svn commit: r184412 - in head/sys/security: mac mac_lomac

Robert Watson rwatson at FreeBSD.org
Tue Oct 28 05:49:08 PDT 2008


Author: rwatson
Date: Tue Oct 28 12:49:07 2008
New Revision: 184412
URL: http://svn.freebsd.org/changeset/base/184412

Log:
  Rename mac_cred_mmapped_drop_perms(), which revokes access to virtual
  memory mappings when the MAC label on a process changes, to
  mac_proc_vm_revoke().
  
  It now also acquires its own credential reference directly from the
  affected process rather than accepting one passed by the caller,
  simplifying the API and consumer code.
  
  Obtained from:	TrustedBSD Project

Modified:
  head/sys/security/mac/mac_framework.h
  head/sys/security/mac/mac_process.c
  head/sys/security/mac/mac_syscalls.c
  head/sys/security/mac_lomac/mac_lomac.c

Modified: head/sys/security/mac/mac_framework.h
==============================================================================
--- head/sys/security/mac/mac_framework.h	Tue Oct 28 12:22:33 2008	(r184411)
+++ head/sys/security/mac/mac_framework.h	Tue Oct 28 12:49:07 2008	(r184412)
@@ -259,6 +259,7 @@ int	mac_proc_check_signal(struct ucred *
 int	mac_proc_check_wait(struct ucred *cred, struct proc *p);
 void	mac_proc_destroy(struct proc *);
 void	mac_proc_init(struct proc *);
+void	mac_proc_vm_revoke(struct thread *td);
 int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
 void	mac_execve_exit(struct image_params *imgp);
 void	mac_execve_interpreter_enter(struct vnode *interpvp,
@@ -434,8 +435,6 @@ int	mac_vnode_execve_will_transition(str
 void	mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
 	    struct label *newlabel);
 
-void	mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
-
 /*
  * Calls to help various file systems implement labeling functionality using
  * their existing EA implementation.

Modified: head/sys/security/mac/mac_process.c
==============================================================================
--- head/sys/security/mac/mac_process.c	Tue Oct 28 12:22:33 2008	(r184411)
+++ head/sys/security/mac/mac_process.c	Tue Oct 28 12:49:07 2008	(r184412)
@@ -81,7 +81,7 @@ SYSCTL_INT(_security_mac, OID_AUTO, mmap
     &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
     "copy-on-write semantics, or by removing all write access");
 
-static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
+static void	mac_proc_vm_revoke_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
 struct label *
@@ -314,13 +314,20 @@ mac_execve_interpreter_exit(struct label
  * The process lock is not held here.
  */
 void
-mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred)
+mac_proc_vm_revoke(struct thread *td)
 {
+	struct ucred *cred;
+
+	PROC_LOCK(td->td_proc);
+	cred = crhold(td->td_proc->p_ucred);
+	PROC_UNLOCK(td->td_proc);
 
 	/* XXX freeze all other threads */
-	mac_cred_mmapped_drop_perms_recurse(td, cred,
+	mac_proc_vm_revoke_recurse(td, cred,
 	    &td->td_proc->p_vmspace->vm_map);
 	/* XXX allow other threads to continue */
+
+	crfree(cred);
 }
 
 static __inline const char *
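Review bot: The credential used for revocation is now whatever `td->td_proc->p_ucred` holds when `mac_proc_vm_revoke()` takes the proc lock, not the one the caller just installed, and the comment above the function does not say so. Both callers in this commit (`__mac_set_proc()` and `lomac_thread_userret()`) release the proc lock before calling in, so another thread could replace `p_ucred` in that window; the walk would then run against the newer label, which is probably the intended result but should be stated. I would add to the header comment, which begins outside this hunk, a sentence such as `The credential is sampled from the process under the proc lock at call time; the caller must not hold the proc lock.` The two XXX comments suggest other threads are not frozen during the walk, so the sampled credential can also go stale while the map is traversed.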
@@ -348,7 +355,7 @@ prot2str(vm_prot_t prot)
 }
 
 static void
-mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
+mac_proc_vm_revoke_recurse(struct thread *td, struct ucred *cred,
     struct vm_map *map)
 {
 	struct vm_map_entry *vme;
@@ -365,7 +372,7 @@ mac_cred_mmapped_drop_perms_recurse(stru
 	vm_map_lock_read(map);
 	for (vme = map->header.next; vme != &map->header; vme = vme->next) {
 		if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) {
-			mac_cred_mmapped_drop_perms_recurse(td, cred,
+			mac_proc_vm_revoke_recurse(td, cred,
 			    vme->object.sub_map);
 			continue;
 		}

Modified: head/sys/security/mac/mac_syscalls.c
==============================================================================
--- head/sys/security/mac/mac_syscalls.c	Tue Oct 28 12:22:33 2008	(r184411)
+++ head/sys/security/mac/mac_syscalls.c	Tue Oct 28 12:49:07 2008	(r184412)
@@ -203,17 +203,9 @@ __mac_set_proc(struct thread *td, struct
 	mac_cred_relabel(newcred, intlabel);
 	p->p_ucred = newcred;
 
-	/*
-	 * Grab additional reference for use while revoking mmaps, prior to
-	 * releasing the proc lock and sharing the cred.
-	 */
-	crhold(newcred);
 	PROC_UNLOCK(p);
-
-	mac_cred_mmapped_drop_perms(td, newcred);
-
-	crfree(newcred);	/* Free revocation reference. */
 	crfree(oldcred);
+	mac_proc_vm_revoke(td);
 
 out:
 	mac_cred_label_free(intlabel);
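Review bot: Nothing at the call site now explains why `mac_proc_vm_revoke(td)` has to come after `PROC_UNLOCK(p)`; the removed comment was the only hint about lock and reference ordering here. The callee now does `PROC_LOCK(td->td_proc)` itself, so moving the call above the unlock in a later edit would re-acquire a lock that is already held, assuming `p` is `td->td_proc` (its assignment is outside this hunk). A one-line comment above the call, for example `/* mac_proc_vm_revoke() takes the proc lock itself; call it unlocked. */`, would keep that constraint visible. `__mac_set_proc()` starts and ends outside the hunk.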

Modified: head/sys/security/mac_lomac/mac_lomac.c
==============================================================================
--- head/sys/security/mac_lomac/mac_lomac.c	Tue Oct 28 12:22:33 2008	(r184411)
+++ head/sys/security/mac_lomac/mac_lomac.c	Tue Oct 28 12:49:07 2008	(r184412)
@@ -2225,9 +2225,9 @@ lomac_thread_userret(struct thread *td)
 		mtx_unlock(&subj->mtx);
 		newcred = crget();
 		/*
-		 * Prevent a lock order reversal in
-		 * mac_cred_mmapped_drop_perms; ideally, the other user of
-		 * subj->mtx wouldn't be holding Giant.
+		 * Prevent a lock order reversal in mac_proc_vm_revoke;
+		 * ideally, the other user of subj->mtx wouldn't be holding
+		 * Giant.
 		 */
 		mtx_lock(&Giant);
 		PROC_LOCK(p);
@@ -2250,7 +2250,7 @@ lomac_thread_userret(struct thread *td)
 		mtx_unlock(&subj->mtx);
 		PROC_UNLOCK(p);
 		if (dodrop)
-			mac_cred_mmapped_drop_perms(curthread, newcred);
+			mac_proc_vm_revoke(curthread);
 		mtx_unlock(&Giant);
 	} else {
 		mtx_unlock(&subj->mtx);
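Review bot: The call passes `curthread` while the rest of `lomac_thread_userret()` works on its `td` argument and on `p`, and that mismatch matters more now that the callee derives both the credential and the VM map from the thread it is given. If `td` is always the current thread here, as is presumably the case for a userret hook, `mac_proc_vm_revoke(td);` says the same thing without relying on that assumption. Because `newcred` is no longer passed in, revocation uses whatever `p_ucred` is after `PROC_UNLOCK(p)`; the line that installs `newcred` is outside this hunk, so that cannot be confirmed from here. The function body starts and ends outside the hunk.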

