From owner-p4-projects Sat Aug 3 19:51:37 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id E0D3537B401; Sat, 3 Aug 2002 19:51:24 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8694137B400 for ; Sat, 3 Aug 2002 19:51:24 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 33E4643E6E for ; Sat, 3 Aug 2002 19:51:24 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g742pOJU002174 for ; Sat, 3 Aug 2002 19:51:24 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g742pNsS002171 for perforce@freebsd.org; Sat, 3 Aug 2002 19:51:23 -0700 (PDT) Date: Sat, 3 Aug 2002 19:51:23 -0700 (PDT) Message-Id: <200208040251.g742pNsS002171@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson Subject: PERFORCE change 15506 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15506 Change 15506 by rwatson@rwatson_tislabs on 2002/08/03 19:51:15 Fix some spelling, add KASSERTs, fix some logic in the various relabel checks relating to EQUAL labels. It's now possible to do partial label updates with Biba, relabel vnodes as an unprivileged user, and the ability to set equal labels is limited to privilege. Remove the suser() call in the vnode relabel check: as long as the labels match up well, we consider it OK for unprivileged processes to relabel. The suser() call is still present in the subject relabel case, but we'd probably like to get rid of that once we figure out how we want to deal with the notion of privilege and role in MLS. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#89 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#89 (text+ko) ==== @@ -138,7 +138,7 @@ biba_atmostflags(struct mac_biba *mac_biba, int flags) { - if (((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) & flags) != flags) + if ((mac_biba->mb_flags & flags) != mac_biba->mb_flags) return (EINVAL); return (0); } @@ -290,9 +290,13 @@ } static int -mac_biba_subj_equal_ok(struct mac_biba *mac_biba) +mac_biba_subject_equal_ok(struct mac_biba *mac_biba) { + KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH == + MAC_BIBA_FLAGS_BOTH), + ("mac_biba_subject_equal_ok: subject doesn't have both labels")); + /* If the single is EQUAL, it's ok */ if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL) return (0); 
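Review bot: `biba_atmostflags` carries no comment stating its contract, and with the rewritten test a label whose `mb_flags` is zero now passes in every caller. If that is how partial updates are meant to be admitted, say so above the function, for example `/* Return EINVAL if the label sets any flag outside 'flags'; a label with no flags set is accepted. */`. The function's return type and any existing header comment lie outside the hunk.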
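Review bot: The KASSERT added to `mac_biba_subject_equal_ok` does not test what its message says, because `==` binds tighter than `&`. The condition parses as `mb_flags & (MAC_BIBA_FLAGS_BOTH == MAC_BIBA_FLAGS_BOTH)`, that is `mb_flags & 1`. Depending on the flag values, which are not visible here, a subject label with only one element set could satisfy it, or a fully populated one could fail it. Move the parenthesis so the mask is applied first: `KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAGS_BOTH,`. The rest of the function body continues past the end of the hunk.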
@@ -1242,7 +1246,7 @@ subj = SLOT(&cred->cr_label); new = SLOT(newlabel); - error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); if (error) return (error); @@ -1272,8 +1276,11 @@ * If the old subject label doesn't contain EQUAL, don't let the * new subject label contain EQUAL. */ - if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj)) - return (EPERM); + if (mac_biba_contains_equal(new)) { + error = mac_biba_subject_equal_ok(subj); + if (error) + return (error); + } return (0); } @@ -1306,7 +1313,7 @@ subj = SLOT(&cred->cr_label); new = SLOT(newlabel); - error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); if (error) return (error); @@ -1405,7 +1412,7 @@ subj = SLOT(&cred->cr_label); obj = SLOT(pipelabel); - error = mac_biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE); + error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE); if (error) return (error); @@ -1420,7 +1427,7 @@ * To relabel a pipe, the new pipe label must be in the subject * range. */ - if (new->mb_flags & MAC_BIBA_FLAGS_SINGLE && + if (new->mb_flags & MAC_BIBA_FLAG_SINGLE && !mac_biba_single_in_range(new, subj)) return (EPERM); @@ -1428,8 +1435,11 @@ * If the subject label doesn't contain equal, don't let the new * pipe label contain equal. */ - if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj)) - return (EPERM); + if (mac_biba_contains_equal(new)) { + error = mac_biba_subject_equal_ok(subj); + if (error) + return (error); + } return (0); } @@ -1520,7 +1530,7 @@ subj = SLOT(&cred->cr_label); obj = SLOT(socketlabel); - error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); if (error) return (error); 
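Review bot: In the subject relabel hunk at -1272, `mac_biba_contains_equal(new)` is now reached with labels that may carry only some elements, since `biba_atmostflags` accepts any subset of the permitted flags. Its body is not shown; confirm it consults `new->mb_flags` before reading each element, as the pipe hunk at -1420 does for `mac_biba_single_in_range`. Otherwise an unset element holding a stale EQUAL type could trigger the privilege gate spuriously, or a stale non-EQUAL value could mask it. The same applies to the pipe (-1428), socket (-1550) and vnode (-1842) hunks. These blocks also now return whatever `mac_biba_subject_equal_ok` yields instead of a fixed `EPERM`, so the comment above each could end with `* The error from the privilege check is returned unchanged.`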
@@ -1550,9 +1560,11 @@ * If the subject label doesn't contain EQUAL, don't let the new * socket label contain EQUAL. */ - if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj)) - return (EPERM); - + if (mac_biba_contains_equal(new)) { + error = mac_biba_subject_equal_ok(subj); + if (error) + return (error); + } return (0); } @@ -1819,7 +1831,7 @@ new = SLOT(newlabel); subj = SLOT(&cred->cr_label); - error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); if (error) return (error); @@ -1842,10 +1854,13 @@ * If the subject label doesn't contain EQUAL, don't let the new * vnode label contain EQUAL. */ - if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj)) - return (EPERM); + if (mac_biba_contains_equal(new)) { + error = mac_biba_subject_equal_ok(subj); + if (error) + return (error); + } - return (suser_cred(cred, 0)); + return (0); } static int To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
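Review bot: In the vnode hunk at -1842, replacing `return (suser_cred(cred, 0));` with `return (0);` leaves authorization resting entirely on the label comparisons earlier in the function, which lie between the two vnode hunks and are not visible. A `new` label with no flags set passes `biba_atmostflags`, and if every intermediate check is conditioned on a flag it would reach `return (0)` with nothing compared; confirm that the test of the vnode's current label against the subject range is unconditional. A comment before the final return would record the decision, for example `/* No privilege required: the range checks above are the whole policy. */`.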