Hi,
I found issues with the sysctl MIBs security.mac.biba.ptys_equal, security.mac.lomac.ptys_equal and security.mac.mls.ptys_equal, which do not support the new /dev/pts terminal system in FreeBSD 8, and propose a fix for the issue. When using a higher security grade/clearance with mac_mls, it prevents writing to /dev/pts/5, as it's set as mls/low and subjects may not write to objects with a lower classification level than their own clearance level.

Feb 25 21:42:16 labyrinth sshd[30965]: error: /dev/pts/5: Permission denied
Feb 25 21:42:16 labyrinth sshd[30965]: error: open /dev/tty failed - could not set controlling tty: Permission denied

-Selphie

Patches:
diff -urNp /usr/src/sys/security-orig/mac_biba/mac_biba.c /usr/src/sys/security/mac_biba/mac_biba.c --- /usr/src/sys/security-orig/mac_biba/mac_biba.c 2010-03-01 17:11:30.000000000 -0800 +++ /usr/src/sys/security/mac_biba/mac_biba.c 2010-03-01 17:16:44.000000000 -0800 @@ -955,6 +955,7 @@ biba_devfs_create_device(struct ucred *c biba_type = MAC_BIBA_TYPE_EQUAL; else if (ptys_equal && (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || + strncmp(dev->si_name, "pts/", strlen("pts/")) == 0 || strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) biba_type = MAC_BIBA_TYPE_EQUAL; else diff -urNp /usr/src/sys/security-orig/mac_lomac/mac_lomac.c /usr/src/sys/security/mac_lomac/mac_lomac.c --- /usr/src/sys/security-orig/mac_lomac/mac_lomac.c 2010-03-01 17:11:30.000000000 -0800 +++ /usr/src/sys/security/mac_lomac/mac_lomac.c 2010-03-01 17:16:23.000000000 -0800
@@ -1043,6 +1043,7 @@ lomac_devfs_create_device(struct ucred * lomac_type = MAC_LOMAC_TYPE_EQUAL; else if (ptys_equal && (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || + strncmp(dev->si_name, "pts/", strlen("pts/")) == 0 || strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) lomac_type = MAC_LOMAC_TYPE_EQUAL; else diff -urNp /usr/src/sys/security-orig/mac_mls/mac_mls.c /usr/src/sys/security/mac_mls/mac_mls.c --- /usr/src/sys/security-orig/mac_mls/mac_mls.c 2010-03-01 17:11:30.000000000 -0800 +++ /usr/src/sys/security/mac_mls/mac_mls.c 2010-03-01 17:15:42.000000000 -0800 @@ -918,6 +918,7 @@ mls_devfs_create_device(struct ucred *cr mls_type = MAC_MLS_TYPE_HIGH; else if (ptys_equal && (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || + strncmp(dev->si_name, "pts/", strlen("pts/")) == 0 || strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) mls_type = MAC_MLS_TYPE_EQUAL; else
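Review bot: in the biba_devfs_create_device hunk the added test is a bare prefix match on "pts/", so with ptys_equal set every devfs node whose name starts with pts/ gets MAC_BIBA_TYPE_EQUAL, whatever created it. That mirrors how the existing "ttyp" and "ptyp" prefixes are handled, but please add a comment above the condition saying that pts/ entries are the FreeBSD 8 pty devices, and confirm that nothing other than the pty code can create names under that prefix, since an EQUAL label takes the node out of the integrity checks.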
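Review bot: the three-way name test in the lomac_devfs_create_device hunk is now an exact copy of the one in the biba and mls hunks, so the next change to pty naming will again need three identical edits. Consider moving the prefix list ("ttyp", "pts/", "ptyp") into one shared helper or a small table used by all three policies, so the policies cannot drift apart on which devices ptys_equal covers.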
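Review bot: in the mls_devfs_create_device hunk the label is picked in the device-creation hook, so the new "pts/" match only takes effect for nodes created while ptys_equal is set; the commit message should say that, and the sshd "could not set controlling tty" failure from the report should be retested with a freshly allocated pty. If the description string or manual page for security.mac.mls.ptys_equal (and the biba and lomac equivalents) names the devices it covers, update it to mention pts/ as well.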
Attachment: fbsd80-mac-devpts-fix.patch
_______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"