From c36c11c6b2f6de2fae431192f2bd49fad06511fc Mon Sep 17 00:00:00 2001
From: albert <>
Date: Wed, 24 Dec 2003 04:18:24 +0000
Subject: [PATCH] NSA SELinux for Linux 2.6.xx
---
 NEWS | 8 +--
 proc/readproc.c | 4 --
 ps/common.h | 1 -
 ps/help.c | 15 ++---
 ps/output.c | 168 ++++++++----------------------------------
 ps/parser.c | 6 --
 ps/ps.1 | 4 +-
 ps/sortformat.c | 3 +-
 sysctl.8 | 2 +-
 9 files changed, 40 insertions(+), 171 deletions(-)
diff --git a/NEWS b/NEWS
index ab89ae54..94902e32 100644
--- a/NEWS
+++ b/NEWS
@@ -1,11 +1,11 @@
 procps-3.1.14 --> procps-3.1.15
 install to /lib64 if it exists
-hide kernel PID bug (Linux 2.4.13-pre1 to 2.4.MAX) #217278 #219730 #217525
+hide kernel PID bug (Linux 2.4.13-pre1 to 2.4.MAX) #217278 #219730 #217525 #224470
 ps: faster threaded display
-...top: Jim's fix
-...top: newline fix
-...sysctl: man page tweak
+top: auto-margin problem #217559
+ps: support NSA SELinux, all builds, Linux 2.6+ #193648
+sysctl: tweak man page for ESR's broken parser
 procps-3.1.13 --> procps-3.1.14
diff --git a/proc/readproc.c b/proc/readproc.c
index aea4a7eb..9c60a1f8 100644
--- a/proc/readproc.c
+++ b/proc/readproc.c
@@ -27,10 +27,6 @@
 #include
 #include
-#ifdef FLASK_LINUX
-#include
-#endif
-
 // sometimes it's easier to do this manually, w/o gcc helping
 #ifdef PROF
 extern void __cyg_profile_func_enter(void*,void*);
diff --git a/ps/common.h b/ps/common.h
index 580d5945..9726b752 100644
--- a/ps/common.h
+++ b/ps/common.h
@@ -139,7 +139,6 @@
 #define FF_LX 0x0100 /* X */
 #define FF_Lm 0x0200 /* m */ /* overloaded: threads, sort, format */
 #define FF_Fc 0x0400 /* --context */ /* Flask security context format */
-#define FF_Fs 0x0800 /* --SID */ /* Flask SID format */
 /* predefined format modifier flags such as: -l -f l u s -j */
 #define FM_c 0x0001 /* -c */
diff --git a/ps/help.c b/ps/help.c
index ab195aa8..db18ee4c 100644
--- a/ps/help.c
+++ b/ps/help.c
@@ -34,21 +34,18 @@ const char *help_message =
 "-j,j job control s signal --group --user --sid --rows\n"
 "-O,O preloaded -o v virtual memory --cumulative --format --deselect\n"
 "-l,l long u user-oriented --sort --tty --forest --version\n"
-"-F extra full X registers --heading --no-heading\n"
-#ifdef FLASK_LINUX
-" --context --SID (Flask only)\n"
-#endif
+"-F extra full X registers --heading --no-heading --context\n"
 " ********* misc options *********\n"
-"-V,V show version L list format codes f ASCII art forest\n"
-"-m,m show threads S children in sum -y change -l format\n"
-"-n,N set namelist file c true command name n numeric WCHAN,UID\n"
-"-w,w wide output e show environment -H process hierarchy\n"
+"-V,V show version L list format codes f ASCII art forest\n"
+"-m,m,-L,-T,H threads S children in sum -y change -l format\n"
+"-c scheduling class c true command name n numeric WCHAN,UID\n"
+"-w,w wide output e show environment -H process hierarchy\n"
 ;
 /* Missing:
 *
- * -c -L -P -M --info
+ * -P -M --info
 *
 */
diff --git a/ps/output.c b/ps/output.c
index f161dedb..5add7458 100644
--- a/ps/output.c
+++ b/ps/output.c
@@ -65,14 +65,6 @@
 #include "../proc/escape.h"
 #include "common.h"
-#ifdef FLASK_LINUX
-#include
-#include
-#include
-#define DEF_CTXTLEN 255
-#endif
-
-
 /* TODO:
 * Stop assuming system time is local time.
 */
@@ -941,142 +933,38 @@ static int pr_sgi_p(char *restrict const outbuf, const proc_t *restrict const pp
 }
-/****************** FLASK security stuff **********************/
-#ifdef FLASK_LINUX
-
-/*
- * The sr_fn() calls -- for sorting -- don't return errors because
- * the same errors should show up when the printing function pr_fn()
- * is called, at which point the error goes onscreen.
- */
-
-/* as above, creates sr_secsid function */
-CMP_INT(secsid) /* FLASK security ID, **NOT** a session ID -- ugh */
-
-static int pr_secsid(char *restrict const outbuf, const proc_t *restrict const pp){
- return sprintf(outbuf, "%d", (int) pp->secsid);
-}
+/****************** FLASK & seLinux security stuff **********************/
+// move the bulk of this to libproc sometime
 static int pr_context(char *restrict const outbuf, const proc_t *restrict const pp){
- char *ctxt; /* should be security_context_t */
- unsigned int len;
- int rv;
+ char filename[48];
+ size_t len;
+ ssize_t num_read;
+ int fd;
- len = DEF_CTXTLEN;
- ctxt = (char *) calloc(1, len);
- if ( ctxt != NULL )
- rv = security_sid_to_context(pp->secsid, (security_context_t) ctxt, &len);
- else
- return sprintf(outbuf, "-");
+// wchan file is suitable for testing
+//snprintf(filename, sizeof filename, "/proc/%d/task/%d/wchan", pp->tgid, pp->tid);
+ snprintf(filename, sizeof filename, "/proc/%d/task/%d/attr/current", pp->tgid, pp->tid);
- if ( rv ) {
- if ( errno != ENOSPC ) {
- free(ctxt);
- return sprintf(outbuf, "-");
- } else {
- free(ctxt);
- ctxt = (char *) calloc(1, len);
- if ( ctxt != NULL ) {
- rv = security_sid_to_context(pp->secsid, (security_context_t) ctxt, &len);
- if ( rv ) {
- free(ctxt);
- return sprintf(outbuf, "-");
- } else {
- rv = sprintf(outbuf, "%s", ctxt);
- free(ctxt);
- return rv;
- }
- } else { /* calloc() failed */
- return sprintf(outbuf, "-");
- }
- }
- } else {
- rv = sprintf(outbuf, "%s", ctxt);
- free(ctxt);
- return rv;
- }
+ fd = open(filename, O_RDONLY, 0);
+ if(likely(fd==-1))
goto fail;
+ num_read = read(fd, outbuf, 666);
+ close(fd);
+ if(unlikely(num_read<=0)) goto fail;
+ outbuf[num_read] = '\0';
+
+ len = strspn(outbuf, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ:_0123456789");
+ if(!len) goto fail;
+ outbuf[len] = '\0';
+ return len;
+
+fail:
+ outbuf[0] = '-';
+ outbuf[1] = '\0';
+ return 1;
 }
-static int sr_context ( const proc_t* P, const proc_t* Q ) {
- char *ctxt_P, *ctxt_Q; /* type should be security_context_t */
- unsigned int len;
- int rv;
-
- len = DEF_CTXTLEN;
- ctxt_P = (char *) calloc(1, len);
- ctxt_Q = (char *) calloc(1, len);
-
- rv = security_sid_to_context(P->secsid, (security_context_t) ctxt_P, &len);
- if ( rv ) {
- if ( errno != ENOSPC ) {
- free(ctxt_P);
- /* error should resurface during printing */
- return( 0 );
- } else {
- free(ctxt_P);
- ctxt_P = (char *) calloc(1, len);
- if ( ctxt_P != NULL ) {
- rv = security_sid_to_context(P->secsid, (security_context_t) ctxt_P, &len);
- if ( rv ) {
- free(ctxt_P);
- /* error should resurface during printing */
- return( 0 );
- }
- } else { /* calloc() failed */
- /* error should resurface during printing */
- return( 0 );
- }
- }
- }
-
- len = DEF_CTXTLEN;
-
- rv = security_sid_to_context(Q->secsid, (security_context_t) ctxt_Q, &len);
- if ( rv ) {
- if ( errno != ENOSPC ) {
- free(ctxt_P);
- free(ctxt_Q);
- /* error should resurface during printing */
- return( 0 );
- } else {
- free(ctxt_Q);
- ctxt_Q = (char *) calloc(1, len);
- if ( ctxt_Q != NULL ) {
- rv = security_sid_to_context(Q->secsid, (security_context_t) ctxt_Q, &len);
- if ( rv ) {
- free(ctxt_P);
- free(ctxt_Q);
- /* error should resurface during printing */
- return( 0 );
- }
- } else { /* calloc() failed */
- /* error should resurface during printing */
- free(ctxt_P);
- return( 0 );
- }
- }
- }
-
- rv = strcmp(ctxt_P, ctxt_Q);
-
- free(ctxt_P);
- free(ctxt_Q);
-
- return( rv );
-}
-
-#else
-
-/****** dummy functions ******/
-
-#define pr_secsid pr_nop
-#define sr_secsid sr_nop
-#define
pr_context pr_nop
-#define sr_context sr_nop
-
-#endif
-
 /***************************************************************************/
 /*************************** other stuff ***********************************/
@@ -1164,7 +1052,7 @@ static const format_struct format_array[] = {
 {"cnswap", "-", pr_nop, sr_cnswap, 1, 0, LNX, AN|RIGHT},
 {"comm", "COMMAND", pr_comm, sr_nop, 16, COM, U98, PO|UNLIMITED}, /*ucomm*/
 {"command", "COMMAND", pr_args, sr_nop, 16, ARG, XXX, PO|UNLIMITED}, /*args*/
-{"context", "CONTEXT", pr_context, sr_context,40, 0, LNX, AN|LEFT},
+{"context", "CONTEXT", pr_context, sr_nop, 40, 0, LNX, AN|LEFT},
 {"cp", "CP", pr_cp, sr_pcpu, 3, 0, DEC, ET|RIGHT}, /*cpu*/
 {"cpu", "CPU", pr_nop, sr_nop, 3, 0, BSD, AN|RIGHT}, /* FIXME ... HP-UX wants this as the CPU number for SMP? */
 {"cputime", "TIME", pr_time, sr_nop, 8, 0, DEC, ET|RIGHT}, /*time*/
@@ -1275,7 +1163,6 @@ static const format_struct format_array[] = {
 {"sched", "SCH", pr_sched, sr_sched, 3, 0, AIX, TO|RIGHT},
 {"scnt", "SCNT", pr_nop, sr_nop, 4, 0, DEC, AN|RIGHT}, /* man page misspelling of scount? */
 {"scount", "SC", pr_nop, sr_nop, 4, 0, AIX, AN|RIGHT}, /* scnt==scount, DEC claims both */
-{"secsid", "SID", pr_secsid, sr_secsid, 6, 0, LNX, AN|RIGHT}, /* Flask Linux */
 {"sess", "SESS", pr_sess, sr_session, 5, 0, XXX, PO|PIDMAX|RIGHT},
 {"session", "SESS", pr_sess, sr_session, 5, 0, LNX, PO|PIDMAX|RIGHT},
 {"sgi_p", "P", pr_sgi_p, sr_nop, 1, 0, LNX, TO|RIGHT}, /* "cpu" number */
@@ -1398,8 +1285,7 @@ static const macro_struct macro_array[] = {
 {"FL5FMT", "f,state,uid,pid,ppid,pcpu,pri,nice,rss,wchan,start,time,command"}, /* Digital -fl */
-{"FLASK_context", "pid,secsid,context,command"}, /* Flask Linux context, --context */
-{"FLASK_sid", "pid,secsid,command"}, /* Flask Linux SID, --SID */
+{"FLASK_context", "pid,context,command"}, /* Flask Linux context, --context */
 {"HP_", "pid,tty,time,comm"}, /* HP default */
 {"HP_f", "user,pid,ppid,cpu,stime,tty,time,args"}, /* HP -f */
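Review bot: In pr_context, `num_read = read(fd, outbuf, 666);` followed by `outbuf[num_read] = '\0';` can write up to 667 bytes into a caller-owned buffer whose size is not visible here and is not tied to the literal 666 in any way; if the print buffer is smaller than that, both the read and the terminator run past its end, and the later `outbuf[len] = '\0'` does nothing to prevent it. The bound should be derived from the actual buffer size, e.g. `num_read = read(fd, outbuf, OUTBUF_SIZE_PLACEHOLDER - 1);` (substitute the constant the pr_* callers actually size outbuf with), so the terminator is always in bounds. Two smaller points in the same function: `return len;` hands a `size_t` back through an `int` return type, and the `strspn` whitelist silently truncates a context at the first character outside letters, digits, `:` and `_`, so if contexts can ever contain other characters (e.g. `.` or `-`) the displayed value is cut short with no indication. `if(likely(fd==-1))` also reads as an inverted hint unless the author's point is that the file is absent on kernels without SELinux — presumably the case — which a one-line comment such as `// attr/current does not exist without SELinux, so failure is the common case` would make explicit.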
diff --git a/ps/parser.c b/ps/parser.c
index ffb3e70d..02f9fdaa 100644
--- a/ps/parser.c
+++ b/ps/parser.c
@@ -737,7 +737,6 @@ static const char *parse_gnu_option(void){
 gnu_table_struct *found;
 static const gnu_table_struct gnu_table[] = {
 {"Group", &&case_Group}, /* rgid */
- {"SID", &&case_secsid},
 {"User", &&case_User}, /* ruid */
 {"cols", &&case_cols},
 {"columns", &&case_columns},
@@ -765,7 +764,6 @@ static const char *parse_gnu_option(void){
 {"pid", &&case_pid},
 {"ppid", &&case_ppid},
 {"rows", &&case_rows},
- {"secsid", &&case_secsid},
 {"sid", &&case_sid},
 {"sort", &&case_sort},
 {"tty", &&case_tty},
@@ -954,10 +952,6 @@ static const char *parse_gnu_option(void){
 trace("--context\n");
 format_flags |= FF_Fc;
 return NULL;
- case_secsid:
- trace("--secsid\n");
- format_flags |= FF_Fs;
- return NULL;
 }
 /*************** process trailing PIDs **********************/
diff --git a/ps/ps.1 b/ps/ps.1
index 17facc89..8e7c0d5a 100644
--- a/ps/ps.1
+++ b/ps/ps.1
@@ -97,8 +97,7 @@ s display signal format
 u display user-oriented format
 v display virtual memory format
 --format user-defined format
---context (SELinux only) Display security context format; implies --secsid
---secsid (SELinux only) Display Security ID
+--context display security context format (NSA SELinux, etc.)
 OUTPUT MODIFIERS
 -H show process hierarchy (forest)
@@ -410,7 +409,6 @@ rsz RSZ
 ruid RUID
 ruser RUSER
 s S
-secsid SECSID
 sess SESS
 session SESS
 sgi_p P
diff --git a/ps/sortformat.c b/ps/sortformat.c
index 11d65a3c..64fb6bf7 100644
--- a/ps/sortformat.c
+++ b/ps/sortformat.c
@@ -860,9 +860,8 @@ const char *process_sf_options(int localbroken){
 case FF_LX: spec="OL_X"; break;
 case FF_Lm: spec="OL_m"; break;
- /* These are FLASK security options. */
+ /* This is the sole FLASK security option. */
 case FF_Fc: spec="FLASK_context"; break;
- case FF_Fs: spec="FLASK_sid"; break;
 } /* end switch(format_flags) */
diff --git a/sysctl.8 b/sysctl.8
index 7a2844ba..94926d38 100644
--- a/sysctl.8
+++ b/sysctl.8
@@ -14,7 +14,7 @@ sysctl \- configure kernel parameters at runtime
 .br
 .B "sysctl [-n] [-e] -w variable=value ..."
 .br
-.B "sysctl [-n] [-e] -p (default /etc/sysctl.conf)"
+.B "sysctl [-n] [-e] -p "
 .br
 .B "sysctl [-n] [-e] -a"
 .br