Date:      Fri, 17 Jan 2003 11:44:11 -0800 (PST)
From:      Brian Feldman <green@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 23852 for review
Message-ID:  <200301171944.h0HJiBjV047947@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=23852

Change 23852 by green@green_laptop_2 on 2003/01/17 11:44:01

	Fix a problem reported by tjr in which incorrect labels were
	checked and okayed during relabel operations in LOMAC.  Fill
	out the partial labels with information from the current label
	to make them complete, as per the comments.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#50 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#50 (text+ko) ====

@@ -1649,6 +1649,14 @@
 	 */
 	if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) {
 		/*
+		 * Fill in the missing parts from the previous label.
+		 */
+		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
+			mac_lomac_copy_single(subj, new);
+		else
+			mac_lomac_copy_range(subj, new);
+			
+		/*
 		 * To change the LOMAC single label on a credential, the
 		 * new single label must be in the current range.
 		 */
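
Review bot: The `else` in the added fill-in block runs whenever MAC_LOMAC_FLAG_SINGLE is set, which includes a request that carries both a single and a range under `new->ml_flags & MAC_LOMAC_FLAGS_BOTH`, so `mac_lomac_copy_range(subj, new)` is called even when the caller supplied its own range. If that call writes the subject's range into `new`, the range checks that follow would be made against the current range rather than the requested one. Testing each part independently (keep the `(new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0` test and replace the `else` with an explicit test that the range is absent) avoids that. The added line after `mac_lomac_copy_range(subj, new);` also contains only tabs and should be an empty line.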
@@ -1680,6 +1688,10 @@
 		 * single and range of the new label might be performed
 		 * here.
 		 */
+
+		/*
+		 * Fill in what is not already filled in.
+		 */
 	}
 
 	return (0);
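
Review bot: The comment added just before the closing brace, "Fill in what is not already filled in.", is followed by no code, so it documents a step this hunk does not perform. Since the fill-in now happens at the top of the block, either drop the comment or move the copy calls here if this is where they were meant to go; as written it reads like an unfinished TODO and should at least be marked as one.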
@@ -1733,6 +1745,14 @@
 	 */
 	if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) {
 		/*
+		 * Fill in the missing parts from the previous label.
+		 */
+		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
+			mac_lomac_copy_single(subj, new);
+		else
+			mac_lomac_copy_range(subj, new);
+
+		/*
 		 * Rely on the traditional superuser status for the LOMAC
 		 * interface relabel requirements.  XXXMAC: This will go
 		 * away.
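
Review bot: The fill-in block here is a verbatim copy of the one added at line 1649, including the `else` that calls `mac_lomac_copy_range(subj, new)` whenever MAC_LOMAC_FLAG_SINGLE is set, even if the request also carries a range. Consider factoring the two tests into one small helper taking `subj` and `new`, with each part tested on its own, so both relabel checks complete partial labels the same way and a later fix does not have to be applied twice.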
@@ -2353,6 +2373,12 @@
 	}
 	if (new->ml_flags & MAC_LOMAC_FLAG_AUX) {
 		/*
+		 * Fill in the missing parts from the previous label.
+		 */
+		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
+			mac_lomac_copy_single(subj, new);
+
+		/*
 		 * To change the auxiliary LOMAC label on a vnode, the new
 		 * vnode label must be in the subject range.
 		 */
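
Review bot: The added comment says the missing parts come "from the previous label", but the call is `mac_lomac_copy_single(subj, new)` and the surrounding comment is about a vnode label being checked against the subject range, so the single is taken from `subj` rather than from the vnode's existing label. Please confirm that `subj` is the intended source here and reword the comment to say so; if the vnode's current label was meant, the first argument needs to change. This hunk also fills in only the single and not the range, unlike the other two hunks; a short note in the comment explaining why the range is not needed for the auxiliary-label check would help.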
