PERFORCE change 89432 for review

Christian S.J. Peron csjp at FreeBSD.org
Mon Jan 9 20:01:50 GMT 2006


http://perforce.freebsd.org/chv.cgi?CH=89432

Change 89432 by csjp at csjp_xor on 2006/01/09 20:01:34

	Now that we have support for labeling in NFS, teach the BIBA policy about
	it. For now, the NFSD label will be set to biba/high(low-high). This is
	going to change, however. We need to think about what makes the most sense.
	
	Should the label be inherited from the NFSD process which makes the nfssvc()
	call? Should it come from the network interface the NFS request was received
	on? We need to give this some thought.
	
	It should be noted that this fixed a panic which occurs when files are created
	through NFS. This happened because the object label was not properly initialized.
	So this effectively un-breaks BIBA+NFS.
	
	We will need to do something similar for other labeled security policies, too.
	Hopefully I have the time to do this.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#259 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#259 (text+ko) ====

@@ -49,6 +49,7 @@
 #include <sys/malloc.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
+#include <sys/namei.h>
 #include <sys/proc.h>
 #include <sys/sbuf.h>
 #include <sys/systm.h>
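Review bot: The added #include <sys/namei.h> has no visible user in this change: the new mac_biba_associate_nfsd_label() touches only cred->cr_label, SLOT(), mac_biba_set_effective() and mac_biba_set_range(). If nothing else in the file needs the header, drop it; if something does, name it in the change description so the dependency is not removed later as dead.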
@@ -3083,6 +3084,17 @@
 	return (0);
 }
 
+static void
+mac_biba_associate_nfsd_label(struct ucred *cred)
+{
+	struct mac_biba *label;
+
+	label = SLOT(cred->cr_label);
+	mac_biba_set_effective(label, MAC_BIBA_TYPE_HIGH, 0, NULL);
+	mac_biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL,
+	    MAC_BIBA_TYPE_HIGH, 0, NULL);
+}
+
 static struct mac_policy_ops mac_biba_ops =
 {
 	.mpo_init = mac_biba_init,
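Review bot: mac_biba_associate_nfsd_label() hard-codes an effective label of MAC_BIBA_TYPE_HIGH with a MAC_BIBA_TYPE_LOW to MAC_BIBA_TYPE_HIGH range, and nothing in the code marks this as provisional, although the change description says it is going to change. Add an XXX comment above the function stating that the label is a placeholder and recording the open question (inherit from the nfssvc() caller, or derive from the receiving interface), so that the full low-high range on the NFSD credential is not later read as a settled policy decision.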
@@ -3262,6 +3274,7 @@
 	.mpo_check_vnode_setutimes = mac_biba_check_vnode_setutimes,
 	.mpo_check_vnode_stat = mac_biba_check_vnode_stat,
 	.mpo_check_vnode_write = mac_biba_check_vnode_write,
+	.mpo_associate_nfsd_label = mac_biba_associate_nfsd_label,
 };
 
 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
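Review bot: The new .mpo_associate_nfsd_label entry is appended after .mpo_check_vnode_write, at the tail of a run of mpo_check_vnode_* access checks, although it is a label-initialization hook and not a check. Consider placing it next to the table's other label setup entries so a reader scanning mac_biba_ops for how credentials get labeled will find it.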