PERFORCE change 15499 for review

Robert Watson rwatson at freebsd.org
Sat Aug 3 22:32:07 GMT 2002


http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15499

Change 15499 by rwatson at rwatson_curry on 2002/08/03 15:31:46

	Teach Biba to prevent equal labels from being set by subjects
	without EQUAL already set (a special case will be needed to
	permit low-high processes to set EQUAL).
	
	Teach Biba to support partial updates of labels that contain
	both low and high, as well as to ignore update requests
	that don't set any Biba components.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#87 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#87 (text+ko) ====

@@ -135,6 +135,15 @@
 }
 
 static int
+biba_atmostflags(struct mac_biba *mac_biba, int flags)
+{
+
+	if (((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) & flags) != flags)
+		return (EINVAL);
+	return (0);
+}
+
+static int
 mac_biba_dominate_element(struct mac_biba_element *a,
     struct mac_biba_element *b)
 {
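Review bot: The test in the new helper is the wrong way round for an "at most" check: `((mb_flags & MAC_BIBA_FLAGS_BOTH) & flags) != flags` rejects a label that lacks any bit of `flags`, so it demands at least those components instead of rejecting extra ones. With `MAC_BIBA_FLAGS_BOTH` that still requires both single and range, which defeats the partial updates the description promises. With `MAC_BIBA_FLAG_SINGLE` (the pipe relabel hunk) a label that also carries a range is now accepted where the old `!=` comparison returned EINVAL. The subset test would be `if ((mac_biba->mb_flags & flags) != mac_biba->mb_flags) return (EINVAL);`. The helper is also defined as `biba_atmostflags` while every caller in this change uses `mac_biba_atmostflags`, so unless that name exists elsewhere in the file the build breaks; rename the definition to match.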
@@ -263,6 +272,24 @@
 }
 
 static int
+mac_biba_contains_equal(struct mac_biba *mac_biba)
+{
+
+	if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE)
+		if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
+			return (1);
+
+	if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) {
+		if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL)
+			return (1);
+		if (mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
+			return (1);
+	}
+
+	return (0);
+}
+
+static int
 mac_biba_valid(struct mac_biba *mac_biba)
 {
 
@@ -384,6 +411,16 @@
 	labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
 }
 
+static void
+mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
+{
+
+	if (source->mb_flags & MAC_BIBA_FLAG_SINGLE)
+		mac_biba_copy_single(source, dest);
+	if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
+		mac_biba_copy_range(source, dest);
+}
+
 /*
  * Policy module operations.
  */
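Review bot: mac_biba_copy() has no comment, and its name hides that it merges rather than copies: a component the source does not flag is left as it was in `dest`, and the visible tail of the range copy only ORs `MAC_BIBA_FLAG_RANGE` into the destination flags. A short block comment above it would help, e.g. `/* Copy only the components present in source; components absent from source are left unchanged in dest. */`. The two call sites in later hunks that previously called only mac_biba_copy_single() (`label` to `vnodelabel`, and `vnodelabel` to `direntlabel`) will now also take a range when the source carries one, which is worth confirming as intended.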
@@ -707,7 +744,7 @@
 	source = SLOT(label);
 	dest = SLOT(vnodelabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy(source, dest);
 }
 
 static void
@@ -719,7 +756,7 @@
 	source = SLOT(vnodelabel);
 	dest = SLOT(direntlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy(source, dest);
 }
 
 static void
@@ -835,8 +872,7 @@
 	source = SLOT(newlabel);
 	dest = SLOT(socketlabel);
 
-	mac_biba_copy_single(source, dest);
-	mac_biba_copy_range(source, dest);
+	mac_biba_copy(source, dest);
 }
 
 static void
@@ -1075,8 +1111,7 @@
 	source = SLOT(newlabel);
 	dest = SLOT(ifnetlabel);
 
-	mac_biba_copy_single(source, dest);
-	mac_biba_copy_range(source, dest);
+	mac_biba_copy(source, dest);
 }
 
 static void
@@ -1153,8 +1188,7 @@
 	source = SLOT(newlabel);
 	dest = SLOT(&cred->cr_label);
 
-	mac_biba_copy_single(source, dest);
-	mac_biba_copy_range(source, dest);
+	mac_biba_copy(source, dest);
 }
 
 /*
@@ -1181,12 +1215,14 @@
 mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_biba *subj, *new;
+	int error;
 
 	subj = SLOT(&cred->cr_label);
 	new = SLOT(newlabel);
 
-	if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH)
-		return (EINVAL);
+	error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
+	if (error)
+		return (error);
 
 	/*
 	 * XXX: Allow processes with root privilege to set labels outside
@@ -1199,18 +1235,23 @@
 	/*
 	 * The new single must be in the old range.
 	 */
-	if (!mac_biba_single_in_range(new, subj))
+	if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
+	    !mac_biba_single_in_range(new, subj))
 		return (EPERM);
 
 	/*
 	 * The new range must be in the old range.
 	 */
-	if (!mac_biba_range_in_range(new, subj))
+	if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
+	    !mac_biba_range_in_range(new, subj))
 		return (EPERM);
 
 	/*
-	 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
+	 * If the old subject label doesn't contain EQUAL, don't let the
+	 * new subject label contain EQUAL.
 	 */
+	if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+		return (EPERM);
 
 	return (0);
 }
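Review bot: The relabel check validates the new single and the new range against the old subject range independently, but never against each other, so the resulting credential label may have its single outside its own range. When both components are supplied, a single and a range that each fit the old range pass even if the single lies outside the new range; when only a range is supplied, the existing single is not compared with it before mac_biba_copy() merges the update into the credential. Unless mac_biba_valid() or the caller already enforces this, consider adding `if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAGS_BOTH && !mac_biba_single_in_range(new, new)) return (EINVAL);` and a matching check for the range-only case. The socket relabel hunk further down has the same shape. The function starts outside this hunk.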
@@ -1238,12 +1279,14 @@
     struct label *ifnetlabel, struct label *newlabel)
 {
 	struct mac_biba *subj, *new;
+	int error;
 
 	subj = SLOT(&cred->cr_label);
 	new = SLOT(newlabel);
 
-	if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH)
-		return (EINVAL);
+	error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
+	if (error)
+		return (error);
 
 	/*
 	 * XXX: Only Biba HIGH subjects may relabel interfaces. */
@@ -1258,7 +1301,7 @@
     struct mbuf *m, struct label *mbuflabel)
 {
 	struct mac_biba *p, *i;
-        
+	
 	if (!mac_biba_enabled)
 		return (0);
 
@@ -1334,13 +1377,15 @@
     struct label *pipelabel, struct label *newlabel)
 {
 	struct mac_biba *subj, *obj, *new;
+	int error;
 
 	new = SLOT(newlabel);
 	subj = SLOT(&cred->cr_label);
 	obj = SLOT(pipelabel);
 
-	if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
-		return (EINVAL);
+	error = mac_biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE);
+	if (error)
+		return (error);
 
 	/*
 	 * To relabel a pipe, the old pipe label must be in the subject
@@ -1353,12 +1398,16 @@
 	 * To relabel a pipe, the new pipe label must be in the subject
 	 * range.
 	 */
-	if (!mac_biba_single_in_range(new, subj))
+	if (new->mb_flags & MAC_BIBA_FLAGS_SINGLE &&
+	    !mac_biba_single_in_range(new, subj))
 		return (EPERM);
 
 	/*
-	 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
+	 * If the subject label doesn't contain equal, don't let the new
+	 * pipe label contain equal.
 	 */
+	if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+		return (EPERM);
 
 	return (0);
 }
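Review bot: The added guard tests `MAC_BIBA_FLAGS_SINGLE`, while the rest of this change spells the flag `MAC_BIBA_FLAG_SINGLE`, including the atmostflags call for this same pipe check. Unless a macro with the plural name is defined elsewhere, this will not compile; if it is defined with a different value, the single-in-range check is skipped for the wrong labels. The line should read `if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&`. The function body starts outside this hunk.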
@@ -1443,13 +1492,15 @@
     struct label *socketlabel, struct label *newlabel)
 {
 	struct mac_biba *subj, *obj, *new;
+	int error;
 
 	new = SLOT(newlabel);
 	subj = SLOT(&cred->cr_label);
 	obj = SLOT(socketlabel);
 
-	if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
-		return (EINVAL);
+	error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
+	if (error)
+		return (error);
 
 	/*
 	 * To relabel a socket, the old socket label must be in the subject
@@ -1459,16 +1510,27 @@
 		return (EPERM);
 
 	/*
-	 * To relabel a socket, the new socket label must be in the subject
+	 * To relabel a socket, the new socket single must be in the subject
 	 * range.
 	 */
-	if (!mac_biba_single_in_range(new, subj))
+	if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
+	    !mac_biba_single_in_range(new, subj))
 		return (EPERM);
 
 	/*
-	 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
+	 * The new range must be in the subject range.
 	 */
+	if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
+	    !mac_biba_range_in_range(new, subj))
+		return (EPERM);
 
+	/*
+	 * If the subject label doesn't contain EQUAL, don't let the new
+	 * socket label contain EQUAL.
+	 */
+	if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+		return (EPERM);
+
 	return (0);
 }
 
@@ -1729,13 +1791,15 @@
     struct label *vnodelabel, struct label *newlabel)
 {
 	struct mac_biba *old, *new, *subj;
+	int error;
 
 	old = SLOT(vnodelabel);
 	new = SLOT(newlabel);
 	subj = SLOT(&cred->cr_label);
 
-	if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
-		return (EINVAL);
+	error = mac_biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
+	if (error)
+		return (error);
 
 	/*
 	 * To relabel a vnode, the old vnode label must be in the subject
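Review bot: Passing `MAC_BIBA_FLAGS_BOTH` here lets a vnode relabel request carry a range, which the replaced check (`!= MAC_BIBA_FLAG_SINGLE`) rejected, yet the following hunk validates only the single against the subject range. A range component would therefore reach the vnode label unchecked against the subject, apart from the EQUAL test. If vnodes are meant to hold only a single, as the old check implies, use `error = mac_biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE);`; otherwise add the `mac_biba_range_in_range(new, subj)` check that the socket hunk adds. The function continues past this hunk.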
@@ -1748,12 +1812,16 @@
 	 * To relabel a vnode, the new vnode label must be in the subject
 	 * range.
 	 */
-	if (!mac_biba_single_in_range(new, subj))
+	if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
+	    !mac_biba_single_in_range(new, subj))
 		return (EPERM);
 
 	/*
-	 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
+	 * If the subject label doesn't contain EQUAL, don't let the new
+	 * vnode label contain EQUAL.
 	 */
+	if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+		return (EPERM);
 
 	return (suser_cred(cred, 0));
 }