PERFORCE change 79596 for review
Robert Watson
rwatson at FreeBSD.org
Tue Jul 5 11:49:40 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=79596
Change 79596 by rwatson at rwatson_paprika on 2005/07/05 11:49:05
In MAC and MAC policy modules, generally map suser() to
CAP_SYS_ADMIN, with two exceptions: ifnet label changes are
authorized with CAP_NET_ADMIN, and port binding in mac_portacl
is authorized with CAP_NET_BIND_SERVICE. Comment in some places
where further refinement or work is needed.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#13 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_bsdextended/mac_bsdextended.c#9 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_chkexec/mac_chkexec.c#2 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#15 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_partition/mac_partition.c#9 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_portacl/mac_portacl.c#8 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_seeotheruids/mac_seeotheruids.c#7 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_suidacl/mac_suidacl.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#13 (text+ko) ====
@@ -491,7 +491,7 @@
* policies impose this check themselves if required by the
* policy. Eventually, this should go away.
*/
- error = suser_cred(cred, 0);
+ error = cap_check_cred(cred, CAP_NET_ADMIN, 0);
if (error) {
mac_ifnet_label_free(intlabel);
return (error);
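Review bot: The switch to `cap_check_cred(cred, CAP_NET_ADMIN, 0)` at the `-`/`+` pair is the one place in this change that does not use CAP_SYS_ADMIN, and the surrounding comment (whose start is above the hunk) still describes the check generically, so a reader cannot tell the narrower capability is deliberate. A one-line addition to that comment would record the intent: `* XXXRW: ifnet label changes are authorized with CAP_NET_ADMIN rather than CAP_SYS_ADMIN.` The enclosing function begins outside the hunk, so whether `cred` can be NULL here is not visible; `cap_check_cred()`'s handling of that is presumably the same as `suser_cred()`'s, but worth confirming.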
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_bsdextended/mac_bsdextended.c#9 (text+ko) ====
@@ -325,7 +325,23 @@
{
int error, i;
- if (suser_cred(cred, 0) == 0)
+ /*
+ * Since we do not separately handle append, map append to
+ * write.
+ */
+ if (acc_mode & MBI_APPEND) {
+ acc_mode &= ~MBI_APPEND;
+ acc_mode |= MBI_WRITE;
+ }
+
+ /*
+ * XXXRW: The interactions between capabilities and privilege in
+ * mac_bsdextended are poorly defined, and should be thought about
+ * more. For now, go with the intent that the administrator not be
+ * subject to the policy. In the future, we might want to more
+ * specifically handle the privileges in mac_bsdextended_rulecheck().
+ */
+ if (cap_check_cred(cred, CAP_SYS_ADMIN, 0) == 0)
return (0);
mtx_lock(&mac_bsdextended_mtx);
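Review bot: The `MBI_APPEND` to `MBI_WRITE` normalization now runs before the CAP_SYS_ADMIN short-circuit, so `acc_mode` is rewritten even for credentials that never consult the rules; this is harmless only if `acc_mode` is a by-value parameter, and its declaration is above the hunk, so that should be confirmed. The same move also takes the normalization out of the per-rule loop (the pure-removal hunk at `-333,15`), which the commit description does not mention; it is a real simplification and deserves a sentence there. The new XXXRW comment could also state what the code now does rather than only what is undecided, e.g. append `* Note the check is made before taking mac_bsdextended_mtx, so a privileged credential never consults the rule list.` The enclosing function's signature is outside the hunk.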
@@ -333,15 +349,6 @@
if (rules[i] == NULL)
continue;
- /*
- * Since we do not separately handle append, map append to
- * write.
- */
- if (acc_mode & MBI_APPEND) {
- acc_mode &= ~MBI_APPEND;
- acc_mode |= MBI_WRITE;
- }
-
error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
object_gid, acc_mode);
if (error == EJUSTRETURN)
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_chkexec/mac_chkexec.c#2 (text+ko) ====
@@ -832,7 +832,7 @@
* Only superuser may modify the extended attribute namespace associated
* with this files checksum.
*/
- error = suser(td);
+ error = cap_check(td, CAP_SYS_ADMIN);
if (error)
return (error);
ha = mac_chkexec_get_algo();
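Review bot: The comment immediately above the changed line still says "Only superuser may modify the extended attribute namespace", but the code now authorizes on `CAP_SYS_ADMIN` via `cap_check(td, CAP_SYS_ADMIN)`, so the comment is stale in the very hunk that changes the check. Suggest `* Only a credential holding CAP_SYS_ADMIN may modify the extended` on the comment's first visible line, keeping the rest as is. The comment block and the enclosing function both begin outside the hunk.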
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#15 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_partition/mac_partition.c#9 (text+ko) ====
@@ -190,7 +190,7 @@
* in a partition in the first place, but this didn't
* interact well with sendmail.
*/
- error = suser_cred(cred, 0);
+ error = cap_check_cred(cred, CAP_SYS_ADMIN, 0);
}
return (error);
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_portacl/mac_portacl.c#8 (text+ko) ====
@@ -96,6 +96,10 @@
&mac_portacl_enabled, 0, "Enforce portacl policy");
TUNABLE_INT("security.mac.portacl.enabled", &mac_portacl_enabled);
+/*
+ * XXXRW: suser_exempt may be less significant with capability masks, as we
+ * can grant the right using CAP_NET_BIND_SERVICE.
+ */
static int mac_portacl_suser_exempt = 1;
SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RW,
&mac_portacl_suser_exempt, 0, "Privilege permits binding of any port");
@@ -480,7 +484,7 @@
mtx_unlock(&rule_mtx);
if (error != 0 && mac_portacl_suser_exempt != 0)
- error = suser_cred(cred, 0);
+ error = cap_check_cred(cred, CAP_NET_BIND_SERVICE, 0);
return (error);
}
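Review bot: The exemption at the changed line is now keyed on `CAP_NET_BIND_SERVICE` rather than on superuser status, yet it is still gated by `mac_portacl_suser_exempt`, whose sysctl description in the earlier hunk (`-96,6`) reads "Privilege permits binding of any port" and whose name says suser; the XXXRW comment added there acknowledges the tension but does not say what the knob now means. Since the sysctl name is an interface that should not be renamed, suggest extending that comment with `* With suser_exempt set, a credential holding CAP_NET_BIND_SERVICE may bind any port that the rules deny; the name is kept for compatibility.` Note that the check only runs when no rule matched (`error != 0`), so the capability overrides denials rather than replacing the rule lookup.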
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_seeotheruids/mac_seeotheruids.c#7 (text+ko) ====
@@ -117,7 +117,7 @@
if (u1->cr_ruid == u2->cr_ruid)
return (0);
- if (suser_cred(u1, 0) == 0)
+ if (cap_check_cred(u1, CAP_SYS_ADMIN, 0) == 0)
return (0);
return (ESRCH);
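Review bot: The new `cap_check_cred(u1, CAP_SYS_ADMIN, 0) == 0` check has no comment explaining why a general administrative capability is the right key for a process-visibility policy, unlike the other files in this change that carry XXXRW notes where the mapping is provisional. A short comment above the `if` would make the provisional nature explicit, e.g. `/* XXXRW: CAP_SYS_ADMIN is a coarse stand-in for "may see other uids' processes". */` The enclosing function begins outside the hunk, so it is not visible whether `u1` is guaranteed non-NULL at this point.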
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_suidacl/mac_suidacl.c#2 (text+ko) ====
@@ -340,6 +340,9 @@
int error = 0;
struct rule *current;
+ /*
+ * XXXRW: Should we be using CAP_SETGID and CAP_SETUID here?
+ */
if ((mac_suidacl_enabled == 0) || !suser_cred(cred, 0))
return (0);
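Review bot: This is the only hunk in the change that leaves `suser_cred(cred, 0)` in place, so mac_suidacl remains on the old superuser check while the commit description says suser() is generally mapped to CAP_SYS_ADMIN; the added XXXRW comment asks whether CAP_SETUID/CAP_SETGID fit better but defers the decision without applying the default mapping in the meantime. If the question is to stay open, the consistent interim would be `if ((mac_suidacl_enabled == 0) || cap_check_cred(cred, CAP_SYS_ADMIN, 0) == 0)`, and the comment should say that CAP_SYS_ADMIN is the placeholder pending that decision. The enclosing function starts above the hunk and its remainder is not visible.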