PERFORCE change 18032 for review
Robert Watson
rwatson at freebsd.org
Tue Sep 24 01:39:51 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18032
Change 18032 by rwatson at rwatson_tislabs on 2002/09/23 18:39:45
Minor hacks to better support ttys until openpty() does things
better: add tunable/sysctl twiddles to set the labels on ptys
to biba/equal and/or mls/equal when they are instantiated. This
is not the right long term solution since it doesn't properly
handle pty reuse.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#111 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#93 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#111 (text+ko) ====
@@ -101,6 +101,11 @@
TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
sizeof(trusted_interfaces));
+static int mac_biba_ptys_equal = 0;
+SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW,
+ &mac_biba_ptys_equal, 0, "Label pty devices as biba/equal on create");
+TUNABLE_INT("security.mac.biba.ptys_equal", &mac_biba_ptys_equal);
+
static int mac_biba_revocation_enabled = 0;
SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
&mac_biba_revocation_enabled, 0, "Revoke access to objects on relabel");
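Review bot: `mac_biba_ptys_equal` is declared `CTLFLAG_RW`, but its only visible consumer is the `else if` added in this file's second hunk, which reads it while a device label is being chosen. A runtime write therefore appears to affect only ptys labelled afterwards, and turning the knob off would leave already-labelled nodes at biba/equal. Because biba/equal takes the object out of the integrity comparison, this deserves a comment above the declaration, e.g. `/* Read only when a devfs node is first labelled; changing it later does not relabel existing ptys. */`. The same applies to `mac_mls_ptys_equal` in the mac_mls.c hunk at -90,6.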
@@ -568,6 +573,10 @@
strcmp(dev->si_name, "random") == 0 ||
strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
biba_type = MAC_BIBA_TYPE_EQUAL;
+ else if (mac_biba_ptys_equal &&
+ (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
+ strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
+ biba_type = MAC_BIBA_TYPE_EQUAL;
else
biba_type = MAC_BIBA_TYPE_HIGH;
mac_biba_set_single(mac_biba, biba_type, 0);
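Review bot: The new `else if` matches only the `ttyp`/`ptyp` prefixes, so if the pty driver in this tree also creates further banks (traditionally `ttyq*`, `ttyr*` and their `pty` masters), those nodes still fall through to `MAC_BIBA_TYPE_HIGH`. A session would then be labelled differently depending on which pty it happens to be allocated. Consider testing the three-character prefix and then the bank letter against the driver's own bank list instead of hard-coding `p`, or add `/* XXX: only the first pty bank is covered */` if the limit is intended. The prefix test also accepts any other device whose name merely begins with `ttyp` or `ptyp`. The enclosing function starts and ends outside the hunk, and the identical branch in the mac_mls.c hunk at -559,6 (`MAC_MLS_TYPE_EQUAL`) has the same coverage.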
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#93 (text+ko) ====
@@ -90,6 +90,11 @@
SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
&destroyed_not_inited, 0, "Count of labels destroyed but not inited");
+static int mac_mls_ptys_equal = 0;
+SYSCTL_INT(_security_mac_mls, OID_AUTO, ptys_equal, CTLFLAG_RW,
+ &mac_mls_ptys_equal, 0, "Label pty devices as mls/equal on create");
+TUNABLE_INT("security.mac.mls.ptys_equal", &mac_mls_ptys_equal);
+
static int mac_mls_revocation_enabled = 0;
SYSCTL_INT(_security_mac_mls, OID_AUTO, revocation_enabled, CTLFLAG_RW,
&mac_mls_revocation_enabled, 0, "Revoke access to objects on relabel");
@@ -559,6 +564,10 @@
else if (strcmp(dev->si_name, "kmem") == 0 ||
strcmp(dev->si_name, "mem") == 0)
mls_type = MAC_MLS_TYPE_HIGH;
+ else if (mac_mls_ptys_equal &&
+ (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
+ strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
+ mls_type = MAC_MLS_TYPE_EQUAL;
else
mls_type = MAC_MLS_TYPE_LOW;
mac_mls_set_single(mac_mls, mls_type, 0);