socsvn commit: r222765 - soc2011/aalvarez/pbmac/sys/security/mac_bsdextended

aalvarez at FreeBSD.org aalvarez at FreeBSD.org
Fri Jun 3 14:46:18 UTC 2011


Author: aalvarez
Date: Fri Jun  3 14:46:16 2011
New Revision: 222765
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=222765

Log:
  - Accept and parse policies with filepaths
  - Check access on policies that have filepaths

Modified:
  soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c
  soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h

Modified: soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c
==============================================================================
--- soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c	Fri Jun  3 13:49:18 2011	(r222764)
+++ soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c	Fri Jun  3 14:46:16 2011	(r222765)
@@ -49,6 +49,7 @@
 
 #include <sys/param.h>
 #include <sys/acl.h>
+#include <sys/fcntl.h>
 #include <sys/kernel.h>
 #include <sys/jail.h>
 #include <sys/lock.h>
@@ -56,6 +57,7 @@
 #include <sys/module.h>
 #include <sys/mount.h>
 #include <sys/mutex.h>
+#include <sys/namei.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/systm.h>
@@ -64,6 +66,7 @@
 #include <sys/syslog.h>
 #include <sys/stat.h>
 
+
 #include <security/mac/mac_policy.h>
 #include <security/mac_bsdextended/mac_bsdextended.h>
 #include <security/mac_bsdextended/ugidfw_internal.h>
@@ -134,6 +137,44 @@
 }
 
 static int
+ugidfw_rslv_fpath(struct mac_bsdextended_rule *ruleptr, struct mac_bsdextended_rule *temprule, struct thread *td)
+{
+	struct nameidata nd;
+	int error;
+	struct vnode* vp;
+	struct vattr vap;
+	/* Check empty paths */
+	if (temprule->mbr_object.mbo_fpath_len < 1)
+		return EINVAL;
+
+	ruleptr->mbr_object.mbo_fpath_len = temprule->mbr_object.mbo_fpath_len;
+	ruleptr = malloc(sizeof(char)*ruleptr->mbr_object.mbo_fpath_len,
+	    M_MACBSDEXTENDED, M_WAITOK);
+
+	KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
+	memcpy(ruleptr->mbr_object.mbo_fpath, temprule->mbr_object.mbo_fpath, 
+	    ruleptr->mbr_object.mbo_fpath_len);
+	
+	/* Resolve path to fsid and fileid */
+	NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, ruleptr->mbr_object.mbo_fpath, td);
+	error = namei(&nd);
+	if (error)
+		goto out;
+
+	vp = nd.ni_vp;
+	error = VOP_GETATTR(vp, &vap, td->td_proc->p_ucred);
+	if (error)
+		goto out;
+
+	ruleptr->mbr_object.mbo_fsid = vp->v_mount->mnt_stat.f_fsid;
+	ruleptr->mbr_object.mbo_fid = vap.va_fileid; 
+
+out:
+	NDFREE(&nd, 0);
+	return (0);
+}
+
+static int
 sysctl_rule(SYSCTL_HANDLER_ARGS)
 {
 	struct mac_bsdextended_rule temprule, *ruleptr;
@@ -170,7 +211,7 @@
 		}
 		temprule = *rules[index];
 	}
-	if (req->newptr && req->newlen == 0) {
+	if (req->newptr && req->newlen == 0) { /* remove rule request */
 		KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
 		ruleptr = rules[index];
 		if (ruleptr == NULL) {
@@ -185,6 +226,15 @@
 			goto out;
 		if (rules[index] == NULL) {
 			*ruleptr = temprule;
+			/* TODO: Check if path is defined. 
+			 * If it is: 
+			 * - resolve path to fid
+			 */
+			if (ruleptr->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
+				error = ugidfw_rslv_fpath(ruleptr, &temprule, req->td);
+				if (error)
+					goto out;
+			}
 			rules[index] = ruleptr;
 			ruleptr = NULL;
 			if (index + 1 > rule_slots)
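Review bot: The new resolve step is gated on `MBO_FSID_DEFINED`, but the flag this commit introduces for path rules is `MBO_FPATH_DEFINED` (the one ugidfw_rulecheck tests below), so path rules are never resolved while a pre-existing fsid-only rule, whose mbo_fpath_len is zero, now fails with EINVAL from ugidfw_rslv_fpath. Change the test to `if (ruleptr->mbr_object.mbo_flags & MBO_FPATH_DEFINED) {` and replace the TODO with a comment stating what now happens, e.g. `/* Path rules: resolve mbo_fpath to (fsid, fileid) before the rule becomes visible. */`. On the `goto out` error path ruleptr is still non-NULL; whether `out:` frees it is outside this hunk, as is the rule-removal path that must now also free the resolved path buffer. sysctl_rule starts and ends outside the hunk.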
@@ -310,6 +360,19 @@
 			return (0);
 	}
 
+	if (rule->mbr_object.mbo_flags & MBO_FPATH_DEFINED) {
+		match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid),
+		    &(rule->mbr_object.mbo_fsid),
+		    sizeof(rule->mbr_object.mbo_fsid)) == 0 &&
+		    bcmp(&(vap->va_fileid), &(rule->mbr_object.mbo_fid),
+		        sizeof(rule->mbr_object.mbo_fid)) == 0);
+
+		if (rule->mbr_object.mbo_neg & MBO_FPATH_DEFINED)
+			match = !match;
+		if (!match)
+			return 0;
+	}
+
 	if (rule->mbr_object.mbo_flags & MBO_SUID) {
 		match = (vap->va_mode & S_ISUID);
 		if (rule->mbr_object.mbo_neg & MBO_SUID)
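Review bot: The path match compares only (f_fsid, va_fileid), so once the target file is unlinked the rule silently follows whatever object later reuses that inode number on the same filesystem — a rule meant to restrict one file can end up matching an unrelated one. If the rule is to stay pinned to the object it was created for, also record and compare the generation number (`vap->va_gen`) at resolve time, or at least document the behaviour, e.g. `/* Matches by (fsid, fileid) only: the rule tracks the inode, not the name, and fileid reuse after unlink is not detected. */`. The surrounding checks use `return (0)`; the new `return 0;` should follow suit. The enclosing function starts and ends outside this hunk.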

Modified: soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h
==============================================================================
--- soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h	Fri Jun  3 13:49:18 2011	(r222764)
+++ soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h	Fri Jun  3 14:46:16 2011	(r222765)
@@ -70,18 +70,19 @@
 	int	mbs_prison;
 };
 
-#define	MBO_UID_DEFINED	0x00000001	/* uid field should be matched */
-#define	MBO_GID_DEFINED	0x00000002	/* gid field should be matched */
-#define	MBO_FSID_DEFINED 0x00000004	/* fsid field should be matched */
-#define	MBO_SUID	0x00000008	/* object must be suid */
-#define	MBO_SGID	0x00000010	/* object must be sgid */
-#define	MBO_UID_SUBJECT	0x00000020	/* uid must match subject */
-#define	MBO_GID_SUBJECT	0x00000040	/* gid must match subject */
-#define	MBO_TYPE_DEFINED 0x00000080	/* object type should be matched */
+#define	MBO_UID_DEFINED		0x00000001	/* uid field should be matched */
+#define	MBO_GID_DEFINED		0x00000002	/* gid field should be matched */
+#define	MBO_FSID_DEFINED 	0x00000004	/* fsid field should be matched */
+#define	MBO_SUID		0x00000008	/* object must be suid */
+#define	MBO_SGID		0x00000010	/* object must be sgid */
+#define	MBO_UID_SUBJECT		0x00000020	/* uid must match subject */
+#define	MBO_GID_SUBJECT		0x00000040	/* gid must match subject */
+#define	MBO_TYPE_DEFINED  	0x00000080	/* object type should be matched */
+#define MBO_FPATH_DEFINED 	0x00000100      /* file path should me matched */
 
 #define MBO_ALL_FLAGS (MBO_UID_DEFINED | MBO_GID_DEFINED | MBO_FSID_DEFINED | \
 	    MBO_SUID | MBO_SGID | MBO_UID_SUBJECT | MBO_GID_SUBJECT | \
-	    MBO_TYPE_DEFINED)
+	    MBO_TYPE_DEFINED | MBO_FPATH_DEFINED)
 
 #define MBO_TYPE_REG	0x00000001
 #define MBO_TYPE_DIR	0x00000002
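Review bot: The comment on the new flag has a typo, `/* file path should me matched */` should read `/* file path should be matched */`, and the line uses spaces after `#define` where every neighbouring definition uses a tab. Both are one-line fixes on the `MBO_FPATH_DEFINED` line.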
@@ -103,6 +104,9 @@
 	gid_t	mbo_gid_max;
 	struct fsid mbo_fsid;
 	int	mbo_type;
+	long 	mbo_fid;
+	size_t	mbo_fpath_len;
+	char*	mbo_fpath;
 };
 
 struct mac_bsdextended_rule {
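Review bot: `char* mbo_fpath` puts a raw pointer inside a struct that crosses the sysctl boundary: on the way in the kernel receives a userland address it must copyin, and on the way out (the `temprule = *rules[index]` path in sysctl_rule suggests rules are copied back to the caller) userland receives the kernel heap address of the resolved path, which is a kernel address leak and useless to the caller. A fixed-size `char mbo_fpath[MAXPATHLEN];` in the shared struct, or keeping the path in a kernel-private side structure and exposing only mbo_fsid/mbo_fid, avoids both problems. Either way this changes the sysctl ABI shared with ugidfw(8), so its copy of the struct must be updated in the same change; if the pointer stays, `char *mbo_fpath;` follows the file's declarator style.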

