Properly return the error from mls_subject_privileged() in the ifnet
relabel check for MLS rather than returning 0 directly.

This problem didn't result in a vulnerability currently as the central
implementation of ifnet relabeling also checks for UNIX privilege, and
we currently don't guarantee containment for the root user in mac_mls,
but we should be using the MLS definition of privilege as well as the
UNIX definition in anticipation of supporting root containment at some
point.

MFC after:	3 days
Submitted by:	Zhouyi Zhou <zhouzhouyi at gmail dot com>
Sponsored by:	Google SoC 2007
Robert Watson 2008-01-28 10:20:18 +00:00
parent 7572a9c749
commit 5ac3b03500
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=175747

@ -964,9 +964,7 @@ mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
/*
* Relabeling network interfaces requires MLS privilege.
*/
error = mls_subject_privileged(subj);
return (0);
return (mls_subject_privileged(subj));
}
static int
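Review bot: With the `error = mls_subject_privileged(subj);` assignment removed at the end of mls_ifnet_check_relabel(), check that the local `error` is still used earlier in the function; if this was its only use, drop the declaration in the same change so no unused variable is left behind. The old pair of lines, an assignment immediately followed by `return (0);`, silently discarded the policy decision, so it is also worth searching the other check functions in this file for the same assign-then-return-zero pattern and fixing any further instances together.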