Date: Sat, 3 Aug 2002 19:51:23 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 15506 for review Message-ID: <200208040251.g742pNsS002171@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15506 Change 15506 by rwatson@rwatson_tislabs on 2002/08/03 19:51:15 Fix some spelling, add KASSERTs, fix some logic in the various relabel checks relating to EQUAL labels. It's now possible to do partial label updates with Biba, relabel vnodes as an unprivileged user, and the ability to set equal labels is limited to privilege. Remove the suser() call in the vnode relabel check: as long as the labels match up well, we consider it OK for unprivileged processes to relabel. The suser() call is still present in the subject relabel case, but we'd probably like to get rid of that once we figure out how we want to deal with the notion of privilege and role in MLS. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#89 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#89 (text+ko) ==== @@ -138,7 +138,7 @@ biba_atmostflags(struct mac_biba *mac_biba, int flags) { - if (((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) & flags) != flags) + if ((mac_biba->mb_flags & flags) != mac_biba->mb_flags) return (EINVAL); return (0); } @@ -290,9 +290,13 @@ } static int -mac_biba_subj_equal_ok(struct mac_biba *mac_biba) +mac_biba_subject_equal_ok(struct mac_biba *mac_biba) { + KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH == + MAC_BIBA_FLAGS_BOTH), + ("mac_biba_subject_equal_ok: subject doesn't have both labels")); + /* If the single is EQUAL, it's ok */ if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL) return (0); @@ -1242,7 +1246,7 @@ subj = SLOT(&cred->cr_label); new = SLOT(newlabel); - error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); if (error) return (error); @@ -1272,8 +1276,11 @@ * If the old subject label doesn't contain EQUAL, don't let the * new subject label contain EQUAL. */ - if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj)) - return (EPERM); + if (mac_biba_contains_equal(new)) { + error = mac_biba_subject_equal_ok(subj); + if (error) + return (error); + } return (0); } @@ -1306,7 +1313,7 @@ subj = SLOT(&cred->cr_label); new = SLOT(newlabel); - error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); if (error) return (error); @@ -1405,7 +1412,7 @@ subj = SLOT(&cred->cr_label); obj = SLOT(pipelabel); - error = mac_biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE); + error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE); if (error) return (error); @@ -1420,7 +1427,7 @@ * To relabel a pipe, the new pipe label must be in the subject * range. */ - if (new->mb_flags & MAC_BIBA_FLAGS_SINGLE && + if (new->mb_flags & MAC_BIBA_FLAG_SINGLE && !mac_biba_single_in_range(new, subj)) return (EPERM); @@ -1428,8 +1435,11 @@ * If the subject label doesn't contain equal, don't let the new * pipe label contain equal. */ - if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj)) - return (EPERM); + if (mac_biba_contains_equal(new)) { + error = mac_biba_subject_equal_ok(subj); + if (error) + return (error); + } return (0); } @@ -1520,7 +1530,7 @@ subj = SLOT(&cred->cr_label); obj = SLOT(socketlabel); - error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); if (error) return (error); @@ -1550,9 +1560,11 @@ * If the subject label doesn't contain EQUAL, don't let the new * socket label contain EQUAL. */ - if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj)) - return (EPERM); - + if (mac_biba_contains_equal(new)) { + error = mac_biba_subject_equal_ok(subj); + if (error) + return (error); + } return (0); } @@ -1819,7 +1831,7 @@ new = SLOT(newlabel); subj = SLOT(&cred->cr_label); - error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); if (error) return (error); @@ -1842,10 +1854,13 @@ * If the subject label doesn't contain EQUAL, don't let the new * vnode label contain EQUAL. */ - if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj)) - return (EPERM); + if (mac_biba_contains_equal(new)) { + error = mac_biba_subject_equal_ok(subj); + if (error) + return (error); + } - return (suser_cred(cred, 0)); + return (0); } static int To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200208040251.g742pNsS002171>