From 458f818f4711ca8bfde212d04294f10eb384437f Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Thu, 5 Jul 2007 13:16:04 +0000 Subject: [PATCH] In preparation for 7.0 privilege cleanup, clean up style: - Sort copyrights by date. - Re-wrap, and in some cases, fix comments. - Fix tabbing, white space, remove extra blank lines. - Remove commented out debugging printfs. Approved by: re (kensmith) --- .../mac_bsdextended/mac_bsdextended.c | 111 +++++------------- .../mac_bsdextended/mac_bsdextended.h | 8 +- 2 files changed, 32 insertions(+), 87 deletions(-) diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c index aa1a2b97303f..c51dde2e1f5d 100644 --- a/sys/security/mac_bsdextended/mac_bsdextended.c +++ b/sys/security/mac_bsdextended/mac_bsdextended.c @@ -1,7 +1,7 @@ /*- - * Copyright (c) 2005 Tom Rhodes * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. + * Copyright (c) 2005 Tom Rhodes * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -38,8 +38,9 @@ /* * Developed by the TrustedBSD Project. - * "BSD Extended" MAC policy, allowing the administrator to impose - * mandatory rules regarding users and some system objects. + * + * "BSD Extended" MAC policy, allowing the administrator to impose mandatory + * firewall-like rules regarding users and file system objects. */ #include 
@@ -88,23 +89,23 @@ SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD, &rule_version, 0, "Version number for API\n"); /* - * This is just used for logging purposes, eventually we would like - * to log much more then failed requests. + * This is just used for logging purposes, eventually we would like to log + * much more then failed requests. */ static int mac_bsdextended_logging; SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW, &mac_bsdextended_logging, 0, "Log failed authorization requests"); /* - * This tunable is here for compatibility. It will allow the user - * to switch between the new mode (first rule matches) and the old - * functionality (all rules match). + * This tunable is here for compatibility. It will allow the user to switch + * between the new mode (first rule matches) and the old functionality (all + * rules match). */ static int mac_bsdextended_firstmatch_enabled; SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled, - CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1, - "Disable/enable match first rule functionality"); + CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1, + "Disable/enable match first rule functionality"); static int mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule) @@ -112,23 +113,17 @@ mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule) if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS) return (EINVAL); - if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS) return (EINVAL); - if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS) return (EINVAL); - if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS) return (EINVAL); - if ((rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED) && (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE) return (EINVAL); - if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM) return (EINVAL); - return (0); } 
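Review bot: The `1` passed to SYSCTL_INT for `firstmatch_enabled` reads like a default, but the backing `static int mac_bsdextended_firstmatch_enabled;` has no initializer, so it starts at 0 unless code outside this hunk sets it. As far as I know the value argument of SYSCTL_INT is not applied when a pointer is supplied (confirm against sysctl.h). Because this switch selects between first-match and all-rules evaluation, the re-wrapped comment should state the effective default, for example `Defaults to 0 (all rules are evaluated) unless set by the administrator.` In the logging comment re-wrapped in the same hunk, `much more then failed requests` should read `than`.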
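Review bot: In mac_bsdextended_rule_valid the guard `(rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED)` uses bitwise OR, so it is non-zero for every rule as long as MBO_TYPE_DEFINED is a non-zero flag bit, and the `mbo_type` mask check runs unconditionally. It also tests `mbo_neg`, whereas mac_bsdextended_rulecheck gates the type match on `rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED`. The intended condition is probably `if ((rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) &&` followed by the existing mask test. As written the effect is stricter validation rather than a bypass, but the validator that admits rules into a MAC ruleset should test the flag it means to test.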
@@ -142,12 +137,8 @@ sysctl_rule(SYSCTL_HANDLER_ARGS) error = 0; name = (int *)arg1; namelen = arg2; - - /* printf("bsdextended sysctl handler (namelen %d)\n", namelen); */ - if (namelen != 1) return (EINVAL); - index = name[0]; if (index >= MAC_BSDEXTENDED_MAXRULES) return (ENOENT); @@ -162,7 +153,6 @@ sysctl_rule(SYSCTL_HANDLER_ARGS) } mtx_lock(&mac_bsdextended_mtx); - if (req->oldptr) { if (index < 0 || index > rule_slots + 1) { error = ENOENT; @@ -174,9 +164,7 @@ sysctl_rule(SYSCTL_HANDLER_ARGS) } temprule = *rules[index]; } - if (req->newptr && req->newlen == 0) { - /* printf("deletion\n"); */ KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL")); ruleptr = rules[index]; if (ruleptr == NULL) { @@ -189,52 +177,40 @@ sysctl_rule(SYSCTL_HANDLER_ARGS) error = mac_bsdextended_rule_valid(&temprule); if (error) goto out; - if (rules[index] == NULL) { - /* printf("addition\n"); */ *ruleptr = temprule; rules[index] = ruleptr; ruleptr = NULL; if (index + 1 > rule_slots) rule_slots = index + 1; rule_count++; - } else { - /* printf("replacement\n"); */ + } else *rules[index] = temprule; - } } - out: mtx_unlock(&mac_bsdextended_mtx); if (ruleptr != NULL) FREE(ruleptr, M_MACBSDEXTENDED); if (req->oldptr && error == 0) error = SYSCTL_OUT(req, &temprule, sizeof(temprule)); - return (error); } -SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules, - CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules"); +SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules, CTLFLAG_RW, + sysctl_rule, "BSD extended MAC rules"); static void mac_bsdextended_init(struct mac_policy_conf *mpc) { - /* Initialize ruleset lock. */ mtx_init(&mac_bsdextended_mtx, "mac_bsdextended lock", NULL, MTX_DEF); - - /* Register dynamic sysctl's for rules. */ } static void mac_bsdextended_destroy(struct mac_policy_conf *mpc) { - /* Destroy ruleset lock. */ mtx_destroy(&mac_bsdextended_mtx); - - /* Tear down sysctls. */ } static int 
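Review bot: `if (index >= MAC_BSDEXTENDED_MAXRULES) return (ENOENT);` rejects only the upper bound. The read path later tests `index < 0` under the mutex, but the delete path (`ruleptr = rules[index];`, in the hunk at -174) and the add/replace path (`rules[index] == NULL`, `*rules[index] = temprule`, in the hunk at -189) show no such test. A negative name component would therefore index before the start of `rules` if `index` is a signed int, as the existing `index < 0` test suggests; its declaration is outside the hunk. Reject it once up front with `if (index < 0 || index >= MAC_BSDEXTENDED_MAXRULES) return (ENOENT);`. sysctl_rule begins before this hunk.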
@@ -255,10 +231,8 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) || (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max && cred->cr_svuid >= rule->mbr_subject.mbs_uid_min)); - if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED) match = !match; - if (!match) return (0); } @@ -268,9 +242,8 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) || (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max && cred->cr_svgid >= rule->mbr_subject.mbs_gid_min)); - if (!match) { - for (i = 0; i < cred->cr_ngroups; i++) + for (i = 0; i < cred->cr_ngroups; i++) { if (cred->cr_groups[i] <= rule->mbr_subject.mbs_gid_max && cred->cr_groups[i] @@ -278,11 +251,10 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, match = 1; break; } + } } - if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED) match = !match; - if (!match) return (0); } @@ -290,10 +262,8 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) { match = (cred->cr_prison != NULL && cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison); - if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED) match = !match; - if (!match) return (0); } @@ -304,10 +274,8 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) { match = (vap->va_uid <= rule->mbr_object.mbo_uid_max && vap->va_uid >= rule->mbr_object.mbo_uid_min); - if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED) match = !match; - if (!match) return (0); } @@ -315,10 +283,8 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) { match = (vap->va_gid <= rule->mbr_object.mbo_gid_max && vap->va_gid >= rule->mbr_object.mbo_gid_min); - if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED) match = !match; - if (!match) return (0); } 
@@ -327,56 +293,46 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid), &(rule->mbr_object.mbo_fsid), sizeof(rule->mbr_object.mbo_fsid)) == 0); - if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED) match = !match; - if (!match) - return 0; + return (0); } if (rule->mbr_object.mbo_flags & MBO_SUID) { match = (vap->va_mode & VSUID); - if (rule->mbr_object.mbo_neg & MBO_SUID) match = !match; - if (!match) - return 0; + return (0); } if (rule->mbr_object.mbo_flags & MBO_SGID) { match = (vap->va_mode & VSGID); - if (rule->mbr_object.mbo_neg & MBO_SGID) match = !match; - if (!match) - return 0; + return (0); } if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) { match = (vap->va_uid == cred->cr_uid || vap->va_uid == cred->cr_ruid || vap->va_uid == cred->cr_svuid); - if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT) match = !match; - if (!match) - return 0; + return (0); } if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) { match = (groupmember(vap->va_gid, cred) || vap->va_gid == cred->cr_rgid || vap->va_gid == cred->cr_svgid); - if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT) match = !match; - if (!match) - return 0; + return (0); } if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) { @@ -405,12 +361,10 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, default: match = 0; } - if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED) match = !match; - if (!match) - return 0; + return (0); } /* @@ -420,8 +374,9 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, if (mac_bsdextended_logging) log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d" " on %d:%d failed. \n", cred->cr_ruid, - cred->cr_rgid, acc_mode, vap->va_uid, vap->va_gid); - return (EACCES); /* Matching rule denies access */ + cred->cr_rgid, acc_mode, vap->va_uid, + vap->va_gid); + return (EACCES); } /* 
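Review bot: The denial message in the last hunk formats `cred->cr_ruid`, `cred->cr_rgid`, `vap->va_uid` and `vap->va_gid` with `%d`; these are presumably uid_t/gid_t, which are unsigned, so large ids would show up as negative numbers in the log an administrator relies on to trace denials. Use `%u` for the four id fields: `"mac_bsdextended: %u:%u request %d" " on %u:%u failed. \n"`. The same hunk drops the trailing comment on `return (EACCES);`; a one-line comment above it, such as `/* Matching rule denies access. */`, would keep the reason visible. The enclosing block of mac_bsdextended_rulecheck starts outside the hunk.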
@@ -431,7 +386,7 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, if (mac_bsdextended_firstmatch_enabled) return (EJUSTRETURN); else - return(0); + return (0); } static int @@ -441,7 +396,7 @@ mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap, int error, i; /* - * XXXRW: More specific privilege selection needed? + * XXXRW: More specific privilege selection needed. */ if (suser_cred(cred, 0) == 0) return (0); @@ -453,12 +408,10 @@ mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap, acc_mode &= ~MBI_APPEND; acc_mode |= MBI_WRITE; } - mtx_lock(&mac_bsdextended_mtx); for (i = 0; i < rule_slots; i++) { if (rules[i] == NULL) continue; - error = mac_bsdextended_rulecheck(rules[i], cred, vp, vap, acc_mode); if (error == EJUSTRETURN) @@ -480,11 +433,9 @@ mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode) if (!mac_bsdextended_enabled) return (0); - error = VOP_GETATTR(vp, &vap, cred, curthread); if (error) return (error); - return (mac_bsdextended_check(cred, vp, &vap, acc_mode)); } @@ -562,7 +513,6 @@ mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp, error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); if (error) return (error); - return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); } @@ -619,7 +569,6 @@ mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp, error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); if (error) return (error); - error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE); if (error) return (error); @@ -676,9 +625,7 @@ mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); if (error) return (error); - error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE); - - return (error); + return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); } static int 
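Review bot: The comment above `if (suser_cred(cred, 0) == 0) return (0);` in mac_bsdextended_check carries only the XXXRW reminder and does not say what the check does. A credential that passes suser_cred() returns 0 before any rule is consulted, so the ruleset never constrains it. Since that is the policy's main exemption, the comment should state it, for example `/* Superuser is exempt from all rules. XXXRW: More specific privilege selection needed. */`. The function body continues in the following hunk.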
@@ -691,10 +638,8 @@ mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); if (error) return (error); - if (vp != NULL) error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE); - return (error); } diff --git a/sys/security/mac_bsdextended/mac_bsdextended.h b/sys/security/mac_bsdextended/mac_bsdextended.h index af3ae8f78fb5..c09abc0f2ab0 100644 --- a/sys/security/mac_bsdextended/mac_bsdextended.h +++ b/sys/security/mac_bsdextended/mac_bsdextended.h @@ -40,10 +40,10 @@ #define MB_VERSION 2 /* Used to check library and kernel are the same. */ /* - * Rights that can be represented in mbr_mode. These have the same values - * as the V* rights in vnode.h, but in order to avoid sharing user and - * kernel constants, we define them here. That will also improve ABI - * stability if the in-kernel values change. + * Rights that can be represented in mbr_mode. These have the same values as + * the V* rights in vnode.h, but in order to avoid sharing user and kernel + * constants, we define them here. That will also improve ABI stability if + * the in-kernel values change. */ #define MBI_EXEC 000100 #define MBI_WRITE 000200