Date:      Sat, 19 Jun 1999 23:22:14 -0500 (CDT)
From:      Frank Tobin <ftobin@bigfoot.com>
To:        FreeBSD-security Mailing List <freebsd-security@freebsd.org>
Subject:   Re: proposed secure-level 4 patch (fwd)
Message-ID:  <Pine.BSF.4.10.9906192320330.66866-300000@srh0710.urh.uiuc.edu>

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

--vtzGhvizbBRQ85DL
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.BSF.4.10.9906192320332.66866@srh0710.urh.uiuc.edu>

Kris is awesome.

---------- Forwarded message ----------
<non-relevant info removed>

here is the no-union-mount-in-secure-mode diff and the tcp diff, which
should both be against -current.

k
-- 
kris wehner (kris@further.com)
 "VMS is about as secure as a poodle encased in a block of lucite...       
         ...about as useful, too."       -wendigo@pobox.com                

--vtzGhvizbBRQ85DL
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Content-ID: <Pine.BSF.4.10.9906192320333.66866@srh0710.urh.uiuc.edu>
Content-Description: 
Content-Disposition: ATTACHMENT; FILENAME="union_current.diff"

*** vfs_syscalls.c.orig	Sat Jun 19 21:28:28 1999
--- vfs_syscalls.c	Sat Jun 19 21:28:50 1999
***************
*** 215,220 ****
--- 215,228 ----
  		vput(vp);
  		return (error);
  	}
+         /* 
+          * Disable union mounts in super-secure mode
+          */
+         if (securelevel >= 2) 
+           if (SCARG(uap, flags) & MNT_UNION || !strcmp(fstypename,"union")) {
+             vput(vp);
+             return EPERM;
+           }
  	for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next)
  		if (!strcmp(vfsp->vfc_name, fstypename))
  			break;
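
Review bot: The threshold in `if (securelevel >= 2)` does not match what the comment calls "super-secure mode": the TCP patch in the same message uses `securelevel >= 4` for "super secure mode", and the subject line proposes secure-level 4. Either use the same level in both places or have the comment state the exact securelevel at which union mounts are refused and why it differs. Two smaller points on the added lines: the condition relies on `&` binding tighter than `||`, so write it as `(SCARG(uap, flags) & MNT_UNION) || !strcmp(fstypename, "union")` and give the outer `if` its own braces; and the block is indented with spaces and returns with `return EPERM;`, while the surrounding context uses tabs and `return (error);`.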

--vtzGhvizbBRQ85DL
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Content-ID: <Pine.BSF.4.10.9906192320334.66866@srh0710.urh.uiuc.edu>
Content-Description: 
Content-Disposition: ATTACHMENT; FILENAME="tcp_patch.diff"

*** tcp_usrreq.c.orig	Fri Jun 18 19:12:18 1999
--- tcp_usrreq.c	Fri Jun 18 19:15:49 1999
***************
*** 185,190 ****
--- 185,198 ----
  		error = EAFNOSUPPORT;
  		goto out;
  	}
+ 	/* 
+ 	 * Disallow bind if we are in super secure mode and port <= 1024
+ 	 */
+ 	if (sinp->sin_family == AF_INET && sinp->sin_port <= 1024 &&
+ 	    securelevel >= 4) {
+ 	  error = EACCES;
+ 	  goto out;
+ 	}
  	error = in_pcbbind(inp, nam, p);
  	if (error)
  		goto out;
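
Review bot: The comparison `sinp->sin_port <= 1024` reads the port without a byte-order conversion. `sin_port` in a `sockaddr_in` is stored in network byte order, so on a little-endian machine this tests the byte-swapped value and will both miss low ports and refuse unrelated high ones; compare `ntohs(sinp->sin_port)` instead. The bound also needs a second look: `<= 1024` includes port 1024 itself, whereas the reserved range is conventionally the ports below 1024, and it includes port 0, so a bind that asks the kernel to pick a port would be refused with EACCES at this level. If that is not intended, something like `port != 0 && port < 1024` on the converted value expresses the restriction. The comment should also say that the check applies to every caller regardless of privilege, and note that this file only covers TCP binds.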

--vtzGhvizbBRQ85DL--

