mirror of https://git.FreeBSD.org/src.git synced 2025-01-20 15:43:16 +00:00

Properly return the error from mls_subject_privileged() in the ifnet
relabel check for MLS rather than returning 0 directly.

This problem didn't result in a vulnerability currently as the central
implementation of ifnet relabeling also checks for UNIX privilege, and
we currently don't guarantee containment for the root user in mac_mls,
but we should be using the MLS definition of privilege as well as the
UNIX definition in anticipation of supporting root containment at some
point.

MFC after:	3 days
Submitted by:	Zhouyi Zhou <zhouzhouyi at gmail dot com>
Sponsored by:	Google SoC 2007
Robert Watson 2008-01-28 10:20:18 +00:00
parent 7572a9c749
commit 5ac3b03500
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=175747

@ -964,9 +964,7 @@ mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
/* /*
* Relabeling network interfaces requires MLS privilege. * Relabeling network interfaces requires MLS privilege.
*/ */
error = mls_subject_privileged(subj); return (mls_subject_privileged(subj));
return (0);
} }
static int static int
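
Review bot: the local `error` loses its assignment at the end of mls_ifnet_check_relabel() once `error = mls_subject_privileged(subj);` is replaced by the direct return, so if nothing earlier in the function uses it, drop the declaration in this same change rather than leaving an unused variable. The removed pair (`error = mls_subject_privileged(subj);` followed by `return (0);`) computed the privilege result and then discarded it, so it is worth checking the other relabel checks in this file for the same assign-then-return-0 shape. Since the commit message says the UNIX privilege check in the central ifnet relabel path masked the effect, a test that calls this MLS check directly with an unprivileged subject and expects a non-zero return would catch a regression that the combined path would hide.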