PERFORCE change 19962 for review

Robert Watson rwatson at freebsd.org
Wed Oct 23 15:05:06 GMT 2002


http://perforce.freebsd.org/chv.cgi?CH=19962

Change 19962 by rwatson at rwatson_tislabs on 2002/10/23 08:04:20

	Add mac_check_sysctl(), a MAC Framework and MAC Policy entry
	point to check whether a sysctl operation is permitted.  Right
	now, this is not a highly useful entry point, since sysctl
	doesn't provide useful information such as the name, rather,
	just the OID.  This is sufficient, however, to permit policies
	to deny sysctl change requests from processes outright, which
	can support most integrity policies, even if the granularity
	is poor.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#325 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_sysctl.c#12 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#188 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#146 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#325 (text+ko) ====

@@ -137,6 +137,11 @@
     &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int	mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+    &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int	mac_enforce_vm = 0;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
     &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -918,6 +923,10 @@
 			mpc->mpc_ops->mpo_check_socket_visible =
 			    mpe->mpe_function;
 			break;
+		case MAC_CHECK_SYSCTL:
+			mpc->mpc_ops->mpo_check_sysctl =
+			    mpe->mpe_function;
+			break;
 		case MAC_CHECK_VNODE_ACCESS:
 			mpc->mpc_ops->mpo_check_vnode_access =
 			    mpe->mpe_function;
@@ -3367,6 +3376,25 @@
 }
 
 int
+mac_check_sysctl(struct ucred *cred, int *name, u_int namelen, void *old,
+    size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+	int error;
+
+	/*
+	 * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+	 * but since it's not exported from kern_sysctl.c, we can't.
+	 */
+	if (!mac_enforce_sysctl)
+		return (0);
+
+	MAC_CHECK(check_sysctl, cred, name, namelen, old, oldlenp, inkernel,
+	    new, newlen);
+
+	return (error);
+}
+
+int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
     struct ifnet *ifnet)
 {
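Review bot: mac_check_sysctl() has no header comment stating its locking contract, even though the XXXMAC note says the SYSCTL_LOCK assertion cannot be expressed in code; the one caller in kern_sysctl.c invokes it between SYSCTL_LOCK() and SYSCTL_UNLOCK(), so that expectation should at least be written down, e.g. `/* Caller must hold SYSCTL_LOCK; policies see only the numeric OID in name/namelen, not a resolved name. */`. The short-circuit on `!mac_enforce_sysctl` also deserves a sentence: `mac_enforce_sysctl` is a CTLFLAG_RW sysctl under security.mac, so a write to that OID is itself a sysctl change request that flows through this hook, and once it reads 0 every later request returns 0 before any policy is consulted; a policy that relies on this entry point for integrity therefore has to deny writes to the security.mac.enforce_* OIDs as well, which is worth noting in the comment since the policy cannot tell these OIDs apart by name. `error` is only assigned inside MAC_CHECK(); if that macro initializes it the way the other mac_check_* functions in this file rely on, this is fine, but the body as written reads as if `error` could be returned uninitialized. mac_ioctl_ifnet_get() at the end of the hunk continues outside it.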

==== //depot/projects/trustedbsd/mac/sys/kern/kern_sysctl.c#12 (text+ko) ====

@@ -41,11 +41,13 @@
  */
 
 #include "opt_compat.h"
+#include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/sysctl.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
 #include <sys/lock.h>
@@ -1238,6 +1240,15 @@
 
 	SYSCTL_LOCK();
 
+#ifdef MAC
+	error = mac_check_sysctl(td->td_ucred, name, namelen, old, oldlenp,
+	    inkernel, new, newlen);
+	if (error) {
+		SYSCTL_UNLOCK();
+		return (error);
+	}
+#endif
+
 	do {
 	    req2 = req;
 	    error = sysctl_root(0, name, namelen, &req2);
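Review bot: The new check runs before sysctl_root() has validated the OID, so a policy's mpo_check_sysctl receives `name`/`namelen` exactly as the caller supplied them, and the `old`/`new` pointers may still be user addresses depending on `inkernel`; the hunk does not say so, and a policy author reading only mac.h would not know. If this is userland_sysctl() (the `td->td_ucred` and `inkernel` arguments suggest it), then callers that go through kernel_sysctl() to sysctl_root() directly are never checked, which is presumably intended for kernel-originated requests but should be recorded, e.g. `/* MAC check covers user-originated requests only; kernel_sysctl() bypasses it. Pointers are unvalidated here. */`. The SYSCTL_UNLOCK() on the error path is correct. The enclosing function starts and ends outside the hunk.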

==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#188 (text+ko) ====

@@ -304,6 +304,9 @@
 int	mac_check_socket_receive(struct ucred *cred, struct socket *so);
 int	mac_check_socket_send(struct ucred *cred, struct socket *so);
 int	mac_check_socket_visible(struct ucred *cred, struct socket *so);
+int	mac_check_sysctl(struct ucred *cred, int *name, u_int namelen,
+	    void *old, size_t *oldlenp, int inkernel, void *new,
+	    size_t newlen);
 int	mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
 	    int flags);
 int	mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#146 (text+ko) ====

@@ -315,6 +315,9 @@
 		    struct socket *so, struct label *socketlabel);
 	int	(*mpo_check_socket_visible)(struct ucred *cred,
 		    struct socket *so, struct label *socketlabel);
+	int	(*mpo_check_sysctl)(struct ucred *cred, int *name,
+		    u_int namelen, void *old, size_t *oldlenp, int inkernel,
+		    void *new, size_t newlen);
 	int	(*mpo_check_vnode_access)(struct ucred *cred,
 		    struct vnode *vp, struct label *label, int flags);
 	int	(*mpo_check_vnode_chdir)(struct ucred *cred,
@@ -511,6 +514,7 @@
 	MAC_CHECK_SOCKET_RELABEL,
 	MAC_CHECK_SOCKET_SEND,
 	MAC_CHECK_SOCKET_VISIBLE,
+	MAC_CHECK_SYSCTL,
 	MAC_CHECK_VNODE_ACCESS,
 	MAC_CHECK_VNODE_CHDIR,
 	MAC_CHECK_VNODE_CHROOT,
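Review bot: The new mpo_check_sysctl member (and the matching prototype added to sys/mac.h) names a parameter `new`, which mirrors the kern_sysctl.c caller but is a C++ keyword, so both public headers become unusable from any C++ translation unit that includes them; the parameter name carries no API meaning in a prototype, so `void *newp` (paired with `size_t newlen`, which already uses that spelling) would avoid the problem at no cost. This is a style point only; the enum entry MAC_CHECK_SYSCTL is placed consistently with the ops table ordering.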