-rw-r--r--sys/fs/devfs/devfs_devs.c3
-rw-r--r--sys/fs/devfs/devfs_vnops.c10
-rw-r--r--sys/kern/kern_conf.c45
-rw-r--r--sys/kern/tty_pty.c15
-rw-r--r--sys/security/mac/mac_framework.h4
-rw-r--r--sys/security/mac/mac_policy.h6
-rw-r--r--sys/security/mac/mac_vfs.c9
-rw-r--r--sys/security/mac_biba/mac_biba.c4
-rw-r--r--sys/security/mac_lomac/mac_lomac.c4
-rw-r--r--sys/security/mac_mls/mac_mls.c4
-rw-r--r--sys/security/mac_stub/mac_stub.c4
-rw-r--r--sys/security/mac_test/mac_test.c7
-rw-r--r--sys/sys/conf.h8
-rw-r--r--sys/sys/mac.h4
-rw-r--r--sys/sys/mac_policy.h6
15 files changed, 99 insertions, 34 deletions
diff --git a/sys/fs/devfs/devfs_devs.c b/sys/fs/devfs/devfs_devs.c
index 761caa5..172a63c 100644
--- a/sys/fs/devfs/devfs_devs.c
+++ b/sys/fs/devfs/devfs_devs.c
@@ -324,7 +324,8 @@ devfs_populate(struct devfs_mount *dm)
de->de_dirent->d_type = DT_CHR;
}
#ifdef MAC
- mac_create_devfs_device(dm->dm_mount, dev, de);
+ mac_create_devfs_device(dev->si_cred, dm->dm_mount,
+ dev, de);
#endif
*dep = de;
de->de_dir = dd;
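Review bot: The credential handed to the MAC framework on the added lines is `dev->si_cred`, which is NULL for every device created through make_dev() rather than make_dev_cred() (make_dev passes a NULL cr and make_dev_credv stores NULL), so policies will see a NULL cred for the majority of devices and must tolerate it. It is also the credential of the thread that created the cdev, not of the thread whose lookup is driving devfs_populate(), which is worth stating at the call site: `/* si_cred is the creator's credential (make_dev_cred()), or NULL for devices from make_dev(). */`. devfs_populate() begins outside this hunk.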
diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index e0ceef2..b03498f 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -705,9 +705,13 @@ devfs_lookupx(ap)
goto notfound;
cdev = NULL;
- EVENTHANDLER_INVOKE(dev_clone, pname, strlen(pname), &cdev);
- if (cdev == NULL)
- goto notfound;
+ EVENTHANDLER_INVOKE(dev_clone_cred, td->td_ucred, pname,
+ strlen(pname), &cdev);
+ if (cdev == NULL) {
+ EVENTHANDLER_INVOKE(dev_clone, pname, strlen(pname), &cdev);
+ if (cdev == NULL)
+ goto notfound;
+ }
devfs_populate(dmp);
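Review bot: The two-stage clone dispatch is undocumented, and the ordering matters: a legacy dev_clone handler is consulted only if no dev_clone_cred handler produced a device, and any cdev it creates via make_dev() ends up with `si_cred == NULL`, so a MAC policy gets no credential for it. A comment above the first EVENTHANDLER_INVOKE would make the fallback intent explicit, e.g. `/* Credential-aware cloners first; legacy dev_clone handlers only if none of them claimed the name (their devices carry no si_cred). */`. devfs_lookupx() starts and ends outside this hunk.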
diff --git a/sys/kern/kern_conf.c b/sys/kern/kern_conf.c
index e4d44ba..3c4ab29 100644
--- a/sys/kern/kern_conf.c
+++ b/sys/kern/kern_conf.c
@@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
#include <sys/poll.h>
#include <sys/ctype.h>
#include <sys/tty.h>
+#include <sys/ucred.h>
#include <machine/stdarg.h>
static MALLOC_DEFINE(M_DEVT, "cdev", "cdev storage");
@@ -51,6 +52,9 @@ static MALLOC_DEFINE(M_DEVT, "cdev", "cdev storage");
static struct mtx devmtx;
static void freedev(struct cdev *dev);
static void destroy_devl(struct cdev *dev);
+static struct cdev *make_dev_credv(struct cdevsw *devsw, int minornr,
+ struct ucred *cr, uid_t uid, gid_t gid, int mode, const char *fmt,
+ va_list ap);
void
dev_lock(void)
@@ -300,6 +304,8 @@ static void
freedev(struct cdev *dev)
{
+ if (dev->si_cred != NULL)
+ crfree(dev->si_cred);
free(dev, M_DEVT);
}
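Review bot: The crfree() here balances the crhold() taken in make_dev_credv(), so the ucred lives exactly as long as the cdev; a one-line comment, `/* Drop the reference taken by make_dev_credv(). */`, would tie the two together for the next reader. One consequence worth noting in the commit: cloned ptc devices are flagged SI_CHEAPCLONE in pty_clone() and, as far as this diff shows, are never destroyed, so the credential of the first process to look up a pty name (and whatever that ucred references) stays pinned until the cdev is freed. Whether that pinning is acceptable for long-lived credentials is a design question the commit does not address.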
@@ -370,11 +376,11 @@ prep_cdevsw(struct cdevsw *devsw)
dev_unlock();
}
-struct cdev *
-make_dev(struct cdevsw *devsw, int minornr, uid_t uid, gid_t gid, int mode, const char *fmt, ...)
+static struct cdev *
+make_dev_credv(struct cdevsw *devsw, int minornr, struct ucred *cr, uid_t uid,
+ gid_t gid, int mode, const char *fmt, va_list ap)
{
struct cdev *dev;
- va_list ap;
int i;
KASSERT((minornr & ~MAXMINOR) == 0,
@@ -400,16 +406,18 @@ make_dev(struct cdevsw *devsw, int minornr, uid_t uid, gid_t gid, int mode, cons
("make_dev() by driver %s on pre-existing device (min=%x, name=%s)",
devsw->d_name, minor(dev), devtoname(dev)));
- va_start(ap, fmt);
i = vsnrprintf(dev->__si_namebuf, sizeof dev->__si_namebuf, 32, fmt, ap);
if (i > (sizeof dev->__si_namebuf - 1)) {
printf("WARNING: Device name truncated! (%s)\n",
dev->__si_namebuf);
}
- va_end(ap);
dev->si_devsw = devsw;
dev->si_flags |= SI_NAMED;
+ if (cr != NULL)
+ dev->si_cred = crhold(cr);
+ else
+ dev->si_cred = NULL;
dev->si_uid = uid;
dev->si_gid = gid;
dev->si_mode = mode;
@@ -419,6 +427,33 @@ make_dev(struct cdevsw *devsw, int minornr, uid_t uid, gid_t gid, int mode, cons
return (dev);
}
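Review bot: The assignment `dev->si_cred = crhold(cr)` overwrites si_cred unconditionally, and the KASSERT a few lines above indicates `dev` may already be an existing named device; in a kernel built without INVARIANTS that assertion is compiled out, so a duplicate make_dev_cred() would silently drop the previous si_cred reference without crfree(), which the old si_uid/si_gid overwrite never risked. If that path is reachable in production kernels, the store should release any prior reference first, or the duplicate case should be rejected outright rather than only asserted. The new static helper also lacks a header comment; it should state that `cr` may be NULL and that the function takes its own reference, released in freedev(). make_dev_credv() starts in the previous hunk.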
+struct cdev *
+make_dev(struct cdevsw *devsw, int minornr, uid_t uid, gid_t gid, int mode,
+ const char *fmt, ...)
+{
+ struct cdev *dev;
+ va_list ap;
+
+ va_start(ap, fmt);
+ dev = make_dev_credv(devsw, minornr, NULL, uid, gid, mode, fmt, ap);
+ va_end(ap);
+ return (dev);
+}
+
+struct cdev *
+make_dev_cred(struct cdevsw *devsw, int minornr, struct ucred *cr, uid_t uid,
+ gid_t gid, int mode, const char *fmt, ...)
+{
+ struct cdev *dev;
+ va_list ap;
+
+ va_start(ap, fmt);
+ dev = make_dev_credv(devsw, minornr, cr, uid, gid, mode, fmt, ap);
+ va_end(ap);
+
+ return (dev);
+}
+
int
dev_named(struct cdev *pdev, const char *name)
{
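Review bot: make_dev_cred() is a new exported KPI but has no comment describing the extra argument; a short header above it would help driver authors: `/* Like make_dev(), but additionally records cr as the creating credential (a reference is held for the life of the cdev). A NULL cr is equivalent to make_dev(). */`. The NULL equivalence is visible in the diff, since make_dev() itself now just forwards a NULL cr to make_dev_credv(). The two `va_start`/`va_end` wrappers are otherwise fine as written.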
diff --git a/sys/kern/tty_pty.c b/sys/kern/tty_pty.c
index 3a53294..92f6da1 100644
--- a/sys/kern/tty_pty.c
+++ b/sys/kern/tty_pty.c
@@ -63,7 +63,7 @@ static MALLOC_DEFINE(M_PTY, "ptys", "pty data structures");
static void ptsstart(struct tty *tp);
static void ptsstop(struct tty *tp, int rw);
static void ptcwakeup(struct tty *tp, int flag);
-static struct cdev *ptyinit(struct cdev *cdev);
+static struct cdev *ptyinit(struct cdev *cdev, struct thread *td);
static d_open_t ptsopen;
static d_close_t ptsclose;
@@ -132,7 +132,7 @@ static char *names = "pqrsPQRS";
* than 256 ptys.
*/
static struct cdev *
-ptyinit(struct cdev *devc)
+ptyinit(struct cdev *devc, struct thread *td)
{
struct cdev *devs;
struct ptsc *pt;
@@ -146,7 +146,7 @@ ptyinit(struct cdev *devc)
devc->si_flags &= ~SI_CHEAPCLONE;
pt = malloc(sizeof(*pt), M_PTY, M_WAITOK | M_ZERO);
- pt->devs = devs = make_dev(&pts_cdevsw, n,
+ pt->devs = devs = make_dev_cred(&pts_cdevsw, n, td->td_ucred,
UID_ROOT, GID_WHEEL, 0666, "tty%c%r", names[n / 32], n % 32);
pt->devc = devc;
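Review bot: The slave device is now labelled with `td->td_ucred`, where `td` is whichever thread first opens the master side (ptcopen() is the only caller shown, and it forwards its own td), so later openers of the slave are governed by a label derived from that first opener; a comment recording that choice would help, e.g. `/* Slave inherits the credential of the first opener of the master (ptcopen()). */`. `td` is dereferenced without a NULL check, which is fine for the visible caller but should be stated as a precondition in the ptyinit() header comment. ptyinit() starts in the previous hunk and continues past this one.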
@@ -272,7 +272,7 @@ ptcopen(struct cdev *dev, int flag, int devtype, struct thread *td)
struct ptsc *pt;
if (!dev->si_drv1)
- ptyinit(dev);
+ ptyinit(dev, td);
if (!dev->si_drv1)
return(ENXIO);
tp = dev->si_tty;
@@ -681,7 +681,8 @@ ptsioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, struct thread *td
}
static void
-pty_clone(void *arg, char *name, int namelen, struct cdev **dev)
+pty_clone(void *arg, struct ucred *cr, char *name, int namelen,
+ struct cdev **dev)
{
int u;
@@ -708,7 +709,7 @@ pty_clone(void *arg, char *name, int namelen, struct cdev **dev)
u += name[4] - 'a' + 10;
else
return;
- *dev = make_dev(&ptc_cdevsw, u,
+ *dev = make_dev_cred(&ptc_cdevsw, u, cr,
UID_ROOT, GID_WHEEL, 0666, "pty%c%r", names[u / 32], u % 32);
dev_ref(*dev);
(*dev)->si_flags |= SI_CHEAPCLONE;
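Review bot: The cloned ptc device is created with the looking-up thread's `cr` and then marked SI_CHEAPCLONE, so the first process to resolve a given pty name fixes the credential (and any MAC label a policy derives from it) that every subsequent opener of that name sees; that is a behavioural consequence of this hunk the commit message should spell out. A comment at the make_dev_cred() call would make it explicit: `/* cr is the credential of the first lookup of this name; the cdev persists, so it labels all later opens. */`. pty_clone() begins in the previous hunk.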
@@ -719,7 +720,7 @@ static void
ptc_drvinit(void *unused)
{
- EVENTHANDLER_REGISTER(dev_clone, pty_clone, 0, 1000);
+ EVENTHANDLER_REGISTER(dev_clone_cred, pty_clone, 0, 1000);
}
SYSINIT(ptcdev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE,ptc_drvinit,NULL)
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 810c320..e21edec 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -200,8 +200,8 @@ void mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
-void mac_create_devfs_device(struct mount *mp, struct cdev *dev,
- struct devfs_dirent *de);
+void mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+ struct cdev *dev, struct devfs_dirent *de);
void mac_create_devfs_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de);
void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
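Review bot: The new `cred` parameter of mac_create_devfs_device() is not documented as nullable, yet the only caller passes `dev->si_cred`, which is NULL for devices created via make_dev(). A comment on the prototype would save policy authors from a NULL dereference: `/* cred: creating credential, or NULL when the device was made with make_dev() rather than make_dev_cred(). */`. The identical header also appears in this diff as sys/sys/mac.h with the same index hashes, so whichever copy is canonical should receive the same comment.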
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 6f10638..506f7d0 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -11,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -191,7 +194,8 @@ struct mac_policy_ops {
void (*mpo_associate_vnode_singlelabel)(struct mount *mp,
struct label *fslabel, struct vnode *vp,
struct label *vlabel);
- void (*mpo_create_devfs_device)(struct mount *mp, struct cdev *dev,
+ void (*mpo_create_devfs_device)(struct ucred *cred,
+ struct mount *mp, struct cdev *dev,
struct devfs_dirent *de, struct label *label);
void (*mpo_create_devfs_directory)(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de,
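Review bot: The widened mpo_create_devfs_device entry point does not tell policy implementers that `cred` may be NULL, even though the framework passes `dev->si_cred` straight through and mac_test already guards on it. A comment on the member would set the contract for all policies: `/* cred may be NULL (device created via make_dev()). */`. The same ops struct appears again in this diff as sys/sys/mac_policy.h and should carry the same note.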
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index acf21a5..647697b 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -2,6 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 McAfee, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -12,6 +13,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -939,10 +943,11 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount)
}
void
-mac_create_devfs_device(struct mount *mp, struct cdev *dev, struct devfs_dirent *de)
+mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+ struct cdev *dev, struct devfs_dirent *de)
{
- MAC_PERFORM(create_devfs_device, mp, dev, de, de->de_label);
+ MAC_PERFORM(create_devfs_device, cred, mp, dev, de, de->de_label);
}
void
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 8faf806..8d5e9db 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -780,8 +780,8 @@ mac_biba_copy_label(struct label *src, struct label *dest)
* a lot like file system objects.
*/
static void
-mac_biba_create_devfs_device(struct mount *mp, struct cdev *dev,
- struct devfs_dirent *devfs_dirent, struct label *label)
+mac_biba_create_devfs_device(struct ucred *cred, struct mount *mp,
+ struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
{
struct mac_biba *mac_biba;
int biba_type;
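Review bot: The new `cred` argument is accepted but never referenced in the visible part of mac_biba_create_devfs_device(), so device labelling behaves exactly as before this change; a comment such as `/* cred (possibly NULL) is not yet consulted; labelling is unchanged from the pre-credential interface. */` would stop readers from assuming the policy is now subject-aware. The same applies to the mac_lomac and mac_mls hunks in this diff, which make the identical signature change with no use of cred. The function body continues outside this hunk, so a use further down cannot be ruled out from here.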
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 1a090ec..cb2ebdf 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -900,8 +900,8 @@ mac_lomac_copy_label(struct label *src, struct label *dest)
* a lot like file system objects.
*/
static void
-mac_lomac_create_devfs_device(struct mount *mp, struct cdev *dev,
- struct devfs_dirent *devfs_dirent, struct label *label)
+mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
+ struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
{
struct mac_lomac *mac_lomac;
int lomac_type;
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index a6c1511..1599cc0 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -746,8 +746,8 @@ mac_mls_copy_label(struct label *src, struct label *dest)
* a lot like file system objects.
*/
static void
-mac_mls_create_devfs_device(struct mount *mp, struct cdev *dev,
- struct devfs_dirent *devfs_dirent, struct label *label)
+mac_mls_create_devfs_device(struct ucred *cred, struct mount *mp,
+ struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
{
struct mac_mls *mac_mls;
int mls_type;
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index f22a48a..8a520a1 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -187,8 +187,8 @@ stub_associate_vnode_singlelabel(struct mount *mp,
}
static void
-stub_create_devfs_device(struct mount *mp, struct cdev *dev,
- struct devfs_dirent *devfs_dirent, struct label *label)
+stub_create_devfs_device(struct ucred *cred, struct mount *mp,
+ struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
{
}
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 312287e..3c51215 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -865,10 +865,13 @@ mac_test_associate_vnode_singlelabel(struct mount *mp,
}
static void
-mac_test_create_devfs_device(struct mount *mp, struct cdev *dev,
- struct devfs_dirent *devfs_dirent, struct label *label)
+mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
+ struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
{
+ if (cred != NULL) {
+ ASSERT_CRED_LABEL(cred->cr_label);
+ }
ASSERT_DEVFS_LABEL(label);
}
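Review bot: The NULL guard on `cred` is correct but unexplained; since this is the only policy in the diff that confirms NULL is a legal value, a comment would anchor the contract: `/* cred is NULL for devices created with make_dev() rather than make_dev_cred(). */`. As a point of style, style(9) omits braces around a single-statement body, so `if (cred != NULL) ASSERT_CRED_LABEL(cred->cr_label);` would match the surrounding file.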
diff --git a/sys/sys/conf.h b/sys/sys/conf.h
index 12cad57..8784ace 100644
--- a/sys/sys/conf.h
+++ b/sys/sys/conf.h
@@ -68,6 +68,7 @@ struct cdev {
uid_t si_uid;
gid_t si_gid;
mode_t si_mode;
+ struct ucred *si_cred;
u_int si_drv0;
int si_refcount;
LIST_ENTRY(cdev) si_list;
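Review bot: Inserting `si_cred` between si_mode and si_drv0 shifts every following member of struct cdev, so any kernel module that touches a cdev directly must be rebuilt against this header; the commit message should flag the KBI change. The field itself deserves a comment matching its neighbours' intent, e.g. `struct ucred *si_cred; /* creating credential, or NULL (make_dev()) */`, since the NULL case is the common one and is only visible by reading kern_conf.c.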
@@ -253,6 +254,9 @@ void dev_rel(struct cdev *dev);
void dev_strategy(struct cdev *dev, struct buf *bp);
struct cdev *make_dev(struct cdevsw *_devsw, int _minor, uid_t _uid, gid_t _gid,
int _perms, const char *_fmt, ...) __printflike(6, 7);
+struct cdev *make_dev_cred(struct cdevsw *_devsw, int _minor,
+ struct ucred *_cr, uid_t _uid, gid_t _gid, int _perms,
+ const char *_fmt, ...) __printflike(7, 8);
struct cdev *make_dev_alias(struct cdev *_pdev, const char *_fmt, ...) __printflike(2, 3);
int dev2unit(struct cdev *_dev);
void dev_lock(void);
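Review bot: The make_dev_cred() prototype says nothing about reference ownership of `_cr`, which is the one thing a caller needs to know: the implementation takes its own crhold() and releases it in freedev(), so the caller keeps (and remains responsible for) its own reference. A comment above the declaration, `/* Holds a reference on _cr for the lifetime of the cdev; _cr may be NULL. */`, would capture that. The `__printflike(7, 8)` indices correctly account for the extra argument.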
@@ -280,6 +284,10 @@ typedef void (*dev_clone_fn)(void *arg, char *name, int namelen, struct cdev **r
int dev_stdclone(char *_name, char **_namep, const char *_stem, int *_unit);
EVENTHANDLER_DECLARE(dev_clone, dev_clone_fn);
+typedef void (*dev_clone_cred_fn)(void *arg, struct ucred *cred, char *name,
+ int namelen, struct cdev **result);
+EVENTHANDLER_DECLARE(dev_clone_cred, dev_clone_cred_fn);
+
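Review bot: The new dev_clone_cred event is declared without any indication of how it relates to dev_clone, although devfs now invokes dev_clone_cred first and falls back to dev_clone only when no handler set `*result`. A comment on the typedef would make the intended migration clear: `/* Credential-aware variant of dev_clone; devfs consults these handlers first and only falls back to dev_clone if none produced a device. */`. Handlers should also be told that `cred` is the credential of the looking-up thread, as passed from devfs_lookupx().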
/* Stuff relating to kernel-dump */
struct dumperinfo {
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 810c320..e21edec 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -200,8 +200,8 @@ void mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
-void mac_create_devfs_device(struct mount *mp, struct cdev *dev,
- struct devfs_dirent *de);
+void mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+ struct cdev *dev, struct devfs_dirent *de);
void mac_create_devfs_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de);
void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 6f10638..506f7d0 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -11,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -191,7 +194,8 @@ struct mac_policy_ops {
void (*mpo_associate_vnode_singlelabel)(struct mount *mp,
struct label *fslabel, struct vnode *vp,
struct label *vlabel);
- void (*mpo_create_devfs_device)(struct mount *mp, struct cdev *dev,
+ void (*mpo_create_devfs_device)(struct ucred *cred,
+ struct mount *mp, struct cdev *dev,
struct devfs_dirent *de, struct label *label);
void (*mpo_create_devfs_directory)(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de,