PERFORCE change 113367 for review

Todd Miller millert at FreeBSD.org
Mon Jan 22 16:26:31 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=113367

Change 113367 by millert at millert_macbook on 2007/01/22 16:25:40

	Add audit info for sockets and network interfaces.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/config/MACFramework.exports#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#20 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#10 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#77 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/config/MACFramework.exports#9 (text+ko) ====

@@ -25,6 +25,7 @@
 _kauth_cred_dup_add
 
 _sotoxsocket
+_ip6_sprintf
 
 _mac_kalloc
 _mac_kfree

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#20 (text+ko) ====

@@ -31,6 +31,10 @@
 #include <sys/vnode.h>
 #include <sys/vnode_internal.h>
 
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/in_var.h>
+
 #ifdef CAPABILITIES
 #include <sys/capability.h>
 #endif
@@ -543,26 +547,27 @@
 	return node;
 }
 
-#ifdef __linux__
 static inline void avc_print_ipv6_addr(struct audit_buffer *ab,
 				       struct in6_addr *addr, __be16 port,
-				       char *name1, char *name2)
+				       const char *name1, const char *name2)
 {
-	if (!ipv6_addr_any(addr))
-		audit_log_format(ab, " %s=" NIP6_FMT, name1, NIP6(*addr));
+	if (!IN6_IS_ADDR_UNSPECIFIED(addr))
+		audit_log_format(ab, " %s=%s", name1, ip6_sprintf(addr));
 	if (port)
 		audit_log_format(ab, " %s=%d", name2, ntohs(port));
 }
 
 static inline void avc_print_ipv4_addr(struct audit_buffer *ab, u32 addr,
-				       __be16 port, char *name1, char *name2)
+				       __be16 port, const char *name1,
+				       const char *name2)
 {
-	if (addr)
-		audit_log_format(ab, " %s=" NIPQUAD_FMT, name1, NIPQUAD(addr));
+	if (addr != INADDR_ANY)
+		audit_log_format(ab, " %s=%ld.%ld.%ld.%ld", name1,
+		    (ntohl(addr)>>24)&0xFF, (ntohl(addr)>>16)&0xFF,
+		    (ntohl(addr)>>8)&0xFF, (ntohl(addr))&0xFF);
 	if (port)
 		audit_log_format(ab, " %s=%d", name2, ntohs(port));
 }
-#endif /* __linux__ */
 
 /**
  * avc_audit - Audit the granting or denial of permissions.
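Review bot: The IPv4 format string `" %s=%ld.%ld.%ld.%ld"` in avc_print_ipv4_addr does not match its arguments: `ntohl()` yields a 32-bit unsigned value and `(ntohl(addr)>>24)&0xFF` stays 32-bit unsigned, so `%ld` consumes a `long` from a narrower argument, which is undefined behaviour and on LP64 can print garbage octets into the audit record. Use `" %s=%u.%u.%u.%u"` (optionally hoisting `ntohl(addr)` into one local instead of calling it four times). In avc_print_ipv6_addr, the BSD `ip6_sprintf()` implementations I know format into a small ring of static buffers and are not safe against concurrent callers, so simultaneous audit records could print each other's addresses; worth confirming for the XNU symbol exported in MACFramework.exports in this same change. Both helpers fall entirely within the hunk, but `avc_audit`, whose doc comment begins on the last lines, continues outside it.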
@@ -680,8 +685,7 @@
 			break;
 		case AVC_AUDIT_DATA_NET:
 #ifdef __linux__
-			/* XXX - convert to xsocket */
-			if (a->u.net.sk) {
+			if (a->u.net.xso) {
 				struct sock *sk = a->u.net.sk;
 				struct unix_sock *u;
 				int len = 0;
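Review bot: The new guard `if (a->u.net.xso) {` is immediately followed by `struct sock *sk = a->u.net.sk;`, so this Linux-only block now tests one member and reads another; the avc.h hunk in this change shows `xso` in the net union with no `sk` member visible, so the block presumably would not compile if `__linux__` were ever defined. Either remove the dead `#ifdef __linux__` block or leave its guard on `sk` so it stays internally consistent. The enclosing `switch` in `avc_audit` starts and ends outside this hunk.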
@@ -731,6 +735,7 @@
 					break;
 				}
 			}
+#endif /* __linux__ */
 			
 			switch (a->u.net.family) {
 			case AF_INET:
@@ -751,9 +756,8 @@
 				break;
 			}
 			if (a->u.net.netif)
-				audit_log_format(ab, " netif=%s",
-					a->u.net.netif);
-#endif /* __linux__ */
+				audit_log_format(ab, " netif=%s%d",
+					a->u.net.netif, a->u.net.netif_unit);
 			break;
 		case AVC_AUDIT_DATA_MIG:
 			audit_log_format(ab, " msgid=%d", a->u.ipc_id);
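Review bot: `" netif=%s%d"` prints `a->u.net.netif_unit` with `%d`, but the avc.h hunk declares it `u32 netif_unit`; use `" netif=%s%u"` so the conversion matches the type. Only the ifnet path in sebsd.c fills `netif` (from `ifnet_name()`/`ifnet_unit()`), so the socket paths rely on `AVC_AUDIT_DATA_INIT` leaving `netif` NULL — presumably it zeroes the struct, but that is worth confirming since the `%s` here would otherwise read an uninitialized pointer. The enclosing `switch` continues outside the hunk.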

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#10 (text+ko) ====

@@ -54,7 +54,8 @@
 			int pathlen;
 		} fs;
 		struct {
-			char *netif;
+			const char *netif;
+			u32 netif_unit;
 			struct xsocket *xso;
 			u16 family;
 			u16 dport;
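Review bot: The new `netif` and `netif_unit` members are undocumented, and `netif` is now a `const char *` that the policy does not own. A comment such as `/* interface name (not owned; valid only for the duration of the check) and unit number, e.g. from ifnet_name()/ifnet_unit() */` would record that the string must not be retained past the `avc_has_perm()` call that receives this struct. The enclosing struct starts and ends outside the hunk.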

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#77 (text+ko) ====

@@ -505,19 +505,21 @@
 }
 
 static int
-socket_has_perm(struct ucred *cred, struct label *socklabel, u_int32_t perm)
+socket_has_perm(struct ucred *cred, struct label *socklabel, u_int32_t perm,
+    struct xsocket *xso)
 {
 	struct task_security_struct *tsec;
 	struct network_security_struct *nsec;
+	struct avc_audit_data ad;
 
 	tsec = SLOT(cred->cr_label);
 	nsec = SLOT(socklabel);
 
-	/*
-	 * TBD: No audit information yet
-	 */
+	AVC_AUDIT_DATA_INIT(&ad, NET);
+	ad.u.net.xso = xso;
+	ad.u.net.family = xso->xso_family;
 
-	return (avc_has_perm(tsec->sid, nsec->sid, SECCLASS_SOCKET, perm, NULL));
+	return (avc_has_perm(tsec->sid, nsec->sid, SECCLASS_SOCKET, perm, &ad));
 }
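Review bot: `socket_has_perm()` now dereferences `xso` unconditionally at `ad.u.net.family = xso->xso_family;`, where the old body never touched it, so any caller that passes a NULL `xso` becomes a kernel NULL dereference instead of a plain permission check. The call sites updated in this change forward the `xso` they receive from the MAC entry points, which are presumably non-NULL, but the function should state that contract: either assert it in the file's existing style or guard the two assignments with `if (xso != NULL) { ... }`. The function lies entirely within the hunk.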
 
 static void
@@ -2547,7 +2549,7 @@
 	}
 
 	/* XXX - SELinux just uses plain old SOCKET__ACCEPT */
-	return (socket_has_perm(cred, socklabel, perm));
+	return (socket_has_perm(cred, socklabel, perm, xso));
 }
 
 static int
@@ -2574,6 +2576,9 @@
 
 	/* XXX - unix domain socket-specific checks too? */
 
+	AVC_AUDIT_DATA_INIT(&ad, NET);
+	ad.u.net.family = xso->xso_family;
+
 	/*
 	 * Note that we use the xso_family instead of sa_family since
 	 * the latter has not been sanity checked yet.
@@ -2581,20 +2586,21 @@
 	if (xso->xso_family == AF_INET) {
 		sin = (struct sockaddr_in *)addr;
 		port = ntohs(sin->sin_port);
+		ad.u.net.sport = sin->sin_port;
+		ad.u.net.fam.v4.saddr = sin->sin_addr.s_addr;
 	} else /* if (xso->xso_family == AF_INET6) */ {
 		sin6 = (struct sockaddr_in6 *)addr;
 		port = ntohs(sin6->sin6_port);
+		ad.u.net.sport = sin6->sin6_port;
+		memcpy(&ad.u.net.fam.v6.saddr, &sin6->sin6_addr,
+		    sizeof(struct in6_addr));
 	}
 
 	if (port) {
-		/* XXX - check against net.inet.ip.portrange.last? */
 		error = security_port_sid(xso->xso_family, xso->so_type,
 		    xso->xso_protocol, port, &sid);
 		if (error)
 			return (error);
-		AVC_AUDIT_DATA_INIT(&ad, NET);
-		ad.u.net.sport = htons(port);
-		ad.u.net.family = xso->xso_family;
 		error = avc_has_perm(nsec->sid, sid, nsec->sclass,
 		    SOCKET__NAME_BIND, &ad);
 		if (error)
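Review bot: The bind path stores the source address in `ad.u.net.fam.v4.saddr` / `ad.u.net.fam.v6.saddr` here, while the next hunk of the same function (the retained `if (xso->xso_family == AF_INET)` block) still writes `ad.u.net.v4info.saddr`; the avc.h hunk shows neither spelling, so one of the two presumably does not match the struct, and whichever is right makes the other store redundant. Pick one member name and drop the duplicate assignment in the following hunk. In the IPv6 branch, `sizeof ad.u.net.fam.v6.saddr` instead of `sizeof(struct in6_addr)` would tie the `memcpy` length to the destination. The enclosing bind function starts and ends outside the hunk.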
@@ -2616,10 +2622,6 @@
 	if (error)
 		return (error);
 
-	AVC_AUDIT_DATA_INIT(&ad, NET);
-	ad.u.net.sport = htons(port);
-	ad.u.net.family = xso->xso_family;
-
 	if (xso->xso_family == AF_INET)
 		ad.u.net.v4info.saddr = sin->sin_addr.s_addr;
 	else
@@ -2643,7 +2645,7 @@
 	u_int32_t sid;
 	int error;
 
-	error = socket_has_perm(cred, socklabel, SOCKET__CONNECT);
+	error = socket_has_perm(cred, socklabel, SOCKET__CONNECT, xso);
 	if (error)
 		return (error);
 
@@ -2715,7 +2717,7 @@
     struct xsocket *xso, struct label *socklabel)
 {
 
-	return (socket_has_perm(cred, socklabel, SOCKET__POLL));
+	return (socket_has_perm(cred, socklabel, SOCKET__POLL, xso));
 }
 #endif
 
@@ -2724,7 +2726,7 @@
     struct label *socklabel)
 {
 
-	return (socket_has_perm(cred, socklabel, SOCKET__LISTEN));
+	return (socket_has_perm(cred, socklabel, SOCKET__LISTEN, xso));
 }
 
 static int
@@ -2732,7 +2734,7 @@
     struct label *socklabel)
 {
 
-	return (socket_has_perm(cred, socklabel, SOCKET__READ));
+	return (socket_has_perm(cred, socklabel, SOCKET__READ, xso));
 }
 
 static int
@@ -2767,7 +2769,7 @@
     struct label *socklabel, int which)
 {
 
-	return (socket_has_perm(cred, socklabel, SOCKET__POLL));
+	return (socket_has_perm(cred, socklabel, SOCKET__POLL, xso));
 }
 #endif
 
@@ -2776,7 +2778,7 @@
     struct label *socklabel)
 {
 
-	return (socket_has_perm(cred, socklabel, SOCKET__WRITE));
+	return (socket_has_perm(cred, socklabel, SOCKET__WRITE, xso));
 }
 
 static int
@@ -2784,7 +2786,7 @@
     struct label *socklabel)
 {
 
-	return (socket_has_perm(cred, socklabel, SOCKET__GETATTR));
+	return (socket_has_perm(cred, socklabel, SOCKET__GETATTR, xso));
 }
 
 static int
@@ -3129,12 +3131,19 @@
     struct mbuf *m, struct label *mbuflabel, int family, int type)
 {
 	struct network_security_struct *ifsec, *msec;
+	struct avc_audit_data ad;
 	u_int32_t perm;
 	int error;
 
 	ifsec = SLOT(ifnetlabel);
 	msec = SLOT(mbuflabel);
 
+	AVC_AUDIT_DATA_INIT(&ad, NET);
+	ad.u.net.netif = ifnet_name(ifp);
+	ad.u.net.netif_unit = ifnet_unit(ifp);
+	ad.u.net.family = family;
+	/* XXX - if_index too? */
+
 	/* XXX - other types of perm, see selinux_sock_rcv_skb_compat() */
 	switch (type) {
 	case SOCK_STREAM:
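Review bot: `ad.u.net.netif = ifnet_name(ifp);` stores a pointer into the interface's own storage rather than a copy, so the audit data is valid only while the caller holds `ifp`; that is fine for the synchronous `avc_has_perm()` call later in this function, but a comment such as `/* netif points into ifp; ad must not outlive this call */` would keep a later refactor from retaining `ad`. `ad.u.net.family = family;` narrows an `int` into the `u16` field declared in avc.h, which is harmless for address-family values but worth a one-line note. The `switch (type)` and the `avc_has_perm()` call continue in the next hunk.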
@@ -3149,9 +3158,8 @@
 		break;
 	}
 
-	/* XXX - use an audit struct so we can log useful info */
 	error = avc_has_perm(msec->sid, ifsec->sid, SECCLASS_NETIF,
-	    perm, NULL);
+	    perm, &ad);
 	return (error);
 }
 

