From owner-p4-projects@FreeBSD.ORG  Thu Jul 31 12:58:29 2003
Return-Path: <owner-p4-projects@FreeBSD.ORG>
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 68C8E37B408; Thu, 31 Jul 2003 12:58:28 -0700 (PDT)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E903A37B407
	for <perforce@freebsd.org>; Thu, 31 Jul 2003 12:58:27 -0700 (PDT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BCC7643F85
	for <perforce@freebsd.org>; Thu, 31 Jul 2003 12:58:26 -0700 (PDT)
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h6VJwQ0U001078
	for <perforce@freebsd.org>; Thu, 31 Jul 2003 12:58:26 -0700 (PDT)
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h6VJwQtw001075
	for perforce@freebsd.org; Thu, 31 Jul 2003 12:58:26 -0700 (PDT)
Date: Thu, 31 Jul 2003 12:58:26 -0700 (PDT)
Message-Id: <200307311958.h6VJwQtw001075@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 35282 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes <p4-projects.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/p4-projects>
List-Post: <mailto:p4-projects@freebsd.org>
List-Help: <mailto:p4-projects-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2003 19:58:31 -0000

http://perforce.freebsd.org/chv.cgi?CH=35282

Change 35282 by rwatson@rwatson_tislabs on 2003/07/31 12:58:23

	Improve consistency with the Biba policy -- rename
	mac_mls_subject_equal_ok() to mac_mls_subject_privileged(),
	which more consistently reflects the fact that this is really
	about our notion of privilege in the MLS policy.
	
	Since we don't use suser() for privilege in MLS, remove
	the suser check from the ifnet relabel ioctl, and replace it
	with an MLS privilege check.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#175 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#175 (text+ko) ====

@@ -286,11 +286,12 @@
 }
 
 static int
-mac_mls_subject_equal_ok(struct mac_mls *mac_mls)
+mac_mls_subject_privileged(struct mac_mls *mac_mls)
 {
 
-	KASSERT((mac_mls->mm_flags & MAC_MLS_FLAGS_BOTH) == MAC_MLS_FLAGS_BOTH,
-	    ("mac_mls_subject_equal_ok: subject doesn't have both labels"));
+	KASSERT((mac_mls->mm_flags & MAC_MLS_FLAGS_BOTH) ==
+	    MAC_MLS_FLAGS_BOTH,
+	    ("mac_mls_subject_privileged: subject doesn't have both labels"));
 
 	/* If the single is EQUAL, it's ok. */
 	if (mac_mls->mm_single.mme_type == MAC_MLS_TYPE_EQUAL)
@@ -1434,7 +1435,7 @@
 		 * their label.
 		 */
 		if (mac_mls_contains_equal(new)) {
-			error = mac_mls_subject_equal_ok(subj);
+			error = mac_mls_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
@@ -1480,23 +1481,9 @@
 		return (error);
 
 	/*
-	 * If the MLS label is to be changed, authorize as appropriate.
+	 * Relabeling network interfaces requires MLS privilege.
 	 */
-	if (new->mm_flags & MAC_MLS_FLAGS_BOTH) {
-		/*
-		 * Rely on traditional superuser status for the MLS
-		 * interface relabel requirements.  XXX: This will go
-		 * away.
-		 */
-		error = suser_cred(cred, 0);
-		if (error)
-			return (EPERM);
-
-		/*
-		 * XXXMAC: Additional consistency tests regarding the single
-		 * and the range of the new label might be performed here.
-		 */
-	}
+	error = mac_mls_subject_privileged(subj);
 
 	return (0);
 }
@@ -1625,7 +1612,7 @@
 		 * subject must have appropriate privilege.
 		 */
 		if (mac_mls_contains_equal(new)) {
-			error = mac_mls_subject_equal_ok(subj);
+			error = mac_mls_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
@@ -1787,7 +1774,7 @@
 		 * the subject must have appropriate privilege.
 		 */
 		if (mac_mls_contains_equal(new)) {
-			error = mac_mls_subject_equal_ok(subj);
+			error = mac_mls_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
@@ -2242,7 +2229,7 @@
 		 * the subject must have appropriate privilege.
 		 */
 		if (mac_mls_contains_equal(new)) {
-			error = mac_mls_subject_equal_ok(subj);
+			error = mac_mls_subject_privileged(subj);
 			if (error)
 				return (error);
 		}