From owner-freebsd-hackers@FreeBSD.ORG Tue Mar 2 02:00:21 2010
From: "Estella Mystagic"
Date: Mon, 1 Mar 2010 17:33:40 -0800
Message-ID: <2BD4195B78BE4E4E9F4953B3196590E3@2WIRE304>
Subject: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support for new /dev/pts in FreeBSD 8
List-Id: Technical Discussions relating to FreeBSD

Hi,

Found issues with the sysctl mibs security.mac.biba.ptys_equal, security.mac.lomac.ptys_equal and security.mac.mls.ptys_equal not supporting the new /dev/pts terminal system in FreeBSD 8; proposed fix for the issue.

When using a higher security grade/clearance with mac_mls it prevents writing to /dev/pts/5, as it's set as mls/low and subjects may not write to objects with a lower classification level than their own clearance level.

Feb 25 21:42:16 labyrinth sshd[30965]: error: /dev/pts/5: Permission denied
Feb 25 21:42:16 labyrinth sshd[30965]: error: open /dev/tty failed - could not set controlling tty: Permission denied

-Selphie

Patches:

diff -urNp /usr/src/sys/security-orig/mac_biba/mac_biba.c /usr/src/sys/security/mac_biba/mac_biba.c
--- /usr/src/sys/security-orig/mac_biba/mac_biba.c 2010-03-01 17:11:30.000000000 -0800
+++ /usr/src/sys/security/mac_biba/mac_biba.c 2010-03-01 17:16:44.000000000 -0800
@@ -955,6 +955,7 @@ biba_devfs_create_device(struct ucred *c biba_type = MAC_BIBA_TYPE_EQUAL; else if (ptys_equal && (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || + strncmp(dev->si_name, "pts/", strlen("pts/")) == 0 || strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) biba_type = MAC_BIBA_TYPE_EQUAL; else diff -urNp /usr/src/sys/security-orig/mac_lomac/mac_lomac.c /usr/src/sys/security/mac_lomac/mac_lomac.c --- /usr/src/sys/security-orig/mac_lomac/mac_lomac.c 2010-03-01 17:11:30.000000000 -0800 +++ /usr/src/sys/security/mac_lomac/mac_lomac.c 2010-03-01 17:16:23.000000000 -0800 @@ -1043,6 +1043,7 @@ lomac_devfs_create_device(struct ucred * lomac_type = MAC_LOMAC_TYPE_EQUAL; else if (ptys_equal && (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || + strncmp(dev->si_name, "pts/", strlen("pts/")) == 0 || strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) lomac_type = MAC_LOMAC_TYPE_EQUAL; else diff -urNp /usr/src/sys/security-orig/mac_mls/mac_mls.c /usr/src/sys/security/mac_mls/mac_mls.c --- /usr/src/sys/security-orig/mac_mls/mac_mls.c 2010-03-01 17:11:30.000000000 -0800 +++ /usr/src/sys/security/mac_mls/mac_mls.c 2010-03-01 17:15:42.000000000 -0800 
@@ -918,6 +918,7 @@ mls_devfs_create_device(struct ucred *cr mls_type = MAC_MLS_TYPE_HIGH; else if (ptys_equal && (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || + strncmp(dev->si_name, "pts/", strlen("pts/")) == 0 || strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) mls_type = MAC_MLS_TYPE_EQUAL; else
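Review bot: in the mac_biba hunk (@@ -955,6 +955,7 @@) the new `strncmp(dev->si_name, "pts/", strlen("pts/")) == 0` line covers only the slave side of the new scheme, while the existing pair it sits between covers both halves of the old one (ttyp slave, ptyp master); state in a comment or the commit message whether the pts(4) master device needs the same equal labeling under ptys_equal, or why it does not. The prefix itself matches the report: the failing node is /dev/pts/5, whose si_name relative to /dev is pts/5, so the new comparison selects it.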
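Review bot: the mac_lomac hunk (@@ -1043,6 +1043,7 @@) changes what the security.mac.lomac.ptys_equal knob covers without touching its documentation; the sysctl description string and the mac_lomac(4) manual page describe ptys_equal in terms of pty devices, so update them to say the knob now also applies to pts(4) nodes named pts/N, otherwise an administrator reading the docs on an 8.x box will not expect /dev/pts/* to be labeled lomac/equal.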
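Review bot: the mac_mls hunk (@@ -918,6 +918,7 @@) is the third verbatim copy of the same prefix list (ttyp, pts/, ptyp) across mac_biba, mac_lomac and mac_mls, each with its own `strncmp(dev->si_name, "pts/", strlen("pts/")) == 0`; consider moving the name test into one shared helper (say a hypothetical mac_is_pty_name(dev->si_name) under sys/security/mac/) so that the next change to tty device naming is fixed in one place rather than patched three times, as this submission had to do.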
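Added example, not from this mail or from the FreeBSD sources: a small user-space C model of why the open of /dev/pts/5 fails under mac_mls and why labeling pts/ nodes as equal fixes it. It keeps the low/level/equal/high label types and the no-read-up / no-write-down rule of the MLS policy but omits compartments, and mls_label_tty_device() models only the pty branch of the devfs_create_device hook shown in the hunks, with a `patched` flag to switch the pts/ prefix on and off. All function and type names here are mine.

```c
/*
 * Added illustration (not FreeBSD code): user-space model of the MLS
 * label dominance check and of the pty branch in the devfs_create_device
 * hook, to show where the EACCES in the sshd log comes from.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum mls_type { MLS_LOW, MLS_LEVEL, MLS_EQUAL, MLS_HIGH };

struct mls_label {
	enum mls_type type;
	unsigned level;		/* used only when type == MLS_LEVEL */
};

/* Does label a dominate label b?  low is dominated by everything, high
 * dominates everything, equal dominates and is dominated by everything;
 * two levels compare numerically (compartments are not modelled). */
static bool
mls_dominate(const struct mls_label *a, const struct mls_label *b)
{
	if (a->type == MLS_HIGH || a->type == MLS_EQUAL)
		return true;
	if (b->type == MLS_LOW || b->type == MLS_EQUAL)
		return true;
	if (a->type == MLS_LOW || b->type == MLS_HIGH)
		return false;
	return a->level >= b->level;	/* both MLS_LEVEL */
}

/* Open check: no read up (subject must dominate object), no write down
 * (object must dominate subject).  Returns 0 or EACCES, which is what the
 * caller sees as "Permission denied". */
static int
mls_check_open(const struct mls_label *subj, const struct mls_label *obj,
    bool want_read, bool want_write)
{
	if (want_write && !mls_dominate(obj, subj))
		return EACCES;
	if (want_read && !mls_dominate(subj, obj))
		return EACCES;
	return 0;
}

/* Model of the pty branch of the devfs_create_device hook: with ptys_equal
 * set, names with the old pty prefixes (and, once patched, the pts/ prefix)
 * get an equal label; everything else modelled here falls through to low.
 * The real hook special-cases other device names, which are left out. */
static struct mls_label
mls_label_tty_device(const char *si_name, bool ptys_equal, bool patched)
{
	struct mls_label l = { MLS_LOW, 0 };

	if (ptys_equal &&
	    (strncmp(si_name, "ttyp", strlen("ttyp")) == 0 ||
	    (patched && strncmp(si_name, "pts/", strlen("pts/")) == 0) ||
	    strncmp(si_name, "ptyp", strlen("ptyp")) == 0))
		l.type = MLS_EQUAL;
	return l;
}

/* The scenario from the report: a subject cleared at mls/<clearance>
 * opens its controlling tty read/write.  Returns 0 or the errno. */
int
open_tty_as_subject(const char *si_name, unsigned clearance, bool ptys_equal,
    bool patched)
{
	struct mls_label subj = { MLS_LEVEL, clearance };
	struct mls_label obj = mls_label_tty_device(si_name, ptys_equal, patched);

	return mls_check_open(&subj, &obj, true, true);
}

int
main(void)
{
	const char *dev = "pts/5";	/* si_name of /dev/pts/5 */

	printf("unpatched, ptys_equal=1: %s\n",
	    open_tty_as_subject(dev, 10, true, false) == EACCES ? "EACCES" : "ok");
	printf("patched,   ptys_equal=1: %s\n",
	    open_tty_as_subject(dev, 10, true, true) == 0 ? "ok" : "EACCES");
	printf("patched,   ptys_equal=0: %s\n",
	    open_tty_as_subject(dev, 10, false, true) == EACCES ? "EACCES" : "ok");
	return 0;
}
```

The read half of the open succeeds either way (a level-10 subject may read a low object); it is the write half that fails while pts/5 is labeled low, which is why the session still gets as far as trying to set the controlling tty before sshd reports EACCES. Note that with ptys_equal left at 0 the patched kernel still denies the open, so the knob, not the patch alone, is what relaxes the label.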