Implement mpo_associate_nfsd_label entry point for the BIBA security policy,

we will initialize the label to biba/low for files that have been created
through an NFS RPC. This is a safe default given the default nature of our
NFS implementation, there is not a whole lot of data integrity there by
default. This also fixes kernel panics associated with file creation over NFS
while creating files on filesystems which have multilabel enabled with BIBA
enabled.

MFC after:	2 weeks
Discussed with:	rwatson
This commit is contained in:
Christian S.J. Peron 2006-07-10 19:13:32 +00:00
parent 6b5b470aea
commit a4690c931e
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=160243

View File

@ -3019,6 +3019,18 @@ mac_biba_check_vnode_write(struct ucred *active_cred,
return (0);
}
static int
mac_biba_associate_nfsd_label(struct ucred *cred)
{
struct mac_biba *label;
label = SLOT(cred->cr_label);
mac_biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
mac_biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL,
MAC_BIBA_TYPE_HIGH, 0, NULL);
return (0);
}
static struct mac_policy_ops mac_biba_ops =
{
.mpo_init = mac_biba_init,
@ -3198,6 +3210,7 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_check_vnode_setutimes = mac_biba_check_vnode_setutimes,
.mpo_check_vnode_stat = mac_biba_check_vnode_stat,
.mpo_check_vnode_write = mac_biba_check_vnode_write,
.mpo_associate_nfsd_label = mac_biba_associate_nfsd_label,
};
MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",