From owner-p4-projects Sat Jun 1 17: 5:58 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D97AB37B40A; Sat, 1 Jun 2002 17:05:26 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id EB55537B409 for ; Sat, 1 Jun 2002 17:05:25 -0700 (PDT) Received: (from perforce@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g5205PP50615 for perforce@freebsd.org; Sat, 1 Jun 2002 17:05:25 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Sat, 1 Jun 2002 17:05:25 -0700 (PDT) Message-Id: <200206020005.g5205PP50615@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson Subject: PERFORCE change 12282 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=12282 Change 12282 by rwatson@rwatson_curry on 2002/06/01 17:04:27 Generally improve access control for relabeling operations. Affected files ... ... //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#44 edit Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#44 (text+ko) ====
@@ -157,6 +157,16 @@
 }
 
 static int
+mac_biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb)
+{
+
+ return (mac_biba_dominate_element(&rangea->mb_rangehigh,
+ &rangeb->mb_rangehigh) &&
+ mac_biba_dominate_element(&rangeb->mb_rangelow,
+ &rangea->mb_rangelow));
+}
+
+static int
 mac_biba_single_in_range(struct mac_biba *single, struct mac_biba *range)
 {
 
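Review bot: mac_biba_range_in_range appears to test containment in the wrong direction: if mac_biba_dominate_element(a, b) is non-zero when a dominates b, as its name suggests, then `dominate(&rangea->mb_rangehigh, &rangeb->mb_rangehigh) && dominate(&rangeb->mb_rangelow, &rangea->mb_rangelow)` holds when rangea encloses rangeb, not when rangea lies inside rangeb. The caller introduced later in this change, `mac_biba_range_in_range(new, subj)`, wants the new range inside the subject's current range, so an inverted check would accept a subject widening its own range to anything that encloses it while rejecting a legitimate narrowing. If that reading of the dominate helper is right, the argument pairs should be swapped: `return (mac_biba_dominate_element(&rangeb->mb_rangehigh, &rangea->mb_rangehigh) && mac_biba_dominate_element(&rangea->mb_rangelow, &rangeb->mb_rangelow));`. A one-line comment above the function, `/* Non-zero iff rangea lies entirely within rangeb. */`, would make the intended convention checkable against the body. The body of mac_biba_single_in_range, which follows, continues outside the hunk.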
@@ -216,6 +226,13 @@
 }
 
 static int
+mac_biba_high_single(struct mac_biba *mac_biba)
+{
+
+ return (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_HIGH);
+}
+
+static int
 mac_biba_valid(struct mac_biba *mac_biba)
 {
 
@@ -996,8 +1013,7 @@
 
 dest = SLOT(&cred->cr_label);
 mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0);
- mac_biba_set_range(dest, MAC_BIBA_TYPE_EQUAL, 0,
- MAC_BIBA_TYPE_EQUAL, 0);
+ mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, MAC_BIBA_TYPE_HIGH, 0);
 }
 
 static void
@@ -1080,13 +1096,19 @@
 mac_biba_cred_check_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
 struct label *ifnetlabel, struct label *newlabel)
 {
- struct mac_biba *new;
+ struct mac_biba *subj, *new;
 
+ subj = SLOT(&cred->cr_label);
 new = SLOT(newlabel);
 
 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH)
 return (EINVAL);
 
+ /*
+ * XXX: Only Biba HIGH subjects may relabel interfaces. */
+ if (!mac_biba_high_single(subj))
+ return (EPERM);
+
 return (suser_cred(cred, 0));
 }
 
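Review bot: The new block comment in mac_biba_cred_check_relabel_ifnet closes on its text line, `+ * XXX: Only Biba HIGH subjects may relabel interfaces. */`, unlike every other block comment in this change, which puts ` */` on a line of its own; it should read `/*`, ` * XXX: Only Biba HIGH subjects may relabel interfaces.`, ` */`. The helper it calls, mac_biba_high_single in the first hunk on this line, reads mb_single.mbe_type without checking that MAC_BIBA_FLAG_SINGLE is set in mb_flags; that is presumably always true for a credential label, but a comment on the helper stating that it expects a single-labelled input would record the contract. Note also that a subject whose single is MAC_BIBA_TYPE_EQUAL, which is how proc0 is labelled in the hunk above, fails this check and gets EPERM, since only MAC_BIBA_TYPE_HIGH passes; if EQUAL subjects are meant to be unrestricted elsewhere in the policy, that case needs either handling here or a sentence in the XXX comment saying it is deliberate.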
@@ -1094,32 +1116,64 @@
 mac_biba_cred_check_relabel_socket(struct ucred *cred, struct socket *socket,
 struct label *socketlabel, struct label *newlabel)
 {
- struct mac_biba *new;
+ struct mac_biba *subj, *obj, *new;
 
 new = SLOT(newlabel);
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(socketlabel);
 
 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
 return (EINVAL);
 
- return (suser_cred(cred, 0));
+ /*
+ * To relabel a socket, the old socket label must be in the subject
+ * range.
+ */
+ if (!mac_biba_single_in_range(obj, subj))
+ return (EPERM);
+
+ /*
+ * To relabel a socket, the new socket label must be in the subject
+ * range.
+ */
+ if (!mac_biba_single_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
+ */
+
+ return (0);
 }
 
 static int
 mac_biba_cred_check_relabel_subject(struct ucred *cred, struct label *newlabel)
 {
- struct mac_biba *new;
+ struct mac_biba *subj, *new;
 
+ subj = SLOT(&cred->cr_label);
 new = SLOT(newlabel);
 
 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH)
 return (EINVAL);
 
 /*
- * XXX: check that new single is in old range, new range is in old
- * range, or that privilege is present.
+ * The new single must be in the old range.
+ */
+ if (!mac_biba_single_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * The new range must be in the old range.
+ */
+ if (!mac_biba_range_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
 */
 
- return (suser_cred(cred, 0));
+ return (0);
 }
 
 static int
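Review bot: Replacing `return (suser_cred(cred, 0));` with `return (0);` in both mac_biba_cred_check_relabel_socket and mac_biba_cred_check_relabel_subject turns the deferred check in the new `XXX: Don't permit EQUAL in a label unless the subject has EQUAL` comments into a live gap rather than a refinement: if mac_biba_dominate_element treats an EQUAL element as both dominating and dominated by every other element, an EQUAL single satisfies mac_biba_single_in_range for any subject range, so an unprivileged subject could label itself or a socket EQUAL and thereafter satisfy every other in-range test. Until the XXX is resolved, either the suser_cred call should remain on these two paths, or the rule should be enforced explicitly before each `return (0);`, e.g. `if (new->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL && subj->mb_single.mbe_type != MAC_BIBA_TYPE_EQUAL) return (EPERM);`, with the same test applied to mb_rangelow and mb_rangehigh in the subject case. The vnode check in the next hunk keeps suser_cred while these two drop it, so the relabel paths now disagree on whether privilege is required; a comment stating why vnodes differ would save the next reader from assuming one of them is a mistake.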
@@ -1136,8 +1190,21 @@
 return (EINVAL);
 
 /*
- * XXX: check that old is in cred label range, that new is in cred
- * label range, or that privilege is held.
+ * To relabel a vnode, the old vnode label must be in the subject
+ * range.
+ */
+ if (!mac_biba_single_in_range(old, subj))
+ return (EPERM);
+
+ /*
+ * To relabel a vnode, the new vnode label must be in the subject
+ * range.
+ */
+ if (!mac_biba_single_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
 */
 
 return (suser_cred(cred, 0));
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
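Review bot: `mac_biba_single_in_range(old, subj)` reads the vnode's current label, but the only validation visible in this hunk is the `return (EINVAL);` at its top, which by analogy with the socket and subject hunks checks the flags of `new` only; whether `old` is guaranteed to carry MAC_BIBA_FLAG_SINGLE before its mb_single is consulted cannot be seen here because the function's opening, including where old, new and subj are assigned, lies outside the hunk. If vnode labels are always single-labelled by the time this check runs, a one-line comment above the first test, `/* Vnode labels always carry a single; old is safe to read. */`, would record that assumption; otherwise the check needs a flags guard on `old` as well. The EQUAL gap raised on the previous hunk applies to this path too, although suser_cred is retained here so only privileged subjects reach it.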