From owner-p4-projects@FreeBSD.ORG Tue Jul 5 11:49:41 2005 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id C325316A420; Tue, 5 Jul 2005 11:49:40 +0000 (GMT) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8966816A41C for ; Tue, 5 Jul 2005 11:49:40 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 689E143D45 for ; Tue, 5 Jul 2005 11:49:40 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id j65Bne2i075718 for ; Tue, 5 Jul 2005 11:49:40 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id j65BneGM075715 for perforce@freebsd.org; Tue, 5 Jul 2005 11:49:40 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Tue, 5 Jul 2005 11:49:40 GMT Message-Id: <200507051149.j65BneGM075715@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 79596 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Jul 2005 11:49:41 -0000 http://perforce.freebsd.org/chv.cgi?CH=79596 Change 79596 by rwatson@rwatson_paprika on 2005/07/05 11:49:05 In MAC and MAC policy modules, generally map suser() to CAP_SYS_ADMIN, with the exception of the ifnet label authorized as CAP_NET_ADMIN, and authorizing port binding in mac_portacl, with CAP_NET_BIND_SERVICE. Comment in some places where further refinement or work is needed. Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#13 edit .. //depot/projects/trustedbsd/sebsd/sys/security/mac_bsdextended/mac_bsdextended.c#9 edit .. //depot/projects/trustedbsd/sebsd/sys/security/mac_chkexec/mac_chkexec.c#2 edit .. //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#15 edit .. //depot/projects/trustedbsd/sebsd/sys/security/mac_partition/mac_partition.c#9 edit .. //depot/projects/trustedbsd/sebsd/sys/security/mac_portacl/mac_portacl.c#8 edit .. //depot/projects/trustedbsd/sebsd/sys/security/mac_seeotheruids/mac_seeotheruids.c#7 edit .. //depot/projects/trustedbsd/sebsd/sys/security/mac_suidacl/mac_suidacl.c#2 edit Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#13 (text+ko) ====
@@ -491,7 +491,7 @@
 * policies impose this check themselves if required by the
 * policy. Eventually, this should go away.
 */
- error = suser_cred(cred, 0);
+ error = cap_check_cred(cred, CAP_NET_ADMIN, 0);
 if (error) {
 mac_ifnet_label_free(intlabel);
 return (error);
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_bsdextended/mac_bsdextended.c#9 (text+ko) ====
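Review bot: `suser_cred(cred, 0)`, called without a jail-allow flag, refused a jailed root credential, and nothing in the hunk shows whether `cap_check_cred(cred, CAP_NET_ADMIN, 0)` keeps that restriction for a jailed credential that holds the capability; this is worth confirming once, because the same substitution is made in the mac_bsdextended, mac_partition, mac_portacl and mac_seeotheruids hunks below and a jailed process gaining host-level ifnet relabel or visibility would be a regression. The comment above the new line still refers only to "this check"; naming the privilege helps policy authors, e.g. `* policy (CAP_NET_ADMIN is what is tested here).  Eventually, this should go away.`. The enclosing function begins before the hunk, so the `intlabel` allocation that the failure path frees is not visible; if that allocation is unconditional, performing the capability check first would avoid allocating for callers that are about to be refused.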
@@ -325,7 +325,23 @@
 {
 int error, i;
 
- if (suser_cred(cred, 0) == 0)
+ /*
+ * Since we do not separately handle append, map append to
+ * write.
+ */
+ if (acc_mode & MBI_APPEND) {
+ acc_mode &= ~MBI_APPEND;
+ acc_mode |= MBI_WRITE;
+ }
+
+ /*
+ * XXXRW: The interactions between capabilities and privilege in
+ * mac_bsdextended are poorly defined, and should be thought about
+ * more. For now, go with the intent that the administrator not be
+ * subject to the policy. In the future, we might want to more
+ * specifically handle the privileges in mac_bsdextended_rulecheck().
+ */
+ if (cap_check_cred(cred, CAP_SYS_ADMIN, 0) == 0)
 return (0);
 
 mtx_lock(&mac_bsdextended_mtx);
@@ -333,15 +349,6 @@
 if (rules[i] == NULL)
 continue;
 
- /*
- * Since we do not separately handle append, map append to
- * write.
- */
- if (acc_mode & MBI_APPEND) {
- acc_mode &= ~MBI_APPEND;
- acc_mode |= MBI_WRITE;
- }
-
 error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
 object_gid, acc_mode);
 if (error == EJUSTRETURN)
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_chkexec/mac_chkexec.c#2 (text+ko) ====
@@ -832,7 +832,7 @@
 * Only superuser may modify the extended attribute namespace associated
 * with this files checksum.
 */
- error = suser(td);
+ error = cap_check(td, CAP_SYS_ADMIN);
 if (error)
 return (error);
 ha = mac_chkexec_get_algo();
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#15 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_partition/mac_partition.c#9 (text+ko) ====
@@ -190,7 +190,7 @@
 * in a partition in the first place, but this didn't
 * interact well with sendmail.
 */
- error = suser_cred(cred, 0);
+ error = cap_check_cred(cred, CAP_SYS_ADMIN, 0);
 }
 
 return (error);
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_portacl/mac_portacl.c#8 (text+ko) ====
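Review bot: `cap_check_cred(cred, CAP_SYS_ADMIN, 0) == 0` returns success before the rule list is consulted, so any process holding CAP_SYS_ADMIN for an unrelated reason is exempt from every bsdextended rule, and the XXXRW comment records the uncertainty without giving the administrator a way to keep the policy binding on privileged processes. mac_portacl in this same change already has a `suser_exempt` sysctl for exactly that purpose; a parallel knob for mac_bsdextended (name to be chosen, e.g. a `suser_exempt` integer under the module's sysctl node), tested before the capability check, would let the policy be enforced against CAP_SYS_ADMIN holders where a site wants that. The hoisted MBI_APPEND mapping now rewrites `acc_mode` once before the loop, matching the per-iteration version removed in the following hunk; the enclosing function's signature and the end of the loop lie outside these hunks.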
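Review bot: The comment directly above the changed line still says `Only superuser may modify the extended attribute namespace`, but the code now admits any thread that passes `cap_check(td, CAP_SYS_ADMIN)`; rewording it to `Only a thread holding CAP_SYS_ADMIN may modify the extended attribute namespace` keeps the comment and the check in agreement. This is the only hunk in the change that tests the thread (`cap_check(td, ...)`) rather than a credential, which mirrors the original `suser(td)`, so it is consistent with the old code but differs from the `cap_check_cred` form used elsewhere; a short comment or a switch to the credential form would remove the question for the next reader. The enclosing function begins and ends outside the hunk.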
@@ -96,6 +96,10 @@
 &mac_portacl_enabled, 0, "Enforce portacl policy");
 TUNABLE_INT("security.mac.portacl.enabled", &mac_portacl_enabled);
 
+/*
+ * XXXRW: suser_exempt may be less significant with capability masks, as we
+ * can grant the right using CAP_NET_BIND_SERVICE.
+ */
 static int mac_portacl_suser_exempt = 1;
 SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RW,
 &mac_portacl_suser_exempt, 0, "Privilege permits binding of any port");
@@ -480,7 +484,7 @@
 mtx_unlock(&rule_mtx);
 
 if (error != 0 && mac_portacl_suser_exempt != 0)
- error = suser_cred(cred, 0);
+ error = cap_check_cred(cred, CAP_NET_BIND_SERVICE, 0);
 return (error);
 }
 
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_seeotheruids/mac_seeotheruids.c#7 (text+ko) ====
@@ -117,7 +117,7 @@
 if (u1->cr_ruid == u2->cr_ruid)
 return (0);
 
- if (suser_cred(u1, 0) == 0)
+ if (cap_check_cred(u1, CAP_SYS_ADMIN, 0) == 0)
 return (0);
 
 return (ESRCH);
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_suidacl/mac_suidacl.c#2 (text+ko) ====
@@ -340,6 +340,9 @@
 int error = 0;
 struct rule *current;
 
+ /*
+ * XXXRW: Should we be using CAP_SETGID and CAP_SETUID here?
+ */
 if ((mac_suidacl_enabled == 0) || !suser_cred(cred, 0))
 return (0);
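Review bot: After this change the `suser_exempt` knob no longer exempts the superuser but anyone holding CAP_NET_BIND_SERVICE (second hunk, `error = cap_check_cred(cred, CAP_NET_BIND_SERVICE, 0)`), yet neither its name nor its description string `Privilege permits binding of any port` says which privilege is meant; renaming a sysctl breaks existing configurations, so extending the new XXXRW comment is the cheaper fix, e.g. `* The sysctl name is kept for compatibility; the exemption now tests CAP_NET_BIND_SERVICE rather than suser.`. In the second hunk the capability check's result replaces the rule-check error, so a caller denied by a rule and lacking the capability sees the capability error rather than the rule error; that is pre-existing behaviour, but a one-line comment stating that this is intended would spare the next reader the same question. Both hunks sit inside functions whose start lies outside the hunk.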
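Review bot: The new early return `if (cap_check_cred(u1, CAP_SYS_ADMIN, 0) == 0)` carries no comment, and the only surrounding context is the `cr_ruid` comparison, so the fact that the visibility exemption is now the broad CAP_SYS_ADMIN rather than superuser status is recorded nowhere in the file. A one-liner above it such as `/* Holders of CAP_SYS_ADMIN may see every other uid. */` documents the policy decision where a maintainer will look for it. The enclosing function begins outside the hunk.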