From owner-p4-projects@FreeBSD.ORG Thu Aug 21 11:13:38 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id F084916A4C1; Thu, 21 Aug 2003 11:13:37 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A338716A4BF for ; Thu, 21 Aug 2003 11:13:37 -0700 (PDT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2839543FA3 for ; Thu, 21 Aug 2003 11:13:37 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h7LIDa0U013980 for ; Thu, 21 Aug 2003 11:13:36 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h7LIDaxY013977 for perforce@freebsd.org; Thu, 21 Aug 2003 11:13:36 -0700 (PDT) Date: Thu, 21 Aug 2003 11:13:36 -0700 (PDT) Message-Id: <200308211813.h7LIDaxY013977@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson To: Perforce Change Reviews Subject: PERFORCE change 36615 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2003 18:13:38 -0000 http://perforce.freebsd.org/chv.cgi?CH=36615 Change 36615 by rwatson@rwatson_tislabs on 2003/08/21 11:13:07 Loop-back integration of mac_lomac fixes from the FreeBSD main tree to the TrustedBSD base branch. Affected files ... .. //depot/projects/trustedbsd/base/sys/security/mac_lomac/mac_lomac.c#12 integrate Differences ... ==== //depot/projects/trustedbsd/base/sys/security/mac_lomac/mac_lomac.c#12 (text+ko) ==== @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/mac_lomac/mac_lomac.c,v 1.16 2003/07/05 01:24:36 rwatson Exp $ + * $FreeBSD: src/sys/security/mac_lomac/mac_lomac.c,v 1.17 2003/08/21 18:07:52 rwatson Exp $ */ /* @@ -1596,19 +1596,27 @@ */ if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) { /* - * To change the LOMAC single label on a credential, the - * new single label must be in the current range. + * Fill in the missing parts from the previous label. */ - if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE && - !mac_lomac_single_in_range(new, subj)) - return (EPERM); + if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0) + mac_lomac_copy_single(subj, new); + if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0) + mac_lomac_copy_range(subj, new); /* * To change the LOMAC range on a credential, the new * range label must be in the current range. */ - if (new->ml_flags & MAC_LOMAC_FLAG_RANGE && - !mac_lomac_range_in_range(new, subj)) + if (!mac_lomac_range_in_range(new, subj)) + return (EPERM); + + /* + * To change the LOMAC single label on a credential, the + * new single label must be in the new range. Implicitly + * from the previous check, the new single is in the old + * range. + */ + if (!mac_lomac_single_in_range(new, new)) return (EPERM); /* @@ -1680,6 +1688,14 @@ */ if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) { /* + * Fill in the missing parts from the previous label. + */ + if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0) + mac_lomac_copy_single(subj, new); + if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0) + mac_lomac_copy_range(subj, new); + + /* * Rely on the traditional superuser status for the LOMAC * interface relabel requirements. XXXMAC: This will go * away. @@ -2300,6 +2316,12 @@ } if (new->ml_flags & MAC_LOMAC_FLAG_AUX) { /* + * Fill in the missing parts from the previous label. + */ + if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0) + mac_lomac_copy_single(subj, new); + + /* * To change the auxiliary LOMAC label on a vnode, the new * vnode label must be in the subject range. */