PERFORCE change 121612 for review
Zhouyi ZHOU
zhouzhouyi at FreeBSD.org
Thu Jun 14 04:10:19 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=121612
Change 121612 by zhouzhouyi at zhouzhouyi_mactest on 2007/06/14 04:09:46
Special handling in mac_test_check_vnode_read and so on to avoid
recursion when reading /dev/mactestpipe
Affected files ...
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test.c#6 edit
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test_private.h#4 edit
Differences ...
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test.c#6 (text+ko) ====
@@ -61,6 +61,7 @@
#include <sys/sx.h>
#include <sys/sysctl.h>
#include <sys/mac.h>
+#include <sys/extattr.h>
#include <fs/devfs/devfs.h>
#include <net/bpfdesc.h>
@@ -667,19 +668,37 @@
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_associate_vnode_devfs with mplabel delabel and vplabel:",
+ strlen("mac_test_associate_vnode_devfs with mplabel delabel and vplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL3(vnode,mplabel,vnode,delabel,vnode,vplabel);
+ if (delabel != NULL && SLOT(delabel) == MAGIC_MACTESTPIPE)
+ LABEL_INIT(vplabel, MAGIC_MACTESTPIPE);
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(delabel, MAGIC_DEVFS);
LABEL_CHECK(vplabel, MAGIC_VNODE);
COUNTER_INC(associate_vnode_devfs);
}
-
+/*
+ * To avoid recursion on reading /dev/mactestpipe to a tempory file
+ * we associate the file with "mac_test" mac_test extattr with
+ * MAGIC_MACTESTPIPE label
+ */
+
COUNTER_DECL(associate_vnode_extattr);
static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
-
+ char mac_test[64];
+ int error, buflen = 64;
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_associate_vnode_extattr with mplabel and vplabel:",
+ strlen("mac_test_associate_vnode_extattr with mplabel and vplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(vnode,mplabel,vnode,vplabel);
+ bzero(mac_test,buflen);
+ error = vn_extattr_get(vp, IO_NODELOCKED, EXTATTR_NAMESPACE_SYSTEM,
+ "mac_test", &buflen, mac_test, curthread);
+ if (!error && !strncmp(mac_test,"mac_test", 8))
+ LABEL_INIT(vplabel, MAGIC_MACTESTPIPE);
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(vplabel, MAGIC_VNODE);
COUNTER_INC(associate_vnode_extattr);
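Review bot: After `LABEL_INIT(vplabel, MAGIC_MACTESTPIPE)` in both mac_test_associate_vnode_devfs and mac_test_associate_vnode_extattr, the unchanged `LABEL_CHECK(vplabel, MAGIC_VNODE)` (and `LABEL_CHECK(delabel, MAGIC_DEVFS)` for a pipe-marked delabel) still runs against a slot that now holds a different magic. LABEL_CHECK is defined outside this diff; if it asserts on a mismatch, a marked vnode would trip it here and again in mac_test_check_vnode_read, so the checks need to accept the pipe magic or be skipped, e.g. `if (SLOT(vplabel) != MAGIC_MACTESTPIPE) LABEL_CHECK(vplabel, MAGIC_VNODE);`. In the extattr path the logging exemption is granted to any vnode whose system-namespace `mac_test` attribute begins with "mac_test", because `strncmp(mac_test,"mac_test", 8)` is a prefix match and the returned `buflen` is never examined; also comparing the returned length would narrow what can switch read logging off. mac_test_associate_vnode_extattr continues past the end of the hunk.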
@@ -692,7 +711,9 @@
mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_associate_vnode_singlelabel with mplabel and vplabel:",
+ strlen("mac_test_associate_vnode_singlelabel with mplabel and vplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(vnode,mplabel,vnode,vplabel);
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(vplabel, MAGIC_VNODE);
COUNTER_INC(associate_vnode_singlelabel);
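Review bot: The length handed to MACTEST_PIPE_SUBMIT_WITHPID is `strlen()` of a second copy of the message literal, so a later edit to one copy makes the submit read short of, or past, the string actually passed. The same pattern repeats in every hook this change touches (the associate_vnode_* hooks, create_devfs_device, create_devfs_symlink, create_vnode_extattr, create_mount, relabel_vnode, setlabel_vnode_extattr and check_vnode_read). Naming the message once, `static const char msg[] = "mac_test_associate_vnode_singlelabel with mplabel and vplabel:";`, and passing `msg, sizeof(msg) - 1` removes the duplication and the runtime strlen. The function's signature and closing brace are outside the hunk.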
@@ -703,7 +724,9 @@
mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_create_devfs_device with delabel:",
+ strlen("mac_test_create_devfs_device with delabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL(vnode,delabel);
if (cred != NULL)
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(delabel, MAGIC_DEVFS);
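Review bot: `MACTEST_PIPE_SUBMIT_LABEL(vnode,delabel)` tags a devfs dirent label as a vnode label, while the following line checks that same label against MAGIC_DEVFS. The first macro argument is forwarded to MAC_EXTERNALIZE as the object type (see mac_test_private.h in this change), so presumably the vnode externalizers are run on labels of other object kinds; the same applies to `mplabel` in mac_test_create_mount and the associate_* hooks, and to `ddlabel`/`delabel` in mac_test_create_devfs_symlink. If no externalize type exists for mount and devfs labels, a comment at each call stating why `vnode` is a safe stand-in, and that this must be re-checked when other policies are loaded, would keep the next reader from assuming the type is accurate. The function body continues outside the hunk.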
@@ -726,7 +749,9 @@
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_create_devfs_symlink with ddlabel and delabel:",
+ strlen("mac_test_create_devfs_symlink with ddlabel and delabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(vnode,ddlabel,vnode,delabel);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(ddlabel, MAGIC_DEVFS);
LABEL_CHECK(delabel, MAGIC_DEVFS);
@@ -739,7 +764,9 @@
struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_create_vnode_extattr with mplabel dvplabel and vplabel:",
+ strlen("mac_test_create_vnode_extattr with mplabel dvplabel and vplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL3(vnode,mplabel,vnode,dvplabel,vnode,vplabel);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
@@ -753,7 +780,9 @@
mac_test_create_mount(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_create_mount with mplabel:",
+ strlen("mac_test_create_mount with mplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL(vnode,mplabel);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(mplabel, MAGIC_MOUNT);
COUNTER_INC(create_mount);
@@ -764,7 +793,9 @@
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *label)
{
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_relabel_vnode with vplabel and label:",
+ strlen("mac_test_relabel_vnode with vplabel and label:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(vnode,vplabel,vnode,label);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
LABEL_CHECK(label, MAGIC_VNODE);
@@ -776,7 +807,9 @@
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
-
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_setlabel_vnode_extattr with vplabel and intlabel:",
+ strlen("mac_test_setlabel_vnode_extattr with vplabel and intlabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(vnode,vplabel,vnode,intlabel);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
LABEL_CHECK(intlabel, MAGIC_VNODE);
@@ -1629,7 +1662,7 @@
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
-
+
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
COUNTER_INC(check_pipe_read);
@@ -2326,6 +2359,12 @@
struct vnode *vp, struct label *vplabel)
{
+ if (vplabel != NULL && SLOT(vplabel) != MAGIC_MACTESTPIPE){
+ MACTEST_PIPE_SUBMIT_WITHPID("mac_test_check_vnode_read with cred label and vplabel:",
+ strlen("mac_test_check_vnode_read with cred label and vplabel:"));
+ MACTEST_PIPE_SUBMIT_LABEL2(cred,active_cred->cr_label,vnode,vplabel);
+ }
+
LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
if (file_cred != NULL)
LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
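Review bot: A read on a vnode with a NULL `vplabel` produces no record at all, because the guard `vplabel != NULL && SLOT(vplabel) != MAGIC_MACTESTPIPE` skips logging for NULL labels as well as for pipe-marked ones. If only the pipe's temporary file is meant to be silent, `if (vplabel == NULL || SLOT(vplabel) != MAGIC_MACTESTPIPE) {` keeps the exemption as narrow as the commit message describes, provided the submit macro tolerates a NULL label (other hooks in this change pass labels to it unguarded). A one-line comment above the guard, such as `/* Skip logging for the mactestpipe dump file to avoid recursing into this hook. */`, would also help, since the reason is otherwise only documented at mac_test_associate_vnode_extattr. The function's signature and the rest of its body are outside the hunk.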
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test_private.h#4 (text+ko) ====
@@ -19,19 +19,78 @@
char *buffer; \
char *elements1 = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
if (!elements1) \
+ goto exit1; \
+ strcpy(elements1, elements); \
+ buffer = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
+ if (!buffer) \
goto exit; \
+ MAC_EXTERNALIZE(type,label, elements1, buffer, 256); \
+ strleng = strlen(buffer); \
+ *(buffer + strleng) = '\n'; \
+ mactest_pipe_submit(buffer, strleng + 1); \
+ free(buffer, M_MACTEST_PIPE); \
+exit: \
+ free(elements1, M_MACTEST_PIPE); \
+exit1: \
+ ;/*extra ; to avoid label at the end of compound statement*/ \
+}while(0)
+
+#define MACTEST_PIPE_SUBMIT_LABEL2(type,label,type1,label1) do { \
+ int error; \
+ int strleng = 0; \
+ char *buffer; \
+ char *elements1 = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
+ if (!elements1) \
+ goto exit3; \
strcpy(elements1, elements); \
buffer = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
if (!buffer) \
- goto exit1; \
+ goto exit2; \
+ MAC_EXTERNALIZE(type,label, elements1, buffer, 256); \
+ strleng = strlen(buffer); \
+ mactest_pipe_submit(buffer, strleng); \
+ mactest_pipe_submit(" ", 1); \
+ strcpy(elements1, elements); \
+ MAC_EXTERNALIZE(type1,label1, elements1, buffer, 256); \
+ strleng = strlen(buffer); \
+ *(buffer + strleng) = '\n'; \
+ mactest_pipe_submit(buffer, strleng + 1); \
+ free(buffer, M_MACTEST_PIPE); \
+exit2: \
+ free(elements1, M_MACTEST_PIPE); \
+exit3: \
+ ;/*extra ; to avoid label at the end of compound statement*/ \
+}while(0)
+
+#define MACTEST_PIPE_SUBMIT_LABEL3(type,label,type1,label1,type2,label2) do { \
+ int error; \
+ int strleng = 0; \
+ char *buffer; \
+ char *elements1 = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
+ if (!elements1) \
+ goto exit5; \
+ strcpy(elements1, elements); \
+ buffer = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
+ if (!buffer) \
+ goto exit4; \
MAC_EXTERNALIZE(type,label, elements1, buffer, 256); \
strleng = strlen(buffer); \
+ mactest_pipe_submit(buffer, strleng); \
+ mactest_pipe_submit(" ", 1); \
+ strcpy(elements1, elements); \
+ MAC_EXTERNALIZE(type1,label1, elements1, buffer, 256); \
+ strleng = strlen(buffer); \
+ mactest_pipe_submit(buffer, strleng); \
+ mactest_pipe_submit(" ", 1); \
+ strcpy(elements1, elements); \
+ MAC_EXTERNALIZE(type2,label2, elements1, buffer, 256); \
+ strleng = strlen(buffer); \
*(buffer + strleng) = '\n'; \
mactest_pipe_submit(buffer, strleng + 1); \
free(buffer, M_MACTEST_PIPE); \
-exit1: \
+exit4: \
free(elements1, M_MACTEST_PIPE); \
-exit: \
+exit5: \
;/*extra ; to avoid label at the end of compound statement*/ \
}while(0)
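Review bot: `strcpy(elements1, elements)` copies into a 256-byte allocation with no bound in all three macros (MACTEST_PIPE_SUBMIT_LABEL, _LABEL2 and _LABEL3); `elements` is defined outside this diff, so nothing visible guarantees it fits, and `strlcpy(elements1, elements, 256);` would cap it. The local `error` is declared but never read, so a failed MAC_EXTERNALIZE is still followed by `strlen(buffer)` on memory allocated without M_ZERO; checking `error` before submitting, or allocating with `M_NOWAIT | M_ZERO`, would keep stale kernel heap contents out of the pipe if the externalize step can leave the buffer unwritten. The `exitN` labels have function scope, so each macro can be expanded at most once per function, and that includes `exit6` in the next hunk; a short comment on each macro stating this restriction would save a confusing duplicate-label error later. The first macro's opening lines are outside the hunk.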
@@ -41,12 +100,12 @@
char *buffer; \
buffer = malloc(256, M_MACTEST_PIPE, M_NOWAIT); \
if (!buffer) \
- goto exit2; \
+ goto exit6; \
sprintf(buffer,"pid = %d ", td->td_proc->p_pid); \
mactest_pipe_submit(buffer, strlen(buffer)); \
mactest_pipe_submit(string, length); \
free(buffer, M_MACTEST_PIPE); \
-exit2: \
+exit6: \
; \
}while(0)