cvs commit: src/sys/sys mac_policy.h src/sys/kern kern_mac.c src/sys/security/mac_biba mac_biba.c src/sys/security/mac_lomac mac_lomac.c src/sys/security/mac_mls mac_mls.c src/sys/security/mac_partition ...

Robert Watson rwatson at FreeBSD.org
Sun Jun 22 18:26:36 PDT 2003 

rwatson     2003/06/22 18:26:34 PDT

  FreeBSD src repository

  Modified files:
    sys/sys              mac_policy.h 
    sys/kern             kern_mac.c 
    sys/security/mac_biba mac_biba.c 
    sys/security/mac_lomac mac_lomac.c 
    sys/security/mac_mls mac_mls.c 
    sys/security/mac_none mac_none.c 
    sys/security/mac_partition mac_partition.c 
    sys/security/mac_test mac_test.c 
  Log:
  Redesign the externalization APIs from the MAC Framework to
  the MAC policy modules to improve robustness against C string
  bugs and vulnerabilities.  Following these revisions, all
  string construction of labels for export to userspace (or
  elsewhere) is performed using the sbuf API, which prevents
  the consumer from having to perform laborious and intricate
  pointer and buffer checks.  This substantially simplifies
  the externalization logic, both at the MAC Framework level,
  and in individual policies; this becomes especially useful
  when policies export more complex label data, such as with
  compartments in Biba and MLS.
  
  Bundled in here are some other minor fixes associated with
  externalization: including avoiding malloc while holding the
  process mutex in mac_lomac, and hence avoid a failure mode
  when printing labels during a downgrade operation due to
  the removal of the M_NOWAIT case.
  
  This has been running in the MAC development tree for about
  three weeks without problems.
  
  Obtained from:  TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  
  Revision  Changes    Path
  1.93      +20 -40    src/sys/kern/kern_mac.c
  1.62      +14 -26    src/sys/security/mac_biba/mac_biba.c
  1.15      +66 -105   src/sys/security/mac_lomac/mac_lomac.c
  1.50      +14 -26    src/sys/security/mac_mls/mac_mls.c
  1.29      +1 -1      src/sys/security/mac_none/mac_none.c
  1.7       +7 -3      src/sys/security/mac_partition/mac_partition.c
  1.28      +1 -1      src/sys/security/mac_test/mac_test.c
  1.41      +7 -12     src/sys/sys/mac_policy.h

More information about the cvs-all mailing list