From 684bc9e08ec18169c603912587c56a6206587948 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Mon, 21 Oct 2002 04:15:40 +0000
Subject: Add a twiddle to create PTY's with a biba/equal or mls/equal label instead of the default biba/high, mls/low, making it easier to use ptys with these policies. This isn't the final solution, but does help.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/security/mac_biba/mac_biba.c | 9 +++++++++
 sys/security/mac_mls/mac_mls.c | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index d27b54c..d7349f3 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -102,6 +102,11 @@ SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
 TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
     sizeof(trusted_interfaces));
 
+static int ptys_equal = 0;
+SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW,
+    &ptys_equal, 0, "Label pty devices as biba/equal on create");
+TUNABLE_INT("security.mac.biba.ptys_equal", &ptys_equal);
+
 static int mac_biba_revocation_enabled = 0;
 SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
     &mac_biba_revocation_enabled, 0, "Revoke access to objects on relabel");
@@ -461,6 +466,10 @@ mac_biba_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
 	    strcmp(dev->si_name, "random") == 0 ||
 	    strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
 		biba_type = MAC_BIBA_TYPE_EQUAL;
+	else if (ptys_equal &&
+	    (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
+	    strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
+		biba_type = MAC_BIBA_TYPE_EQUAL;
 	else
 		biba_type = MAC_BIBA_TYPE_HIGH;
 	mac_biba_set_single(mac_biba, biba_type, 0);
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 7fb2c78..752a7ad 100644
--- a/sys/security/mac_mls/mac_mls.c
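Review bot: The ptys_equal sysctl is declared CTLFLAG_RW but, going by its only use in mac_biba_create_devfs_device (second hunk of this file), it is consulted once when a pty devfs node is created, so flipping it at runtime affects only ptys created afterwards and presumably leaves already-labelled nodes as they are. That scope is worth stating at the declaration, since an administrator turning the knob back off will not get biba/high restored on existing ptys; I would put `/* Consulted only when a pty devfs node is created; toggling it later does not relabel existing ptys. */` above `static int ptys_equal = 0;`. The first hunk of mac_mls.c has the same declaration and wants the same comment, with the added remark that mls/equal places the pty outside the policy's sensitivity ordering entirely.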
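Review bot: The new `else if` in mac_biba_create_devfs_device only recognises node names beginning with `ttyp` or `ptyp`, so if the pty driver also hands out the other unit letters (as I recall FreeBSD names them tty[pqrsPQRS][0-9a-v] with matching pty* masters, but confirm against tty_pty.c), every bank after the first keeps the default biba/high label even with ptys_equal set, and a plain prefix match would also accept any longer name that happens to start with `ttyp`. I would replace the two strncmp calls with a small static helper that requires exactly five characters, a `tty` or `pty` prefix and one of the pty unit letters in position four, so the branch becomes `else if (ptys_equal && mac_biba_is_pty(dev->si_name))`. The second hunk of mac_mls.c has the same two strncmp tests and needs the same treatment; mac_biba_create_devfs_device itself begins and ends outside the hunk.
```c
/* True for a pty slave or master node named tty<L><U> / pty<L><U>,
 * where <L> is one of the pty unit letters and <U> a single unit digit. */
static int
mac_biba_is_pty(const char *name)
{
	if (strlen(name) != 5)
		return (0);
	if (strncmp(name, "tty", 3) != 0 && strncmp(name, "pty", 3) != 0)
		return (0);
	switch (name[3]) {
	case 'p': case 'q': case 'r': case 's':
	case 'P': case 'Q': case 'R': case 'S':
		return (1);
	default:
		return (0);
	}
}

/* … unchanged: earlier branches of mac_biba_create_devfs_device … */
	else if (ptys_equal && mac_biba_is_pty(dev->si_name))
		biba_type = MAC_BIBA_TYPE_EQUAL;
/* … unchanged: else branch and mac_biba_set_single call … */
```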
+++ b/sys/security/mac_mls/mac_mls.c
@@ -91,6 +91,11 @@ static int destroyed_not_inited;
 SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
     &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
 
+static int ptys_equal = 0;
+SYSCTL_INT(_security_mac_mls, OID_AUTO, ptys_equal, CTLFLAG_RW,
+    &ptys_equal, 0, "Label pty devices as mls/equal on create");
+TUNABLE_INT("security.mac.mls.ptys_equal", &ptys_equal);
+
 static int mac_mls_revocation_enabled = 0;
 SYSCTL_INT(_security_mac_mls, OID_AUTO, revocation_enabled, CTLFLAG_RW,
     &mac_mls_revocation_enabled, 0, "Revoke access to objects on relabel");
@@ -453,6 +458,10 @@ mac_mls_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
 	else if (strcmp(dev->si_name, "kmem") == 0 ||
 	    strcmp(dev->si_name, "mem") == 0)
 		mls_type = MAC_MLS_TYPE_HIGH;
+	else if (ptys_equal &&
+	    (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
+	    strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
+		mls_type = MAC_MLS_TYPE_EQUAL;
 	else
 		mls_type = MAC_MLS_TYPE_LOW;
 	mac_mls_set_single(mac_mls, mls_type, 0);
-- 
cgit v1.1