From owner-p4-projects Mon Sep 23 18:39:55 2002
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 57FAE37B404; Mon, 23 Sep 2002 18:39:52 -0700 (PDT)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F2DAC37B401 for ; Mon, 23 Sep 2002 18:39:51 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8C84243E4A for ; Mon, 23 Sep 2002 18:39:51 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g8O1dpCo048028 for ; Mon, 23 Sep 2002 18:39:51 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g8O1dp81048025 for perforce@freebsd.org; Mon, 23 Sep 2002 18:39:51 -0700 (PDT)
Date: Mon, 23 Sep 2002 18:39:51 -0700 (PDT)
Message-Id: <200209240139.g8O1dp81048025@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson Subject: PERFORCE change 18032 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18032 Change 18032 by rwatson@rwatson_tislabs on 2002/09/23 18:39:45 Minor hacks to better support ttys until openpty() does things better: add tunable/sysctl twiddles to set the labels on ptys to biba/equal and/or mls/equal when they are instantiated. This is not the right long term solution since it doesn't properly handle pty reuse. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#111 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#93 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#111 (text+ko) ==== @@ -101,6 +101,11 @@ TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces, sizeof(trusted_interfaces)); +static int mac_biba_ptys_equal = 0; +SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW, + &mac_biba_ptys_equal, 0, "Label pty devices as biba/equal on create"); +TUNABLE_INT("security.mac.biba.ptys_equal", &mac_biba_ptys_equal); + static int mac_biba_revocation_enabled = 0; SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW, &mac_biba_revocation_enabled, 0, "Revoke access to objects on relabel"); @@ -568,6 +573,10 @@ strcmp(dev->si_name, "random") == 0 || strncmp(dev->si_name, "fd/", strlen("fd/")) == 0) biba_type = MAC_BIBA_TYPE_EQUAL; + else if (mac_biba_ptys_equal && + (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || + strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) + biba_type = MAC_BIBA_TYPE_EQUAL; else biba_type = MAC_BIBA_TYPE_HIGH; mac_biba_set_single(mac_biba, biba_type, 0); ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#93 (text+ko) ==== 
@@ -90,6 +90,11 @@ SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD, &destroyed_not_inited, 0, "Count of labels destroyed but not inited"); +static int mac_mls_ptys_equal = 0; +SYSCTL_INT(_security_mac_mls, OID_AUTO, ptys_equal, CTLFLAG_RW, + &mac_mls_ptys_equal, 0, "Label pty devices as mls/equal on create"); +TUNABLE_INT("security.mac.mls.ptys_equal", &mac_mls_ptys_equal); + static int mac_mls_revocation_enabled = 0; SYSCTL_INT(_security_mac_mls, OID_AUTO, revocation_enabled, CTLFLAG_RW, &mac_mls_revocation_enabled, 0, "Revoke access to objects on relabel"); @@ -559,6 +564,10 @@ else if (strcmp(dev->si_name, "kmem") == 0 || strcmp(dev->si_name, "mem") == 0) mls_type = MAC_MLS_TYPE_HIGH; + else if (mac_mls_ptys_equal && + (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || + strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) + mls_type = MAC_MLS_TYPE_EQUAL; else mls_type = MAC_MLS_TYPE_LOW; mac_mls_set_single(mac_mls, mls_type, 0); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
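Review bot: in the first mac_biba.c hunk (around line 101), the new ptys_equal knob is exposed both as a TUNABLE_INT and as a CTLFLAG_RW sysctl, but the only place it is consulted is the device-labeling hunk below, which runs once when the devfs node is created; flipping the sysctl at runtime therefore changes nothing for ptys that already exist, and the system ends up with a mix of biba/equal and biba/high ptys depending on when each node was created. The description string should say so, e.g. "Label pty devices as biba/equal on create (existing ptys unaffected)", and the same applies to the matching mac_mls.c sysctl hunk.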
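Review bot: in the mac_biba.c hunk at -568, the test is a prefix match on "ttyp" and "ptyp" only, so if the system also allocates ptys from other name banks (ttyq*/ptyq* and so on) those nodes still fall through to MAC_BIBA_TYPE_HIGH with the knob enabled; either widen the match to the full pty naming scheme or state in the change description that only the first bank is covered. Because the label is chosen once at node creation, a pty created while the knob was on keeps biba/equal across every later open, which is the reuse problem the description already flags; a comment at the `else if` pointing at that limitation would save the next reader a trip to the commit log.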
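Review bot: in the mac_mls.c hunk at -559, the same prefix-only match is used, and here a non-matching pty lands on MAC_MLS_TYPE_LOW rather than HIGH, so a pty the knob was meant to cover but did not match becomes a low-sensitivity device that sessions at higher levels cannot write to. The string list ("ttyp", "ptyp") is duplicated verbatim from the biba hunk; since the two modules cannot share the helper, please note in the commit message that both lists must be changed together, so a later fix to one policy is mirrored in the other.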