Bug 178667 - [mac] [patch] mac_lomac policy ignores aux label when reading/writing file extattr
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 9.1-RELEASE
Hardware: Any Any
Importance: Normal, Affects Only Me
Assignee: freebsd-bugs mailing list
Depends on:
Reported: 2013-05-15 19:00 UTC by Priit Järv
Modified: 2018-01-03 05:13 UTC (History)

Attachment: file.diff (642 bytes, patch), 2013-05-15 19:00 UTC, Priit Järv

Description Priit Järv 2013-05-15 19:00:00 UTC
in sys/security/mac_lomac/mac_lomac.c:

lomac_vnode_associate_extattr() and lomac_vnode_setlabel_extattr() only copy part of the LOMAC label, ignoring the value of the auxiliary grade.

Note that lomac_vnode_create_extattr(), the third function to access the file extended attributes, does already copy the auxiliary grade if it is present.

The problem has been reported for 9.1-RELEASE but it has been confirmed to be present in stable/9. The same problem is likely to be present in head (-CURRENT) as the relevant code has not been modified.

Fix: Apply the patch. Tested with GENERIC kernel on 9.1-RELEASE and stable/9.

Patch attached with submission follows:
How-To-Repeat:
1. enable mac_lomac policy in kernel
2. create a multilabel filesystem (newfs -l -U /dev/somedev)
3. mount the filesystem and set lomac labels
   mount /dev/somedev /mnt
   mkdir /mnt/1
   setfmac lomac/high\[low\] /mnt/1 # aux grade
   touch /mnt/1/2 # inherits grade from directory
   touch /mnt/1/3
   setfmac lomac/high\[low\] /mnt/1/3 # set manually
4. use getextattr -x system mac_lomac /mnt/1 /mnt/1/2 /mnt/1/3
   (only the file that inherited the grade has aux grade in extattr)
5. note the labels ls -lZa /mnt/1
6. umount /mnt; mount /dev/somedev /mnt
7. note the aux grades are missing with ls -lZa /mnt/1
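A regression check for the steps above, added here as an example and not taken from the report or the FreeBSD tree: it snapshots the labels before and after the remount and counts aux grades that went missing, so the same script verifies the fix once the patch is applied. It assumes a FreeBSD host with mac_lomac enabled, root privileges, and a filesystem already created with `newfs -l` (step 2); the device and mount point are operator-supplied arguments, and the `ls -lZa` column layout used by `snapshot_labels` is an assumption.

```shell
# Added regression check (not from the bug report). Assumes FreeBSD with
# mac_lomac loaded, root, and a filesystem already created with `newfs -l`.

# Print the auxiliary grade of a label like "lomac/high[low]" (empty if none).
aux_grade_of() {
    case "$1" in
        *\[*\]*) tmp=${1#*\[}; printf '%s\n' "${tmp%%\]*}" ;;
        *) printf '\n' ;;
    esac
}

# $1/$2 = files of "path label" lines taken before/after the remount.
# Prints how many paths had an aux grade before that is missing or changed after.
lost_aux_grades() {
    lost=0
    while read -r path label; do
        want=$(aux_grade_of "$label")
        [ -n "$want" ] || continue              # nothing to lose on this path
        got=$(aux_grade_of "$(awk -v p="$path" '$1 == p { print $2 }' "$2")")
        [ "$want" = "$got" ] ||
            { echo "aux grade lost on $path ($label -> ${got:-none})" >&2; lost=$((lost + 1)); }
    done < "$1"
    echo "$lost"
}

# "path label" per entry; assumes `ls -lZa` prints the label in column 5.
snapshot_labels() {
    ls -lZa "$1" | awk -v d="$1" 'NR > 1 { print d "/" $NF, $5 }'
}

# Steps 3 to 7 of the report, ending with a before/after comparison.
check_aux_persistence() {                    # $1 = device, $2 = mount point
    tmp=$(mktemp -d) || return 1
    mount "$1" "$2" || return 1
    mkdir -p "$2/1"
    setfmac 'lomac/high[low]' "$2/1"         # aux grade on the directory
    touch "$2/1/2"                           # inherits grade from directory
    touch "$2/1/3"
    setfmac 'lomac/high[low]' "$2/1/3"       # aux grade set manually
    snapshot_labels "$2/1" > "$tmp/before"
    getextattr -x system mac_lomac "$2/1" "$2/1/2" "$2/1/3"   # step 4
    umount "$2" && mount "$1" "$2"           # step 6
    snapshot_labels "$2/1" > "$tmp/after"
    lost=$(lost_aux_grades "$tmp/before" "$tmp/after")
    umount "$2"; rm -rf "$tmp"
    [ "$lost" -eq 0 ]                        # fails on the kernel described here
}
```

Run as `check_aux_persistence /dev/somedev /mnt`; on the affected kernel the aux grades are reported lost and the function returns non-zero.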
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:56 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped