mac_partition and /sbin/init

Robert Watson rwatson at FreeBSD.org
Thu Sep 25 16:28:52 GMT 2003 

On Wed, 24 Sep 2003, Kenny Freeman wrote:

> Robert, thanks! I was wondering how partition/none was treated in the
> source.  It probably would have taken me another few hours of digging
> through the different sources to figure out that 0 was actually none. Is
> there any way that the getpmac output could be rewritten so us simple
> folk don't get confused? ie. partition/0 -> partition/none. Well, that
> or put it into the man pages. I've been fiddling with this for a few
> evenings now.

Yes, that would be pretty easy to do actually: the conversion to and from
text occurs in the kernel in the mac_partition internalize/externalize
routines.  I haven't compiled/tested it, but the attached patch might be
close to what you want.  It still interprets partition/0 as "none", but
now exports "partition/0" as "partition/none", and knows that
"partition/none" is the same as "partition/0" on import.

> I guess I'm going to have to put in a few rc scripts to
> start these jails up. Using the jail util like: 
> 
> jail_dnscache_exec="/usr/sbin/setpmac partition/1 /bin/sh /etc/rc"
> 
>  I get permission denied errors when setting the partition to anything
> other than none, presumably because the process has already been put
> inside the jail when the setpmac util is run.

Yeah.  Currently, processes in jail aren't permitted to change the
partition label, so you have to put it in the partition first.  Note that
the only real effect of the partition module in this case will be to
reinforce the existing protections, I believe.

> Oh, this has probably been asked many times before.. Where would one
> find some usefull documentation on using biba, lomac and mls? I mean
> more about how to develop policies to secure a system with them. I've
> looked around at some trusted irix docs etc but haven't really found
> anything readable yet. Thanks for the other mailing list suggestions. I
> tihnk I will subscribe when I get some time. 

Are you looking more for theory behind them, or for documentation about
specifically implementing them?  The original Biba and Bell-La Padula
papers are a good source for the theory.  In terms of implementing them on
FreeBSD, that's an area where we're lacking on the documentation side and
need to work to improve things. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories
-------------- next part --------------
Index: mac_partition.c
===================================================================
RCS file: /home/ncvs/src/sys/security/mac_partition/mac_partition.c,v
retrieving revision 1.7
diff -u -r1.7 mac_partition.c
--- mac_partition.c	23 Jun 2003 01:26:34 -0000	1.7
+++ mac_partition.c	25 Sep 2003 16:26:14 -0000
@@ -1,6 +1,6 @@
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
- * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -111,10 +111,15 @@
 
 	(*claimed)++;
 
-	if (sbuf_printf(sb, "%ld", SLOT(label)) == -1)
-		return (EINVAL);
-	else
-		return (0);
+	if (SLOT(label) == 0) {
+		if (sbuf_printf(sb, "none") == -1)
+			return (EINVAL);
+	} else {
+		if (sbuf_printf(sb, "%ld", SLOT(label)) == -1)
+			return (EINVAL);
+	}
+
+	return (0);
 }
 
 static int
@@ -126,7 +131,12 @@
 		return (0);
 
 	(*claimed)++;
-	SLOT(label) = strtol(element_data, NULL, 10);
+
+	if (strcmp(element_data, "none") == 0)
+		SLOT(label) = 0;
+	else
+		SLOT(label) = strtol(element_data, NULL, 10);
+
 	return (0);
 }

More information about the trustedbsd-discuss mailing list