Date:      Sat, 3 Aug 2002 15:38:15 -0700 (PDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 15500 for review
Message-ID:  <200208032238.g73McFLb066293@freefall.freebsd.org>

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15500

Change 15500 by rwatson@rwatson_curry on 2002/08/03 15:37:28

	Revise logic so that we allow equal labels to be set based on
	the subject single being equal, the range starting or ending
	with equal, or the range being LOW-HIGH.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#88 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#88 (text+ko) ====

@@ -290,6 +290,28 @@
 }
 
 static int
+mac_biba_subj_equal_ok(struct mac_biba *mac_biba)
+{
+
+	/* If the single is EQUAL, it's ok */
+	if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
+		return (0);
+
+	/* If either range endpoint is EQUAL, it's ok */
+	if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
+	    mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
+		return (0);
+
+	/* If the range is low-high, it's ok */
+	if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW &&
+	    mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH)
+		return (0);
+
+	/* It's not OK. */
+	return (EPERM);
+}
+
+static int
 mac_biba_valid(struct mac_biba *mac_biba)
 {
 
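Review bot: mac_biba_subj_equal_ok() is named like a predicate but returns errno-style values, 0 when the subject may use EQUAL and EPERM when it may not, and nothing above the function states that convention. A header comment such as `/* Returns 0 if the subject may set EQUAL labels, EPERM otherwise. */` would make it explicit; alternatively the helper could return a truth value, which is how mac_biba_contains_equal() appears to be used at the call sites. The helper also reads mb_single, mb_rangelow and mb_rangehigh without checking that those elements are populated in the label passed in. If a caller can hand it a label with only a single or only a range set, that precondition should be asserted or documented here.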
@@ -1250,7 +1272,7 @@
 	 * If the old subject label doesn't contain EQUAL, don't let the
 	 * new subject label contain EQUAL.
 	 */
-	if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+	if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj))
 		return (EPERM);
 
 	return (0);
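Review bot: The new condition `!mac_biba_subj_equal_ok(subj)` is inverted, because the helper added in the first hunk returns 0 when the subject is allowed and EPERM when it is not, so the negation is true exactly for the allowed subjects. As written, a subject whose label holds EQUAL or a LOW-HIGH range is refused with EPERM, while a subject with none of those passes this check and may set a label containing EQUAL, the opposite of what the comment above the test describes. The test should read `if (mac_biba_contains_equal(new) && mac_biba_subj_equal_ok(subj) != 0)`, or the helper's return value should be propagated directly. The identical line in the pipe, socket and vnode relabel hunks below has the same problem. The enclosing function begins outside this hunk, so any earlier checks that might compensate are not visible here.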
@@ -1406,7 +1428,7 @@
 	 * If the subject label doesn't contain equal, don't let the new
 	 * pipe label contain equal.
 	 */
-	if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+	if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj))
 		return (EPERM);
 
 	return (0);
@@ -1528,7 +1550,7 @@
 	 * If the subject label doesn't contain EQUAL, don't let the new
 	 * socket label contain EQUAL.
 	 */
-	if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+	if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj))
 		return (EPERM);
 
 	return (0);
@@ -1820,7 +1842,7 @@
 	 * If the subject label doesn't contain EQUAL, don't let the new
 	 * vnode label contain EQUAL.
 	 */
-	if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+	if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj))
 		return (EPERM);
 
 	return (suser_cred(cred, 0));




