Date: Thu, 21 Aug 2003 11:13:36 -0700 (PDT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 36615 for review
Message-ID: <200308211813.h7LIDaxY013977@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=36615 Change 36615 by rwatson@rwatson_tislabs on 2003/08/21 11:13:07 Loop-back integration of mac_lomac fixes from the FreeBSD main tree to the TrustedBSD base branch. Affected files ... .. //depot/projects/trustedbsd/base/sys/security/mac_lomac/mac_lomac.c#12 integrate Differences ... ==== //depot/projects/trustedbsd/base/sys/security/mac_lomac/mac_lomac.c#12 (text+ko) ==== @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/mac_lomac/mac_lomac.c,v 1.16 2003/07/05 01:24:36 rwatson Exp $ + * $FreeBSD: src/sys/security/mac_lomac/mac_lomac.c,v 1.17 2003/08/21 18:07:52 rwatson Exp $ */ /* @@ -1596,19 +1596,27 @@ */ if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) { /* - * To change the LOMAC single label on a credential, the - * new single label must be in the current range. + * Fill in the missing parts from the previous label. */ - if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE && - !mac_lomac_single_in_range(new, subj)) - return (EPERM); + if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0) + mac_lomac_copy_single(subj, new); + if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0) + mac_lomac_copy_range(subj, new); /* * To change the LOMAC range on a credential, the new * range label must be in the current range. */ - if (new->ml_flags & MAC_LOMAC_FLAG_RANGE && - !mac_lomac_range_in_range(new, subj)) + if (!mac_lomac_range_in_range(new, subj)) + return (EPERM); + + /* + * To change the LOMAC single label on a credential, the + * new single label must be in the new range. Implicitly + * from the previous check, the new single is in the old + * range. + */ + if (!mac_lomac_single_in_range(new, new)) return (EPERM); /* 
@@ -1680,6 +1688,14 @@ */ if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) { /* + * Fill in the missing parts from the previous label. + */ + if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0) + mac_lomac_copy_single(subj, new); + if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0) + mac_lomac_copy_range(subj, new); + + /* * Rely on the traditional superuser status for the LOMAC * interface relabel requirements. XXXMAC: This will go * away. @@ -2300,6 +2316,12 @@ } if (new->ml_flags & MAC_LOMAC_FLAG_AUX) { /* + * Fill in the missing parts from the previous label. + */ + if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0) + mac_lomac_copy_single(subj, new); + + /* * To change the auxiliary LOMAC label on a vnode, the new * vnode label must be in the subject range. */
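Review bot: In the hunk at @@ -1596,19 +1596,27 @@, the two retained comments still open with "To change the LOMAC range on a credential" and "To change the LOMAC single label on a credential", but both checks now run whenever either bit of MAC_LOMAC_FLAGS_BOTH is set. A request that supplies only a range is therefore rejected with EPERM when the single copied from subj falls outside the new range, which the removed lines did not enforce because they skipped the single check when MAC_LOMAC_FLAG_SINGLE was clear. Please reword the comments as the invariant being enforced after fill-in (new range within the current range, effective single within the new range) so the stricter rule is visible to the next reader. It is also worth a line noting that this permission check now writes into new through mac_lomac_copy_single(subj, new) and mac_lomac_copy_range(subj, new), since callers may not expect the label they pass in to be modified.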
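Review bot: The fill-in block added at @@ -1680,6 +1688,14 @@ is a line-for-line repeat of the one added in the @@ -1596,19 +1596,27 @@ hunk, and a shortened copy appears again at @@ -2300,6 +2316,12 @@. Consider moving the two flag tests and their copies into one small helper that takes subj and new, so the three call sites cannot drift apart when the fill-in rule changes.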
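Review bot: In the @@ -2300,6 +2316,12 @@ hunk the new comment reads "Fill in the missing parts from the previous label", but only the single is filled and it is copied from subj, while the comment that follows describes relabeling a vnode against the subject range. If the intent is to default the single to the vnode's existing label, the source should be that label rather than subj; if defaulting to the subject's single is intended, reword the comment to say so and note what the auxiliary-label check uses the filled-in single for.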