Rename mac_cred_mmapped_drop_perms(), which revokes access to virtual

memory mappings when the MAC label on a process changes, to mac_proc_vm_revoke(), It now also acquires its own credential reference directly from the affected process rather than accepting one passed by the the caller, simplifying the API and consumer code. Obtained from: TrustedBSD Project
2008-10-28 12:49:07 +00:00 · 2008-10-28 12:49:07 +00:00 · 9215889d21
commit 9215889d21
parent 7cd5a03a8e
4 changed files with 18 additions and 20 deletions
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@ -259,6 +259,7 @@ int	mac_proc_check_signal(struct ucred *cred, struct proc *p,
 int	mac_proc_check_wait(struct ucred *cred, struct proc *p);
 void	mac_proc_destroy(struct proc *);
 void	mac_proc_init(struct proc *);
+void	mac_proc_vm_revoke(struct thread *td);
 int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
 void	mac_execve_exit(struct image_params *imgp);
 void	mac_execve_interpreter_enter(struct vnode *interpvp,
@ -434,8 +435,6 @@ int	mac_vnode_execve_will_transition(struct ucred *cred,
 void	mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
 	    struct label *newlabel);

-void	mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
-
 /*
 * Calls to help various file systems implement labeling functionality using
 * their existing EA implementation.
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@ -81,7 +81,7 @@ SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
    &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
    "copy-on-write semantics, or by removing all write access");

-static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
+static void	mac_proc_vm_revoke_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);

 struct label *
@ -314,13 +314,20 @@ mac_execve_interpreter_exit(struct label *interpvplabel)
 * The process lock is not held here.
 */
 void
-mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred)
+mac_proc_vm_revoke(struct thread *td)
 {
+	struct ucred *cred;
+
+	PROC_LOCK(td->td_proc);
+	cred = crhold(td->td_proc->p_ucred);
+	PROC_UNLOCK(td->td_proc);

 	/* XXX freeze all other threads */
-	mac_cred_mmapped_drop_perms_recurse(td, cred,
+	mac_proc_vm_revoke_recurse(td, cred,
 	    &td->td_proc->p_vmspace->vm_map);
 	/* XXX allow other threads to continue */
+
+	crfree(cred);
 }

 static __inline const char *
@ -348,7 +355,7 @@ prot2str(vm_prot_t prot)
 }

 static void
-mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
+mac_proc_vm_revoke_recurse(struct thread *td, struct ucred *cred,
    struct vm_map *map)
 {
 	struct vm_map_entry *vme;
@ -365,7 +372,7 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
 	vm_map_lock_read(map);
 	for (vme = map->header.next; vme != &map->header; vme = vme->next) {
 		if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) {
-			mac_cred_mmapped_drop_perms_recurse(td, cred,
+			mac_proc_vm_revoke_recurse(td, cred,
 			    vme->object.sub_map);
 			continue;
 		}
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@ -203,17 +203,9 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 	mac_cred_relabel(newcred, intlabel);
 	p->p_ucred = newcred;

-	/*
-	 * Grab additional reference for use while revoking mmaps, prior to
-	 * releasing the proc lock and sharing the cred.
-	 */
-	crhold(newcred);
 	PROC_UNLOCK(p);
-
-	mac_cred_mmapped_drop_perms(td, newcred);
-
-	crfree(newcred);	/* Free revocation reference. */
 	crfree(oldcred);
+	mac_proc_vm_revoke(td);

 out:
 	mac_cred_label_free(intlabel);
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@ -2225,9 +2225,9 @@ lomac_thread_userret(struct thread *td)
 		mtx_unlock(&subj->mtx);
 		newcred = crget();
 		/*
-		 * Prevent a lock order reversal in
-		 * mac_cred_mmapped_drop_perms; ideally, the other user of
-		 * subj->mtx wouldn't be holding Giant.
+		 * Prevent a lock order reversal in mac_proc_vm_revoke;
+		 * ideally, the other user of subj->mtx wouldn't be holding
+		 * Giant.
 		 */
 		mtx_lock(&Giant);
 		PROC_LOCK(p);
@ -2250,7 +2250,7 @@ lomac_thread_userret(struct thread *td)
 		mtx_unlock(&subj->mtx);
 		PROC_UNLOCK(p);
 		if (dodrop)
-			mac_cred_mmapped_drop_perms(curthread, newcred);
+			mac_proc_vm_revoke(curthread);
 		mtx_unlock(&Giant);
 	} else {
 		mtx_unlock(&subj->mtx);