Date: Tue, 5 Jul 2005 11:49:40 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 79596 for review Message-ID: <200507051149.j65BneGM075715@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=79596
Change 79596 by rwatson@rwatson_paprika on 2005/07/05 11:49:05
In MAC and MAC policy modules, generally map suser() to CAP_SYS_ADMIN, with the exception of the ifnet label authorized as CAP_NET_ADMIN, and authorizing port binding in mac_portacl, with CAP_NET_BIND_SERVICE. Comment in some places where further refinement or work is needed.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#13 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_bsdextended/mac_bsdextended.c#9 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_chkexec/mac_chkexec.c#2 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#15 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_partition/mac_partition.c#9 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_portacl/mac_portacl.c#8 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_seeotheruids/mac_seeotheruids.c#7 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_suidacl/mac_suidacl.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#13 (text+ko) ====
@@ -491,7 +491,7 @@
 	 * policies impose this check themselves if required by the
 	 * policy. Eventually, this should go away.
 	 */
-	error = suser_cred(cred, 0);
+	error = cap_check_cred(cred, CAP_NET_ADMIN, 0);
 	if (error) {
 		mac_ifnet_label_free(intlabel);
 		return (error);
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_bsdextended/mac_bsdextended.c#9 (text+ko) ====
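Review bot: The comment directly above the replaced line in mac_net.c still presents this check only as a stopgap that "should go away" and never says which privilege is now required, so a reader cannot tell why this path alone uses a network capability where the other policies in this change use CAP_SYS_ADMIN. Add a line before the closing `*/`: `* Until then, require CAP_NET_ADMIN, since the object being authorized is an ifnet label.` The comment block and the enclosing function both begin above the hunk, so their opening sentence may need the same adjustment.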
@@ -325,7 +325,23 @@
 {
 	int error, i;
 
-	if (suser_cred(cred, 0) == 0)
+	/*
+	 * Since we do not separately handle append, map append to
+	 * write.
+	 */
+	if (acc_mode & MBI_APPEND) {
+		acc_mode &= ~MBI_APPEND;
+		acc_mode |= MBI_WRITE;
+	}
+
+	/*
+	 * XXXRW: The interactions between capabilities and privilege in
+	 * mac_bsdextended are poorly defined, and should be thought about
+	 * more. For now, go with the intent that the administrator not be
+	 * subject to the policy. In the future, we might want to more
+	 * specifically handle the privileges in mac_bsdextended_rulecheck().
+	 */
+	if (cap_check_cred(cred, CAP_SYS_ADMIN, 0) == 0)
 		return (0);
 
 	mtx_lock(&mac_bsdextended_mtx);
@@ -333,15 +349,6 @@
 		if (rules[i] == NULL)
 			continue;
 
-		/*
-		 * Since we do not separately handle append, map append to
-		 * write.
-		 */
-		if (acc_mode & MBI_APPEND) {
-			acc_mode &= ~MBI_APPEND;
-			acc_mode |= MBI_WRITE;
-		}
-
 		error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
 		    object_gid, acc_mode);
 		if (error == EJUSTRETURN)
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_chkexec/mac_chkexec.c#2 (text+ko) ====
@@ -832,7 +832,7 @@
 	 * Only superuser may modify the extended attribute namespace associated
 	 * with this files checksum.
 	 */
-	error = suser(td);
+	error = cap_check(td, CAP_SYS_ADMIN);
 	if (error)
 		return (error);
 	ha = mac_chkexec_get_algo();
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#15 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_partition/mac_partition.c#9 (text+ko) ====
@@ -190,7 +190,7 @@
 		 * in a partition in the first place, but this didn't
 		 * interact well with sendmail.
 		 */
-		error = suser_cred(cred, 0);
+		error = cap_check_cred(cred, CAP_SYS_ADMIN, 0);
 	}
 
 	return (error);
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_portacl/mac_portacl.c#8 (text+ko) ====
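Review bot: The CAP_SYS_ADMIN exemption in the first mac_bsdextended.c hunk returns 0 before the rule loop is entered, so a credential holding that capability bypasses every rule for every access mode, including execute, which is considerably broader than the permission override it stands in for. Until the refinement the XXXRW comment defers, the scope deserves a sentence of its own in that comment: `* Note that this exempts CAP_SYS_ADMIN holders from all rules, not only the file-permission checks; a narrower capability (CAP_DAC_OVERRIDE, if this tree defines one) would be the closer fit.` The MBI_APPEND-to-MBI_WRITE mapping is now done once before the exemption and the loop, which is what the second hunk's deletion of the per-rule copy relies on; the function's signature and the remainder of its loop body lie outside both hunks.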
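Review bot: The comment above the replaced line in mac_chkexec.c still says "Only superuser may modify the extended attribute namespace", which no longer describes the `cap_check(td, CAP_SYS_ADMIN)` beneath it, and "this files checksum" should read "this file's checksum". Change the two comment lines to `* Only a credential holding CAP_SYS_ADMIN may modify the extended` and `* attribute namespace associated with this file's checksum.` so the documented privilege matches the code. The enclosing function starts and ends outside the hunk.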
@@ -96,6 +96,10 @@
     &mac_portacl_enabled, 0, "Enforce portacl policy");
 TUNABLE_INT("security.mac.portacl.enabled", &mac_portacl_enabled);
 
+/*
+ * XXXRW: suser_exempt may be less significant with capability masks, as we
+ * can grant the right using CAP_NET_BIND_SERVICE.
+ */
 static int mac_portacl_suser_exempt = 1;
 SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RW,
     &mac_portacl_suser_exempt, 0, "Privilege permits binding of any port");
@@ -480,7 +484,7 @@
 	mtx_unlock(&rule_mtx);
 
 	if (error != 0 && mac_portacl_suser_exempt != 0)
-		error = suser_cred(cred, 0);
+		error = cap_check_cred(cred, CAP_NET_BIND_SERVICE, 0);
 
 	return (error);
 }
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_seeotheruids/mac_seeotheruids.c#7 (text+ko) ====
@@ -117,7 +117,7 @@
 	if (u1->cr_ruid == u2->cr_ruid)
 		return (0);
 
-	if (suser_cred(u1, 0) == 0)
+	if (cap_check_cred(u1, CAP_SYS_ADMIN, 0) == 0)
 		return (0);
 
 	return (ESRCH);
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_suidacl/mac_suidacl.c#2 (text+ko) ====
@@ -340,6 +340,9 @@
 	int error = 0;
 	struct rule *current;
 
+	/*
+	 * XXXRW: Should we be using CAP_SETGID and CAP_SETUID here?
+	 */
 	if ((mac_suidacl_enabled == 0) || !suser_cred(cred, 0))
 		return (0);
 
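Review bot: In the second mac_portacl.c hunk the fallback now requires CAP_NET_BIND_SERVICE, yet the sysctl that gates it keeps the name suser_exempt and the description "Privilege permits binding of any port", so an administrator reading sysctl output cannot tell which privilege is being exempted. The name is an externally visible knob and should stay, but the description string in the first hunk can name the capability: `&mac_portacl_suser_exempt, 0, "CAP_NET_BIND_SERVICE permits binding of any port");`. It is also worth stating in the first hunk's XXXRW comment that the capability check is consulted only after the rule lookup has failed under rule_mtx, so a holder of the capability is admitted regardless of the rule set when the knob is on. The enclosing function of the second hunk starts above it.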
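Review bot: mac_suidacl.c is the only policy in this change that keeps `suser_cred(cred, 0)` while every sibling moves to cap_check_cred(), so the XXXRW question leaves this policy on the old privilege model; a credential that holds CAP_SYS_ADMIN without being superuser would be exempted by the other modules but still subjected to suidacl rules. Even before deciding between CAP_SETUID and CAP_SETGID, the line should follow the rest of the commit: `if ((mac_suidacl_enabled == 0) || !cap_check_cred(cred, CAP_SYS_ADMIN, 0))`. The `!` idiom relies on 0 meaning success, which cap_check_cred appears to share given the `== 0` comparisons elsewhere in this change. The enclosing function begins and continues outside the hunk.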