Implement mpo_associate_nfsd_label entry point for the BIBA security policy.
We initialize the label to biba/low for files that have been created through an NFS RPC. This is a safe default given the nature of our NFS implementation, which provides little data integrity by default. This also fixes kernel panics that occurred when creating files over NFS on filesystems which have multilabel enabled while BIBA is enabled.

MFC after: 2 weeks
Discussed with: rwatson
parent
6b5b470aea
commit
a4690c931e
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=160243
@ -3019,6 +3019,18 @@ mac_biba_check_vnode_write(struct ucred *active_cred,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_associate_nfsd_label(struct ucred *cred)
|
||||
{
|
||||
struct mac_biba *label;
|
||||
|
||||
label = SLOT(cred->cr_label);
|
||||
mac_biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
|
||||
mac_biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL,
|
||||
MAC_BIBA_TYPE_HIGH, 0, NULL);
|
||||
return (0);
|
||||
}
|
||||
|
||||
static struct mac_policy_ops mac_biba_ops =
|
||||
{
|
||||
.mpo_init = mac_biba_init,
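Review bot: The range set in mac_biba_associate_nfsd_label runs from MAC_BIBA_TYPE_LOW to MAC_BIBA_TYPE_HIGH, while the commit message only speaks of biba/low, and the function has no comment explaining the difference. The effective label is what gives RPC-created objects the low default; the full range is a separate grant to the NFS server credential. If other parts of this policy treat a low-high range as a privileged subject (not visible in this hunk, worth confirming), nfsd credentials would pick that up too. If the full range is needed so nfsd can serve objects at any grade, record that above the function, e.g. `/* NFS server credential: effective biba/low so RPC-created objects default to low integrity; range is low-high on purpose, see mac_biba(4). */`. Otherwise consider setting the high end of the range to MAC_BIBA_TYPE_LOW as well.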
|
||||
@ -3198,6 +3210,7 @@ static struct mac_policy_ops mac_biba_ops =
|
||||
.mpo_check_vnode_setutimes = mac_biba_check_vnode_setutimes,
|
||||
.mpo_check_vnode_stat = mac_biba_check_vnode_stat,
|
||||
.mpo_check_vnode_write = mac_biba_check_vnode_write,
|
||||
.mpo_associate_nfsd_label = mac_biba_associate_nfsd_label,
|
||||
};
|
||||
|
||||
MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
|
||||
|