Remove a suser() check in the mac_biba policy: the MAC Framework itself

already checks suser on a network interface relabel, so don't dup it
here.  Rely solely on the Biba definition of privilege, which is
already tested.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
Submitted by:	Andrew Reisse <areisse@nailabs.com>

1 files changed, 0 insertions, 19 deletions

diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 60575c0..afd5c7a 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1482,25 +1482,6 @@ mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
 	if (error)
 		return (error);
 
-	/*
-	 * If the Biba label is to be changed, authorize as appropriate.
-	 */
-	if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
-		/*
-		 * Rely on the traditional superuser status for the Biba
-		 * interface relabel requirements.  XXXMAC: This will go
-		 * away.
-		 */
-		error = suser_cred(cred, 0);
-		if (error)
-			return (EPERM);
-
-		/*
-		 * XXXMAC: Additional consistency tests regarding the single
-		 * and the range of the new label might be performed here.
-		 */
-	}
-
 	return (0);
 }