PERFORCE change 15611 for review
Robert Watson
rwatson at freebsd.org
Tue Aug 6 14:18:52 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15611
Change 15611 by rwatson at rwatson_tislabs on 2002/08/06 07:18:22
Synchronize mac_biba policy checks during relable to mac_mls.
Further improve handling of partial label updates between
policies. Revert Biba from "high" to "suser" check for interface
relabeling since how to handle privilege is not yet clear.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#92 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#92 (text+ko) ====
@@ -1247,40 +1247,57 @@
subj = SLOT(&cred->cr_label);
new = SLOT(newlabel);
+ /*
+ * If there is a Biba label update for the credential, it may
+ * be an update of the single, range, or both.
+ */
error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
if (error)
return (error);
/*
- * XXX: Allow processes with root privilege to set labels outside
- * their range, so suid things like "su" work. This WILL go away
- * when we figure out the 'correct' solution...
+ * If the Biba label is to be changed, authorize as appropriate.
*/
- if (!suser_cred(cred, 0))
- return (0);
+ if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
+ /*
+ * Exempt traditional superuser processes from the Biba
+ * relabel requirements. XXXMAC: This will go away.
+ */
+ if (suser_cred(cred, 0) == 0)
+ return (0);
+
+ /*
+ * To change the Biba single label on a credential, the
+ * new single label must be in the current range.
+ */
+ if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
+ !mac_biba_single_in_range(new, subj))
+ return (EPERM);
- /*
- * The new single must be in the old range.
- */
- if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
- !mac_biba_single_in_range(new, subj))
- return (EPERM);
+ /*
+ * To change the Biba range on a credential, the new
+ * range label must be in the current range.
+ */
+ if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
+ !mac_biba_range_in_range(new, subj))
+ return (EPERM);
- /*
- * The new range must be in the old range.
- */
- if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
- !mac_biba_range_in_range(new, subj))
- return (EPERM);
+ /*
+ * To have EQUAL in any components of the new credential
+ * Biba label, the subject must already have EQUAL in
+ * their label.
+ */
+ if (mac_biba_contains_equal(new)) {
+ error = mac_biba_subject_equal_ok(subj);
+ if (error)
+ return (error);
+ }
- /*
- * If the old subject label doesn't contain EQUAL, don't let the
- * new subject label contain EQUAL.
- */
- if (mac_biba_contains_equal(new)) {
- error = mac_biba_subject_equal_ok(subj);
- if (error)
- return (error);
+ /*
+ * XXXMAC: Additional consistency tests regarding the
+ * single and range of the new label might be performed
+ * here.
+ */
}
return (0);
@@ -1314,16 +1331,29 @@
subj = SLOT(&cred->cr_label);
new = SLOT(newlabel);
+ /*
+ * If there is a Biba label update for the interface, it may
+ * be an update of the single, range, or both.
+ */
error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
if (error)
return (error);
/*
- * XXX: Only Biba HIGH subjects may relabel interfaces. */
- if (!mac_biba_high_single(subj))
- return (EPERM);
+ * If the Biba label is to be changed, authorize as appropriate.
+ */
+ if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
+ /*
+ * Rely on the traditional superuser status for the Biba
+ * interface relabel requirements. XXXMAC: This will go
+ * away.
+ */
+ error = suser_cred(cred, 0);
+ if (error)
+ return (EPERM);
+ }
- return (suser_cred(cred, 0));
+ return (0);
}
static int
@@ -1413,33 +1443,41 @@
subj = SLOT(&cred->cr_label);
obj = SLOT(pipelabel);
+ /*
+ * If there is a Biba label update for a pipe, it must be a
+ * single update.
+ */
error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE);
if (error)
return (error);
/*
- * To relabel a pipe, the old pipe label must be in the subject
- * range.
+ * To perform a relabel of a pipe (Biba label or not), Biba must
+ * authorize the relabel.
*/
if (!mac_biba_single_in_range(obj, subj))
return (EPERM);
/*
- * To relabel a pipe, the new pipe label must be in the subject
- * range.
+ * If the Biba label is to be changed, authorize as appropriate.
*/
- if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
- !mac_biba_single_in_range(new, subj))
- return (EPERM);
+ if (new->mb_flags & MAC_BIBA_FLAG_SINGLE) {
+ /*
+ * To change the Biba label on a pipe, the new pipe label
+ * must be in the subject range.
+ */
+ if (!mac_biba_single_in_range(new, subj))
+ return (EPERM);
- /*
- * If the subject label doesn't contain equal, don't let the new
- * pipe label contain equal.
- */
- if (mac_biba_contains_equal(new)) {
- error = mac_biba_subject_equal_ok(subj);
- if (error)
- return (error);
+ /*
+ * To change the Biba label on a pipe to be EQUAL, the
+ * subject must have appropriate privilege.
+ */
+ if (mac_biba_contains_equal(new)) {
+ error = mac_biba_subject_equal_ok(subj);
+ if (error)
+ return (error);
+ }
}
return (0);
@@ -1531,41 +1569,64 @@
subj = SLOT(&cred->cr_label);
obj = SLOT(socketlabel);
+ /*
+ * If there is a Biba label update for the socket, it may be
+ * an update of single, range, or both.
+ */
error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
if (error)
return (error);
/*
- * To relabel a socket, the old socket label must be in the subject
+ * To relabel a socket, the old socket single must be in the subject
* range.
*/
if (!mac_biba_single_in_range(obj, subj))
return (EPERM);
/*
- * To relabel a socket, the new socket single must be in the subject
+ * To relabel a socket, the old socket range must be in the subject
* range.
*/
- if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
- !mac_biba_single_in_range(new, subj))
+ if (!mac_biba_range_in_range(obj, subj))
return (EPERM);
/*
- * The new range must be in the subject range.
+ * If the Biba label is to be changed, authorize as appropriate.
*/
- if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
- !mac_biba_range_in_range(new, subj))
- return (EPERM);
+ if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
+ /*
+ * To relabel a socket, the new socket single must be in
+ * the subject range.
+ */
+ if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
+ !mac_biba_single_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * To change the Biba range on the socket, the new socket
+ * range must be in the subject range.
+ */
+ if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
+ !mac_biba_range_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * To change the Biba label on the socket to contain EQUAL,
+ * the subject must have appropriate privilege.
+ */
+ if (mac_biba_contains_equal(new)) {
+ error = mac_biba_subject_equal_ok(subj);
+ if (error)
+ return (error);
+ }
- /*
- * If the subject label doesn't contain EQUAL, don't let the new
- * socket label contain EQUAL.
- */
- if (mac_biba_contains_equal(new)) {
- error = mac_biba_subject_equal_ok(subj);
- if (error)
- return (error);
+ /*
+ * XXXMAC: Additional consistency tests regarding the single
+ * and range of the new label might be performed here.
+ */
}
+
return (0);
}
@@ -1832,33 +1893,42 @@
new = SLOT(newlabel);
subj = SLOT(&cred->cr_label);
+ /*
+ * If there is a Biba label update for the vnode, it must be a
+ * single label.
+ */
error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE);
if (error)
return (error);
/*
- * To relabel a vnode, the old vnode label must be in the subject
- * range.
+ * To perform a relabel of the vnode (Biba label or not), Biba must
+ * authorize the relabel.
*/
if (!mac_biba_single_in_range(old, subj))
return (EPERM);
/*
- * To relabel a vnode, the new vnode label must be in the subject
- * range.
+ * If the Biba label is to be changed, authorize as appropriate.
*/
- if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
- !mac_biba_single_in_range(new, subj))
- return (EPERM);
+ if (new->mb_flags & MAC_BIBA_FLAG_SINGLE) {
+ /*
+ * To change the Biba label on a vnode, the new vnode label
+ * must be in the subject range.
+ */
+ if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
+ !mac_biba_single_in_range(new, subj))
+ return (EPERM);
- /*
- * If the subject label doesn't contain EQUAL, don't let the new
- * vnode label contain EQUAL.
- */
- if (mac_biba_contains_equal(new)) {
- error = mac_biba_subject_equal_ok(subj);
- if (error)
- return (error);
+ /*
+ * To change the Biba label on the vnode to be EQUAL,
+ * the subject must have appropriate privilege.
+ */
+ if (mac_biba_contains_equal(new)) {
+ error = mac_biba_subject_equal_ok(subj);
+ if (error)
+ return (error);
+ }
}
return (0);
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list