Sysctls handling cleanups.
Robert Watson
rwatson at FreeBSD.org
Tue Feb 17 04:12:24 GMT 2004
On Mon, 16 Feb 2004, Pawel Jakub Dawidek wrote:
> Current implementation of sysctl objects handling isn't too good. Patch
> below cleans it up and removes some 'XXX' code.
>
> http://garage.freebsd.pl/patches/mac_sysctls.patch
>
> Tested with mac_biba(4).
Generally looks good. One thought on this though:
> @@ -1985,16 +1985,10 @@ mac_biba_check_system_sysctl(struct ucre
> subj = SLOT(cred->cr_label);
>
> /*
> - * In general, treat sysctl variables as biba/high, but also
> - * require privilege to change them, since they are a
> - * communications channel between grades. Exempt MIB
> - * queries from this due to undocmented sysctl magic.
> - * XXXMAC: This probably requires some more review.
> + * Treat sysctl variables without CTLFLAG_ANYBODY flag as
> + * biba/high, but also require privilege to change them.
> */
> - if (new != NULL) {
> - if (namelen > 0 && name[0] == 0)
> - return (0);
> -
> + if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
> if (!mac_biba_subject_dominate_high(subj))
> return (EACCES);
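Review bot: The exemption removed here (namelen > 0 && name[0] == 0 returning 0) has no counterpart in the new condition, and the replacement comment no longer mentions MIB queries at all. If those requests are now expected to pass because their OIDs carry CTLFLAG_ANYBODY, the comment should say so; otherwise a request with req->newptr set from a subject that does not dominate biba/high will now reach the return (EACCES) path where it was previously allowed. The comment also only describes OIDs without the flag, so it should state why skipping the integrity check for CTLFLAG_ANYBODY OIDs is acceptable.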
Since Biba is about information flow, it strikes me we should also block
writes to oid's with CTLFLAG_ANYBODY set, or we permit unwanted
information flow. On the other hand, perhaps CTLFLAG_ANYBODY settings are
generally "special" and don't represent shared state? Likewise for LOMAC
and MLS.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Senior Research Scientist, McAfee Research