Date: Sat, 1 Jun 2002 17:05:25 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 12282 for review Message-ID: <200206020005.g5205PP50615@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=12282 Change 12282 by rwatson@rwatson_curry on 2002/06/01 17:04:27 Generally improve access control for relabeling operations. Affected files ... ... //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#44 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#44 (text+ko) ==== @@ -157,6 +157,16 @@ } static int +mac_biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb) +{ + + return (mac_biba_dominate_element(&rangea->mb_rangehigh, + &rangeb->mb_rangehigh) && + mac_biba_dominate_element(&rangeb->mb_rangelow, + &rangea->mb_rangelow)); +} + +static int mac_biba_single_in_range(struct mac_biba *single, struct mac_biba *range) { @@ -216,6 +226,13 @@ } static int +mac_biba_high_single(struct mac_biba *mac_biba) +{ + + return (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_HIGH); +} + +static int mac_biba_valid(struct mac_biba *mac_biba) { @@ -996,8 +1013,7 @@ dest = SLOT(&cred->cr_label); mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0); - mac_biba_set_range(dest, MAC_BIBA_TYPE_EQUAL, 0, - MAC_BIBA_TYPE_EQUAL, 0); + mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, MAC_BIBA_TYPE_HIGH, 0); } static void @@ -1080,13 +1096,19 @@ mac_biba_cred_check_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { - struct mac_biba *new; + struct mac_biba *subj, *new; + subj = SLOT(&cred->cr_label); new = SLOT(newlabel); if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) return (EINVAL); + /* + * XXX: Only Biba HIGH subjects may relabel interfaces. */ + if (!mac_biba_high_single(subj)) + return (EPERM); + return (suser_cred(cred, 0)); } @@ -1094,32 +1116,64 @@ mac_biba_cred_check_relabel_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { - struct mac_biba *new; + struct mac_biba *subj, *obj, *new; new = SLOT(newlabel); + subj = SLOT(&cred->cr_label); + obj = SLOT(socketlabel); if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) return (EINVAL); - return (suser_cred(cred, 0)); + /* + * To relabel a socket, the old socket label must be in the subject + * range. + */ + if (!mac_biba_single_in_range(obj, subj)) + return (EPERM); + + /* + * To relabel a socket, the new socket label must be in the subject + * range. + */ + if (!mac_biba_single_in_range(new, subj)) + return (EPERM); + + /* + * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. + */ + + return (0); } static int mac_biba_cred_check_relabel_subject(struct ucred *cred, struct label *newlabel) { - struct mac_biba *new; + struct mac_biba *subj, *new; + subj = SLOT(&cred->cr_label); new = SLOT(newlabel); if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) return (EINVAL); /* - * XXX: check that new single is in old range, new range is in old - * range, or that privilege is present. + * The new single must be in the old range. + */ + if (!mac_biba_single_in_range(new, subj)) + return (EPERM); + + /* + * The new range must be in the old range. + */ + if (!mac_biba_range_in_range(new, subj)) + return (EPERM); + + /* + * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. */ - return (suser_cred(cred, 0)); + return (0); } static int @@ -1136,8 +1190,21 @@ return (EINVAL); /* - * XXX: check that old is in cred label range, that new is in cred - * label range, or that privilege is held. + * To relabel a vnode, the old vnode label must be in the subject + * range. + */ + if (!mac_biba_single_in_range(old, subj)) + return (EPERM); + + /* + * To relabel a vnode, the new vnode label must be in the subject + * range. + */ + if (!mac_biba_single_in_range(new, subj)) + return (EPERM); + + /* + * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. */ return (suser_cred(cred, 0)); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206020005.g5205PP50615>