Date:      Thu, 21 Aug 2003 11:04:23 -0700 (PDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 36612 for review
Message-ID:  <200308211804.h7LI4Ns9013400@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=36612

Change 36612 by rwatson@rwatson_tislabs on 2003/08/21 11:03:51

	Re-do the credential changing logic some more for LOMAC: since
	the new label will always contain both single and range elements,
	we can skip testing the single and range flags before doing
	sanity checks.  Perform the new vs. old range test first, so
	that when we test the single against the new range, it also
	implicitly tests against the old range.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#65 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#65 (text+ko) ====

@@ -1615,21 +1615,21 @@
 			mac_lomac_copy_single(subj, new);
 		if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0)
 			mac_lomac_copy_range(subj, new);
-			
+
 		/*
-		 * To change the LOMAC single label on a credential, the
-		 * new single label must be in the current range.
+		 * To change the LOMAC range on a credential, the new
+		 * range label must be in the current range.
 		 */
-		if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE &&
-		    !mac_lomac_single_in_range(new, subj))
+		if (!mac_lomac_range_in_range(new, subj))
 			return (EPERM);
 
 		/*
-		 * To change the LOMAC range on a credential, the new
-		 * range label must be in the new range.
+		 * To change the LOMAC single label on a credential, the
+		 * new single label must be in the new range.  Implicitly
+		 * from the previous check, the new single is in the old
+		 * range.
 		 */
-		if (new->ml_flags & MAC_LOMAC_FLAG_RANGE &&
-		    !mac_lomac_range_in_range(new, subj))
+		if (!mac_lomac_single_in_range(new, new))
 			return (EPERM);
 
 		/*
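Review bot: The now-unconditional `mac_lomac_range_in_range(new, subj)` and `mac_lomac_single_in_range(new, new)` calls depend on `new` carrying both a single and a range element after the two copy calls at the top of the hunk, but with the `MAC_LOMAC_FLAG_SINGLE` and `MAC_LOMAC_FLAG_RANGE` tests removed nothing here enforces that. Consider asserting that both flags are set on `new` before the first check, so a later change to the copy logic cannot let a partially filled label reach these tests. Separately, the guarantee that the new single lies in the old range now holds only by transitivity through the range check that precedes it; the new comment says so, and it would help to add that the two checks must stay in this order, since swapping them or dropping the first would leave the single unchecked against `subj`. The commit message could also note that a request supplying only a new range now has the subject's existing single tested against that new range.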


