Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 5 Jul 2005 11:49:40 GMT
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 79596 for review
Message-ID:  <200507051149.j65BneGM075715@repoman.freebsd.org>

next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=79596

Change 79596 by rwatson@rwatson_paprika on 2005/07/05 11:49:05

	In MAC and MAC policy modules, generally map suser() to
	CAP_SYS_ADMIN, with the exception of the ifnet label authorized
	as CAP_NET_ADMIN, and authorizing port binding in mac_portacl,
	with CAP_NET_BIND_SERVICE.  Comment in some places where further
	refinement or work is needed.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#13 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_bsdextended/mac_bsdextended.c#9 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_chkexec/mac_chkexec.c#2 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#15 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_partition/mac_partition.c#9 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_portacl/mac_portacl.c#8 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_seeotheruids/mac_seeotheruids.c#7 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_suidacl/mac_suidacl.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#13 (text+ko) ====

@@ -491,7 +491,7 @@
 	 * policies impose this check themselves if required by the
 	 * policy.  Eventually, this should go away.
 	 */
-	error = suser_cred(cred, 0);
+	error = cap_check_cred(cred, CAP_NET_ADMIN, 0);
 	if (error) {
 		mac_ifnet_label_free(intlabel);
 		return (error);

==== //depot/projects/trustedbsd/sebsd/sys/security/mac_bsdextended/mac_bsdextended.c#9 (text+ko) ====

@@ -325,7 +325,23 @@
 {
 	int error, i;
 
-	if (suser_cred(cred, 0) == 0)
+	/*
+	 * Since we do not separately handle append, map append to
+	 * write.
+	 */
+	if (acc_mode & MBI_APPEND) {
+		acc_mode &= ~MBI_APPEND;
+		acc_mode |= MBI_WRITE;
+	}
+
+	/*
+	 * XXXRW: The interactions between capabilities and privilege in
+	 * mac_bsdextended are poorly defined, and should be thought about
+	 * more.  For now, go with the intent that the administrator not be
+	 * subject to the policy.  In the future, we might want to more
+	 * specifically handle the privileges in mac_bsdextended_rulecheck().
+	 */
+	if (cap_check_cred(cred, CAP_SYS_ADMIN, 0) == 0)
 		return (0);
 
 	mtx_lock(&mac_bsdextended_mtx);
@@ -333,15 +349,6 @@
 		if (rules[i] == NULL)
 			continue;
 
-		/*
-		 * Since we do not separately handle append, map append to
-		 * write.
-		 */
-		if (acc_mode & MBI_APPEND) {
-			acc_mode &= ~MBI_APPEND;
-			acc_mode |= MBI_WRITE;
-		}
-
 		error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
 		    object_gid, acc_mode);
 		if (error == EJUSTRETURN)

==== //depot/projects/trustedbsd/sebsd/sys/security/mac_chkexec/mac_chkexec.c#2 (text+ko) ====

@@ -832,7 +832,7 @@
 	 * Only superuser may modify the extended attribute namespace associated
 	 * with this files checksum.
 	 */
-	error = suser(td);
+	error = cap_check(td, CAP_SYS_ADMIN);
 	if (error)
 		return (error);
 	ha = mac_chkexec_get_algo();

==== //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#15 (text+ko) ====


==== //depot/projects/trustedbsd/sebsd/sys/security/mac_partition/mac_partition.c#9 (text+ko) ====

@@ -190,7 +190,7 @@
 		 * in a partition in the first place, but this didn't
 		 * interact well with sendmail.
 		 */
-		error = suser_cred(cred, 0);
+		error = cap_check_cred(cred, CAP_SYS_ADMIN, 0);
 	}
 
 	return (error);

==== //depot/projects/trustedbsd/sebsd/sys/security/mac_portacl/mac_portacl.c#8 (text+ko) ====

@@ -96,6 +96,10 @@
     &mac_portacl_enabled, 0, "Enforce portacl policy");
 TUNABLE_INT("security.mac.portacl.enabled", &mac_portacl_enabled);
 
+/*
+ * XXXRW: suser_exempt may be less significant with capability masks, as we
+ * can grant the right using CAP_NET_BIND_SERVICE.
+ */
 static int	mac_portacl_suser_exempt = 1;
 SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RW,
     &mac_portacl_suser_exempt, 0, "Privilege permits binding of any port");
@@ -480,7 +484,7 @@
 	mtx_unlock(&rule_mtx);
 
 	if (error != 0 && mac_portacl_suser_exempt != 0)
-		error = suser_cred(cred, 0);
+		error = cap_check_cred(cred, CAP_NET_BIND_SERVICE, 0);
 
 	return (error);
 }

==== //depot/projects/trustedbsd/sebsd/sys/security/mac_seeotheruids/mac_seeotheruids.c#7 (text+ko) ====

@@ -117,7 +117,7 @@
 	if (u1->cr_ruid == u2->cr_ruid)
 		return (0);
 
-	if (suser_cred(u1, 0) == 0)
+	if (cap_check_cred(u1, CAP_SYS_ADMIN, 0) == 0)
 		return (0);
 
 	return (ESRCH);

==== //depot/projects/trustedbsd/sebsd/sys/security/mac_suidacl/mac_suidacl.c#2 (text+ko) ====

@@ -340,6 +340,9 @@
 	int error = 0;
 	struct rule *current;
 
+	/*
+	 * XXXRW: Should we be using CAP_SETGID and CAP_SETUID here?
+	 */
 	if ((mac_suidacl_enabled == 0) || !suser_cred(cred, 0))
 		return (0);
 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200507051149.j65BneGM075715>