Add a twiddle to create PTY's with a biba/equal or mls/equal label
instead of the default biba/high, mls/low, making it easier to use ptys with these policies. This isn't the final solution, but does help. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
This commit is contained in:
parent
803bf0837b
commit
0b9b85b91d
@ -102,6 +102,11 @@ SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
|
||||
TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
|
||||
sizeof(trusted_interfaces));
|
||||
|
||||
static int ptys_equal = 0;
|
||||
SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW,
|
||||
&ptys_equal, 0, "Label pty devices as biba/equal on create");
|
||||
TUNABLE_INT("security.mac.biba.ptys_equal", &ptys_equal);
|
||||
|
||||
static int mac_biba_revocation_enabled = 0;
|
||||
SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
|
||||
&mac_biba_revocation_enabled, 0, "Revoke access to objects on relabel");
|
||||
@ -461,6 +466,10 @@ mac_biba_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
|
||||
strcmp(dev->si_name, "random") == 0 ||
|
||||
strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
|
||||
biba_type = MAC_BIBA_TYPE_EQUAL;
|
||||
else if (ptys_equal &&
|
||||
(strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
|
||||
strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
|
||||
biba_type = MAC_BIBA_TYPE_EQUAL;
|
||||
else
|
||||
biba_type = MAC_BIBA_TYPE_HIGH;
|
||||
mac_biba_set_single(mac_biba, biba_type, 0);
|
||||
|
@ -91,6 +91,11 @@ static int destroyed_not_inited;
|
||||
SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
|
||||
&destroyed_not_inited, 0, "Count of labels destroyed but not inited");
|
||||
|
||||
static int ptys_equal = 0;
|
||||
SYSCTL_INT(_security_mac_mls, OID_AUTO, ptys_equal, CTLFLAG_RW,
|
||||
&ptys_equal, 0, "Label pty devices as mls/equal on create");
|
||||
TUNABLE_INT("security.mac.mls.ptys_equal", &ptys_equal);
|
||||
|
||||
static int mac_mls_revocation_enabled = 0;
|
||||
SYSCTL_INT(_security_mac_mls, OID_AUTO, revocation_enabled, CTLFLAG_RW,
|
||||
&mac_mls_revocation_enabled, 0, "Revoke access to objects on relabel");
|
||||
@ -453,6 +458,10 @@ mac_mls_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
|
||||
else if (strcmp(dev->si_name, "kmem") == 0 ||
|
||||
strcmp(dev->si_name, "mem") == 0)
|
||||
mls_type = MAC_MLS_TYPE_HIGH;
|
||||
else if (ptys_equal &&
|
||||
(strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
|
||||
strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
|
||||
mls_type = MAC_MLS_TYPE_EQUAL;
|
||||
else
|
||||
mls_type = MAC_MLS_TYPE_LOW;
|
||||
mac_mls_set_single(mac_mls, mls_type, 0);
|
||||
|
Loading…
Reference in New Issue
Block a user