Date: Sat, 19 Jun 1999 23:22:14 -0500 (CDT) From: Frank Tobin <ftobin@bigfoot.com> To: FreeBSD-security Mailing List <freebsd-security@freebsd.org> Subject: Re: proposed secure-level 4 patch (fwd) Message-ID: <Pine.BSF.4.10.9906192320330.66866-300000@srh0710.urh.uiuc.edu>
next in thread | raw e-mail | index | archive | help
This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. --vtzGhvizbBRQ85DL Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Content-ID: <Pine.BSF.4.10.9906192320332.66866@srh0710.urh.uiuc.edu> Kris is awesome. ---------- Forwarded message ---------- <non-reveleant info removed> here is the no-union-mount-in-secure-mode diff and the tcp diff, which should both be against -current. k -- kris wehner (kris@further.com) "VMS is about as secure as a poodle encased in a block of lucite... ...about as useful, too." -wendigo@pobox.com --vtzGhvizbBRQ85DL Content-Type: TEXT/PLAIN; CHARSET=us-ascii Content-ID: <Pine.BSF.4.10.9906192320333.66866@srh0710.urh.uiuc.edu> Content-Description: Content-Disposition: ATTACHMENT; FILENAME="union_current.diff" *** vfs_syscalls.c.orig Sat Jun 19 21:28:28 1999 --- vfs_syscalls.c Sat Jun 19 21:28:50 1999 *************** *** 215,220 **** --- 215,228 ---- vput(vp); return (error); } + /* + * Disable union mounts in super-secure mode + */ + if (securelevel >= 2) + if (SCARG(uap, flags) & MNT_UNION || !strcmp(fstypename,"union")) { + vput(vp); + return EPERM; + } for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next) if (!strcmp(vfsp->vfc_name, fstypename)) break; --vtzGhvizbBRQ85DL Content-Type: TEXT/PLAIN; CHARSET=us-ascii Content-ID: <Pine.BSF.4.10.9906192320334.66866@srh0710.urh.uiuc.edu> Content-Description: Content-Disposition: ATTACHMENT; FILENAME="tcp_patch.diff" *** tcp_usrreq.c.orig Fri Jun 18 19:12:18 1999 --- tcp_usrreq.c Fri Jun 18 19:15:49 1999 *************** *** 185,190 **** --- 185,198 ---- error = EAFNOSUPPORT; goto out; } + /* + * Disallow bind if we are in super secure mode and port <= 1024 + */ + if (sinp->sin_family == AF_INET && sinp->sin_port <= 1024 && + securelevel >= 4) { + error = EACCES; + goto out; + } error = in_pcbbind(inp, nam, p); if (error) goto out; --vtzGhvizbBRQ85DL-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.9906192320330.66866-300000>