upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-09 08:43:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Properly return the error from mls_subject_privileged() in the ifnet

Browse source 
relabel check for MLS rather than returning 0 directly.

This problem didn't result in a vulnerability currently as the central
implementation of ifnet relabeling also checks for UNIX privilege, and
we currently don't guarantee containment for the root user in mac_mls,
but we should be using the MLS definition of privilege as well as the
UNIX definition in anticipation of supporting root containment at some
point.

MFC after:	3 days
Submitted by:	Zhouyi Zhou <zhouzhouyi at gmail dot com>
Sponsored by:	Google SoC 2007
This commit is contained in:
Robert Watson 2008-01-28 10:20:18 +00:00
parent 7572a9c749
commit 5ac3b03500
1 changed files with 1 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
sys/security/mac_mls/mac_mls.c
View file

@ -964,9 +964,7 @@ mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
/*
* Relabeling network interfaces requires MLS privilege.
*/
error = mls_subject_privileged(subj);
return (0);
return (mls_subject_privileged(subj));
}
static int