Date:      Thu, 8 Aug 2002 15:18:53 -0700 (PDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 15703 for review
Message-ID:  <200208082218.g78MIrBo025581@freefall.freebsd.org>

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15703

Change 15703 by rwatson@rwatson_tislabs on 2002/08/08 15:18:28

	Remove suser() exemptions for subject credential relabeling--
	these were for debugging/development purposes only.  The root
	user is no longer given special privilege to bypass label
	requirements for processes.  Su and other user programs
	manipulating labels will still try to set the label based
	on user class policy, but they may fail if their own labels
	can't be relabeled to the requested user label for policy
	reasons.
	
	The only remaining explicit exemption for the superuser
	is for interface relabeling, and that probably requires us to
	have some notion of a security administrator role for MLS
	and Biba.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#95 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#77 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#95 (text+ko) ====

@@ -1261,13 +1261,6 @@
 	 */
 	if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
 		/*
-		 * Exempt traditional superuser processes from the Biba
-		 * relabel requirements.  XXXMAC: This will go away.
-		 */
-		if (suser_cred(cred, 0) == 0)
-			return (0);
-
-		/*
 		 * To change the Biba single label on a credential, the
 		 * new single label must be in the current range.
 		 */
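Review bot: with the early `return (0)` under `suser_cred(cred, 0) == 0` removed, a uid 0 credential in the `MAC_BIBA_FLAGS_BOTH` branch now falls through to the range check described by the surviving comment ("the new single label must be in the current range"), which is the intended behaviour per the change description. Since the description states that su and similar programs may now fail when their own label cannot be relabeled, the error that the range check returns should be the one those tools report clearly, and the man pages for the label-setting utilities should mention this new failure mode so administrators do not mistake it for a misconfigured login class.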

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#77 (text+ko) ====

@@ -1209,13 +1209,6 @@
 	 */
 	if (new->mm_flags & MAC_MLS_FLAGS_BOTH) {
 		/*
-		 * Exempt traditional superuser processes from the MLS
-		 * relabel requirements. XXXMAC: This will go away.
-		 */
-		if (suser_cred(cred, 0) == 0)
-			return (0);
-
-		/*
 		 * To change the MLS single label on a credential, the
 		 * new single label must be in the current range.
 		 */
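Review bot: this hunk is the MLS counterpart of the Biba removal, identical apart from the policy name and the `mm_flags`/`MAC_MLS_FLAGS_BOTH` identifiers. The change description claims the only remaining explicit superuser exemption is for interface relabeling; a grep for `suser_cred` in both `mac_mls.c` and `mac_biba.c` would confirm that no other credential- or object-relabel path still carries the `XXXMAC: This will go away` debugging bypass, and that any remaining call is the documented interface case.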
