PERFORCE change 105778 for review
Todd Miller
millert at FreeBSD.org
Thu Sep 7 13:47:52 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=105778
Change 105778 by millert at millert_g5tower on 2006/09/07 13:25:54
Add mac_task_internalize_label, mac_task_externalize_label,
mac_task_copy_label and their associated entry points.
This allows us to support policies where task and port
labels are different.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_labelh.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_mach_internal.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#7 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_task.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/ipctrace/module/ipctrace.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#12 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#6 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_labelh.c#5 (text+ko) ====
@@ -91,8 +91,7 @@
kern_return_t kr;
mac_task_init_label(&inl);
- /* XXX - should be mac_task_internalize_label */
- if (mac_port_internalize_label(&inl, labelstr))
+ if (mac_task_internalize_label(&inl, labelstr))
return (KERN_INVALID_ARGUMENT);
kr = labelh_new_user(space, &inl, namep);
@@ -141,8 +140,7 @@
lh = labelh_new();
ip_lock(lh->lh_port);
mac_task_init_label(&lh->lh_label);
- /* XXX - should be mac_task_copy_label */
- mac_port_copy_label(&old->lh_label, &lh->lh_label);
+ mac_task_copy_label(&old->lh_label, &lh->lh_label);
ip_unlock(lh->lh_port);
return (lh);
}
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_mach_internal.h#3 (text+ko) ====
@@ -39,6 +39,7 @@
/* tasks */
void mac_task_init_label(struct label *);
+void mac_task_copy_label(struct label *src, struct label *dest);
void mac_task_destroy_label(struct label *);
void mac_task_create(struct task *, struct task *, struct label *,
struct label *, struct label *);
@@ -70,6 +71,7 @@
int mac_port_check_hold_receive(struct label *task, struct label *port);
int mac_task_externalize_label(struct label *, char *e, char *out, size_t olen, int flags);
+int mac_task_internalize_label(struct label *label, char *string);
int mac_port_externalize_label(struct label *, char *e, char *out, size_t olen, int flags);
int mac_port_internalize_label(struct label *label, char *string);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#7 (text+ko) ====
@@ -944,6 +944,19 @@
);
/**
+ @brief Copy a Mach task label
+ @param src Source task label
+ @param dest Destination task label
+
+ Copy the Mach task label information from src to dest. This is used
+ when duplicating label handles to implement copy-on-write semantics.
+*/
+typedef void mpo_task_copy_label_t(
+ struct label *src,
+ struct label *dest
+);
+
+/**
@brief Externalize a user credential label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
@@ -1013,6 +1026,28 @@
);
/**
+ @brief Externalize a task label
+ @param label Label to be externalized
+ @param element_name Name of the label namespace for which labels should be
+ externalized
+ @param sb String buffer to be filled with a text representation of the label
+
+ Produce an external representation of the label on a task. An
+ externalized label consists of a text representation of the label
+ contents that can be used with user applications. Policy-agnostic
+ user space tools will display this externalized version.
+
+ @return 0 on success, return non-zero if an error occurs while
+ externalizing the label data.
+
+*/
+typedef int mpo_task_externalize_label_t(
+ struct label *label,
+ char *element_name,
+ struct sbuf *sb
+);
+
+/**
@brief Externalize a vnode label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
@@ -1161,6 +1196,32 @@
);
/**
+ @brief Internalize a task label
+ @param label Label to be internalized
+ @param element_name Name of the label namespace for which the label should
+ be internalized
+ @param element_data Text data to be internalized
+
+ Produce a task label from an external representation. An
+ externalized label consists of a text representation of the label
+ contents that can be used with user applications. Policy-agnostic
+ user space tools will forward text version to the kernel for
+ processing by individual policy modules.
+
+ The policy's internalize entry points will be called only if the
+ policy has registered interest in the label namespace.
+
+ @return 0 on success, Otherwise, return non-zero if an error occurs
+ while internalizing the label data.
+
+*/
+typedef int mpo_task_internalize_label_t(
+ struct label *label,
+ char *element_name,
+ char *element_data
+);
+
+/**
@brief Internalize a vnode label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
@@ -4881,11 +4942,13 @@
mpo_port_copy_label_t *mpo_port_copy_label;
mpo_socket_copy_label_t *mpo_socket_copy_label;
mpo_pipe_copy_label_t *mpo_pipe_copy_label;
+ mpo_task_copy_label_t *mpo_task_copy_label;
mpo_cred_externalize_label_t *mpo_cred_externalize_label;
mpo_cred_externalize_audit_label_t *mpo_cred_externalize_audit_label;
mpo_lctx_externalize_label_t *mpo_lctx_externalize_label;
mpo_socket_externalize_label_t *mpo_socket_externalize_label;
mpo_socket_peer_externalize_label_t *mpo_socket_peer_externalize_label;
+ mpo_task_externalize_label_t *mpo_task_externalize_label;
mpo_vnode_externalize_label_t *mpo_vnode_externalize_label;
mpo_vnode_externalize_audit_label_t *mpo_vnode_externalize_audit_label;
mpo_pipe_externalize_label_t *mpo_pipe_externalize_label;
@@ -4893,6 +4956,7 @@
mpo_cred_internalize_label_t *mpo_cred_internalize_label;
mpo_lctx_internalize_label_t *mpo_lctx_internalize_label;
mpo_socket_internalize_label_t *mpo_socket_internalize_label;
+ mpo_task_internalize_label_t *mpo_task_internalize_label;
mpo_vnode_internalize_label_t *mpo_vnode_internalize_label;
mpo_pipe_internalize_label_t *mpo_pipe_internalize_label;
mpo_mount_internalize_label_t *mpo_mount_internalize_label;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_task.c#3 (text+ko) ====
@@ -54,6 +54,13 @@
}
void
+mac_task_copy_label(struct label *src, struct label *dest)
+{
+
+ MAC_PERFORM(task_copy_label, src, dest);
+}
+
+void
mac_task_destroy_label(struct label *label)
{
@@ -88,10 +95,20 @@
if (elements[0] == '*') {
int count;
- MAC_EXTERNALIZE_REGISTERED_LABELS(cred, label, outbuf,
+ MAC_EXTERNALIZE_REGISTERED_LABELS(task, label, outbuf,
outbuflen, count);
} else
- MAC_EXTERNALIZE_LIST(cred, label, elements, outbuf, outbuflen);
+ MAC_EXTERNALIZE_LIST(task, label, elements, outbuf, outbuflen);
+
+ return (error);
+}
+
+int
+mac_task_internalize_label(struct label *label, char *string)
+{
+ int error;
+
+ MAC_INTERNALIZE_LIST(task, label, string);
return (error);
}
==== //depot/projects/trustedbsd/sedarwin8/policies/ipctrace/module/ipctrace.c#4 (text+ko) ====
@@ -399,6 +399,7 @@
.mpo_task_destroy_label = ipctrace_destroy_label,
.mpo_port_destroy_label = ipctrace_destroy_label,
.mpo_port_copy_label = ipctrace_copy_label,
+ .mpo_task_copy_label = ipctrace_copy_label,
.mpo_cred_externalize_label = ipctrace_externalize_label,
/* Labeling event operations */
==== //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#8 (text+ko) ====
@@ -4087,6 +4087,7 @@
.mpo_task_init_label = mac_mls_init_label,
.mpo_port_destroy_label = mac_mls_destroy_label,
.mpo_task_destroy_label = mac_mls_destroy_label,
+ .mpo_task_copy_label = mac_mls_copy_label,
.mpo_port_copy_label = mac_mls_copy_label,
.mpo_port_update_from_cred = mac_mls_port_update_from_cred,
.mpo_cred_copy_to_task = mac_mls_cred_copy_to_task,
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#12 (text+ko) ====
@@ -2985,7 +2985,7 @@
#endif
static void
-sebsd_port_copy_label(struct label *src, struct label *dest)
+sebsd_task_copy_label(struct label *src, struct label *dest)
{
*(struct task_security_struct *)SLOT(dest) =
*(struct task_security_struct *)SLOT(src);
@@ -3477,7 +3477,8 @@
/* Copy labels */
.mpo_cred_copy_to_task = sebsd_cred_copy_to_task,
- .mpo_port_copy_label = sebsd_port_copy_label,
+ .mpo_port_copy_label = sebsd_task_copy_label,
+ .mpo_task_copy_label = sebsd_task_copy_label,
.mpo_vnode_copy_label = sebsd_vnode_copy_label,
.mpo_pipe_copy_label = sebsd_vnode_copy_label,
.mpo_socket_copy_label = copy_network_label,
@@ -3501,6 +3502,9 @@
.mpo_socket_externalize_label = sebsd_network_externalize_label,
.mpo_socket_peer_externalize_label = sebsd_network_externalize_label,
+ .mpo_task_internalize_label = sebsd_cred_internalize_label,
+ .mpo_task_externalize_label = sebsd_cred_externalize_label,
+
.mpo_cred_setlabel = sebsd_cred_setlabel,
.mpo_vnode_setlabel = sebsd_vnode_setlabel,
.mpo_pipe_setlabel = sebsd_pipe_setlabel,
==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#6 (text+ko) ====
@@ -896,6 +896,13 @@
#endif
}
+static void
+mac_test_task_copy_label(struct label *src, struct label *dest)
+{
+ USE_LABEL(src, TASKTYPE);
+ COPY_LABEL(src, dest, TASKTYPE);
+}
+
static int
mac_test_cred_externalize_label(struct label *label,
char *element_name, struct sbuf *sb)
@@ -3182,6 +3189,7 @@
.mpo_mbuf_copy_label = mac_test_mbuf_copy_label,
.mpo_pipe_copy_label = mac_test_pipe_copy_label,
.mpo_port_copy_label = mac_test_port_copy_label,
+ .mpo_task_copy_label = mac_test_task_copy_label,
.mpo_socket_copy_label = mac_test_socket_copy_label,
.mpo_cred_externalize_label = mac_test_cred_externalize_label,
.mpo_cred_externalize_audit_label =
More information about the trustedbsd-cvs
mailing list