Implement Biba policy entry points for mac_check_system_swapon()

and mac_check_system_sysctl(), providing additional integrity protections relating to swap target device selection and system management via sysctl(). Require Biba privilege for both; also require that the target of swap operations be a high integrity object, since swap data is high integrity. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Asssociates Laboratories
2002-10-29 19:18:52 +00:00 · 2002-10-29 19:18:52 +00:00 · 84c7715ec3
commit 84c7715ec3
parent 757db56952
1 changed files with 59 additions and 0 deletions
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@ -1870,6 +1870,61 @@ mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
 	return (0);
 }

+static int
+mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!mac_biba_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(label);
+
+	if (!mac_biba_subject_privileged(subj))
+		return (EPERM);
+
+	if (!mac_biba_high_single(obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+    void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+	struct mac_biba *subj;
+	int error;
+
+	if (!mac_biba_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+
+	/*
+	 * In general, treat sysctl variables as biba/high, but also
+	 * require privilege to change them, since they are a
+	 * communications channel between grades.  Exempt MIB
+	 * queries from this due to undocmented sysctl magic.
+	 * XXXMAC: This probably requires some more review.
+	 */
+	if (new != NULL) {
+		if (namelen > 0 && name[0] == 0)
+			return (0);
+
+		if (!mac_biba_subject_dominate_high(subj))
+			return (EACCES);
+
+		error = mac_biba_subject_privileged(subj);
+		if (error)
+			return (error);
+	}
+
+	return (0);
+}
+
 static int
 mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
@ -2651,6 +2706,10 @@ static struct mac_policy_op_entry mac_biba_ops[] =
 	    (macop_t)mac_biba_check_socket_relabel },
 	{ MAC_CHECK_SOCKET_VISIBLE,
 	    (macop_t)mac_biba_check_socket_visible },
+	{ MAC_CHECK_SYSTEM_SWAPON,
+	    (macop_t)mac_biba_check_system_swapon },
+	{ MAC_CHECK_SYSTEM_SYSCTL,
+	    (macop_t)mac_biba_check_system_sysctl },
 	{ MAC_CHECK_VNODE_ACCESS,
 	    (macop_t)mac_biba_check_vnode_open },
 	{ MAC_CHECK_VNODE_CHDIR,