PERFORCE change 14845 for review
Brian Feldman
green at freebsd.org
Wed Jul 24 15:57:32 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14845
Change 14845 by green at green_laptop_2 on 2002/07/24 08:56:44
Add an "int newmapping" argument to MAC_CRED_CHECK_MMAP_VNODE_PERMS.
Use vm_prot_t instead of u_char in mac_policy.h, and include vm/vm.h
in places where sys/mac_policy.h is included.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#193 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#68 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#43 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#9 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#56 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#45 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#5 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#10 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#50 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#15 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#3 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#14 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#121 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#86 edit
.. //depot/projects/trustedbsd/mac/sys/vm/vm_mmap.c#9 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#193 (text+ko) ====
@@ -57,7 +57,6 @@
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/mount.h>
-#include <sys/mac_policy.h>
#include <sys/file.h>
#include <sys/namei.h>
#include <sys/socket.h>
@@ -70,6 +69,8 @@
#include <vm/vm_map.h>
#include <vm/vm_object.h>
+#include <sys/mac_policy.h>
+
#include <fs/devfs/devfs.h>
#include <net/bpf.h>
@@ -145,6 +146,10 @@
static int mac_vnode_label_cache_misses = 0;
SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD,
&mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels");
+static int mac_mmap_revocation_via_cow = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
+ &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
+ "copy-on-write semantics, or by removing all write access");
static int error_select(int error1, int error2);
static int mac_externalize(struct label *label, struct mac *mac);
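Review bot: The description string for `mmap_revocation_via_cow` does not say which value selects which behaviour, and the knob is `CTLFLAG_RW`, so it can be flipped at run time. Going by the later hunk in this file, non-zero leaves write permission in place so copy-on-write can happen, and 0 clears `VM_PROT_WRITE` on the map entry. I would spell that out in the string, e.g. `"Revoke mmap access to files via copy-on-write semantics (1), or by removing all write access (0)"`.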
@@ -330,13 +335,8 @@
if (object->type != OBJT_VNODE)
continue;
vp = (struct vnode *)object->handle;
- result = VM_PROT_ALL;
- /*
- * This should be some sort of MAC_BITWISE, maybe :)
- */
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- MAC_BOOLEAN(cred_check_vnode_mmap_perms, &, cred,
- vp, &vp->v_label);
+ result = mac_cred_check_mmap_vnode_prot(cred, vp, 0);
VOP_UNLOCK(vp, 0, td);
/*
* Find out what maximum protection we may be allowing
@@ -377,11 +377,14 @@
vm_object_deallocate(object);
/*
* Why bother if there's no read permissions
- * anymore? For the rest of it, we need to
- * leave the write permissions on for COW
- * to happen.
+ * anymore? For the rest, we need to leave
+ * the write permissions on for COW, or
+ * remove them entirely if configured to.
*/
- if ((revokeperms & VM_PROT_READ) == 0)
+ if (!mac_mmap_revocation_via_cow) {
+ vme->max_protection &= ~VM_PROT_WRITE;
+ vme->protection &= ~VM_PROT_WRITE;
+ } if ((revokeperms & VM_PROT_READ) == 0)
vme->eflags |= MAP_ENTRY_COW |
MAP_ENTRY_NEEDS_COPY;
}
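Review bot: `} if ((revokeperms & VM_PROT_READ) == 0)` reads like a dropped `else`. As written, when `mac_mmap_revocation_via_cow` is 0 the entry has `VM_PROT_WRITE` cleared and can then still be marked `MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY`. If the two modes are meant to be alternatives, as the updated comment suggests, this should be `} else if ((revokeperms & VM_PROT_READ) == 0)`; if both are intended, put the `if` on its own line so that is visible. The enclosing loop and function start outside the hunk, so I cannot check from here whether the pmap is also updated to match the narrowed `vme->protection`.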
@@ -1864,6 +1867,21 @@
return (error);
}
+vm_prot_t
+mac_cred_check_mmap_vnode_prot(struct ucred *cred, struct vnode *vp,
+ int newmapping)
+{
+ vm_prot_t result = VM_PROT_ALL;
+
+ /*
+ * This should be some sort of MAC_BITWISE, maybe :)
+ */
+ ASSERT_VOP_LOCKED(vp, "mac_cred_check_mmap_vnode_perms");
+ MAC_BOOLEAN(cred_check_vnode_mmap_perms, &, cred, vp, &vp->v_label,
+ newmapping);
+ return (result);
+}
+
int
mac_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
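Review bot: The lock assertion in `mac_cred_check_mmap_vnode_prot` names a different function, `ASSERT_VOP_LOCKED(vp, "mac_cred_check_mmap_vnode_perms")`, so a failed assertion would point at a symbol that does not exist; use `ASSERT_VOP_LOCKED(vp, "mac_cred_check_mmap_vnode_prot");`. The function also has no comment on its contract. I would add one saying that it starts from `VM_PROT_ALL` and appears to AND in what each policy allows, that the caller must hold the vnode lock, and that `newmapping` is 1 for a new mmap() request and 0 when existing mappings are re-checked for revocation, as the two callers in this change pass it.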
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#68 (text+ko) ====
@@ -54,7 +54,6 @@
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
-#include <sys/mac_policy.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -72,6 +71,8 @@
#include <vm/vm.h>
+#include <sys/mac_policy.h>
+
#include <security/mac_biba/mac_biba.h>
SYSCTL_DECL(_security_mac);
@@ -1836,14 +1837,14 @@
return (mac_biba_equal_single(p, s) ? 0 : EACCES);
}
-static int
+static vm_prot_t
mac_biba_cred_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *label, int newmapping)
{
struct mac_biba *subj, *obj;
vm_prot_t prot = 0;
- if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+ if (!mac_biba_enabled || (!mac_biba_revocation_enabled && !newmapping))
return (VM_PROT_ALL);
subj = SLOT(&cred->cr_label);
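Review bot: The new early-return test is easy to misread and has no comment: with `newmapping` set, the policy is consulted even when `mac_biba_revocation_enabled` is off, so that toggle now only governs the re-check of existing mappings. A one-line comment above the test would help, e.g. `/* Revocation of existing mappings is optional; new mappings are always checked. */`. The same applies to the matching hunks in mac_mls.c and mac_te.c, and the mac_te.c one also adds a `mac_te_enabled` test that the change description does not mention. The function body continues outside the hunk.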
==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#43 (text+ko) ====
@@ -57,7 +57,6 @@
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
-#include <sys/mac_policy.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -68,6 +67,10 @@
#include <net/if_types.h>
#include <net/if_var.h>
+#include <vm/vm.h>
+
+#include <sys/mac_policy.h>
+
#include <security/mac_bsdextended/mac_bsdextended.h>
SYSCTL_DECL(_security_mac);
==== //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#9 (text+ko) ====
@@ -55,7 +55,6 @@
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
-#include <sys/mac_policy.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -66,6 +65,10 @@
#include <net/if_types.h>
#include <net/if_var.h>
+#include <vm/vm.h>
+
+#include <sys/mac_policy.h>
+
SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, ifoff, CTLFLAG_RW, 0,
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#56 (text+ko) ====
@@ -54,7 +54,6 @@
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
-#include <sys/mac_policy.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -72,6 +71,8 @@
#include <vm/vm.h>
+#include <sys/mac_policy.h>
+
#include <security/mac_mls/mac_mls.h>
SYSCTL_DECL(_security_mac);
@@ -1775,14 +1776,14 @@
return (mac_mls_equal_single(p, s) ? 0 : EACCES);
}
-static int
+static vm_prot_t
mac_mls_cred_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *label, int newmapping)
{
struct mac_mls *subj, *obj;
vm_prot_t prot = 0;
- if (!mac_mls_enabled || !mac_mls_revocation_enabled)
+ if (!mac_mls_enabled || (!mac_mls_revocation_enabled && !newmapping))
return (VM_PROT_ALL);
subj = SLOT(&cred->cr_label);
==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#45 (text+ko) ====
@@ -54,7 +54,6 @@
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
-#include <sys/mac_policy.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -70,6 +69,10 @@
#include <netinet/in.h>
#include <netinet/ip_var.h>
+#include <vm/vm.h>
+
+#include <sys/mac_policy.h>
+
SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, none, CTLFLAG_RW, 0,
==== //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#5 (text+ko) ====
@@ -53,7 +53,6 @@
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
-#include <sys/mac_policy.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -66,6 +65,10 @@
#include <net/if_types.h>
#include <net/if_var.h>
+#include <vm/vm.h>
+
+#include <sys/mac_policy.h>
+
SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, partition, CTLFLAG_RW, 0,
==== //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#10 (text+ko) ====
@@ -54,7 +54,6 @@
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
-#include <sys/mac_policy.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -65,6 +64,10 @@
#include <net/if_types.h>
#include <net/if_var.h>
+#include <vm/vm.h>
+
+#include <sys/mac_policy.h>
+
SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, seeotheruids, CTLFLAG_RW, 0,
==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#50 (text+ko) ====
@@ -54,7 +54,6 @@
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
-#include <sys/mac_policy.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -65,6 +64,10 @@
#include <net/if_types.h>
#include <net/if_var.h>
+#include <vm/vm.h>
+
+#include <sys/mac_policy.h>
+
#include <security/mac_te/mac_te.h>
#include <vm/vm.h>
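Review bot: The added `#include <vm/vm.h>` duplicates the one already present in the context lines, right after `<security/mac_te/mac_te.h>`. It is harmless if the header is guarded, but the later include can be dropped now that the earlier one is needed ahead of `<sys/mac_policy.h>`.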
@@ -1506,14 +1509,14 @@
return (error);
}
-static int
-mac_te_cred_check_mmap_perms(struct ucred *cred, struct vnode *vp,
- struct label *label)
+static vm_prot_t
+mac_te_cred_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
+ struct label *label, int newmapping)
{
struct mac_te *subj, *obj;
vm_prot_t prot = 0;
- if (!mac_te_revocation_enabled)
+ if (!mac_te_enabled || (!mac_te_revocation_enabled && !newmapping))
return (VM_PROT_ALL);
subj = SLOT(&cred->cr_label);
@@ -1742,7 +1745,7 @@
{ MAC_CRED_CHECK_SIGNAL_PROC, (macop_t)mac_te_cred_check_signal_proc },
{ MAC_CRED_CHECK_STAT_VNODE, (macop_t)mac_te_cred_check_stat_vnode },
{ MAC_CRED_CHECK_VNODE_MMAP_PERMS,
- (macop_t)mac_te_cred_check_mmap_perms },
+ (macop_t)mac_te_cred_check_vnode_mmap_perms },
{ MAC_CRED_CHECK_VNODE_OP,
(macop_t)mac_te_cred_check_vnode_op },
{ MAC_IFNET_CHECK_SEND_MBUF, (macop_t)mac_te_ifnet_check_send_mbuf },
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#15 (text+ko) ====
@@ -54,7 +54,6 @@
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
-#include <sys/mac_policy.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -67,6 +66,10 @@
#include <net/if_types.h>
#include <net/if_var.h>
+#include <vm/vm.h>
+
+#include <sys/mac_policy.h>
+
SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#3 (text+ko) ====
@@ -25,6 +25,9 @@
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
+
+#include <vm/vm.h>
+
#include <sys/mac_policy.h>
#include <security/sebsd/avc/avc.h>
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#14 (text+ko) ====
@@ -47,6 +47,9 @@
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
+
+#include <vm/vm.h>
+
#include <sys/mac_policy.h>
#include <security/sebsd/sebsd.h>
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#121 (text+ko) ====
@@ -286,6 +286,9 @@
struct vnode *vp, struct componentname *cnp);
int mac_cred_check_rename_to_vnode(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp);
+/* XXX This u_char should be vm_prot_t! */
+u_char mac_cred_check_mmap_vnode_prot(struct ucred *cred, struct vnode *vp,
+ int newmapping);
int mac_cred_check_open_vnode(struct ucred *cred, struct vnode *vp,
mode_t acc_mode);
int mac_cred_check_readdir_vnode(struct ucred *cred, struct vnode *vp);
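Review bot: The prototype returns `u_char` while the definition added to kern_mac.c returns `vm_prot_t`, so the two only agree for as long as `vm_prot_t` is a typedef of `u_char`, which is what the XXX comment implies. This change already makes mac_policy.h use `vm_prot_t`, and vm_mmap.c stores the result in a `vm_prot_t`, so declaring it as `vm_prot_t mac_cred_check_mmap_vnode_prot(struct ucred *cred, struct vnode *vp, int newmapping);` would remove the dependency on that typedef. It requires the type to be visible wherever sys/mac.h is included, which I cannot confirm from this hunk.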
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#86 (text+ko) ====
@@ -313,9 +313,8 @@
struct proc *proc, int signum);
int (*mpo_cred_check_stat_vnode)(struct ucred *cred,
struct vnode *vp, struct label *label);
- /* XXX should be vm_prot_t, not u_char directly */
- u_char (*mpo_cred_check_vnode_mmap_perms)(struct ucred *cred,
- struct vnode *vp, struct label *label);
+ vm_prot_t (*mpo_cred_check_vnode_mmap_perms)(struct ucred *cred,
+ struct vnode *vp, struct label *label, int newmapping);
int (*mpo_cred_check_vnode_op)(struct ucred *cred,
struct vnode *vp, struct label *label, int op);
int (*mpo_ifnet_check_send_mbuf)(struct ifnet *ifnet,
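Review bot: The new signature of `mpo_cred_check_vnode_mmap_perms` is not enforced by the compiler for policy modules, because entry points are registered through `(macop_t)` casts, as the mac_te.c table in this change shows. A policy that still provides the old three-argument function, or still returns `int`, would keep building and be called through a mismatched prototype in an access-control path. Only mac_biba, mac_mls and mac_te are converted here, so it is worth confirming that no other policy registers this entry point (the visible sebsd hunks only touch includes). The header also now relies on the includer having declared `vm_prot_t`, which deserves a comment next to the member, e.g. `/* Requires <vm/vm.h> for vm_prot_t. */`.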
==== //depot/projects/trustedbsd/mac/sys/vm/vm_mmap.c#9 (text+ko) ====
@@ -46,6 +46,7 @@
*/
#include "opt_compat.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -60,6 +61,7 @@
#include <sys/vnode.h>
#include <sys/fcntl.h>
#include <sys/file.h>
+#include <sys/mac.h>
#include <sys/mman.h>
#include <sys/conf.h>
#include <sys/stat.h>
@@ -421,6 +423,24 @@
}
mtx_unlock(&Giant);
+#ifdef MAC
+ if (handle != NULL) {
+ if (flags & MAP_SHARED) {
+ vm_prot_t macmaxprot;
+
+ macmaxprot = mac_cred_check_mmap_vnode_prot(
+ td->td_ucred, (struct vnode *)handle, 1);
+ if ((maxprot & macmaxprot) != maxprot) {
+ error = EPERM;
+ goto done;
+ }
+ }
+ /*
+ * XXX Policies (e.g. LOMAC) should possibly check for a read
+ * operation here.
+ */
+ }
+#endif /* MAC */
error = vm_mmap(&vms->vm_map, &addr, size, prot, maxprot,
flags, handle, pos);
if (error == 0)
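Review bot: No vnode lock is taken around the `mac_cred_check_mmap_vnode_prot()` call added here, although that function asserts the vnode is locked and the revocation caller in kern_mac.c brackets it with `vn_lock()`/`VOP_UNLOCK()`. Unless the vnode is already locked earlier in mmap(), which is outside the hunk, the label is read unlocked and the assertion would presumably fire on a kernel built with vnode lock checking. I would wrap the call in `vn_lock((struct vnode *)handle, LK_EXCLUSIVE | LK_RETRY, td);` and `VOP_UNLOCK((struct vnode *)handle, 0, td);`. Separately, the denial returns `EPERM` where the policy checks visible elsewhere in this change return `EACCES`, so the errno should be chosen deliberately. The check also covers only `MAP_SHARED` requests, a gap the XXX comment already notes for reads.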