PERFORCE change 36942 for review
Andrew Reisse
areisse at FreeBSD.org
Tue Aug 26 13:16:33 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=36942
Change 36942 by areisse at areisse_tislabs on 2003/08/26 06:15:32
64-bit access vector in binary policy files.
Updated flask configuration in sample policy.
Display auditallow as well as allow in checkpolicy -d.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#2 edit
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/security_compute_av.c#2 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.c#3 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.h#3 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/policydb.h#3 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#2 (text+ko) ====
@@ -490,8 +490,25 @@
switch (ret) {
case 0:
printf("\nallowed {");
+ /*printf (" <%qx> ", allowed);*/
+ for (i = 1; i <= sizeof(allowed) * 8; i++) {
+ if (allowed & (((access_vector_t)1) << (i - 1))) {
+ perm = (char *) hashtab_map(cladatum->permissions.table,
+ find_perm, &i);
+
+ if (!perm && cladatum->comdatum) {
+ perm = (char *) hashtab_map(cladatum->comdatum->permissions.table,
+ find_perm, &i);
+ }
+ if (perm)
+ printf(" %s", perm);
+ }
+ }
+ printf(" }\n");
+
+ printf("audit-allowed {");
for (i = 1; i <= sizeof(allowed) * 8; i++) {
- if (allowed & (1 << (i - 1))) {
+ if (auditallow & (((access_vector_t)1) << (i - 1))) {
perm = (char *) hashtab_map(cladatum->permissions.table,
find_perm, &i);
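Review bot: The audit-allowed loop still bounds on `sizeof(allowed) * 8` while it tests `auditallow`, and it is otherwise a line-for-line copy of the allowed loop above it. Both are presumably access_vector_t, so the output is the same today, but a small static helper taking the vector and `cladatum` would tie the bound to the value being tested and remove the duplication. The commented-out `/*printf (" <%qx> ", allowed);*/` is leftover debugging and should be dropped. The enclosing switch and function start outside the hunk, and the second loop's body continues past it.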
@@ -504,6 +521,7 @@
}
}
printf(" }\n");
+
break;
case -EINVAL:
printf("\ninvalid sid\n");
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#2 (text+ko) ====
@@ -2013,7 +2013,7 @@
continue;
}
- avp[i] |= (1 << (perdatum->value - 1));
+ avp[i] |= (((__u64)1) << (perdatum->value - 1));
}
free(id);
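Review bot: `perdatum->value - 1` is used as a shift count with no range check visible in this hunk; a value of 0 or above 64 makes the shift undefined and could set the wrong permission bit in the compiled policy. If the symbol table does not already guarantee 1..64 (not visible here), guard it before the shift, e.g. `if (perdatum->value < 1 || perdatum->value > sizeof(avp[i]) * 8)` followed by an error and `continue`. The cast would also read more consistently as `((access_vector_t)1)`, matching checkpolicy.c in this change, if that type is in scope in this file. The enclosing loop and function start outside the hunk.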
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#4 (text+ko) ====
@@ -35,8 +35,8 @@
ALLDOMAINS != echo domains/*.te domains/misc/*.te domains/program/*.te
-policy.11: policy.conf $(FC)
- ${CHECKPOLICY} -o policy.11 policy.conf
+policy.13: policy.conf $(FC)
+ ${CHECKPOLICY} -o policy.13 policy.conf
policy.conf: tmp $(FLASKFILES) $(POLICYFILES) $(MACROFILES)
$(M4) $(FLASKFILES) $(POLICYFILES) > policy.conf
@@ -44,7 +44,7 @@
tmp:
@mkdir tmp
-install: policy.11
+install: policy.13
install -c -o root -g wheel -m 400 $> $(INSTALLDIR)
tmp/macro_used_flags.te: $(MACROPROGRAMFILES)
@@ -72,4 +72,7 @@
cat $> > $@
clean:
- rm -f policy.11 policy.conf file_contexts/file_contexts tmp/*
+ rm -f policy.13 policy.conf file_contexts/file_contexts tmp/*
+
+install-src:
+ cd ..; tar cf - policy | (cd $(INSTALLDIR); tar xf -)
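Review bot: The new install-src recipe chains its commands with `;`, so if `cd ..` or `cd $(INSTALLDIR)` fails, the tar commands still run in whatever directory the shell is in. Use `cd .. && tar cf - policy | (cd $(INSTALLDIR) && tar xf -)`. The binary policy is installed with explicit `-o root -g wheel -m 400`, whereas this copy takes ownership and modes from the source tree, so a comment stating the permissions expected on the installed policy sources would help whoever audits the install.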
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#2 (text+ko) ====
@@ -315,14 +315,29 @@
# those definitions. (Order matters)
chown
- dac_override
+ dac_execute
+ dac_write
dac_read_search
fowner
fsetid
- kill
+ kill
+ link_dir
+ setfcap
setgid
- setuid
- setpcap
+ setuid
+ mac_downgrade
+ mac_read
+ mac_relabel_subj
+ mac_upgrade
+ mac_write
+ inf_nofloat_obj
+ inf_nofloat_subj
+ inf_relabel_obj
+ inf_relabel_subj
+ audit_control
+ audit_write
+ setpcap
+ xxx_invalid1
linux_immutable
net_bind_service
net_broadcast
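Review bot: `xxx_invalid1` is added without explanation, in a list whose own header says order matters. Because position determines the bit each permission occupies, add a comment above it such as `# xxx_invalid1: placeholder slot, must never be granted`, with the actual reason filled in by the author since it is not visible here. The insertions also shift every permission after `chown`, so the generated flask headers and any previously compiled policy have to be rebuilt together with this file. The class definition starts and ends outside the hunk.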
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#2 (text+ko) ====
@@ -167,6 +167,12 @@
define(`r_shm_perms', `{ associate getattr read unix_read }')
define(`rw_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
+#
+# Mimic the dac_override capability from linux
+#
+define(`dac_override', `{ dac_read_search dac_execute dac_write }')
+
+
#################################
#
# Macros for type transition rules and
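Review bot: The comment says only that this mimics Linux; it should also say that `dac_override` is removed as a permission from flask/access_vectors in this change. It should add that every existing rule naming it now expands to all three of `dac_read_search`, `dac_execute` and `dac_write`. Suggest extending it with `# dac_override is an m4 macro, not a permission; new rules should grant only the individual dac_* permissions they need.` That keeps the compatibility shim from becoming the default way to grant DAC bypass.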
==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/security_compute_av.c#2 (text+ko) ====
@@ -45,7 +45,7 @@
#include "sebsd.h"
typedef char __assert_class_size[sizeof(security_class_t) == 2 ? 1 : -1];
-typedef char __assert_av_size[sizeof(access_vector_t) == 4 ? 1 : -1];
+typedef char __assert_av_size[sizeof(access_vector_t) == 8 ? 1 : -1];
/*
* Return the decisions SEBSD makes given a specific access vector.
@@ -60,10 +60,10 @@
int error;
arguments_len = asprintf(&arguments, "%s%c%s%c%s", query->scontext, 0,
- query->tcontext, 0, "121234");
+ query->tcontext, 0, "1212345678");
if (arguments_len == -1)
return (-1);
- memcpy(&arguments[arguments_len - (2 + 4)], &query->tclass,
+ memcpy(&arguments[arguments_len - (2 + 8)], &query->tclass,
sizeof(query->tclass));
memcpy(&arguments[arguments_len - 2], &query->requested,
sizeof(query->requested));
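Review bot: The context line `memcpy(&arguments[arguments_len - 2], &query->requested, sizeof(query->requested));` was not updated for the new layout. The placeholder is now 2 bytes of class followed by 8 bytes of access vector, so `requested` belongs at `arguments_len - 8`. Copying `sizeof(query->requested)` bytes from `arguments_len - 2` (8 bytes, assuming it is an access_vector_t as the size assertion earlier in this file requires) runs past the end of the asprintf() buffer and leaves the vector field holding placeholder characters. Change the destination to `&arguments[arguments_len - sizeof(query->requested)]`, and derive the tclass offset from the two sizeof values rather than the literal `(2 + 8)`. The function body starts and ends outside the hunk.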
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.c#3 (text+ko) ====
@@ -264,12 +264,24 @@
goto bad;
}
if (avdatum.specified & AVTAB_AV) {
- if (avdatum.specified & AVTAB_ALLOWED)
- avtab_allowed(&avdatum) = le32_to_cpu(buf[items++]);
+ if (avdatum.specified & AVTAB_ALLOWED)
+ {
+ __u32 b1 = le32_to_cpu (buf[items++]);
+ __u32 b2 = le32_to_cpu (buf[items++]);
+ avtab_allowed(&avdatum) = (((__u64) b1) << 32) | b2;
+ }
if (avdatum.specified & AVTAB_AUDITDENY)
- avtab_auditdeny(&avdatum) = le32_to_cpu(buf[items++]);
+ {
+ __u32 b1 = le32_to_cpu (buf[items++]);
+ __u32 b2 = le32_to_cpu (buf[items++]);
+ avtab_auditdeny(&avdatum) = (((__u64) b1) << 32) | b2;
+ }
if (avdatum.specified & AVTAB_AUDITALLOW)
- avtab_auditallow(&avdatum) = le32_to_cpu(buf[items++]);
+ {
+ __u32 b1 = le32_to_cpu (buf[items++]);
+ __u32 b2 = le32_to_cpu (buf[items++]);
+ avtab_auditallow(&avdatum) = (((__u64) b1) << 32) | b2;
+ }
} else {
if (avdatum.specified & AVTAB_TRANSITION)
avtab_transition(&avdatum) = le32_to_cpu(buf[items++]);
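Review bot: Each specified vector now consumes two words of `buf`, and nothing in this hunk checks `items` against the number of words actually read for the entry before indexing. If that check happens only after the fields are consumed (not visible here), a truncated or malformed policy file could be read past the end of the entry. The on-disk layout should also be documented where it is decoded, e.g. `/* 64-bit access vector: two le32 words, high word first */`, since the convention is repeated three times here and mirrored in the write hunk that follows. A small static helper returning the combined `__u64` would remove the triplication and the brace style that differs from the surrounding code. The function starts and ends outside the hunk.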
@@ -331,12 +343,18 @@
return -1;
}
if (cur->datum.specified & AVTAB_AV) {
- if (cur->datum.specified & AVTAB_ALLOWED)
- buf[items++] = cpu_to_le32(avtab_allowed(&cur->datum));
- if (cur->datum.specified & AVTAB_AUDITDENY)
- buf[items++] = cpu_to_le32(avtab_auditdeny(&cur->datum));
- if (cur->datum.specified & AVTAB_AUDITALLOW)
- buf[items++] = cpu_to_le32(avtab_auditallow(&cur->datum));
+ if (cur->datum.specified & AVTAB_ALLOWED) {
+ buf[items++] = cpu_to_le32(avtab_allowed(&cur->datum) >> 32);
+ buf[items++] = cpu_to_le32(avtab_allowed(&cur->datum) & 0xffffffff);
+ }
+ if (cur->datum.specified & AVTAB_AUDITDENY) {
+ buf[items++] = cpu_to_le32(avtab_auditdeny(&cur->datum) >> 32);
+ buf[items++] = cpu_to_le32(avtab_auditdeny(&cur->datum) & 0xffffffff);
+ }
+ if (cur->datum.specified & AVTAB_AUDITALLOW) {
+ buf[items++] = cpu_to_le32(avtab_auditallow(&cur->datum) >> 32);
+ buf[items++] = cpu_to_le32(avtab_auditallow(&cur->datum) & 0xffffffff);
+ }
} else {
if (cur->datum.specified & AVTAB_TRANSITION)
buf[items++] = cpu_to_le32(avtab_transition(&cur->datum));
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.h#3 (text+ko) ====
@@ -32,7 +32,7 @@
#define AVTAB_CHANGE 64
#define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
__u32 specified; /* what fields are specified */
- __u32 data[3]; /* access vectors or types */
+ __u64 data[3]; /* access vectors or types */
#define avtab_allowed(x) (x)->data[0]
#define avtab_auditdeny(x) (x)->data[1]
#define avtab_auditallow(x) (x)->data[2]
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/policydb.h#3 (text+ko) ====
@@ -248,7 +248,7 @@
#define PERM_SYMTAB_SIZE 32
-#define POLICYDB_VERSION 11
+#define POLICYDB_VERSION 13
#define POLICYDB_CONFIG_MLS 1
#define OBJECT_R "object_r"
@@ -262,3 +262,5 @@
/* FLASK */
+
+