PERFORCE change 79087 for review

Tue Jun 28 18:36:38 GMT 2005

http://perforce.freebsd.org/chv.cgi?CH=79087

Change 79087 by areisse at areisse_ibook on 2005/06/28 18:36:04

	Implement some missing features in our libselinux in order to remove
	libsedarwin entirely. This is security_compute_user,
	security_check_context, and getcon. The security_check_context 
	provided here is a good candidate for replacement with a new syscall
	(perhaps sedarwin-specific) that simply validates a label.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libselinux/src/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libselinux/src/check_context.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libselinux/src/getcon.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libselinux/src/security_get_user_contexts.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libselinux/src/sedarwin_config.c#3 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libselinux/src/Makefile#3 (text+ko) ====

@@ -11,7 +11,7 @@
 
 SRCS=   system.c security_get_user_contexts.c get_context_list.c \
         getseccontext.c query_user_context.c \
-        context.c \
+        context.c check_context.c getcon.c \
         get_default_type.c filecon.c sedarwin_config.c \
         freecon.c freeconary.c booleans.c
 

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libselinux/src/check_context.c#2 (text+ko) ====

@@ -1,27 +1,26 @@
-#include <unistd.h>
 #include <sys/types.h>
-#include <fcntl.h>
 #include <stdlib.h>
 #include <errno.h>
 #include <string.h>
-#include <stdio.h>
 #include <selinux/selinux.h>
-#include "policy.h"
 #include <limits.h>
+#include <sedarwin/sebsd.h>
+#include <mach/kern_return.h>
+#include <mach/security.h>
 
 int security_check_context(security_context_t con)
 {
-	char path[PATH_MAX];
-	int fd, ret;
+	kern_return_t kr;
+	char buf[strlen(con) + strlen(SEBSD_ID_STRING) + 2];
 
-	snprintf(path, sizeof path, "%s/context", selinux_mnt);
-	fd = open(path, O_RDWR);
-	if (fd < 0)
-		return -1;
+	strcpy(buf, SEBSD_ID_STRING);
+	strcat(buf, "/");
+	strcat(buf, con);
 
-	ret = write(fd, con, strlen(con)+1);
-	close(fd);
-	if (ret < 0)
-		return -1;
-	return 0;
+	kr = mac_check_name_port_access(mach_task_self(), mach_task_self(),
+	    buf, "file", "read");
+	if (kr == KERN_INVALID_ARGUMENT)
+		return (-1);
+	else
+		return (0);
 }

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libselinux/src/getcon.c#2 (text+ko) ====

@@ -1,44 +1,30 @@
 #include <unistd.h>
-#include <fcntl.h>
 #include <string.h>
 #include <selinux/selinux.h>
 #include <stdlib.h>
 #include <errno.h>
-#include <asm/page.h>
-#include "policy.h"
+#include <sedarwin/sebsd.h>
+#include <sys/mac.h>
 
 int getcon(security_context_t *context)
 {
-	char *buf;
-	size_t size;
-	int fd;
-	ssize_t ret;
+	mac_t label;
+	char *text;
+	int ret;
 
-	fd = open("/proc/self/attr/current", O_RDONLY);
-	if (fd < 0)
-		return -1;
-
-	size = PAGE_SIZE;
-	buf = malloc(size);
-	if (!buf) {
-		ret = -1;
-		goto out;
+	if (mac_prepare(&label, SEBSD_ID_STRING))
+		return (-1);
+	if (mac_get_proc(label)) {
+		mac_free(label);
+		return (-1);
 	}
-	memset(buf, 0, size);
+	ret = mac_to_text(label, &text);
+	if (ret == 0) {
+		*context = strdup(text+1+strlen(SEBSD_ID_STRING));
+		free(text);
+	} else
+		*context = NULL;
 
-	ret = read(fd, buf, size-1);
-	if (ret < 0)
-		goto out2;
-
-	*context = strdup(buf);
-	if (!(*context)) {
-		ret = -1;
-		goto out2;
-	}
-	ret = 0;
-out2:			
-	free(buf);
-out:
-	close(fd);
+	mac_free(label);
 	return ret;
 }

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libselinux/src/security_get_user_contexts.c#2 (text+ko) ====

@@ -43,6 +43,8 @@
 #include <string.h>
 #include <unistd.h>
 
+#include <selinux/selinux.h>
+
 struct getsid_args
 {
   char *ctx;
@@ -101,7 +103,7 @@
 		*retcontexts = NULL;
 		return (0);
 	}
-	contextarray = calloc(n, sizeof(char *));
+	contextarray = calloc(1+n, sizeof(char *));
 	if (contextarray == NULL) {
 		free(contexts);
 		return (-1);
@@ -136,3 +138,17 @@
 {
   return security_get_some_contexts (5, fromcontext, "unused", retcontexts, ncontexts);
 }
+
+int security_compute_user(security_context_t scon,
+			  const char *user,
+			  security_context_t **con)
+{
+	size_t ncon;
+	int rc = security_get_user_contexts(scon,user,con,&ncon);
+	if (rc || ncon == 0) {
+		free(*con);
+		return -1;
+	}
+	con[ncon] = 0;
+	return rc;
+}

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libselinux/src/sedarwin_config.c#3 (text+ko) ====

@@ -11,3 +11,18 @@
 {
 	return "/etc/security/sedarwin/booleans";
 }
+
+char *selinux_default_context_path()
+{
+	return "/etc/security/sedarwin/default_contexts";
+}
+
+char *selinux_failsafe_context_path()
+{
+	return "/etc/security/sedarwin/failsafe_context";
+}
+
+char *selinux_user_contexts_path()
+{
+	return "/etc/security/sedarwin/user_context";
+}
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

