PERFORCE change 14832 for review

Robert Watson rwatson at freebsd.org
Wed Jul 24 13:57:09 GMT 2002


On Wed, 24 Jul 2002, Robert Watson wrote:

> http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14832
> 
> Change 14832 by rwatson at rwatson_paprika on 2002/07/24 06:56:16
> 
> 	Add MAC_TE_OPERATION_FILE_POLL.

Sigh.  I committed the wrong file.  This description should read:

- Implement mac_te_cred_check_mmap_perms() for mac_te
- Implement mac_te_cred_check_vnode_op() for mac_te

> 
> Affected files ...
> 
> .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#47 edit
> 
> Differences ...
> 
> ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#47 (text+ko) ====
> 
> @@ -92,6 +92,12 @@
>  TUNABLE_INT("security.mac.te.debug_transitions",
>      &mac_te_debug_transitions);
>  
> +static int	mac_te_revocation_enabled = 0;
> +SYSCTL_INT(_security_mac_te, OID_AUTO, revocation_enabled, CTLFLAG_RW,
> +    &mac_te_revocation_enabled, 0, "Revoke access to objects on relabel");
> +TUNABLE_INT("security.mac.te.revocation_enabled",
> +    &mac_te_revocation_enabled);
> +
>  static int labelslot;
>  #define	SLOT(l) ((struct mac_te *)LABEL_TO_SLOT((l), labelslot).l_ptr)
>  
> @@ -1498,6 +1504,69 @@
>  	return (error);
>  }
>  
> +static int
> +mac_te_cred_check_mmap_perms(struct ucred *cred, struct vnode *vp,
> +    struct label *label)
> +{
> +	struct mac_te *subj, *obj;
> +	vm_prot_t prot = 0;
> +
> +	if (!mac_biba_revocation_enabled)
> +		return (VM_PROT_ALL);
> +
> +	subj = SLOT(&cred->cr_label);
> +	obj = SLOT(label);
> +
> +	if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
> +	    MAC_TE_OPERATION_FILE_READ) == 0)
> +		prot |= VM_PROT_READ;
> +	if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
> +	    MAC_TE_OPERATION_FILE_EXEC) == 0)
> +		prot |= VM_PROT_EXECUTE;
> +	if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
> +	    MAC_TE_OPERATION_FILE_WRITE) == 0)
> +		prot |= VM_PROT_WRITE;
> +	return (prot);
> +}
> +
> +static int
> +mac_te_cred_check_vnode_op(struct ucred *cred, struct vnode *vp,
> +    struct label *label, int op)
> +{
> +	struct mac_te *subj, *obj;
> +	int error, te_class, te_op;
> +
> +	if (!mac_te_revocation_enabled)
> +		return (0);
> +
> +	subj = SLOT(&cred->cr_label);
> +	obj = SLOT(label);
> +
> +	te_class = MAC_TE_CLASS_FILE;
> +	switch (op) {
> +	case MAC_OP_VNODE_POLL:
> +		te_op = MAC_TE_OPERATION_FILE_POLL;
> +		break;
> +
> +	case MAC_OP_VNODE_READ:
> +		te_op = MAC_TE_OPERATION_FILE_READ;
> +		break;
> +
> +	case MAC_OP_VNODE_WRITE:
> +		te_op = MAC_TE_OPERATION_FILE_WRITE;
> +		break;
> +
> +	default:
> +		printf("mac_te_cred_check_vnode_op: unknown operation %d\n",
> +		    op);
> +		return (EINVAL);
> +	}
> +
> +	error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE, te_op);
> +
> +	return (error);
> +}
> +
>  static void
>  mac_te_update_devfsdirent_from_vnode(struct devfs_dirent *devfs_dirent,
>      struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
> @@ -1670,6 +1739,10 @@
>  	{ MAC_CRED_CHECK_SCHED_PROC, (macop_t)mac_te_cred_check_sched_proc },
>  	{ MAC_CRED_CHECK_SIGNAL_PROC, (macop_t)mac_te_cred_check_signal_proc },
>  	{ MAC_CRED_CHECK_STAT_VNODE, (macop_t)mac_te_cred_check_stat_vnode },
> +	{ MAC_CRED_CHEKC_VNODE_MMAP_PERMS,
> +	    (macop_t)mac_te_cred_check_mmap_perms },
> +	{ MAC_CRED_CHECK_VNODE_OP,
> +	    (macop_t)mac_te_cred_check_vnode_op },
>  	{ MAC_IFNET_CHECK_SEND_MBUF, (macop_t)mac_te_ifnet_check_send_mbuf },
>  	{ MAC_SOCKET_CHECK_RECEIVE_MBUF,
>  	    (macop_t)mac_te_socket_check_receive_mbuf },
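Review bot: The new ops-table entry uses the identifier `MAC_CRED_CHEKC_VNODE_MMAP_PERMS`, with CHEKC instead of CHECK, while every neighbouring entry spells it CHECK; unless the framework header carries the same transposition, this will not compile, and if the header does carry it the misspelling should be fixed there too so the mmap-perms hook is actually registered. The operation array this hunk edits starts and ends outside the hunk.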
> 



