PERFORCE change 91474 for review

Todd Miller millert at FreeBSD.org
Thu Feb 9 21:35:04 GMT 2006


http://perforce.freebsd.org/chv.cgi?CH=91474

Change 91474 by millert at millert_ibook on 2006/02/09 21:34:37

	Add mprotect entry point
	Add some casts to quiet gcc
	For mmap entry point, check flags for MAP_SHARED

Affected files ...

.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#28 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/sebsd.c#28 (text+ko) ====

@@ -1186,13 +1186,13 @@
 	psec = SLOT(obj);
 	tsec = SLOT(subj);
 
-	cld = hashtab_search (policydb.p_classes.table, s);
+	cld = hashtab_search(policydb.p_classes.table, (void *)s);
 	if (cld == NULL)
 		return EINVAL;
 
-	p = hashtab_search (cld->permissions.table, pn);
+	p = hashtab_search(cld->permissions.table, (void *)pn);
 	if (p == NULL && cld->comdatum)
-		p = hashtab_search (cld->comdatum->permissions.table, pn);
+		p = hashtab_search(cld->comdatum->permissions.table, (void *)pn);
 	if (p == NULL)
 		return EINVAL;
 
@@ -1212,7 +1212,7 @@
 	tsec = SLOT(subj);
 	osec = SLOT(out);
 
-	cld = hashtab_search (policydb.p_classes.table, s);
+	cld = hashtab_search(policydb.p_classes.table, (void *)s);
 	if (cld == NULL)
 		return EINVAL;
 
@@ -1409,7 +1409,7 @@
 		/* loginwindow.app/MAC.loginPlugin orphaned process. */
 		dst = SLOT(p->p_ucred->cr_label);
 #ifdef SEFOS_DEBUG
-		printf("sebsd_check_proc_setlcid (orphan): pid %d, lcid %d, sid 0x%x -> 0x%x\n", pid, lcid, dst->sid, dst->osid);
+		printf("sebsd_check_proc_setlcid (orphan): pid %d, lcid %d, sid 0x%x -> 0x%x\n", pid, lcid, dst->sid, dst->osid); // XXX
 #endif
 		if (dst->sid != dst->osid) {
 			/*
@@ -1424,7 +1424,7 @@
 	case LCID_CREATE:	/* Create */
 		/* nop */
 #ifdef SEFOS_DEBUG
-		printf("sebsd_check_proc_setlcid (create): pid %d, lcid %d\n", pid, lcid);
+		printf("sebsd_check_proc_setlcid (create): pid %d, lcid %d\n", pid, lcid); // XXX
 #endif
 		break;
 
@@ -1435,7 +1435,7 @@
 		dst = SLOT(p->p_ucred->cr_label);
 
 #ifdef SEFOS_DEBUG
-		printf("sebsd_check_proc_setlcid (adopt): pid %d, lcid %d, sid 0x%x -> 0x%x\n", pid, lcid, dst->sid, src->sid);
+		printf("sebsd_check_proc_setlcid (adopt): pid %d, lcid %d, sid 0x%x -> 0x%x\n", pid, lcid, dst->sid, src->sid); // XXX
 #endif
 		if (src->sid != dst->sid) {
 			/*
@@ -2267,12 +2267,9 @@
 	return vnode_has_perm(cred, vp, FILE__WRITE, NULL);
 }
 
-/*
- * Also registered for MAC_CHECK_VNODE_MPROTECT
- */
 static int
 sebsd_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
-    struct label *label, int newmapping, int flags, int *maxprot)
+    struct label *label, int prot, int flags, int *maxprot)
 {
 	access_vector_t av;
 
@@ -2283,10 +2280,33 @@
 	if (vp) {
 		av = FILE__READ;
 
-		if (newmapping & PROT_WRITE)
+		if ((prot & PROT_WRITE) && (flags & MAP_SHARED))
+			av |= FILE__WRITE;
+
+		if (prot & PROT_EXEC)
+			av |= FILE__EXECUTE;
+
+		return (vnode_has_perm(cred, vp, av, NULL));
+	}
+	return (0);
+}
+
+static int
+sebsd_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+    struct label *label, int prot)
+{
+	access_vector_t av;
+
+	/*
+	 * TBD: Incomplete?
+	 */
+	if (vp) {
+		av = FILE__READ;
+
+		if (prot & PROT_WRITE)
 			av |= FILE__WRITE;
 
-		if (newmapping & PROT_EXEC)
+		if (prot & PROT_EXEC)
 			av |= FILE__EXECUTE;
 
 		return (vnode_has_perm(cred, vp, av, NULL));
@@ -2614,8 +2634,8 @@
 
 	.mpo_destroy = sebsd_destroy,
 	.mpo_destroy_cred_label = sebsd_destroy_cred_label,
-	.mpo_destroy_task_label = sebsd_destroy_cred_label,
-	.mpo_destroy_port_label = sebsd_destroy_cred_label,
+	.mpo_destroy_task_label = sebsd_destroy_task_label,
+	.mpo_destroy_port_label = sebsd_destroy_port_label,
 	.mpo_destroy_vnode_label = sebsd_destroy_vnode_label,
 	.mpo_destroy_devfsdirent_label = sebsd_destroy_vnode_label,
 
@@ -2686,6 +2706,7 @@
 	.mpo_check_vnode_link = sebsd_check_vnode_link,
 	.mpo_check_vnode_lookup = sebsd_check_vnode_lookup,
 	.mpo_check_vnode_mmap = sebsd_check_vnode_mmap,
+	.mpo_check_vnode_mprotect = sebsd_check_vnode_mprotect,
 	.mpo_check_vnode_open = sebsd_check_vnode_open,
 	.mpo_check_vnode_poll = sebsd_check_vnode_poll,
 	.mpo_check_vnode_read = sebsd_check_vnode_read,
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message



More information about the trustedbsd-cvs mailing list