From owner-p4-projects Sat Aug 3 15:32:30 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id E64BC37B401; Sat, 3 Aug 2002 15:32:08 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5962337B400 for ; Sat, 3 Aug 2002 15:32:08 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7A21843E42 for ; Sat, 3 Aug 2002 15:32:07 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g73MW7JU065977 for ; Sat, 3 Aug 2002 15:32:07 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g73MW7iQ065974 for perforce@freebsd.org; Sat, 3 Aug 2002 15:32:07 -0700 (PDT) Date: Sat, 3 Aug 2002 15:32:07 -0700 (PDT) Message-Id: <200208032232.g73MW7iQ065974@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson Subject: PERFORCE change 15499 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15499 Change 15499 by rwatson@rwatson_curry on 2002/08/03 15:31:46 Teach Biba to prevent equal labels from being set by subjects without EQUAL already set (a special case will be needed to permit low-high processes to set EQUAL). Teach Biba to support partial updates of labels that contain both low and high, as well as to ignore update requests that don't set any Biba components. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#87 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#87 (text+ko) ==== @@ -135,6 +135,15 @@ } static int +biba_atmostflags(struct mac_biba *mac_biba, int flags) +{ + + if (((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) & flags) != flags) + return (EINVAL); + return (0); +} + +static int mac_biba_dominate_element(struct mac_biba_element *a, struct mac_biba_element *b) { @@ -263,6 +272,24 @@ } static int +mac_biba_contains_equal(struct mac_biba *mac_biba) +{ + + if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) + if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL) + return (1); + + if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) { + if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL) + return (1); + if (mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL) + return (1); + } + + return (0); +} + +static int mac_biba_valid(struct mac_biba *mac_biba) { 
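Review bot: The test in `biba_atmostflags` is inverted relative to its name and to the change description: `((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) & flags) != flags` fails unless every bit of `flags` is set in the label. A partial update (single only, or range only) checked against `MAC_BIBA_FLAGS_BOTH` therefore gets EINVAL, while a label carrying both single and range passes when the caller allows only `MAC_BIBA_FLAG_SINGLE`, as the pipe relabel check does. An at-most test would be `if ((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH & ~flags) != 0) return (EINVAL);`. The helper is also defined as `biba_atmostflags`, but the cred, ifnet, pipe, socket and vnode relabel hunks all call `mac_biba_atmostflags`; unless that name exists outside the diff, the definition should be renamed to match. A one-line comment saying it returns EINVAL when the label sets a component outside `flags` would pin the contract.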
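Review bot: `mac_biba_contains_equal` has no comment stating its contract, although four relabel checks in this change now depend on it to decide EPERM. It inspects only the elements whose flag is set in `mb_flags`, so a comment such as `/* Return 1 if any element flagged in mb_flags has type EQUAL, else 0. */` would make that explicit. The unbraced nested `if` for the single case would read more safely as one condition, `if ((mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) && mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)`.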
@@ -384,6 +411,16 @@ labelto->mb_flags |= MAC_BIBA_FLAG_RANGE; } +static void +mac_biba_copy(struct mac_biba *source, struct mac_biba *dest) +{ + + if (source->mb_flags & MAC_BIBA_FLAG_SINGLE) + mac_biba_copy_single(source, dest); + if (source->mb_flags & MAC_BIBA_FLAG_RANGE) + mac_biba_copy_range(source, dest); +} + /* * Policy module operations. */ @@ -707,7 +744,7 @@ source = SLOT(label); dest = SLOT(vnodelabel); - mac_biba_copy_single(source, dest); + mac_biba_copy(source, dest); } static void @@ -719,7 +756,7 @@ source = SLOT(vnodelabel); dest = SLOT(direntlabel); - mac_biba_copy_single(source, dest); + mac_biba_copy(source, dest); } static void @@ -835,8 +872,7 @@ source = SLOT(newlabel); dest = SLOT(socketlabel); - mac_biba_copy_single(source, dest); - mac_biba_copy_range(source, dest); + mac_biba_copy(source, dest); } static void @@ -1075,8 +1111,7 @@ source = SLOT(newlabel); dest = SLOT(ifnetlabel); - mac_biba_copy_single(source, dest); - mac_biba_copy_range(source, dest); + mac_biba_copy(source, dest); } static void @@ -1153,8 +1188,7 @@ source = SLOT(newlabel); dest = SLOT(&cred->cr_label); - mac_biba_copy_single(source, dest); - mac_biba_copy_range(source, dest); + mac_biba_copy(source, dest); } /* @@ -1181,12 +1215,14 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel) { struct mac_biba *subj, *new; + int error; subj = SLOT(&cred->cr_label); new = SLOT(newlabel); - if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) - return (EINVAL); + error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + if (error) + return (error); /* * XXX: Allow processes with root privilege to set labels outside 
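Review bot: `mac_biba_copy` needs a comment stating that it is a partial copy: an element whose flag is clear in `source` is left as it was in `dest`, and a source with neither flag set changes nothing. The context line `labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;` shows the helpers only OR flags in, so elements and flags already present in `dest` survive the call. That suits partial updates, but the call sites switched over in the following hunks now rely on it. Suggested comment: `/* Copy only the elements flagged in source; dest keeps any element source does not set. */`.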
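Review bot: Replacing `mac_biba_copy_single` with `mac_biba_copy` in this vnode-label copy, and in the dirent-label copy in the next hunk (-719), is not a pure refactor: a range is now propagated whenever the source label has `MAC_BIBA_FLAG_RANGE` set, where before only the single was copied. If these object labels are meant to carry a single only, keep `mac_biba_copy_single(source, dest);` at both sites; otherwise a comment saying the range is copied deliberately would help. Both enclosing functions start outside their hunks, so which operation each belongs to is not visible here.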
@@ -1199,18 +1235,23 @@ /* * The new single must be in the old range. */ - if (!mac_biba_single_in_range(new, subj)) + if (new->mb_flags & MAC_BIBA_FLAG_SINGLE && + !mac_biba_single_in_range(new, subj)) return (EPERM); /* * The new range must be in the old range. */ - if (!mac_biba_range_in_range(new, subj)) + if (new->mb_flags & MAC_BIBA_FLAG_RANGE && + !mac_biba_range_in_range(new, subj)) return (EPERM); /* - * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. + * If the old subject label doesn't contain EQUAL, don't let the + * new subject label contain EQUAL. */ + if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj)) + return (EPERM); return (0); } @@ -1238,12 +1279,14 @@ struct label *ifnetlabel, struct label *newlabel) { struct mac_biba *subj, *new; + int error; subj = SLOT(&cred->cr_label); new = SLOT(newlabel); - if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) - return (EINVAL); + error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + if (error) + return (error); /* * XXX: Only Biba HIGH subjects may relabel interfaces. */ @@ -1258,7 +1301,7 @@ struct mbuf *m, struct label *mbuflabel) { struct mac_biba *p, *i; - + if (!mac_biba_enabled) return (0); @@ -1334,13 +1377,15 @@ struct label *pipelabel, struct label *newlabel) { struct mac_biba *subj, *obj, *new; + int error; new = SLOT(newlabel); subj = SLOT(&cred->cr_label); obj = SLOT(pipelabel); - if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) - return (EINVAL); + error = mac_biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE); + if (error) + return (error); /* * To relabel a pipe, the old pipe label must be in the subject 
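Review bot: With partial updates allowed, a request that sets only the range is checked against the old range but never against the subject's current single, so the merged credential label could end up with a single that lies outside its own new range. Assuming `mac_biba_single_in_range(a, b)` tests a's single against b's range, as its uses here suggest, a guard such as `if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAG_RANGE && !mac_biba_single_in_range(subj, new)) return (EPERM);` after the range check would cover that case. The function begins in the previous hunk and the XXX root-privilege block between the two hunks is not shown, so confirm it is not already handled there.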
@@ -1353,12 +1398,16 @@ * To relabel a pipe, the new pipe label must be in the subject * range. */ - if (!mac_biba_single_in_range(new, subj)) + if (new->mb_flags & MAC_BIBA_FLAGS_SINGLE && + !mac_biba_single_in_range(new, subj)) return (EPERM); /* - * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. + * If the subject label doesn't contain equal, don't let the new + * pipe label contain equal. */ + if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj)) + return (EPERM); return (0); } @@ -1443,13 +1492,15 @@ struct label *socketlabel, struct label *newlabel) { struct mac_biba *subj, *obj, *new; + int error; new = SLOT(newlabel); subj = SLOT(&cred->cr_label); obj = SLOT(socketlabel); - if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) - return (EINVAL); + error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + if (error) + return (error); /* * To relabel a socket, the old socket label must be in the subject @@ -1459,16 +1510,27 @@ return (EPERM); /* - * To relabel a socket, the new socket label must be in the subject + * To relabel a socket, the new socket single must be in the subject * range. */ - if (!mac_biba_single_in_range(new, subj)) + if (new->mb_flags & MAC_BIBA_FLAG_SINGLE && + !mac_biba_single_in_range(new, subj)) return (EPERM); /* - * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. + * The new range must be in the subject range. */ + if (new->mb_flags & MAC_BIBA_FLAG_RANGE && + !mac_biba_range_in_range(new, subj)) + return (EPERM); + /* + * If the subject label doesn't contain EQUAL, don't let the new + * socket label contain EQUAL. + */ + if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj)) + return (EPERM); + return (0); } 
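Review bot: The added guard tests `MAC_BIBA_FLAGS_SINGLE`, but every other hunk in this change spells the constant `MAC_BIBA_FLAG_SINGLE`, and only `MAC_BIBA_FLAGS_BOTH` takes the plural. Unless a plural alias is defined outside the diff, this will not compile. The line should read `if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&`. The enclosing pipe relabel check starts in the previous hunk.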
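Review bot: The new guards mix `&` and `&&` without parentheses, e.g. `new->mb_flags & MAC_BIBA_FLAG_RANGE && !mac_biba_range_in_range(new, subj)`; precedence makes this correct, but in an access-control condition it is easy to misread or to break in a later edit. Writing `(new->mb_flags & MAC_BIBA_FLAG_RANGE) != 0 && !mac_biba_range_in_range(new, subj)` keeps the explicit style of the flag tests this change removes. The same applies to the single guard in this hunk and to the guards added in the cred, pipe and vnode relabel hunks.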
@@ -1729,13 +1791,15 @@ struct label *vnodelabel, struct label *newlabel) { struct mac_biba *old, *new, *subj; + int error; old = SLOT(vnodelabel); new = SLOT(newlabel); subj = SLOT(&cred->cr_label); - if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) - return (EINVAL); + error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + if (error) + return (error); /* * To relabel a vnode, the old vnode label must be in the subject @@ -1748,12 +1812,16 @@ * To relabel a vnode, the new vnode label must be in the subject * range. */ - if (!mac_biba_single_in_range(new, subj)) + if (new->mb_flags & MAC_BIBA_FLAG_SINGLE && + !mac_biba_single_in_range(new, subj)) return (EPERM); /* - * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. + * If the subject label doesn't contain EQUAL, don't let the new + * vnode label contain EQUAL. */ + if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj)) + return (EPERM); return (suser_cred(cred, 0)); } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
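Review bot: The vnode relabel check now admits labels that carry a range, because the previous hunk changes the accepted flags from `MAC_BIBA_FLAG_SINGLE` to `MAC_BIBA_FLAGS_BOTH`, yet only the single is compared with the subject range here. The socket check gained a matching `mac_biba_range_in_range` test in this change and this one did not. Either keep the vnode check at `MAC_BIBA_FLAG_SINGLE`, or add `if (new->mb_flags & MAC_BIBA_FLAG_RANGE && !mac_biba_range_in_range(new, subj)) return (EPERM);` before the EQUAL test. The final `suser_cred(cred, 0)` still gates the operation, but a range supplied in the new label would pass this check unexamined.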