Date: Thu, 21 Aug 2003 11:04:23 -0700 (PDT)
Message-Id: <200308211804.h7LI4Ns9013400@repoman.freebsd.org>
From: Robert Watson
To: Perforce Change Reviews
Subject: PERFORCE change 36612 for review

http://perforce.freebsd.org/chv.cgi?CH=36612

Change 36612 by rwatson@rwatson_tislabs on 2003/08/21 11:03:51

Re-do the credential changing logic some more for LOMAC: since the new label will always contain both single and range elements, we can skip testing the single and range flags before doing sanity checks. Perform the new vs. old range test first, so that when we test the single against the new range, it also implicitly tests against the old range.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#65 edit

Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#65 (text+ko) ==== @@ -1615,21 +1615,21 @@ mac_lomac_copy_single(subj, new); if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0) mac_lomac_copy_range(subj, new); - + /* - * To change the LOMAC single label on a credential, the - * new single label must be in the current range. + * To change the LOMAC range on a credential, the new + * range label must be in the current range. */ - if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE && - !mac_lomac_single_in_range(new, subj)) + if (!mac_lomac_range_in_range(new, subj)) return (EPERM); /* - * To change the LOMAC single label on a credential, the - * new single label must be in the new range. + * To change the LOMAC single label on a credential, the + * new single label must be in the new range. Implicitly + * from the previous check, the new single is in the old + * range. */ - if (new->ml_flags & MAC_LOMAC_FLAG_RANGE && - !mac_lomac_range_in_range(new, subj)) + if (!mac_lomac_single_in_range(new, new)) return (EPERM); /*
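
Review bot: The two unconditional checks, `mac_lomac_range_in_range(new, subj)` and `mac_lomac_single_in_range(new, new)`, rely on `new` already holding both a single and a range element from the copy calls in the context lines at the top of the hunk, but with the `ml_flags` tests removed nothing at this site asserts that invariant. Consider a KASSERT just before the first check that both MAC_LOMAC_FLAG_SINGLE and MAC_LOMAC_FLAG_RANGE are set in `new->ml_flags`, so a later change to the fill-in logic fails loudly rather than comparing elements that were never populated. The new comment correctly notes that the single-in-old-range property now follows only from the range check running first; it would help to say outright that the order of the two checks must not be swapped, since the second check no longer looks at `subj` at all. The leading `-`/`+` pair of otherwise empty lines appears to be a whitespace-only change and could be dropped from the diff or mentioned in the description.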