PERFORCE change 78222 for review

Christian S.J. Peron csjp at FreeBSD.org
Thu Jun 9 04:43:04 GMT 2005


http://perforce.freebsd.org/chv.cgi?CH=78222

Change 78222 by csjp at csjp_xor on 2005/06/09 04:42:31

	
	Introduce two new entry points:
	
	       mac_syscall_enter
	       mac_syscall_exit
	
	These entry points can be used for controlling access to
	execution paths within the kernel. Currently we do not check the
	return value of mac_syscall_exit as we can only run into problems by
	allowing the mac_syscall_exit entry point to propagate return
	values back to the syscall.
	
	Currently we only support the i386 architecture, but I will be adding
	support for the others once we test this concept.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/i386/i386/trap.c#36 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_system.c#9 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#274 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#231 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/i386/i386/trap.c#36 (text+ko) ====

@@ -50,6 +50,7 @@
 #include "opt_ktrace.h"
 #include "opt_npx.h"
 #include "opt_trap.h"
+#include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/bus.h>
@@ -61,6 +62,7 @@
 #include <sys/kernel.h>
 #include <sys/ktr.h>
 #include <sys/lock.h>
+#include <sys/mac.h>
 #include <sys/mutex.h>
 #include <sys/resourcevar.h>
 #include <sys/signalvar.h>
@@ -879,6 +881,9 @@
 	int narg;
 	int args[8];
 	u_int code;
+#ifdef MAC
+	int mac_error;
+#endif
 
 	/*
 	 * note: PCPU_LAZY_INC() can only be used if we can afford
@@ -933,11 +938,10 @@
 
  	if (p->p_sysent->sv_mask)
  		code &= p->p_sysent->sv_mask;
-
- 	if (code >= p->p_sysent->sv_size)
- 		callp = &p->p_sysent->sv_table[0];
-  	else
- 		callp = &p->p_sysent->sv_table[code];
+	
+	if (code >= p->p_sysent->sv_size)
+		code = 0;
+	callp = &p->p_sysent->sv_table[code];
 
 	narg = callp->sy_narg & SYF_ARGMASK;
 
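Review bot: Overwriting `code` with 0 for an out-of-range number (`code = 0;`) means the value later passed to `mac_syscall_enter(td, args, code)` no longer distinguishes an invalid syscall number from a genuine request for table entry 0, so a policy cannot see or log the number the process actually asked for. Any other use of `code` later in this function, outside the hunk, would presumably change in the same way. Consider keeping the requested number in a separate local and indexing `sv_table` with the clamped one, or state the intent with a comment such as `/* code is clamped so MAC policies see the dispatched table index */`. The added blank line before the `if` also carries a stray tab.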
@@ -972,8 +976,14 @@
 		STOPEVENT(p, S_SCE, narg);
 
 		PTRACESTOP_SC(p, td, S_PT_SCE);
-
+#ifdef MAC
+		mac_error = mac_syscall_enter(td, args, code);
+		if (mac_error == 0)
+			error = (*callp->sy_call)(td, args);
+		mac_syscall_exit(td, args, code, error, mac_error);
+#else
 		error = (*callp->sy_call)(td, args);
+#endif
 	}
 
 	switch (error) {
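Review bot: When `mac_syscall_enter` returns non-zero the call is skipped but `error` is never assigned, so `switch (error)` below runs on whatever `error` held before this block. The enclosing condition is outside the hunk, but if `error` is 0 at that point a denied syscall would be reported to the process as success. The denial should be propagated, for example by adding `else error = mac_error;` after the `sy_call` line. In the denied case `mac_syscall_exit` is also handed that stale `error`, which policies would have to know to ignore.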

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_system.c#9 (text+ko) ====

@@ -49,6 +49,10 @@
 
 #include <security/mac/mac_internal.h>
 
+static int	mac_enforce_syscall = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_syscall, CTLFLAG_RW,
+    &mac_enforce_syscall, 0, "Enforce MAC policy on system calls");
+
 static int	mac_enforce_kld = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
     &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
@@ -266,3 +270,32 @@
 
 	return (error);
 }
+
+int
+mac_syscall_enter(struct thread *td, int *args, int code)
+{
+	int error;
+
+	if (!mac_enforce_syscall)
+		return (0);
+	MAC_CHECK(syscall_enter, td, args, code);
+	return (error);
+}
+
+int
+mac_syscall_exit(struct thread *td, int *args, int code, int errcode,
+    int mac_error)
+{
+	int error;
+
+	if (!mac_enforce_syscall)
+		return (0);
+	MAC_CHECK(syscall_exit, td, args, code, errcode, mac_error);
+	/*
+	 * Since we do not care about this return value, unconditioanlly
+	 * return 0. We can only run into problems by allowing this entry
+	 * point to propagate return values back to the syscall.
+	 */
+
+	return (0);
+}
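Review bot: `mac_enforce_syscall` is read separately in `mac_syscall_enter` and `mac_syscall_exit`, so flipping the `CTLFLAG_RW` sysctl while a syscall is in flight can give a policy an exit with no matching enter, or the reverse. A policy that keeps per-thread state across the pair has to tolerate that, and both functions should carry a comment saying so. In `mac_syscall_exit` the `error` set by `MAC_CHECK` is discarded; if this tree has the framework's `MAC_PERFORM` form, using it would let the local be dropped and make the "return value ignored" contract explicit. Neither function has a header comment describing what `args`, `code`, `errcode` and `mac_error` mean to a policy, and the existing comment has a typo (`unconditioanlly`).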

==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#274 (text+ko) ====

@@ -390,6 +390,9 @@
 int	mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
 int	mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
 	    void *arg1, int arg2, struct sysctl_req *req);
+int	mac_syscall_enter(struct thread *td, int *args, int code);
+int	mac_syscall_exit(struct thread *td, int *args, int code,
+	    int errcode, int mac_error);
 int	mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
 	    int acc_mode);
 int	mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
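Review bot: Both prototypes take `int *args` as non-const, and the matching `mpo_syscall_enter`/`mpo_syscall_exit` pointers in mac_policy.h do the same, so a policy module is free to rewrite the argument array that trap.c then passes to `sy_call`. If the hooks are meant only to inspect the call, declare the parameter as `const int *args` in mac.h, mac_policy.h and mac_system.c; if rewriting arguments is intended, say so in a comment next to the prototypes. The fourth parameter of the exit hook is also named `errcode` here but `error` in mac_policy.h.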

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#231 (text+ko) ====

@@ -491,6 +491,9 @@
 	int	(*mpo_check_system_sysctl)(struct ucred *cred,
 		    struct sysctl_oid *oidp, void *arg1, int arg2,
 		    struct sysctl_req *req);
+	int	(*mpo_syscall_enter)(struct thread *td, int *args, int code);
+	int	(*mpo_syscall_exit)(struct thread *td, int *args, int code,
+		    int error, int mac_error);
 	int	(*mpo_check_vnode_access)(struct ucred *cred,
 		    struct vnode *vp, struct label *label, int acc_mode);
 	int	(*mpo_check_vnode_chdir)(struct ucred *cred,

