authorRobert Watson <rwatson@FreeBSD.org>2002-11-05 17:51:56 +0000
committerRobert Watson <rwatson@FreeBSD.org>2002-11-05 17:51:56 +0000
commit670cb89bf4cd20d6bca1b9c6d29fc60142733ad8 (patch)
tree0c35ffffc1443eb8831c156b8636e7d9d90c53af /sys/kern/kern_mac.c
parent051c41caf14746508a06b9d4a3df18fb002e99b4 (diff)
downloadsrc-670cb89bf4cd20d6bca1b9c6d29fc60142733ad8.tar.gz
src-670cb89bf4cd20d6bca1b9c6d29fc60142733ad8.zip
Bring in two sets of changes:
(1) Permit userland applications to request a change of label atomic with an execve() via mac_execve(). This is required for the SEBSD port of SELinux/FLASK. Attempts to invoke this without MAC compiled in result in ENOSYS, as with all other MAC system calls. Complexity, if desired, is present in policy modules, rather than the framework. (2) Permit policies to have access to both the label of the vnode being executed as well as the interpreter if it's a shell script or related UNIX nonsense. Because we can't hold both vnode locks at the same time, cache the interpreter label. SEBSD relies on this because it supports secure transitioning via shell script executables. Other policies might want to take both labels into account during an integrity or confidentiality decision at execve()-time. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Notes
Notes: svn path=/head/; revision=106468
Diffstat (limited to 'sys/kern/kern_mac.c')
-rw-r--r--sys/kern/kern_mac.c62
1 files changed, 56 insertions, 6 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index e1f253101106..9f76f050d131 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -47,6 +47,7 @@
#include <sys/param.h>
#include <sys/extattr.h>
+#include <sys/imgact.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
@@ -1251,8 +1252,53 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
return (error);
}
+int
+mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
+ struct label *execlabelstorage)
+{
+ struct mac mac;
+ char *buffer;
+ int error;
+
+ if (mac_p == NULL)
+ return (0);
+
+ error = copyin(mac_p, &mac, sizeof(mac));
+ if (error)
+ return (error);
+
+ error = mac_check_structmac_consistent(&mac);
+ if (error)
+ return (error);
+
+ buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
+ error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
+ if (error) {
+ free(buffer, M_MACTEMP);
+ return (error);
+ }
+
+ mac_init_cred_label(execlabelstorage);
+ error = mac_internalize_cred_label(execlabelstorage, buffer);
+ free(buffer, M_MACTEMP);
+ if (error) {
+ mac_destroy_cred_label(execlabelstorage);
+ return (error);
+ }
+ imgp->execlabel = execlabelstorage;
+ return (0);
+}
+
+void
+mac_execve_exit(struct image_params *imgp)
+{
+ if (imgp->execlabel != NULL)
+ mac_destroy_cred_label(imgp->execlabel);
+}
+
void
-mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp)
+mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
+ struct label *interpvnodelabel, struct image_params *imgp)
{
ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
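Review bot: mac_execve_enter internalizes a caller-supplied label string straight into imgp->execlabel with no authorization step in the framework, so every policy that honours imgp->execlabel has to verify itself, in check_vnode_exec or execve_transition, that the requesting credential may transition to that label; nothing in the hunk records that obligation. Suggest a header comment above mac_execve_enter stating that the framework only validates the struct mac and internalizes the string, performs no authorization of the requested label, and that policies must treat imgp->execlabel as untrusted input and check it in check_vnode_exec/execve_transition. Both helpers also depend on imgp->execlabel being NULL before mac_execve_enter runs: the mac_p == NULL and error paths leave it untouched, and mac_execve_exit tests it, but the initialization happens in a caller outside this hunk. To make mac_execve_exit safe to call more than once, clear the pointer after destroying the label: `if (imgp->execlabel != NULL) { mac_destroy_cred_label(imgp->execlabel); imgp->execlabel = NULL; }`. The body of mac_execve_transition continues past the end of this hunk.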
@@ -1260,11 +1306,13 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp)
if (!mac_enforce_process && !mac_enforce_fs)
return;
- MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label);
+ MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
+ interpvnodelabel, imgp);
}
int
-mac_execve_will_transition(struct ucred *old, struct vnode *vp)
+mac_execve_will_transition(struct ucred *old, struct vnode *vp,
+ struct label *interpvnodelabel, struct image_params *imgp)
{
int result;
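Review bot: MAC_PERFORM now passes interpvnodelabel to every policy, and per the commit description it is a cached copy of the interpreter's label that presumably exists only when vp is a shell script, so for a directly executed binary it is likely NULL; the signature and the hunk do not say so, and a policy that dereferences it unconditionally would fault. Suggest a comment above the mac_execve_transition definition (its signature is in the previous hunk) along the lines of `/* interpvnodelabel: cached label of the interpreter when vp is a script, otherwise NULL; policies must check before use. */`, with the same note on mac_execve_will_transition, whose body continues in the next hunk. Also worth stating that the cached copy is a snapshot taken while the interpreter vnode was locked and may be stale relative to the live vnode by the time the policy sees it, since the commit says both vnode locks cannot be held at once.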
@@ -1274,7 +1322,8 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp)
return (0);
result = 0;
- MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label);
+ MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
+ interpvnodelabel, imgp);
return (result);
}
@@ -1369,7 +1418,8 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
int
-mac_check_vnode_exec(struct ucred *cred, struct vnode *vp)
+mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+ struct image_params *imgp)
{
int error;
@@ -1378,7 +1428,7 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
return (error);
}