From a4690c931ee98f21c38898b44f7b6be1b3ed6c5a Mon Sep 17 00:00:00 2001
From: "Christian S.J. Peron"
Date: Mon, 10 Jul 2006 19:13:32 +0000
Subject: [PATCH] Implement mpo_associate_nfsd_label entry point for the BIBA security policy, we will initialize the label to biba/low for files that have been created through an NFS RPC. This is a safe default given the default nature of our NFS implementation, there is not a whole lot of data integrity there by default. This also fixes kernel panics associated with file creation over NFS while creating files on filesystems which have multilabel enabled with BIBA enabled.
MFC after: 2 weeks
Discussed with: rwatson
---
 sys/security/mac_biba/mac_biba.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 6d6c8fdf1914..c098fe2bf124 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -3019,6 +3019,18 @@ mac_biba_check_vnode_write(struct ucred *active_cred,
 return (0);
 }

+static int
+mac_biba_associate_nfsd_label(struct ucred *cred)
+{
+ struct mac_biba *label;
+
+ label = SLOT(cred->cr_label);
+ mac_biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
+ mac_biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL,
+ MAC_BIBA_TYPE_HIGH, 0, NULL);
+ return (0);
+}
+
 static struct mac_policy_ops mac_biba_ops =
 {
 .mpo_init = mac_biba_init,
@@ -3198,6 +3210,7 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_check_vnode_setutimes = mac_biba_check_vnode_setutimes,
 .mpo_check_vnode_stat = mac_biba_check_vnode_stat,
 .mpo_check_vnode_write = mac_biba_check_vnode_write,
+ .mpo_associate_nfsd_label = mac_biba_associate_nfsd_label,
 };

 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
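Review bot: In the new `mac_biba_associate_nfsd_label`, the call to `mac_biba_set_range` gives the NFS server credential the widest possible range (`MAC_BIBA_TYPE_LOW` to `MAC_BIBA_TYPE_HIGH`), while the commit message only argues for an effective label of biba/low. Nothing in the hunk explains why the range is not low to low. If other parts of the policy use a subject's range to bound relabeling or to decide whether the subject is privileged (not visible here, so this needs confirming against the rest of mac_biba.c), then this choice decides how much integrity authority requests arriving over NFS carry. It should be recorded in a comment above the function, for example `/* NFS RPCs run at biba/low; range is low-high because <reason> */`. The same comment could state that the caller is expected to pass a credential whose `cr_label` is already initialised, since `SLOT(cred->cr_label)` is written through without a check.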