PERFORCE change 109955 for review

Todd Miller millert at FreeBSD.org
Tue Nov 14 18:48:25 UTC 2006


http://perforce.freebsd.org/chv.cgi?CH=109955

Change 109955 by millert at millert_g5tower on 2006/11/14 18:47:59

	Add an mprotect check.  Doesn't really do anything at the
	moment since there is no label to check.  Could be useful
	for preventing a process from making its stack executable
	but apparently only mac-on-intel has no-exec stack.  As a
	result, this will likely get changed significantly in the
	future or simply removed.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_mman.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#13 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#21 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#11 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#16 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/sorted-policynames.vim#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#11 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#19 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#35 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#8 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_mman.c#5 (text+ko) ====

@@ -634,13 +634,16 @@
 }
 
 int
-mprotect(__unused struct proc *p, struct mprotect_args *uap, __unused register_t *retval)
+mprotect(struct proc *p, struct mprotect_args *uap, __unused register_t *retval)
 {
 	register vm_prot_t prot;
 	mach_vm_offset_t	user_addr;
 	mach_vm_size_t	user_size;
 	kern_return_t	result;
 	vm_map_t	user_map;
+#ifdef MAC
+	int error;
+#endif
 
 	AUDIT_ARG(addr, uap->addr);
 	AUDIT_ARG(len, uap->len);
@@ -667,13 +670,19 @@
 
 #ifdef MAC
 	/*
-	 * There is no MAC check for mprotect for 2 reasons:
+	 * The MAC check for mprotect is of limited use for 2 reasons:
 	 * Without mmap revocation, the caller could have asked for the max
 	 * protections initially instead of a reduced set, so a mprotect
 	 * check would offer no new security.
-	 * It is nontrivial to extract the vnode from the pager object(s)
+	 * It is not possible to extract the vnode from the pager object(s)
 	 * of the target memory range.
+	 * However, the MAC check may be used to prevent a process from,
+	 * e.g., making the stack executable.
 	 */
+	error = mac_proc_check_mprotect(proc_ucred(p), p, (void *)user_addr,
+	    (size_t)user_size, prot);
+	if (error)
+		return (error);
 #endif
 	result = mach_vm_protect(user_map, user_addr, user_size,
 				 FALSE, prot);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#13 (text+ko) ====

@@ -411,8 +411,8 @@
 int	mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp);
 int	mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
 	    struct componentname *cnp);
-int	mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
-	    int prot);
+int	mac_proc_check_mprotect(struct ucred *cred, struct proc *proc,
+	    void *addr, size_t size, int prot);
 int	mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
 	    int acc_mode);
 int	mac_vnode_check_read(struct ucred *active_cred,

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#21 (text+ko) ====

@@ -3596,6 +3596,29 @@
 );
 
 /**
+  @brief Access control check for setting memory protections
+  @param cred Subject credential
+  @param proc User process requesting the change
+  @param addr Start address of the memory range
+  @param size Length address of the memory range
+  @param prot Memory protections, see mmap(2)
+
+  Determine whether the subject identified by the credential should
+  be allowed to set the specified memory protections on memory mapped
+  in the process proc.
+
+  @return Return 0 if access is granted, otherwise an appropriate value for
+  errno should be returned.
+*/
+typedef int mpo_proc_check_mprotect_t(
+	struct ucred *cred,
+	struct proc *proc,
+	void *addr,
+	size_t size,
+	int prot
+);
+
+/**
   @brief Access control check for setting the Login Context
   @param p0 Calling process
   @param p Effected process
@@ -4679,27 +4702,6 @@
 );
 
 /**
-  @brief Access control check for setting memory protections
-  @param cred Subject credential
-  @param vp Mapped vnode
-  @param label Policy label associated with vp
-  @param prot Memory protections, see mmap(2)
-
-  Determine whether the subject identified by the credential should
-  be allowed to set the specified memory protections on memory mapped
-  from the vnode vp.
-
-  @return Return 0 if access is granted, otherwise an appropriate value for
-  errno should be returned.
-*/
-typedef int mpo_vnode_check_mprotect_t(
-	struct ucred *cred,
-	struct vnode *vp,
-	struct label *label,
-	int prot
-);
-
-/**
   @brief Access control check for open
   @param cred Subject credential
   @param vp Object vnode
@@ -5573,6 +5575,7 @@
 	mpo_proc_check_getaudit_t		*mpo_proc_check_getaudit;
 	mpo_proc_check_getauid_t		*mpo_proc_check_getauid;
 	mpo_proc_check_getlcid_t		*mpo_proc_check_getlcid;
+	mpo_proc_check_mprotect_t		*mpo_proc_check_mprotect;
 	mpo_proc_check_sched_t			*mpo_proc_check_sched;
 	mpo_proc_check_setaudit_t		*mpo_proc_check_setaudit;
 	mpo_proc_check_setauid_t		*mpo_proc_check_setauid;
@@ -5615,7 +5618,6 @@
 	mpo_vnode_check_link_t			*mpo_vnode_check_link;
 	mpo_vnode_check_listextattr_t		*mpo_vnode_check_listextattr;
 	mpo_vnode_check_lookup_t		*mpo_vnode_check_lookup;
-	mpo_vnode_check_mprotect_t		*mpo_vnode_check_mprotect;
 	mpo_vnode_check_open_t			*mpo_vnode_check_open;
 	mpo_vnode_check_read_t			*mpo_vnode_check_read;
 	mpo_vnode_check_readdir_t		*mpo_vnode_check_readdir;

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#11 (text+ko) ====

@@ -392,3 +392,14 @@
 	return (error);
 }
 #endif	/* LCTX */
+
+int
+mac_proc_check_mprotect(struct ucred *cred, struct proc *proc,
+    void *addr, size_t size, int prot)
+{
+	int error;
+
+	MAC_CHECK(proc_check_mprotect, cred, proc, addr, size, prot);
+	return (error);
+}
+

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#16 (text+ko) ====

@@ -514,15 +514,6 @@
 }
 
 int
-mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
-{
-	int error;
-
-	MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
-	return (error);
-}
-
-int
 mac_vnode_check_open(struct ucred *cred, struct vnode *vp, int acc_mode)
 {
 	int error;

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/sorted-policynames.vim#3 (text+ko) ====

@@ -117,6 +117,7 @@
 typedef mpo_proc_check_getaudit_t(
 typedef mpo_proc_check_getauid_t(
 typedef mpo_proc_check_getlcid_t(
+typedef mpo_proc_check_mprotect_t(
 typedef mpo_proc_check_sched_t(
 typedef mpo_proc_check_setaudit_t(
 typedef mpo_proc_check_setauid_t(
@@ -212,7 +213,6 @@
 typedef mpo_vnode_check_link_t(
 typedef mpo_vnode_check_listextattr_t(
 typedef mpo_vnode_check_lookup_t(
-typedef mpo_vnode_check_mprotect_t(
 typedef mpo_vnode_check_open_t(
 typedef mpo_vnode_check_read_t(
 typedef mpo_vnode_check_readdir_t(

==== //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#11 (text+ko) ====

@@ -518,11 +518,11 @@
 }
 
 static int
-color_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
-    struct label *label, int prot) 
+color_proc_check_mprotect(struct ucred *cred, struct proc *proc,
+    void *addr, size_t size, int prot) 
 {
 
-	return (co_maybe_promote_process(cred, label));
+	// Nothing yet
 }
 
 static int
@@ -709,6 +709,7 @@
 	.mpo_lctx_notify_leave		= color_lctx_notify_leave,
 	.mpo_lctx_label_update		= color_lctx_label_update,
 	.mpo_proc_check_signal		= color_proc_check_signal,
+	.mpo_proc_check_mprotect	= color_proc_check_mprotect,
 
 	.mpo_vnode_check_access		= color_vnode_check_access,
 	.mpo_vnode_check_chdir		= color_vnode_check_chdir,
@@ -724,7 +725,6 @@
 	.mpo_vnode_check_link		= color_vnode_check_link,
 	.mpo_vnode_check_listextattr	= color_vnode_check_listextattr,
 	.mpo_vnode_check_lookup		= color_vnode_check_lookup,
-	.mpo_vnode_check_mprotect	= color_vnode_check_mprotect,
 	.mpo_vnode_check_open		= color_vnode_check_open,
 	.mpo_vnode_check_read		= color_vnode_check_read,
 	.mpo_vnode_check_readdir	= color_vnode_check_readdir,

==== //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#19 (text+ko) ====

@@ -3498,24 +3498,14 @@
 }
 
 static int
-mac_mls_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
-    struct label *vlabel, int prot)
+mac_mls_proc_check_mprotect(struct ucred *cred, struct proc *proc,
+    void *addr, size_t size, int prot)
 {
-	struct mac_mls *subj, *obj;
-	int r, w;
 	
 	if (!mac_mls_enabled)
 		return (0);	
 	
-	subj = SLOT(cred->cr_label);
-	obj = SLOT(vlabel);
-	r = mac_mls_dominate_effective(subj, obj);
-	w = mac_mls_dominate_effective(obj, subj);
-	
-	if (!r && ((prot & VM_PROT_READ) || (prot & VM_PROT_EXECUTE)))
-		return (EACCES);
-	if (!w && (prot & VM_PROT_WRITE))
-		return (EACCES);
+#warning Implement mac_mls_proc_check_mprotect()
 	return (0);
 }
 
@@ -4090,7 +4080,7 @@
     .mpo_vnode_check_lookup             = mac_mls_vnode_check_lookup,
     .mpo_file_check_mmap                = mac_mls_file_check_mmap,
     .mpo_file_check_mmap_downgrade	= mac_mls_file_check_mmap_downgrade,
-    .mpo_vnode_check_mprotect		= mac_mls_vnode_check_mprotect,
+    .mpo_proc_check_mprotect		= mac_mls_proc_check_mprotect,
     .mpo_vnode_check_open               = mac_mls_vnode_check_open,
     .mpo_vnode_check_read               = mac_mls_vnode_check_read,
     .mpo_vnode_check_readdir            = mac_mls_vnode_check_readdir,

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#35 (text+ko) ====

@@ -2940,9 +2940,11 @@
 }
 
 static int
-sebsd_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
-    struct label *label, int prot)
+sebsd_proc_check_mprotect(struct ucred *cred, struct proc *proc,
+    void *addr, size_t size, int prot)
 {
+	/* XXX - check that stack is not being made executable */
+#ifdef notyet
 	u_int32_t av;
 
 	/*
@@ -2959,6 +2961,7 @@
 
 		return (vnode_has_perm(cred, vp, NULL, av));
 	}
+#endif
 	return (0);
 }
 
@@ -3634,6 +3637,7 @@
 	.mpo_port_check_hold_receive = sebsd_port_check_hold_recv,
 	.mpo_proc_check_debug = sebsd_proc_check_debug,
 	.mpo_proc_check_getaudit = sebsd_proc_check_getaudit,
+	.mpo_proc_check_mprotect = sebsd_proc_check_mprotect,
 	.mpo_proc_check_sched = sebsd_proc_check_sched,
 	.mpo_proc_check_setaudit = sebsd_proc_check_setaudit,
 	.mpo_proc_check_setlcid = sebsd_proc_check_setlcid,
@@ -3678,7 +3682,6 @@
 //	.mpo_vnode_check_kqfilter = sebsd_vnode_check_kqfilter,
 	.mpo_vnode_check_link = sebsd_vnode_check_link,
 	.mpo_vnode_check_lookup = sebsd_vnode_check_lookup,
-	.mpo_vnode_check_mprotect = sebsd_vnode_check_mprotect,
 	.mpo_vnode_check_open = sebsd_vnode_check_open,
 	.mpo_vnode_check_read = sebsd_vnode_check_read,
 	.mpo_vnode_check_readdir = sebsd_vnode_check_readdir,

==== //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#8 (text+ko) ====

@@ -333,13 +333,6 @@
 }
 
 static int
-vanity_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, struct label *label, int prot) 
-{
-	VANITY(vp);
-	return (0);
-}
-
-static int
 vanity_vnode_check_open(struct ucred *cred, struct vnode *vp, struct label *label, int acc_mode) 
 {
 	VANITY(vp);
@@ -508,7 +501,6 @@
 	.mpo_vnode_check_link		= vanity_vnode_check_link,
 	.mpo_vnode_check_listextattr	= vanity_vnode_check_listextattr,
 	.mpo_vnode_check_lookup		= vanity_vnode_check_lookup,
-	.mpo_vnode_check_mprotect	= vanity_vnode_check_mprotect,
 	.mpo_vnode_check_open		= vanity_vnode_check_open,
 	.mpo_vnode_check_read		= vanity_vnode_check_read,
 	.mpo_vnode_check_readdir	= vanity_vnode_check_readdir,


More information about the trustedbsd-cvs mailing list