Date: Sat, 19 Jun 1999 23:22:14 -0500 (CDT)
From: Frank Tobin <ftobin@bigfoot.com>
To: FreeBSD-security Mailing List <freebsd-security@freebsd.org>
Subject: Re: proposed secure-level 4 patch (fwd)
Message-ID: <Pine.BSF.4.10.9906192320330.66866-300000@srh0710.urh.uiuc.edu>
[-- Attachment #1 --]
Kris is awesome.
---------- Forwarded message ----------
<non-relevant info removed>
here is the no-union-mount-in-secure-mode diff and the tcp diff, which
should both be against -current.
k
--
kris wehner (kris@further.com)
"VMS is about as secure as a poodle encased in a block of lucite...
...about as useful, too." -wendigo@pobox.com
[-- Attachment #2 --]
*** vfs_syscalls.c.orig Sat Jun 19 21:28:28 1999
--- vfs_syscalls.c Sat Jun 19 21:28:50 1999
***************
*** 215,220 ****
--- 215,228 ----
vput(vp);
return (error);
}
+ /*
+ * Disable union mounts in super-secure mode
+ */
+ if (securelevel >= 2)
+ if (SCARG(uap, flags) & MNT_UNION || !strcmp(fstypename,"union")) {
+ vput(vp);
+ return EPERM;
+ }
for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next)
if (!strcmp(vfsp->vfc_name, fstypename))
break;
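Review bot: The comment says "super-secure mode" but the test is `securelevel >= 2`, while the bind restriction in the tcp_usrreq.c diff is gated on `securelevel >= 4`; the comment should name the level that is intended, or the two thresholds should be aligned. The inner condition mixes `&` and `||` without parentheses; it parses as intended, but `(SCARG(uap, flags) & MNT_UNION) || !strcmp(fstypename, "union")` reads unambiguously. The outer `if` would be clearer with braces around its multi-line body, and `return EPERM;` should be `return (EPERM);` to match the `return (error);` a few lines above.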
[-- Attachment #3 --]
*** tcp_usrreq.c.orig Fri Jun 18 19:12:18 1999
--- tcp_usrreq.c Fri Jun 18 19:15:49 1999
***************
*** 185,190 ****
--- 185,198 ----
error = EAFNOSUPPORT;
goto out;
}
+ /*
+ * Disallow bind if we are in super secure mode and port <= 1024
+ */
+ if (sinp->sin_family == AF_INET && sinp->sin_port <= 1024 &&
+ securelevel >= 4) {
+ error = EACCES;
+ goto out;
+ }
error = in_pcbbind(inp, nam, p);
if (error)
goto out;
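Review bot: `sinp->sin_port <= 1024` compares a field held in network byte order against a host-order constant, so on a little-endian machine the test does not select ports 0 through 1024; compare `ntohs(sinp->sin_port)` instead. Even with that fixed, the range includes port 0, which a caller passes to request any free port, so those binds would be refused with EACCES at securelevel 4. It also includes 1024 itself, one past the conventional reserved range. If the reserved range is what is meant, test `< IPPORT_RESERVED` and decide explicitly how port 0 is handled, then update the comment to match.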
