NSA SELinux for Linux 2.6.xx

2003-12-24 04:18:24 +00:00 · 2003-12-24 04:18:24 +00:00 · c36c11c6b2
commit c36c11c6b2
parent e6bf84b8f3
9 changed files with 40 additions and 171 deletions
--- a/8
+++ b/8
@ -1,11 +1,11 @@
 procps-3.1.14 --> procps-3.1.15
 install to /lib64 if it exists
-hide kernel PID bug (Linux 2.4.13-pre1 to 2.4.MAX)   #217278 #219730 #217525
+hide kernel PID bug (Linux 2.4.13-pre1 to 2.4.MAX)   #217278 #219730 #217525 #224470
 ps: faster threaded display
-...top: Jim's fix
+top: auto-margin problem                           #217559
-...top: newline fix
+ps: support NSA SELinux, all builds, Linux 2.6+    #193648
-...sysctl: man page tweak
+sysctl: tweak man page for ESR's broken parser
 procps-3.1.13 --> procps-3.1.14
--- a/proc/readproc.c
+++ b/proc/readproc.c
@ -27,10 +27,6 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #ifdef FLASK_LINUX
 #include <fs_secure.h>
 #endif
 // sometimes it's easier to do this manually, w/o gcc helping
 #ifdef PROF
 extern void __cyg_profile_func_enter(void*,void*);
--- a/ps/common.h
+++ b/ps/common.h
@ -139,7 +139,6 @@
 #define FF_LX 0x0100 /* X */
 #define FF_Lm 0x0200 /* m */  /* overloaded: threads, sort, format */
 #define FF_Fc 0x0400 /* --context */  /* Flask security context format */
 #define FF_Fs 0x0800 /* --SID */      /* Flask SID format */
 /* predefined format modifier flags such as:  -l -f l u s -j */
 #define FM_c 0x0001 /* -c */
--- a/ps/help.c
+++ b/ps/help.c
@ -34,21 +34,18 @@ const char *help_message =
 "-j,j job control   s  signal          --group --user --sid --rows\n"
 "-O,O preloaded -o  v  virtual memory  --cumulative --format --deselect\n"
 "-l,l long          u  user-oriented   --sort --tty --forest --version\n"
-"-F   extra full    X  registers       --heading --no-heading\n"
+"-F   extra full    X  registers       --heading --no-heading --context\n"
 #ifdef FLASK_LINUX
 "                                      --context --SID   (Flask only)\n"
 #endif
 "                    ********* misc options *********\n"
-"-V,V show version       L  list format codes  f  ASCII art forest\n"
+"-V,V  show version      L  list format codes  f  ASCII art forest\n"
-"-m,m show threads       S  children in sum    -y change -l format\n"
+"-m,m,-L,-T,H  threads   S  children in sum    -y change -l format\n"
-"-n,N set namelist file  c  true command name  n  numeric WCHAN,UID\n"
+"-c    scheduling class  c  true command name  n  numeric WCHAN,UID\n"
-"-w,w wide output        e  show environment   -H process hierarchy\n"
+"-w,w  wide output       e  show environment   -H process hierarchy\n"
 ;
 /* Missing:
 *
- * -c -L -P -M --info
+ * -P -M --info
 *
 */
--- a/ps/output.c
+++ b/ps/output.c
@ -65,14 +65,6 @@
 #include "../proc/escape.h"
 #include "common.h"
 #ifdef FLASK_LINUX
 #include <errno.h>
 #include <fs_secure.h>
 #include <ss.h>
 #define DEF_CTXTLEN 255
 #endif
 /* TODO:
 * Stop assuming system time is local time.
 */
@ -941,142 +933,38 @@ static int pr_sgi_p(char *restrict const outbuf, const proc_t *restrict const pp
 }
-/****************** FLASK security stuff **********************/
+/****************** FLASK & seLinux security stuff **********************/
 #ifdef FLASK_LINUX
 /*
 * The sr_fn() calls -- for sorting -- don't return errors because
 * the same errors should show up when the printing function pr_fn()
 * is called, at which point the error goes onscreen.
 */
 /* as above, creates sr_secsid function */
 CMP_INT(secsid)  /* FLASK security ID, **NOT** a session ID -- ugh */
 static int pr_secsid(char *restrict const outbuf, const proc_t *restrict const pp){
  return sprintf(outbuf, "%d", (int) pp->secsid);
 }
 // move the bulk of this to libproc sometime
 static int pr_context(char *restrict const outbuf, const proc_t *restrict const pp){
-  char *ctxt; /* should be security_context_t */
+  char filename[48];
-  unsigned int len;
+  size_t len;
-  int rv;
+  ssize_t num_read;
  int fd;
-  len = DEF_CTXTLEN;
+// wchan file is suitable for testing
-  ctxt = (char *) calloc(1, len);
+//snprintf(filename, sizeof filename, "/proc/%d/task/%d/wchan", pp->tgid, pp->tid);
-  if ( ctxt != NULL )
+  snprintf(filename, sizeof filename, "/proc/%d/task/%d/attr/current", pp->tgid, pp->tid);
    rv = security_sid_to_context(pp->secsid, (security_context_t) ctxt, &len);
  else
    return sprintf(outbuf, "-");
-  if ( rv ) {
+  fd = open(filename, O_RDONLY, 0);
-    if ( errno != ENOSPC ) {
+  if(likely(fd==-1)) goto fail;
-      free(ctxt);
+  num_read = read(fd, outbuf, 666);
-      return sprintf(outbuf, "-");
+  close(fd);
-    } else {
+  if(unlikely(num_read<=0)) goto fail;
-      free(ctxt);
+  outbuf[num_read] = '\0';
-      ctxt = (char *) calloc(1, len);
+
-      if ( ctxt != NULL ) {
+  len = strspn(outbuf, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ:_0123456789");
-	rv = security_sid_to_context(pp->secsid, (security_context_t) ctxt, &len);
+  if(!len) goto fail;
-	if ( rv ) {
+  outbuf[len] = '\0';
-	  free(ctxt);
+  return len;
-	  return sprintf(outbuf, "-");
+
-	} else {
+fail:
-	  rv = sprintf(outbuf, "%s", ctxt);
+  outbuf[0] = '-';
-	  free(ctxt);
+  outbuf[1] = '\0';
-	  return rv;
+  return 1;
 	}
      } else {           /* calloc() failed */
 	return sprintf(outbuf, "-");
      }
    }
  } else {
    rv = sprintf(outbuf, "%s", ctxt);
    free(ctxt);
    return rv;
  }
 }
 static int sr_context ( const proc_t* P, const proc_t* Q ) {
  char *ctxt_P, *ctxt_Q; /* type should be security_context_t */
  unsigned int len;
  int rv;
  len = DEF_CTXTLEN;
  ctxt_P = (char *) calloc(1, len);
  ctxt_Q = (char *) calloc(1, len);
  rv = security_sid_to_context(P->secsid, (security_context_t) ctxt_P, &len);
  if ( rv ) {
    if ( errno != ENOSPC ) {
      free(ctxt_P);
      /* error should resurface during printing */
      return( 0 );
    } else {
      free(ctxt_P);
      ctxt_P = (char *) calloc(1, len);
      if ( ctxt_P != NULL ) {
 	rv = security_sid_to_context(P->secsid, (security_context_t) ctxt_P, &len);
 	if ( rv ) {
 	  free(ctxt_P);
 	  /* error should resurface during printing */
 	  return( 0 );
 	}
      } else {       /* calloc() failed */
 	/* error should resurface during printing */
 	return( 0 );
      }
    }
  }
  len = DEF_CTXTLEN;
  rv = security_sid_to_context(Q->secsid, (security_context_t) ctxt_Q, &len);
  if ( rv ) {
    if ( errno != ENOSPC ) {
      free(ctxt_P);
      free(ctxt_Q);
      /* error should resurface during printing */
      return( 0 );
    } else {
      free(ctxt_Q);
      ctxt_Q = (char *) calloc(1, len);
      if ( ctxt_Q != NULL ) {
 	rv = security_sid_to_context(Q->secsid, (security_context_t) ctxt_Q, &len);
 	if ( rv ) {
 	  free(ctxt_P);
 	  free(ctxt_Q);
 	  /* error should resurface during printing */
 	  return( 0 );
 	}
      } else {      /* calloc() failed */
 	/* error should resurface during printing */
 	free(ctxt_P);
 	return( 0 );
      }
    }
  }
  rv = strcmp(ctxt_P, ctxt_Q);
  free(ctxt_P);
  free(ctxt_Q);
  return( rv );
 }
 #else
 /****** dummy functions ******/
 #define pr_secsid pr_nop
 #define sr_secsid sr_nop
 #define pr_context pr_nop
 #define sr_context sr_nop
 #endif
 /***************************************************************************/
 /*************************** other stuff ***********************************/
@ -1164,7 +1052,7 @@ static const format_struct format_array[] = {
 {"cnswap",    "-",       pr_nop,      sr_cnswap,  1,   0,    LNX, AN|RIGHT},
 {"comm",      "COMMAND", pr_comm,     sr_nop,    16, COM,    U98, PO|UNLIMITED}, /*ucomm*/
 {"command",   "COMMAND", pr_args,     sr_nop,    16, ARG,    XXX, PO|UNLIMITED}, /*args*/
-{"context",   "CONTEXT", pr_context,  sr_context,40,   0,    LNX, AN|LEFT},
+{"context",   "CONTEXT", pr_context,  sr_nop,    40,   0,    LNX, AN|LEFT},
 {"cp",        "CP",      pr_cp,       sr_pcpu,    3,   0,    DEC, ET|RIGHT}, /*cpu*/
 {"cpu",       "CPU",     pr_nop,      sr_nop,     3,   0,    BSD, AN|RIGHT}, /* FIXME ... HP-UX wants this as the CPU number for SMP? */
 {"cputime",   "TIME",    pr_time,     sr_nop,     8,   0,    DEC, ET|RIGHT}, /*time*/
@ -1275,7 +1163,6 @@ static const format_struct format_array[] = {
 {"sched",     "SCH",     pr_sched,    sr_sched,   3,   0,    AIX, TO|RIGHT},
 {"scnt",      "SCNT",    pr_nop,      sr_nop,     4,   0,    DEC, AN|RIGHT},  /* man page misspelling of scount? */
 {"scount",    "SC",      pr_nop,      sr_nop,     4,   0,    AIX, AN|RIGHT},  /* scnt==scount, DEC claims both */
 {"secsid",    "SID",     pr_secsid,   sr_secsid,  6,   0,    LNX, AN|RIGHT}, /* Flask Linux */
 {"sess",      "SESS",    pr_sess,     sr_session, 5,   0,    XXX, PO|PIDMAX|RIGHT},
 {"session",   "SESS",    pr_sess,     sr_session, 5,   0,    LNX, PO|PIDMAX|RIGHT},
 {"sgi_p",     "P",       pr_sgi_p,    sr_nop,     1,   0,    LNX, TO|RIGHT}, /* "cpu" number */
@ -1398,8 +1285,7 @@ static const macro_struct macro_array[] = {
 {"FL5FMT",   "f,state,uid,pid,ppid,pcpu,pri,nice,rss,wchan,start,time,command"},  /* Digital -fl */
-{"FLASK_context",   "pid,secsid,context,command"},  /* Flask Linux context, --context */
+{"FLASK_context",   "pid,context,command"},  /* Flask Linux context, --context */
 {"FLASK_sid",       "pid,secsid,command"},          /* Flask Linux SID,     --SID */
 {"HP_",      "pid,tty,time,comm"},  /* HP default */
 {"HP_f",     "user,pid,ppid,cpu,stime,tty,time,args"},  /* HP -f */
--- a/ps/parser.c
+++ b/ps/parser.c
@ -737,7 +737,6 @@ static const char *parse_gnu_option(void){
  gnu_table_struct *found;
  static const gnu_table_struct gnu_table[] = {
  {"Group",         &&case_Group},       /* rgid */
  {"SID",           &&case_secsid},
  {"User",          &&case_User},        /* ruid */
  {"cols",          &&case_cols},
  {"columns",       &&case_columns},
@ -765,7 +764,6 @@ static const char *parse_gnu_option(void){
  {"pid",           &&case_pid},
  {"ppid",          &&case_ppid},
  {"rows",          &&case_rows},
  {"secsid",        &&case_secsid},
  {"sid",           &&case_sid},
  {"sort",          &&case_sort},
  {"tty",           &&case_tty},
@ -954,10 +952,6 @@ static const char *parse_gnu_option(void){
    trace("--context\n");
    format_flags |= FF_Fc;
    return NULL;
  case_secsid:
     trace("--secsid\n");
     format_flags |= FF_Fs;
     return NULL;
 }
 /*************** process trailing PIDs  **********************/
--- a/ps/ps.1
+++ b/ps/ps.1
@ -97,8 +97,7 @@ s            display signal format
 u            display user-oriented format
 v            display virtual memory format
 --format     user-defined format
--context    (SELinux only) Display security context format; implies --secsid
+--context    display security context format (NSA SELinux, etc.)
 --secsid     (SELinux only) Display Security ID
 OUTPUT MODIFIERS
 -H           show process hierarchy (forest)
@ -410,7 +409,6 @@ rsz          RSZ
 ruid         RUID    
 ruser        RUSER   
 s            S       
 secsid       SECSID
 sess         SESS    
 session      SESS    
 sgi_p        P       
--- a/ps/sortformat.c
+++ b/ps/sortformat.c
@ -860,9 +860,8 @@ const char *process_sf_options(int localbroken){
    case FF_LX:          spec="OL_X";         break;
    case FF_Lm:          spec="OL_m";         break;
-    /* These are FLASK security options. */
+    /* This is the sole FLASK security option. */
    case FF_Fc:          spec="FLASK_context"; break;
    case FF_Fs:          spec="FLASK_sid";     break;
    }  /* end switch(format_flags) */
--- a/sysctl.8
+++ b/sysctl.8
@ -14,7 +14,7 @@ sysctl \- configure kernel parameters at runtime
 .br
 .B "sysctl [-n] [-e] -w variable=value ..."
 .br
-.B "sysctl [-n] [-e] -p <filename>    (default /etc/sysctl.conf)"
+.B "sysctl [-n] [-e] -p <filename>"
 .br
 .B "sysctl [-n] [-e] -a"
 .br