IN(req, scontext, req->newlen);
+ if (error)
+ goto out;
+ if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') {
+ error = EINVAL;
+ goto out;
+ }
+ tcontext = &scontext[strlen(scontext) + 1];
+ if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) {
+ error = EINVAL;
+ goto out;
+ }
+ bcopy(&tcontext[strlen(tcontext) + 1], &tclass, sizeof(tclass));
+ /*
+ * XXX We need POLICY_RDLOCK here, but it's not exported!
+ */
+ error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid);
+ if (error)
+ goto out;
+ error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid);
+ if (error)
+ goto out;
+
+ error = security_transition_sid(sid, tsid, tclass, &newsid);
+ if (error)
+ goto out;
+
+ error = security_sid_to_context(newsid, &newcontext, &len);
+ if (error == 0) {
+ error = SYSCTL_OUT(req, newcontext, len);
+ FREE(newcontext, M_SEBSD);
+ }
+out:
+ FREE(scontext, M_SEBSD);
+ return (error);
+}
+
+/*
+ * Sysctl handler for security.mac.sebsd.compute_member. Compute member sid
+ * given input "scontext\0tcontext\0", tclass.
+ */
+static int
+sysctl_compute_member(SYSCTL_HANDLER_ARGS)
+{
+ u_int32_t sid, tsid, newsid, len;
+ u_int16_t tclass;
+ char *scontext, *tcontext, *newcontext;
+ int error;
+
+ error = thread_has_security(curthread, SECURITY__COMPUTE_MEMBER);
+ if (error)
+ return (error);
+
+ if (req->newlen < 4 + sizeof(tclass))
+ return (EINVAL);
+ if (req->newlen > 512) /* arbitrary */
+ return (ENAMETOOLONG);
+ MALLOC(scontext, char *, req->newlen, M_SEBSD, M_WAITOK);
+ error = SYSCTL_IN(req, scontext, req->newlen);
+ if (error)
+ goto out;
+ if (scontext[req->newlen - (1 + sizeof(tclass))] != '\0') {
+ error = EINVAL;
+ goto out;
+ }
+ tcontext = &scontext[strlen(scontext) + 1];
+ if (tcontext >= &scontext[req->newlen - (1 + sizeof(tclass))]) {
+ error = EINVAL;
+ goto out;
+ }
+ bcopy(&tcontext[strlen(tcontext) + 1], &tclass, sizeof(tclass));
+ /*
+ * XXX We need POLICY_RDLOCK here, but it's not exported!
+ */
+ error = security_context_to_sid(scontext, strlen(scontext) + 1, &sid);
+ if (error)
+ goto out;
+ error = security_context_to_sid(tcontext, strlen(tcontext) + 1, &tsid);
+ if (error)
+ goto out;
+
+ error = security_member_sid(sid, tsid, tclass, &newsid);
+ if (error)
+ goto out;
+
+ error = security_sid_to_context(newsid, &newcontext, &len);
+ if (error == 0) {
+ error = SYSCTL_OUT(req, newcontext, len);
+ FREE(newcontext, M_SEBSD);
+ }
+out:
+ FREE(scontext, M_SEBSD);
+ return (error);
+}
+
+static int
sysctl_sebsd_policypath(SYSCTL_HANDLER_ARGS)
{
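Review bot: The permission check in sysctl_canon_context is compiled out when SECURITY__COMPUTE_CHECK is not defined (the `#ifdef` around thread_has_security), while the registration in the second hunk marks the node CTLFLAG_ANYBODY, so in that configuration any unprivileged process appears able to drive security_context_to_sid/security_sid_to_context through this handler, whereas sysctl_compute_create and sysctl_compute_member check unconditionally. If that is intended while the policy headers lack the permission, say so at the `#ifdef`, e.g. `/* XXX no permission check when the policy does not define SECURITY__COMPUTE_CHECK; node is CTLFLAG_ANYBODY */`, otherwise add an `#else` branch that fails closed with `return (EPERM);` until the permission exists. Separately, sysctl_compute_create and sysctl_compute_member differ only in the security_transition_sid/security_member_sid call, so the shared input parsing (the two length checks, the NUL checks and the bcopy of tclass) could be one static helper. That parsing also does not require tclass to occupy the last two bytes of the request: with a tcontext shorter than the remaining buffer, `bcopy(&tcontext[strlen(tcontext) + 1], &tclass, sizeof(tclass));` still reads in bounds (the NUL at newlen - 3 is guaranteed) but any bytes after it are silently ignored, and a check that `&tcontext[strlen(tcontext) + 1 + sizeof(tclass)] == &scontext[req->newlen]` would reject malformed input instead.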
@@ -360,6 +522,15 @@
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_av, CTLTYPE_STRING |
CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_av, "A",
"SEBSD access vector decision query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, canon_context, CTLTYPE_STRING |
+ CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_canon_context, "A",
+ "SEBSD context verification query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_create, CTLTYPE_STRING |
+ CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_create, "A",
+ "SEBSD context computation query");
+SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, compute_member, CTLTYPE_STRING |
+ CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_compute_member, "A",
+ "SEBSD context member query");
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, auditing, CTLTYPE_INT |
CTLFLAG_RW, NULL, 0, sysctl_sebsd_auditing, "I", "SEBSD avc auditing");
TUNABLE_INT("security.mac.sebsd.auditing", &selinux_auditing);