socsvn commit: r222765 -
soc2011/aalvarez/pbmac/sys/security/mac_bsdextended
aalvarez at FreeBSD.org
Fri Jun 3 14:46:18 UTC 2011
Author: aalvarez
Date: Fri Jun 3 14:46:16 2011
New Revision: 222765
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=222765
Log:
- Accept and parse policies with filepaths
- Check access on policies that have filepaths
Modified:
soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c
soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h
Modified: soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c
==============================================================================
--- soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c Fri Jun 3 13:49:18 2011 (r222764)
+++ soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.c Fri Jun 3 14:46:16 2011 (r222765)
@@ -49,6 +49,7 @@
#include <sys/param.h>
#include <sys/acl.h>
+#include <sys/fcntl.h>
#include <sys/kernel.h>
#include <sys/jail.h>
#include <sys/lock.h>
@@ -56,6 +57,7 @@
#include <sys/module.h>
#include <sys/mount.h>
#include <sys/mutex.h>
+#include <sys/namei.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/systm.h>
@@ -64,6 +66,7 @@
#include <sys/syslog.h>
#include <sys/stat.h>
+
#include <security/mac/mac_policy.h>
#include <security/mac_bsdextended/mac_bsdextended.h>
#include <security/mac_bsdextended/ugidfw_internal.h>
@@ -134,6 +137,44 @@
}
static int
+ugidfw_rslv_fpath(struct mac_bsdextended_rule *ruleptr, struct mac_bsdextended_rule *temprule, struct thread *td)
+{
+ struct nameidata nd;
+ int error;
+ struct vnode* vp;
+ struct vattr vap;
+ /* Check empty paths */
+ if (temprule->mbr_object.mbo_fpath_len < 1)
+ return EINVAL;
+
+ ruleptr->mbr_object.mbo_fpath_len = temprule->mbr_object.mbo_fpath_len;
+ ruleptr = malloc(sizeof(char)*ruleptr->mbr_object.mbo_fpath_len,
+ M_MACBSDEXTENDED, M_WAITOK);
+
+ KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
+ memcpy(ruleptr->mbr_object.mbo_fpath, temprule->mbr_object.mbo_fpath,
+ ruleptr->mbr_object.mbo_fpath_len);
+
+ /* Resolve path to fsid and fileid */
+ NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, ruleptr->mbr_object.mbo_fpath, td);
+ error = namei(&nd);
+ if (error)
+ goto out;
+
+ vp = nd.ni_vp;
+ error = VOP_GETATTR(vp, &vap, td->td_proc->p_ucred);
+ if (error)
+ goto out;
+
+ ruleptr->mbr_object.mbo_fsid = vp->v_mount->mnt_stat.f_fsid;
+ ruleptr->mbr_object.mbo_fid = vap.va_fileid;
+
+out:
+ NDFREE(&nd, 0);
+ return (0);
+}
+
+static int
sysctl_rule(SYSCTL_HANDLER_ARGS)
{
struct mac_bsdextended_rule temprule, *ruleptr;
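Review bot: The `ruleptr = malloc(...)` line in ugidfw_rslv_fpath overwrites the rule pointer itself with a fresh, uninitialised buffer, so the following `ruleptr->mbr_object.mbo_fpath_len` read and the memcpy operate on garbage and the caller's rule is never filled in; the intent is clearly `ruleptr->mbr_object.mbo_fpath = malloc(...)`. The `KASSERT(ruleptr == NULL, ...)` is inverted (M_WAITOK never returns NULL, so it would always fire) and its message was copied from sysctl_rule. `mbo_fpath_len` and `mbo_fpath` arrive in the userland rule (the copy-in happens in sysctl_rule, outside this hunk), so the length needs an upper bound before malloc and the path should be fetched with copyinstr rather than a memcpy of what is presumably a user address. The function also ends with `return (0)` after every `goto out`, discarding the namei/VOP_GETATTR error, and never releases the buffer on failure; namei() cleans up its own state when it fails, so NDFREE belongs on the success path only. sysctl_rule begins in this hunk and continues outside it.
```c
static int
ugidfw_rslv_fpath(struct mac_bsdextended_rule *ruleptr, struct mac_bsdextended_rule *temprule, struct thread *td)
{
	struct nameidata nd;
	struct vattr vap;
	struct vnode *vp;
	size_t len;
	int error;

	/* Length and pointer are user-supplied: bound them before allocating. */
	len = temprule->mbr_object.mbo_fpath_len;
	if (len < 1 || len > MAXPATHLEN)
		return (EINVAL);

	ruleptr->mbr_object.mbo_fpath = malloc(len, M_MACBSDEXTENDED, M_WAITOK);
	ruleptr->mbr_object.mbo_fpath_len = len;
	error = copyinstr(temprule->mbr_object.mbo_fpath,
	    ruleptr->mbr_object.mbo_fpath, len, NULL);
	if (error)
		goto fail;

	/* Resolve path to fsid and fileid */
	NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, ruleptr->mbr_object.mbo_fpath, td);
	error = namei(&nd);
	if (error)
		goto fail;	/* namei() has already released nd on failure */

	vp = nd.ni_vp;
	error = VOP_GETATTR(vp, &vap, td->td_proc->p_ucred);
	if (error == 0) {
		ruleptr->mbr_object.mbo_fsid = vp->v_mount->mnt_stat.f_fsid;
		ruleptr->mbr_object.mbo_fid = vap.va_fileid;
	}
	NDFREE(&nd, 0);
	if (error == 0)
		return (0);

fail:
	free(ruleptr->mbr_object.mbo_fpath, M_MACBSDEXTENDED);
	ruleptr->mbr_object.mbo_fpath = NULL;
	ruleptr->mbr_object.mbo_fpath_len = 0;
	return (error);
}
```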
@@ -170,7 +211,7 @@
}
temprule = *rules[index];
}
- if (req->newptr && req->newlen == 0) {
+ if (req->newptr && req->newlen == 0) { /* remove rule request */
KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
ruleptr = rules[index];
if (ruleptr == NULL) {
@@ -185,6 +226,15 @@
goto out;
if (rules[index] == NULL) {
*ruleptr = temprule;
+ /* TODO: Check if path is defined.
+ * If it is:
+ * - resolve path to fid
+ */
+ if (ruleptr->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
+ error = ugidfw_rslv_fpath(ruleptr, &temprule, req->td);
+ if (error)
+ goto out;
+ }
rules[index] = ruleptr;
ruleptr = NULL;
if (index + 1 > rule_slots)
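Review bot: The guard added before the resolver call tests `MBO_FSID_DEFINED`, while the matching code introduced by this same commit keys on `MBO_FPATH_DEFINED`; a rule carrying only a path is therefore never resolved and matching falls back to whatever fsid/fid values userland placed in the rule, and an ordinary fsid-only rule now fails with EINVAL from the resolver's empty-path check. The condition should read `if (ruleptr->mbr_object.mbo_flags & MBO_FPATH_DEFINED) {`. The TODO block above it describes what the following lines already do and can be dropped. sysctl_rule starts and ends outside this hunk.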
@@ -310,6 +360,19 @@
return (0);
}
+ if (rule->mbr_object.mbo_flags & MBO_FPATH_DEFINED) {
+ match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid),
+ &(rule->mbr_object.mbo_fsid),
+ sizeof(rule->mbr_object.mbo_fsid)) == 0 &&
+ bcmp(&(vap->va_fileid), &(rule->mbr_object.mbo_fid),
+ sizeof(rule->mbr_object.mbo_fid)) == 0);
+
+ if (rule->mbr_object.mbo_neg & MBO_FPATH_DEFINED)
+ match = !match;
+ if (!match)
+ return 0;
+ }
+
if (rule->mbr_object.mbo_flags & MBO_SUID) {
match = (vap->va_mode & S_ISUID);
if (rule->mbr_object.mbo_neg & MBO_SUID)
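Review bot: Matching on fsid plus fileid alone goes stale once the named file is unlinked and its inode number is reused, at which point an unrelated file inherits the rule; struct vattr also carries `va_gen`, so recording it at resolve time and comparing it here would tie the rule to the specific object (an inference from the fields shown, not something the hunk proves). `return 0;` should be `return (0);` to match the function's other returns two lines above, and since `mbo_fid` is a plain long the bcmp on it can be an `==` comparison. The enclosing function starts and ends outside this hunk.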
Modified: soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h
==============================================================================
--- soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h Fri Jun 3 13:49:18 2011 (r222764)
+++ soc2011/aalvarez/pbmac/sys/security/mac_bsdextended/mac_bsdextended.h Fri Jun 3 14:46:16 2011 (r222765)
@@ -70,18 +70,19 @@
int mbs_prison;
};
-#define MBO_UID_DEFINED 0x00000001 /* uid field should be matched */
-#define MBO_GID_DEFINED 0x00000002 /* gid field should be matched */
-#define MBO_FSID_DEFINED 0x00000004 /* fsid field should be matched */
-#define MBO_SUID 0x00000008 /* object must be suid */
-#define MBO_SGID 0x00000010 /* object must be sgid */
-#define MBO_UID_SUBJECT 0x00000020 /* uid must match subject */
-#define MBO_GID_SUBJECT 0x00000040 /* gid must match subject */
-#define MBO_TYPE_DEFINED 0x00000080 /* object type should be matched */
+#define MBO_UID_DEFINED 0x00000001 /* uid field should be matched */
+#define MBO_GID_DEFINED 0x00000002 /* gid field should be matched */
+#define MBO_FSID_DEFINED 0x00000004 /* fsid field should be matched */
+#define MBO_SUID 0x00000008 /* object must be suid */
+#define MBO_SGID 0x00000010 /* object must be sgid */
+#define MBO_UID_SUBJECT 0x00000020 /* uid must match subject */
+#define MBO_GID_SUBJECT 0x00000040 /* gid must match subject */
+#define MBO_TYPE_DEFINED 0x00000080 /* object type should be matched */
+#define MBO_FPATH_DEFINED 0x00000100 /* file path should me matched */
#define MBO_ALL_FLAGS (MBO_UID_DEFINED | MBO_GID_DEFINED | MBO_FSID_DEFINED | \
MBO_SUID | MBO_SGID | MBO_UID_SUBJECT | MBO_GID_SUBJECT | \
- MBO_TYPE_DEFINED)
+ MBO_TYPE_DEFINED | MBO_FPATH_DEFINED)
#define MBO_TYPE_REG 0x00000001
#define MBO_TYPE_DIR 0x00000002
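Review bot: The comment on the new MBO_FPATH_DEFINED line has a typo, `should me matched`; it should read `/* file path should be matched */`. The re-indentation of the neighbouring defines is otherwise whitespace-only.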
@@ -103,6 +104,9 @@
gid_t mbo_gid_max;
struct fsid mbo_fsid;
int mbo_type;
+ long mbo_fid;
+ size_t mbo_fpath_len;
+ char* mbo_fpath;
};
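Review bot: `char* mbo_fpath` stores a raw pointer inside struct mac_bsdextended_rule, a structure this commit fills from the userland rule and which sysctl_rule presumably copies back out to userland (the copy-in/out is outside this diff). Once the resolver replaces that pointer with a kernel buffer, reading a rule back would expose a kernel address and hand userland a pointer it cannot dereference, and nothing in the rule-removal path shown releases the buffer. A fixed-size `char mbo_fpath[MAXPATHLEN];` keeps the rule self-contained and copyable by the existing sysctl code, at the cost of a larger struct. The declarator style elsewhere in this file is `char *mbo_fpath`.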
struct mac_bsdextended_rule {