authorrwatson <rwatson@FreeBSD.org>2002-10-29 19:18:52 +0000
committerrwatson <rwatson@FreeBSD.org>2002-10-29 19:18:52 +0000
commit6c3898d0fcf0bb660ed6f58721b1eae2fc2115a8 (patch)
treecb10c26da7c512fab73c820b4baa0f0ef9524f00 /sys/security/mac_biba
parent34c75e428fc104c17fc6389e9b66a05ed6bdd586 (diff)
Implement Biba policy entry points for mac_check_system_swapon()
and mac_check_system_sysctl(), providing additional integrity protections relating to swap target device selection and system management via sysctl(). Require Biba privilege for both; also require that the target of swap operations be a high integrity object, since swap data is high integrity. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac_biba')
-rw-r--r--sys/security/mac_biba/mac_biba.c59
1 files changed, 59 insertions, 0 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index c4ce41a..c424328 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1871,6 +1871,61 @@ mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
}
static int
+mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_biba_subject_privileged(subj))
+ return (EPERM);
+
+ if (!mac_biba_high_single(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ struct mac_biba *subj;
+ int error;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+
+ /*
+ * In general, treat sysctl variables as biba/high, but also
+ * require privilege to change them, since they are a
+ * communications channel between grades. Exempt MIB
+ * queries from this due to undocmented sysctl magic.
+ * XXXMAC: This probably requires some more review.
+ */
+ if (new != NULL) {
+ if (namelen > 0 && name[0] == 0)
+ return (0);
+
+ if (!mac_biba_subject_dominate_high(subj))
+ return (EACCES);
+
+ error = mac_biba_subject_privileged(subj);
+ if (error)
+ return (error);
+ }
+
+ return (0);
+}
+
+static int
mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
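Review bot: The two new entry points disagree on the return convention of `mac_biba_subject_privileged()`: `mac_biba_check_system_swapon` treats a zero result as "not privileged" (`if (!mac_biba_subject_privileged(subj)) return (EPERM);`), while `mac_biba_check_system_sysctl` treats a non-zero result as an errno and returns it. The helper's definition is outside this hunk, but if it returns 0 on success as the sysctl caller assumes, the swapon check is inverted: privileged subjects are refused with EPERM, and unprivileged ones are gated only by the `mac_biba_high_single(obj)` test. In that case swapon should declare `int error;` and use the same form as sysctl, `error = mac_biba_subject_privileged(subj); if (error) return (error);`. Separately, the `name[0] == 0` exemption sits inside the `new != NULL` branch, so it also skips both checks for write requests to that subtree; the `XXXMAC` comment should say whether that is intended.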
@@ -2651,6 +2706,10 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_check_socket_relabel },
{ MAC_CHECK_SOCKET_VISIBLE,
(macop_t)mac_biba_check_socket_visible },
+ { MAC_CHECK_SYSTEM_SWAPON,
+ (macop_t)mac_biba_check_system_swapon },
+ { MAC_CHECK_SYSTEM_SYSCTL,
+ (macop_t)mac_biba_check_system_sysctl },
{ MAC_CHECK_VNODE_ACCESS,
(macop_t)mac_biba_check_vnode_open },
{ MAC_CHECK_VNODE_CHDIR,