Date: Thu, 8 Aug 2002 15:18:53 -0700 (PDT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 15703 for review
Message-ID: <200208082218.g78MIrBo025581@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15703 Change 15703 by rwatson@rwatson_tislabs on 2002/08/08 15:18:28 Remove suser() exemptions for subject credential relabeling-- these were for debugging/development purposes only. The root user is no longer given special privilege to bypass label requirements for processes. Su and other user programs manipulating labels will still try to set the label based on user class policy, but they may fail if their own labels can't be relabeled to the requested user label for policy reasons. The only remaining explicit exemption for the superuser is for interface relabeling, and that probably requires us to have some notion of a security administrator role for MLS and Biba. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#95 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#77 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#95 (text+ko) ==== @@ -1261,13 +1261,6 @@ */ if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) { /* - * Exempt traditional superuser processes from the Biba - * relabel requirements. XXXMAC: This will go away. - */ - if (suser_cred(cred, 0) == 0) - return (0); - - /* * To change the Biba single label on a credential, the * new single label must be in the current range. */ ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#77 (text+ko) ==== @@ -1209,13 +1209,6 @@ */ if (new->mm_flags & MAC_MLS_FLAGS_BOTH) { /* - * Exempt traditional superuser processes from the MLS - * relabel requirements. XXXMAC: This will go away. - */ - if (suser_cred(cred, 0) == 0) - return (0); - - /* * To change the MLS single label on a credential, the * new single label must be in the current range. */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
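Review bot: In the mac_biba.c hunk at -1261, the surviving comment inside the `if (new->mb_flags & MAC_BIBA_FLAGS_BOTH)` block ("the new single label must be in the current range") no longer says who it applies to, and the removed `suser_cred(cred, 0) == 0` early return was the only statement in this block about uid 0. Consider adding a sentence to that comment saying that no superuser exemption applies to credential relabeling, so the rule is recorded in the code and not only in the change description, and a later edit does not quietly bring the early return back.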
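Review bot: In the mac_mls.c hunk at -1209, deleting the `return (0)` path means a uid 0 relabel request now falls through to the range check, but the visible context does not show what that check returns on failure. The change description says su and other label-manipulating programs may now fail, so it would help to state, in the comment above the range check or in the description, which error those callers will see, so the userland side can report a policy denial clearly instead of a generic failure.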