Date: Mon, 9 Jan 2006 20:01:50 GMT
From: "Christian S.J. Peron" <csjp@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 89432 for review
Message-ID: <200601092001.k09K1oBa064790@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=89432

Change 89432 by csjp@csjp_xor on 2006/01/09 20:01:34

Now that we have support for labeling in NFS, teach the BIBA policy about it.

For now, the NFSD label will be set to biba/high(low-high). This is going to change, however. We need to think about what makes the most sense. Should the label be inherited from the NFSD process which makes the nfssvc() call? Should it come from the network interface the NFS request was received on? We need to give this some thought.

It should be noted that this fixed a panic which occurs when files are created through NFS. This happened because the object label was not properly initialized. So this effectively un-breaks BIBA+NFS.

We will need to do something similar for other labeled security policies, too. Hopefully I have the time to do this.

Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#259 edit

Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#259 (text+ko) ==== @@ -49,6 +49,7 @@ #include <sys/malloc.h> #include <sys/mman.h> #include <sys/mount.h> +#include <sys/namei.h> #include <sys/proc.h> #include <sys/sbuf.h> #include <sys/systm.h> @@ -3083,6 +3084,17 @@ return (0); } +static void +mac_biba_associate_nfsd_label(struct ucred *cred) +{ + struct mac_biba *label; + + label = SLOT(cred->cr_label); + mac_biba_set_effective(label, MAC_BIBA_TYPE_HIGH, 0, NULL); + mac_biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, + MAC_BIBA_TYPE_HIGH, 0, NULL); +} + static struct mac_policy_ops mac_biba_ops = { .mpo_init = mac_biba_init, @@ -3262,6 +3274,7 @@ .mpo_check_vnode_setutimes = mac_biba_check_vnode_setutimes, .mpo_check_vnode_stat = mac_biba_check_vnode_stat, .mpo_check_vnode_write = mac_biba_check_vnode_write, + .mpo_associate_nfsd_label = mac_biba_associate_nfsd_label, }; MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
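
Review bot: the added #include <sys/namei.h> in the first hunk (@@ -49,6 +49,7 @@) is not used by anything else visible in this change; mac_biba_associate_nfsd_label() only touches struct ucred, SLOT() and the mac_biba_set_*() helpers. Drop the include, or state in the change description which declaration it is needed for.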
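
Review bot: mac_biba_associate_nfsd_label() in the second hunk hard-codes the label (effective MAC_BIBA_TYPE_HIGH, range MAC_BIBA_TYPE_LOW to MAC_BIBA_TYPE_HIGH) without a comment, although the change description calls that choice provisional. Add a comment above the function saying that biba/high(low-high) is a placeholder and how labeling the credential relates to the panic, since the description attributes the panic to an uninitialized object label while the function only writes cred->cr_label. Effective high also means requests arriving over NFS are handled at the top integrity grade, so the comment should record that as the open question to revisit.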
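
Review bot: in the third hunk the .mpo_associate_nfsd_label entry is appended after .mpo_check_vnode_write, which puts a labeling operation at the tail of the mpo_check_vnode_* access checks. If mac_biba_ops groups its entries by kind, move it next to the other label association entries so it is easy to find when the NFSD labeling rule is revisited.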