From cc461cb6e3210c65f97f97566f6d0cf18b98f870 Mon Sep 17 00:00:00 2001
From: rwatson <rwatson@FreeBSD.org>
Date: Thu, 31 Jul 2003 18:35:43 +0000
Subject: Remove a suser() check in the mac_biba policy: the MAC Framework
 itself already checks suser on a network interface relabel, so don't dup it
 here.  Rely solely on the Biba definition of privilege, which is already
 tested.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
Submitted by:	Andrew Reisse <areisse@nailabs.com>
---
 sys/security/mac_biba/mac_biba.c | 19 -------------------
 1 file changed, 19 deletions(-)

(limited to 'sys/security')

diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 60575c0..afd5c7a 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1482,25 +1482,6 @@ mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
 	if (error)
 		return (error);
 
-	/*
-	 * If the Biba label is to be changed, authorize as appropriate.
-	 */
-	if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
-		/*
-		 * Rely on the traditional superuser status for the Biba
-		 * interface relabel requirements.  XXXMAC: This will go
-		 * away.
-		 */
-		error = suser_cred(cred, 0);
-		if (error)
-			return (EPERM);
-
-		/*
-		 * XXXMAC: Additional consistency tests regarding the single
-		 * and the range of the new label might be performed here.
-		 */
-	}
-
 	return (0);
 }
 
-- 
cgit v1.1