Date:      Mon, 1 Mar 2010 17:33:40 -0800
From:      "Estella Mystagic" <estella@mystagic.com>
To:        <freebsd-hackers@freebsd.org>
Subject:   mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support for new /dev/pts in FreeBSD 8
Message-ID:  <2BD4195B78BE4E4E9F4953B3196590E3@2WIRE304>

This is a multi-part message in MIME format.

------=_NextPart_000_001D_01CAB965.55F649C0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit

Hi,

 

Found an issue with the sysctl MIBs security.mac.biba.ptys_equal,
security.mac.lomac.ptys_equal and security.mac.mls.ptys_equal: they do not
support the new /dev/pts terminal system in FreeBSD 8. A proposed fix follows.

 

When using a higher security grade/clearance with mac_mls, writes to
/dev/pts/5 are refused, because the device is labelled mls/low and a subject
may not write to an object whose classification level is lower than its own
clearance level.

 

Feb 25 21:42:16 labyrinth sshd[30965]: error: /dev/pts/5: Permission denied

Feb 25 21:42:16 labyrinth sshd[30965]: error: open /dev/tty failed - could
not set controlling tty: Permission denied

 

-Selphie 

 

Patches:

 

diff -urNp /usr/src/sys/security-orig/mac_biba/mac_biba.c
/usr/src/sys/security/mac_biba/mac_biba.c

--- /usr/src/sys/security-orig/mac_biba/mac_biba.c      2010-03-01
17:11:30.000000000 -0800

+++ /usr/src/sys/security/mac_biba/mac_biba.c   2010-03-01
17:16:44.000000000 -0800

@@ -955,6 +955,7 @@ biba_devfs_create_device(struct ucred *c

                biba_type = MAC_BIBA_TYPE_EQUAL;

        else if (ptys_equal &&

            (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||

+           strncmp(dev->si_name, "pts/", strlen("pts/")) == 0 ||

            strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))

                biba_type = MAC_BIBA_TYPE_EQUAL;

        else
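Review bot: The added `pts/` prefix test carries no comment explaining why three different name spellings are accepted, and a reader who does not know the FreeBSD 8 devfs naming will not see why `pts/` belongs next to `ttyp` and `ptyp`; a one-line comment above the `else if`, such as `/* ttyp*/ptyp* are the legacy BSD pty names; FreeBSD 8 pseudo-terminals appear in devfs as pts/N */`, would make the intent explicit. Worth stating in the commit message as well: with ptys_equal enabled every device matching these prefixes is labelled EQUAL, so the policy no longer mediates data flow through those terminals; the new line extends that existing opt-in behaviour to /dev/pts rather than changing it, which is the right place for it given the prefix match is on the devfs name only. The identical change is repeated in the mac_lomac and mac_mls hunks below, so the same comment applies there. The `else` branch that follows and the enclosing biba_devfs_create_device continue outside the hunk.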

diff -urNp /usr/src/sys/security-orig/mac_lomac/mac_lomac.c
/usr/src/sys/security/mac_lomac/mac_lomac.c

--- /usr/src/sys/security-orig/mac_lomac/mac_lomac.c    2010-03-01
17:11:30.000000000 -0800

+++ /usr/src/sys/security/mac_lomac/mac_lomac.c 2010-03-01
17:16:23.000000000 -0800

@@ -1043,6 +1043,7 @@ lomac_devfs_create_device(struct ucred *

                lomac_type = MAC_LOMAC_TYPE_EQUAL;

        else if (ptys_equal &&

            (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||

+           strncmp(dev->si_name, "pts/", strlen("pts/")) == 0 ||

            strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))

                lomac_type = MAC_LOMAC_TYPE_EQUAL;

        else

diff -urNp /usr/src/sys/security-orig/mac_mls/mac_mls.c
/usr/src/sys/security/mac_mls/mac_mls.c

--- /usr/src/sys/security-orig/mac_mls/mac_mls.c        2010-03-01
17:11:30.000000000 -0800

+++ /usr/src/sys/security/mac_mls/mac_mls.c     2010-03-01
17:15:42.000000000 -0800

@@ -918,6 +918,7 @@ mls_devfs_create_device(struct ucred *cr

                mls_type = MAC_MLS_TYPE_HIGH;

        else if (ptys_equal &&

            (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||

+           strncmp(dev->si_name, "pts/", strlen("pts/")) == 0 ||

            strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))

                mls_type = MAC_MLS_TYPE_EQUAL;

        else


------=_NextPart_000_001D_01CAB965.55F649C0
Content-Type: application/octet-stream;
	name="fbsd80-mac-devpts-fix.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="fbsd80-mac-devpts-fix.patch"

diff -urNp /usr/src/sys/security-orig/mac_biba/mac_biba.c =
/usr/src/sys/security/mac_biba/mac_biba.c=0A=
--- /usr/src/sys/security-orig/mac_biba/mac_biba.c	2010-03-01 =
17:11:30.000000000 -0800=0A=
+++ /usr/src/sys/security/mac_biba/mac_biba.c	2010-03-01 =
17:16:44.000000000 -0800=0A=
@@ -955,6 +955,7 @@ biba_devfs_create_device(struct ucred *c=0A=
 		biba_type =3D MAC_BIBA_TYPE_EQUAL;=0A=
 	else if (ptys_equal &&=0A=
 	    (strncmp(dev->si_name, "ttyp", strlen("ttyp")) =3D=3D 0 ||=0A=
+	    strncmp(dev->si_name, "pts/", strlen("pts/")) =3D=3D 0 ||=0A=
 	    strncmp(dev->si_name, "ptyp", strlen("ptyp")) =3D=3D 0))=0A=
 		biba_type =3D MAC_BIBA_TYPE_EQUAL;=0A=
 	else=0A=
diff -urNp /usr/src/sys/security-orig/mac_lomac/mac_lomac.c =
/usr/src/sys/security/mac_lomac/mac_lomac.c=0A=
--- /usr/src/sys/security-orig/mac_lomac/mac_lomac.c	2010-03-01 =
17:11:30.000000000 -0800=0A=
+++ /usr/src/sys/security/mac_lomac/mac_lomac.c	2010-03-01 =
17:16:23.000000000 -0800=0A=
@@ -1043,6 +1043,7 @@ lomac_devfs_create_device(struct ucred *=0A=
 		lomac_type =3D MAC_LOMAC_TYPE_EQUAL;=0A=
 	else if (ptys_equal &&=0A=
 	    (strncmp(dev->si_name, "ttyp", strlen("ttyp")) =3D=3D 0 ||=0A=
+	    strncmp(dev->si_name, "pts/", strlen("pts/")) =3D=3D 0 ||=0A=
 	    strncmp(dev->si_name, "ptyp", strlen("ptyp")) =3D=3D 0))=0A=
 		lomac_type =3D MAC_LOMAC_TYPE_EQUAL;=0A=
 	else=0A=
diff -urNp /usr/src/sys/security-orig/mac_mls/mac_mls.c =
/usr/src/sys/security/mac_mls/mac_mls.c=0A=
--- /usr/src/sys/security-orig/mac_mls/mac_mls.c	2010-03-01 =
17:11:30.000000000 -0800=0A=
+++ /usr/src/sys/security/mac_mls/mac_mls.c	2010-03-01 =
17:15:42.000000000 -0800=0A=
@@ -918,6 +918,7 @@ mls_devfs_create_device(struct ucred *cr=0A=
 		mls_type =3D MAC_MLS_TYPE_HIGH;=0A=
 	else if (ptys_equal &&=0A=
 	    (strncmp(dev->si_name, "ttyp", strlen("ttyp")) =3D=3D 0 ||=0A=
+	    strncmp(dev->si_name, "pts/", strlen("pts/")) =3D=3D 0 ||=0A=
 	    strncmp(dev->si_name, "ptyp", strlen("ptyp")) =3D=3D 0))=0A=
 		mls_type =3D MAC_MLS_TYPE_EQUAL;=0A=
 	else=0A=

------=_NextPart_000_001D_01CAB965.55F649C0--



