PERFORCE change 20480 for review

Brian Feldman green at freebsd.org
Thu Oct 31 16:33:35 GMT 2002


http://perforce.freebsd.org/chv.cgi?CH=20480

Change 20480 by green at green_laptop_2 on 2002/10/31 08:32:51

	* Synchronize mac_lomac to newer mac operations declarations.
	* Add support for using the auxiliary label on executables to
	  determine the single to switch to before beginning execution.
	* Fix locking bugs, etc.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#30 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#30 (text+ko) ====

@@ -62,6 +62,7 @@
 #include <sys/socketvar.h>
 #include <sys/pipe.h>
 #include <sys/sysctl.h>
+#include <sys/syslog.h>
 
 #include <fs/devfs/devfs.h>
 
@@ -488,11 +489,21 @@
 		mac_lomac_copy_range(source, dest);
 }
 
+static int	mac_lomac_to_string(char *string, size_t size,
+	    size_t *caller_len, struct mac_lomac *mac_lomac);
+
 static int
-maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel)
+maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel,
+    const char *actionname, const char *objname)
 {
+	static const char xxx[] = "<<XXX>>";
 	struct mac_lomac_proc *subj = PSLOT(&curthread->td_proc->p_label);
+	char *subjlabeltext, *objlabeltext, *subjtext, *text;
+	struct proc *p;
+	size_t len;
+	pid_t pgid;
 
+	p = curthread->td_proc;
 	mtx_lock(&subj->mtx);
         if (subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) {
 		/*
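Review bot: The two new parameters of maybe_demote, `actionname` and `objname`, are undocumented even though they end up verbatim in the log message built later in the function. A short comment above the definition would help, for example `/* actionname and objname are constant strings naming the triggering access ("reading", "pipe"); they are used only in the demotion log message. */`. Separately, `xxx` is declared `static const char[]` here while the pointers it is later assigned to (`subjlabeltext`, `objlabeltext`, `subjtext`) are plain `char *`, so that assignment drops the qualifier. The function body continues outside this hunk.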
@@ -500,8 +511,10 @@
 		 * less severe than this one, and keep the more severe.
 		 * This can only happen for a multi-threaded application.
 		 */
-		if (mac_lomac_dominate_single(objlabel, &subj->mac_lomac))
-			goto out;
+		if (mac_lomac_dominate_single(objlabel, &subj->mac_lomac)) {
+			mtx_lock(&subj->mtx);
+			return (0);
+		}
 	}
 	bzero(&subj->mac_lomac, sizeof(subj->mac_lomac));
 	/*
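Review bot: The early-return branch added here calls `mtx_lock(&subj->mtx);` where it should release the mutex. `subj->mtx` is already held from the `mtx_lock` at the top of maybe_demote, so this path either recurses on the mutex or returns to the caller with it still locked. The removed `goto out` reached `mtx_unlock`, so the new lines should read `mtx_unlock(&subj->mtx);` followed by `return (0);`. How the mutex is initialised is not visible in this diff, so which of the two failures occurs is an inference. The function starts and ends outside this hunk.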
@@ -523,8 +536,43 @@
 	curthread->td_kse->ke_flags |= KEF_ASTPENDING;
 	curthread->td_proc->p_sflag |= PS_MACPEND;
 	mtx_unlock_spin(&sched_lock);
-out:
+	subjtext = subjlabeltext = objlabeltext = xxx;
+	if (mac_lomac_to_string(NULL, 0, &len, &subj->mac_lomac) == 0 &&
+	    (text = malloc(len + 1, M_MACLOMAC, M_NOWAIT)) != NULL) {
+		if (mac_lomac_to_string(text, len + 1, &len,
+		    &subj->mac_lomac) == 0)
+			subjtext = text;
+		else
+			free(text, M_MACLOMAC);
+	}
 	mtx_unlock(&subj->mtx);
+	if (mac_lomac_to_string(NULL, 0, &len, subjlabel) == 0 &&
+	    (text = malloc(len + 1, M_MACLOMAC, M_WAITOK)) != NULL) {
+		if (mac_lomac_to_string(text, len + 1, &len,
+		    subjlabel) == 0)
+			subjlabeltext = text;
+		else
+			free(text, M_MACLOMAC);
+	}
+	if (mac_lomac_to_string(NULL, 0, &len, objlabel) == 0 &&
+	    (text = malloc(len + 1, M_MACLOMAC, M_WAITOK)) != NULL) {
+		if (mac_lomac_to_string(text, len + 1, &len,
+		    objlabel) == 0)
+			objlabeltext = text;
+		else
+			free(text, M_MACLOMAC);
+	}
+	pgid = p->p_pgrp->pg_id;		/* XXX could be stale? */
+	log(LOG_INFO, "LOMAC: level-%s subject p%dg%du%d:%s demoted to"
+	    " level %s after %s a level-%s %s\n",
+	    subjlabeltext, p->p_pid, pgid, curthread->td_ucred->cr_uid,
+	    p->p_comm, subjtext, actionname, objlabeltext, objname);
+	if (subjlabeltext != xxx)
+		free(subjlabeltext, M_MACLOMAC);
+	if (objlabeltext != xxx)
+		free(objlabeltext, M_MACLOMAC);
+	if (subjtext != xxx)
+		free(subjtext, M_MACLOMAC);
 	return (0);
 }
 
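Review bot: The two `M_WAITOK` allocations for `subjlabeltext` and `objlabeltext` may sleep, and maybe_demote is reached from access-check hooks (the pipe read check later in this diff passes "reading", "pipe") whose callers might hold a non-sleepable lock; that calling context is not visible here and should be confirmed. Since the `<<XXX>>` fallback already handles allocation failure, using `M_NOWAIT` for all three, as in `(text = malloc(len + 1, M_MACLOMAC, M_NOWAIT)) != NULL`, keeps the logging best-effort without sleeping. With `M_WAITOK` the `!= NULL` test is dead code anyway. Note also that `p->p_comm` is chosen by the process being logged, so anything that parses this log line should treat that field as untrusted text. The hunk starts partway through the function.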
@@ -623,78 +671,69 @@
 mac_lomac_to_string(char *string, size_t size, size_t *caller_len,
     struct mac_lomac *mac_lomac)
 {
-	size_t left, len;
+	size_t left, len, curlen;
 	char *curptr;
 
-	bzero(string, size);
+	/*
+	 * Also accept NULL string to allow for predetermination of total
+	 * string length.
+	 */
+	if (string != NULL)
+		bzero(string, size);
+	else if (size != 0)
+		return (EINVAL);
 	curptr = string;
 	left = size;
+	curlen = 0;
 
+#define	INCLEN(length, leftover) do {					\
+	if (string != NULL) {						\
+		if (length >= leftover)					\
+			return (EINVAL);				\
+		leftover -= length;					\
+		curptr += length;					\
+	}								\
+	curlen += length;						\
+} while (0)
 	if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
 		len = mac_lomac_element_to_string(curptr, left,
 		    &mac_lomac->ml_single);
-		if (len >= left)
-			return (EINVAL);
-		left -= len;
-		curptr += len;
+		INCLEN(len, left);
 	}
 
 	if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_AUX) {
 		len = snprintf(curptr, left, "[");
-		if (len >= left)
-			return (EINVAL);
-		left -= len;
-		curptr += len;
+		INCLEN(len, left);
 
 		len = mac_lomac_element_to_string(curptr, left,
 		    &mac_lomac->ml_auxsingle);
-		if (len >= left)
-			return (EINVAL);
-		left -= len;
-		curptr += len;
+		INCLEN(len, left);
 
 		len = snprintf(curptr, left, "]");
-		if (len >= left)
-			return (EINVAL);
-		left -= len;
-		curptr += len;
+		INCLEN(len, left);
 	}
 
 	if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
 		len = snprintf(curptr, left, "(");
-		if (len >= left)
-			return (EINVAL);
-		left -= len;
-		curptr += len;
+		INCLEN(len, left);
 
 		len = mac_lomac_element_to_string(curptr, left,
 		    &mac_lomac->ml_rangelow);
-		if (len >= left)
-			return (EINVAL);
-		left -= len;
-		curptr += len;
+		INCLEN(len, left);
 
 		len = snprintf(curptr, left, "-");
-		if (len >= left)
-			return (EINVAL);
-		left -= len;
-		curptr += len;
+		INCLEN(len, left);
 
 		len = mac_lomac_element_to_string(curptr, left,
 		    &mac_lomac->ml_rangehigh);
-		if (len >= left)
-			return (EINVAL);
-		left -= len;
-		curptr += len;
+		INCLEN(len, left);
 
 		len = snprintf(curptr, left, ")");
-		if (len >= left)
-			return (EINVAL);
-		left -= len;
-		curptr += len;
+		INCLEN(len, left);
 	}
+#undef INCLEN
 
-	*caller_len = strlen(string);
+	*caller_len = curlen;
 	return (0);
 }
 
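Review bot: The new length-probing mode (`string == NULL`, `size == 0`) passes `curptr == NULL` and `left == 0` to every `mac_lomac_element_to_string` and `snprintf` call, so it is only correct if the element helper accepts a NULL buffer and returns the full would-be length the way snprintf does; the helper is not shown in this hunk, so that needs checking. If it instead returns the bytes actually written, the probe under-counts and the second, bounded call fails with EINVAL, which maybe_demote turns into the `<<XXX>>` placeholder. I would state the requirement in the comment above the NULL check, e.g. `Requires mac_lomac_element_to_string() to accept (NULL, 0) and return the untruncated length.` The `INCLEN` macro should also parenthesize its arguments, `if ((length) >= (leftover))`.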
@@ -1457,13 +1496,35 @@
     struct vnode *vp, struct label *vnodelabel, struct label *shellvnodelabel,
     struct image_params *imgp)
 {
-	struct mac_lomac *source, *dest;
+	struct mac_lomac *source, *dest, *obj, *robj;
 
 	source = SLOT(&old->cr_label);
 	dest = SLOT(&new->cr_label);
+	obj = SLOT(vnodelabel);
+	robj = shellvnodelabel != NULL ? SLOT(shellvnodelabel) : obj;
 
-	mac_lomac_copy_single(source, dest);
-	mac_lomac_copy_range(source, dest);
+	mac_lomac_copy(source, dest);
+	/*
+	 * If there's an auxiliary label on the real object, respect it
+	 * and assume that this level should be assumed immediately if
+	 * a higher level is currently in place.
+	 */
+	if (robj->ml_flags & MAC_LOMAC_FLAG_AUX &&
+	    !mac_lomac_dominate_element(&robj->ml_auxsingle, &dest->ml_single)
+	    && mac_lomac_auxsingle_in_range(robj, dest))
+		mac_lomac_set_single(dest, robj->ml_auxsingle.mle_type,
+		    robj->ml_auxsingle.mle_grade);
+	/*
+	 * Restructuring to use the execve transitioning mechanism
+	 * instead of the normal demotion mechanism here would be
+	 * difficult, so just copy the label over and perform standard
+	 * demotion.  This is also non-optimal because it will result
+	 * in the intermediate label "new" being created and immediately
+	 * recycled.
+	 */
+	if (mac_lomac_enabled && revocation_enabled &&
+	    !mac_lomac_dominate_single(obj, source))
+		(void)maybe_demote(source, obj, "executing", "file");
 }
 
 static int
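Review bot: The auxiliary-label switch at `if (robj->ml_flags & MAC_LOMAC_FLAG_AUX &&` runs unconditionally, whereas the matching test added to the will-transition hook in the next hunk first returns 0 when `!mac_lomac_enabled || !revocation_enabled`. If an exec transition is requested for some other reason, the new credential could take the auxiliary single even with the policy disabled; whether that is intended is not clear from the diff. If it is not, the condition could start with `if (mac_lomac_enabled && robj->ml_flags & MAC_LOMAC_FLAG_AUX &&`. The same three-part predicate is duplicated in both hooks, so moving it into one static helper used by both would keep the decision and the transition from drifting apart. The function's signature begins outside this hunk.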
@@ -1471,8 +1532,19 @@
     struct label *vnodelabel, struct label *shellvnodelabel,
     struct image_params *imgp)
 {
+	struct mac_lomac *subj, *obj, *robj;
+
+	if (!mac_lomac_enabled || !revocation_enabled)
+		return (0);
+
+	subj = SLOT(&old->cr_label);
+	obj = SLOT(vnodelabel);
+	robj = shellvnodelabel != NULL ? SLOT(shellvnodelabel) : obj;
 
-	return (0);
+	return ((robj->ml_flags & MAC_LOMAC_FLAG_AUX &&
+	    !mac_lomac_dominate_element(&robj->ml_auxsingle, &subj->ml_single)
+	    && mac_lomac_auxsingle_in_range(robj, subj)) ||
+	    !mac_lomac_dominate_single(obj, subj));
 }
 
 static void
@@ -1694,7 +1766,7 @@
 	obj = SLOT((pipelabel));
 
 	if (!mac_lomac_dominate_single(obj, subj))
-		return (maybe_demote(subj, obj));
+		return (maybe_demote(subj, obj, "reading", "pipe"));
 
 	return (0);
 }
@@ -2076,7 +2148,7 @@
 	}
 	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
 		if (!mac_lomac_dominate_single(obj, subj))
-			return (maybe_demote(subj, obj));
+			return (maybe_demote(subj, obj, "mapping", "file"));
 	}
 
 	return (0);
@@ -2112,7 +2184,7 @@
 
 static void
 mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
-    struct label *label, int *prot)
+    struct label *label, /* XXX vm_prot_t */ int *prot)
 {
 	struct mac_lomac *subj, *obj;
 
@@ -2164,7 +2236,7 @@
 	obj = SLOT(label);
 
 	if (!mac_lomac_dominate_single(obj, subj))
-		return (maybe_demote(subj, obj));
+		return (maybe_demote(subj, obj, "reading", "file"));
 
 	return (0);
 }
@@ -2529,7 +2601,8 @@
 	.mpo_update_devfsdirent = mac_lomac_update_devfsdirent,
 	.mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs,
 	.mpo_associate_vnode_extattr = mac_lomac_associate_vnode_extattr,
-	.mpo_associate_vnode_singlelabel = mac_lomac_associate_vnode_singlelabel,
+	.mpo_associate_vnode_singlelabel =
+	    mac_lomac_associate_vnode_singlelabel,
 	.mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr,
 	.mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr,
 	.mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket,
@@ -2539,7 +2612,8 @@
 	.mpo_relabel_pipe = mac_lomac_relabel_pipe,
 	.mpo_relabel_socket = mac_lomac_relabel_socket,
 	.mpo_set_socket_peer_from_mbuf = mac_lomac_set_socket_peer_from_mbuf,
-	.mpo_set_socket_peer_from_socket = mac_lomac_set_socket_peer_from_socket,
+	.mpo_set_socket_peer_from_socket =
+	    mac_lomac_set_socket_peer_from_socket,
 	.mpo_create_bpfdesc = mac_lomac_create_bpfdesc,
 	.mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq,
 	.mpo_create_fragment = mac_lomac_create_fragment,
@@ -2549,7 +2623,8 @@
 	.mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
 	.mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet,
-	.mpo_create_mbuf_multicast_encap = mac_lomac_create_mbuf_multicast_encap,
+	.mpo_create_mbuf_multicast_encap =
+	    mac_lomac_create_mbuf_multicast_encap,
 	.mpo_create_mbuf_netlayer = mac_lomac_create_mbuf_netlayer,
 	.mpo_fragment_match = mac_lomac_fragment_match,
 	.mpo_relabel_ifnet = mac_lomac_relabel_ifnet,