PERFORCE change 57312 for review

Robert Watson rwatson at FreeBSD.org
Wed Jul 14 03:13:11 GMT 2004


http://perforce.freebsd.org/chv.cgi?CH=57312

Change 57312 by rwatson at rwatson_tislabs on 2004/07/14 03:12:30

	Search and replace: rename "mb_single" and "mm_single" to
	"mb_effective" and "mm_effective" respectively in the Biba
	and MLS policies.  "single label" in these policies was
	causing confusion with respect to "singlelabel file systems",
	and "effective" generally describes the label better than
	"single".

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#244 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.h#16 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#198 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.h#17 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#244 (text+ko) ====

@@ -1,6 +1,6 @@
 /*-
  * Copyright (c) 1999-2002 Robert N. M. Watson
- * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -227,9 +227,9 @@
 {
 	struct mac_biba_element *element;
 
-	KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
-	    ("mac_biba_single_in_range: mac_biba not single"));
-	element = &mac_biba->mb_single;
+	KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
+	    ("mac_biba_effective_in_range: mac_biba not effective"));
+	element = &mac_biba->mb_effective;
 
 	return (element->mbe_type == MAC_BIBA_TYPE_EQUAL ||
 	    element->mbe_type == MAC_BIBA_TYPE_HIGH);
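Review bot: The KASSERT message on the new side still reads `mac_biba_effective_in_range: mac_biba not effective`, but the visible body takes one label and only tests its element type for EQUAL or HIGH, so the prefix looks copied from another function. The signature is outside this hunk, so the correct name has to be taken from there. The same copy-paste survives in the @@ -341,30 +342,30 @@ hunk, where `mac_biba_high_effective` asserts with the prefix `mac_biba_equal_effective`; that message should be `("mac_biba_high_effective: mac_biba not effective")`. The rename rewrites these strings anyway, and a panic that names the wrong function sends whoever debugs an integrity-label assertion to the wrong place.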
@@ -246,31 +246,32 @@
 }
 
 static int
-mac_biba_single_in_range(struct mac_biba *single, struct mac_biba *range)
+mac_biba_effective_in_range(struct mac_biba *effective,
+    struct mac_biba *range)
 {
 
-	KASSERT((single->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
-	    ("mac_biba_single_in_range: a not single"));
+	KASSERT((effective->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
+	    ("mac_biba_effective_in_range: a not effective"));
 	KASSERT((range->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
-	    ("mac_biba_single_in_range: b not range"));
+	    ("mac_biba_effective_in_range: b not range"));
 
 	return (mac_biba_dominate_element(&range->mb_rangehigh,
-	    &single->mb_single) &&
-	    mac_biba_dominate_element(&single->mb_single,
+	    &effective->mb_effective) &&
+	    mac_biba_dominate_element(&effective->mb_effective,
 	    &range->mb_rangelow));
 
 	return (1);
 }
 
 static int
-mac_biba_dominate_single(struct mac_biba *a, struct mac_biba *b)
+mac_biba_dominate_effective(struct mac_biba *a, struct mac_biba *b)
 {
-	KASSERT((a->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
-	    ("mac_biba_dominate_single: a not single"));
-	KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
-	    ("mac_biba_dominate_single: b not single"));
+	KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
+	    ("mac_biba_dominate_effective: a not effective"));
+	KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
+	    ("mac_biba_dominate_effective: b not effective"));
 
-	return (mac_biba_dominate_element(&a->mb_single, &b->mb_single));
+	return (mac_biba_dominate_element(&a->mb_effective, &b->mb_effective));
 }
 
 static int
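Review bot: `mac_biba_effective_in_range` still ends with an unreachable `return (1);` after the `return (mac_biba_dominate_element(...) && ...)` statement; it should be deleted so the function cannot be misread as defaulting to "in range". The two KASSERT messages also still say `a not effective` and `b not range` although the parameters are now called `effective` and `range`, so the text no longer matches anything in the signature. Naming the parameters in the messages, for example `("mac_biba_effective_in_range: range has no range")`, would keep the assertion output readable.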
@@ -285,23 +286,23 @@
 }
 
 static int
-mac_biba_equal_single(struct mac_biba *a, struct mac_biba *b)
+mac_biba_equal_effective(struct mac_biba *a, struct mac_biba *b)
 {
 
-	KASSERT((a->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
-	    ("mac_biba_equal_single: a not single"));
-	KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
-	    ("mac_biba_equal_single: b not single"));
+	KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
+	    ("mac_biba_equal_effective: a not effective"));
+	KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
+	    ("mac_biba_equal_effective: b not effective"));
 
-	return (mac_biba_equal_element(&a->mb_single, &b->mb_single));
+	return (mac_biba_equal_element(&a->mb_effective, &b->mb_effective));
 }
 
 static int
 mac_biba_contains_equal(struct mac_biba *mac_biba)
 {
 
-	if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE)
-		if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
+	if (mac_biba->mb_flags & MAC_BIBA_FLAG_EFFECTIVE)
+		if (mac_biba->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
 			return (1);
 
 	if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) {
@@ -322,8 +323,8 @@
 	    MAC_BIBA_FLAGS_BOTH,
 	    ("mac_biba_subject_privileged: subject doesn't have both labels"));
 
-	/* If the single is EQUAL, it's ok. */
-	if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
+	/* If the effective is EQUAL, it's ok. */
+	if (mac_biba->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
 		return (0);
 
 	/* If either range endpoint is EQUAL, it's ok. */
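Review bot: The mechanical replace leaves comments that use "effective" as a noun; `/* If the effective is EQUAL, it's ok. */` in `mac_biba_subject_privileged` would read better as `/* If the effective label is EQUAL, it's ok. */`. The same applies to "an update of the effective, range, or both" in the @@ -1573,7 +1575,7 @@ and @@ -1654,7 +1656,7 @@ hunks and to "effective and range" in @@ -1585,20 +1587,20 @@. The pipe relabel comment in @@ -2118,9 +2120,9 @@ now says "a effective update", which should be "an effective label update". The function body here begins and ends outside the hunk.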
@@ -341,30 +342,30 @@
 }
 
 static int
-mac_biba_high_single(struct mac_biba *mac_biba)
+mac_biba_high_effective(struct mac_biba *mac_biba)
 {
 
-	KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
-	    ("mac_biba_equal_single: mac_biba not single"));
+	KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
+	    ("mac_biba_equal_effective: mac_biba not effective"));
 
-	return (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_HIGH);
+	return (mac_biba->mb_effective.mbe_type == MAC_BIBA_TYPE_HIGH);
 }
 
 static int
 mac_biba_valid(struct mac_biba *mac_biba)
 {
 
-	if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) {
-		switch (mac_biba->mb_single.mbe_type) {
+	if (mac_biba->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
+		switch (mac_biba->mb_effective.mbe_type) {
 		case MAC_BIBA_TYPE_GRADE:
 			break;
 
 		case MAC_BIBA_TYPE_EQUAL:
 		case MAC_BIBA_TYPE_HIGH:
 		case MAC_BIBA_TYPE_LOW:
-			if (mac_biba->mb_single.mbe_grade != 0 ||
+			if (mac_biba->mb_effective.mbe_grade != 0 ||
 			    !MAC_BIBA_BIT_SET_EMPTY(
-			    mac_biba->mb_single.mbe_compartments))
+			    mac_biba->mb_effective.mbe_compartments))
 				return (EINVAL);
 			break;
 
@@ -372,7 +373,7 @@
 			return (EINVAL);
 		}
 	} else {
-		if (mac_biba->mb_single.mbe_type != MAC_BIBA_TYPE_UNDEF)
+		if (mac_biba->mb_effective.mbe_type != MAC_BIBA_TYPE_UNDEF)
 			return (EINVAL);
 	}
 
@@ -444,16 +445,16 @@
 }
 
 static void
-mac_biba_set_single(struct mac_biba *mac_biba, u_short type, u_short grade,
+mac_biba_set_effective(struct mac_biba *mac_biba, u_short type, u_short grade,
     u_char *compartments)
 {
 
-	mac_biba->mb_single.mbe_type = type;
-	mac_biba->mb_single.mbe_grade = grade;
+	mac_biba->mb_effective.mbe_type = type;
+	mac_biba->mb_effective.mbe_grade = grade;
 	if (compartments != NULL)
-		memcpy(mac_biba->mb_single.mbe_compartments, compartments,
-		    sizeof(mac_biba->mb_single.mbe_compartments));
-	mac_biba->mb_flags |= MAC_BIBA_FLAG_SINGLE;
+		memcpy(mac_biba->mb_effective.mbe_compartments, compartments,
+		    sizeof(mac_biba->mb_effective.mbe_compartments));
+	mac_biba->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
 }
 
 static void
@@ -469,22 +470,22 @@
 }
 
 static void
-mac_biba_copy_single(struct mac_biba *labelfrom, struct mac_biba *labelto)
+mac_biba_copy_effective(struct mac_biba *labelfrom, struct mac_biba *labelto)
 {
 
-	KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
-	    ("mac_biba_copy_single: labelfrom not single"));
+	KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
+	    ("mac_biba_copy_effective: labelfrom not effective"));
 
-	labelto->mb_single = labelfrom->mb_single;
-	labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
+	labelto->mb_effective = labelfrom->mb_effective;
+	labelto->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
 }
 
 static void
 mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
 {
 
-	if (source->mb_flags & MAC_BIBA_FLAG_SINGLE)
-		mac_biba_copy_single(source, dest);
+	if (source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE)
+		mac_biba_copy_effective(source, dest);
 	if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
 		mac_biba_copy_range(source, dest);
 }
@@ -632,8 +633,8 @@
 mac_biba_to_string(struct sbuf *sb, struct mac_biba *mac_biba)
 {
 
-	if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) {
-		if (mac_biba_element_to_string(sb, &mac_biba->mb_single)
+	if (mac_biba->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
+		if (mac_biba_element_to_string(sb, &mac_biba->mb_effective)
 		    == -1)
 			return (EINVAL);
 	}
@@ -768,12 +769,12 @@
 static int
 mac_biba_parse(struct mac_biba *mac_biba, char *string)
 {
-	char *rangehigh, *rangelow, *single;
+	char *rangehigh, *rangelow, *effective;
 	int error;
 
-	single = strsep(&string, "(");
-	if (*single == '\0')
-		single = NULL;
+	effective = strsep(&string, "(");
+	if (*effective == '\0')
+		effective = NULL;
 
 	if (string != NULL) {
 		rangelow = strsep(&string, "-");
@@ -794,11 +795,12 @@
 	    ("mac_biba_parse: range mismatch"));
 
 	bzero(mac_biba, sizeof(*mac_biba));
-	if (single != NULL) {
-		error = mac_biba_parse_element(&mac_biba->mb_single, single);
+	if (effective != NULL) {
+		error = mac_biba_parse_element(&mac_biba->mb_effective,
+		    effective);
 		if (error)
 			return (error);
-		mac_biba->mb_flags |= MAC_BIBA_FLAG_SINGLE;
+		mac_biba->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
 	}
 
 	if (rangelow != NULL) {
@@ -873,7 +875,7 @@
 		biba_type = MAC_BIBA_TYPE_EQUAL;
 	else
 		biba_type = MAC_BIBA_TYPE_HIGH;
-	mac_biba_set_single(mac_biba, biba_type, 0, NULL);
+	mac_biba_set_effective(mac_biba, biba_type, 0, NULL);
 }
 
 static void
@@ -884,7 +886,7 @@
 	struct mac_biba *mac_biba;
 
 	mac_biba = SLOT(label);
-	mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
+	mac_biba_set_effective(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
 }
 
 static void
@@ -897,7 +899,7 @@
 	source = SLOT(cred->cr_label);
 	dest = SLOT(delabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -908,9 +910,9 @@
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(mntlabel);
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 	dest = SLOT(fslabel);
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -921,9 +923,9 @@
 
 	/* Always mount root as high integrity. */
 	mac_biba = SLOT(fslabel);
-	mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
+	mac_biba_set_effective(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
 	mac_biba = SLOT(mntlabel);
-	mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
+	mac_biba_set_effective(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
 }
 
 static void
@@ -961,7 +963,7 @@
 	source = SLOT(delabel);
 	dest = SLOT(vlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static int
@@ -981,7 +983,7 @@
 	    MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
 	if (error == ENOATTR || error == EOPNOTSUPP) {
 		/* Fall back to the fslabel. */
-		mac_biba_copy_single(source, dest);
+		mac_biba_copy_effective(source, dest);
 		return (0);
 	} else if (error)
 		return (error);
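Review bot: The Biba label is read from the extended attribute as raw struct bytes (`(char *) &temp` in this call, and again in the `vn_extattr_set` calls of the @@ -1030,12 +1032,12 @@ and @@ -1051,10 +1053,10 @@ hunks), so the rename is only transparent to already-labelled file systems if mac_biba.h keeps the field order and gives `MAC_BIBA_FLAG_EFFECTIVE` the same value `MAC_BIBA_FLAG_SINGLE` had. The header diff is cut off in this mail, so that cannot be confirmed from here; a sentence in the change description stating that the on-disk layout and flag values are unchanged would settle it. The next hunk also changes the console message for a rejected on-disk label from "not single" to "not effective", which any log matching keyed on the old text will miss. The function starts outside this hunk.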
@@ -995,12 +997,12 @@
 		printf("mac_biba_associate_vnode_extattr: invalid\n");
 		return (EPERM);
 	}
-	if ((temp.mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) {
-		printf("mac_biba_associate_vnode_extattr: not single\n");
+	if ((temp.mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_EFFECTIVE) {
+		printf("mac_biba_associate_vnode_extattr: not effective\n");
 		return (EPERM);
 	}
 
-	mac_biba_copy_single(&temp, dest);
+	mac_biba_copy_effective(&temp, dest);
 	return (0);
 }
 
@@ -1013,7 +1015,7 @@
 	source = SLOT(fslabel);
 	dest = SLOT(vlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static int
@@ -1030,12 +1032,12 @@
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(vlabel);
-	mac_biba_copy_single(source, &temp);
+	mac_biba_copy_effective(source, &temp);
 
 	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
 	    MAC_BIBA_EXTATTR_NAME, buflen, (char *) &temp, curthread);
 	if (error == 0)
-		mac_biba_copy_single(source, dest);
+		mac_biba_copy_effective(source, dest);
 	return (error);
 }
 
@@ -1051,10 +1053,10 @@
 	bzero(&temp, buflen);
 
 	source = SLOT(intlabel);
-	if ((source->mb_flags & MAC_BIBA_FLAG_SINGLE) == 0)
+	if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0)
 		return (0);
 
-	mac_biba_copy_single(source, &temp);
+	mac_biba_copy_effective(source, &temp);
 
 	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
 	    MAC_BIBA_EXTATTR_NAME, buflen, (char *) &temp, curthread);
@@ -1073,7 +1075,7 @@
 	source = SLOT(solabel);
 	dest = SLOT(inplabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1085,7 +1087,7 @@
 	source = SLOT(socketlabel);
 	dest = SLOT(mbuflabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1097,7 +1099,7 @@
 	source = SLOT(cred->cr_label);
 	dest = SLOT(socketlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1109,7 +1111,7 @@
 	source = SLOT(cred->cr_label);
 	dest = SLOT(pipelabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1121,7 +1123,7 @@
 	source = SLOT(cred->cr_label);
 	dest = SLOT(ks_label);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1134,7 +1136,7 @@
 	source = SLOT(oldsocketlabel);
 	dest = SLOT(newsocketlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1170,7 +1172,7 @@
 	source = SLOT(mbuflabel);
 	dest = SLOT(socketpeerlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 /*
@@ -1187,7 +1189,7 @@
 	source = SLOT(cred->cr_label);
 	dest = SLOT(msglabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1199,7 +1201,7 @@
 	source = SLOT(cred->cr_label);
 	dest = SLOT(msqlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1211,7 +1213,7 @@
 	source = SLOT(cred->cr_label);
 	dest = SLOT(semalabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1223,7 +1225,7 @@
 	source = SLOT(cred->cr_label);
 	dest = SLOT(shmlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 /*
@@ -1239,7 +1241,7 @@
 	source = SLOT(oldsocketlabel);
 	dest = SLOT(newsocketpeerlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1251,7 +1253,7 @@
 	source = SLOT(cred->cr_label);
 	dest = SLOT(bpflabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1296,7 +1298,7 @@
 		p = q;
 	}
 set:
-	mac_biba_set_single(dest, type, 0, NULL);
+	mac_biba_set_effective(dest, type, 0, NULL);
 	mac_biba_set_range(dest, type, 0, NULL, type, 0, NULL);
 }
 
@@ -1309,7 +1311,7 @@
 	source = SLOT(fragmentlabel);
 	dest = SLOT(ipqlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1322,7 +1324,7 @@
 	dest = SLOT(datagramlabel);
 
 	/* Just use the head, since we require them all to match. */
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1334,7 +1336,7 @@
 	source = SLOT(datagramlabel);
 	dest = SLOT(fragmentlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1346,7 +1348,7 @@
 	source = SLOT(inplabel);
 	dest = SLOT(mlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1378,7 +1380,7 @@
 
 	dest = SLOT(mbuflabel);
 
-	mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+	mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
 }
 
 static void
@@ -1390,7 +1392,7 @@
 	source = SLOT(bpflabel);
 	dest = SLOT(mbuflabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1402,7 +1404,7 @@
 	source = SLOT(ifnetlabel);
 	dest = SLOT(mbuflabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1415,7 +1417,7 @@
 	source = SLOT(oldmbuflabel);
 	dest = SLOT(newmbuflabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static void
@@ -1427,7 +1429,7 @@
 	source = SLOT(oldmbuflabel);
 	dest = SLOT(newmbuflabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy_effective(source, dest);
 }
 
 static int
@@ -1439,7 +1441,7 @@
 	a = SLOT(ipqlabel);
 	b = SLOT(fragmentlabel);
 
-	return (mac_biba_equal_single(a, b));
+	return (mac_biba_equal_effective(a, b));
 }
 
 static void
@@ -1484,7 +1486,7 @@
 
 	dest = SLOT(cred->cr_label);
 
-	mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+	mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
 	mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL,
 	    MAC_BIBA_TYPE_HIGH, 0, NULL);
 }
@@ -1496,7 +1498,7 @@
 
 	dest = SLOT(cred->cr_label);
 
-	mac_biba_set_single(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
+	mac_biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
 	mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL,
 	    MAC_BIBA_TYPE_HIGH, 0, NULL);
 }
@@ -1557,7 +1559,7 @@
 	a = SLOT(bpflabel);
 	b = SLOT(ifnetlabel);
 
-	if (mac_biba_equal_single(a, b))
+	if (mac_biba_equal_effective(a, b))
 		return (0);
 	return (EACCES);
 }
@@ -1573,7 +1575,7 @@
 
 	/*
 	 * If there is a Biba label update for the credential, it may
-	 * be an update of the single, range, or both.
+	 * be an update of the effective, range, or both.
 	 */
 	error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
 	if (error)
@@ -1585,20 +1587,20 @@
 	if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
 		/*
 		 * If the change request modifies both the Biba label
-		 * single and range, check that the new single will be
+		 * effective and range, check that the new effective will be
 		 * in the new range.
 		 */
 		if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
 		    MAC_BIBA_FLAGS_BOTH &&
-		    !mac_biba_single_in_range(new, new))
+		    !mac_biba_effective_in_range(new, new))
 			return (EINVAL);
 
 		/*
-		 * To change the Biba single label on a credential, the
-		 * new single label must be in the current range.
+		 * To change the Biba effective label on a credential, the
+		 * new effective label must be in the current range.
 		 */
-		if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
-		    !mac_biba_single_in_range(new, subj))
+		if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE &&
+		    !mac_biba_effective_in_range(new, subj))
 			return (EPERM);
 
 		/*
@@ -1636,7 +1638,7 @@
 	obj = SLOT(u2->cr_label);
 
 	/* XXX: range */
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (ESRCH);
 
 	return (0);
@@ -1654,7 +1656,7 @@
 
 	/*
 	 * If there is a Biba label update for the interface, it may
-	 * be an update of the single, range, or both.
+	 * be an update of the effective, range, or both.
 	 */
 	error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
 	if (error)
@@ -1682,7 +1684,7 @@
 	p = SLOT(mbuflabel);
 	i = SLOT(ifnetlabel);
 
-	return (mac_biba_single_in_range(p, i) ? 0 : EACCES);
+	return (mac_biba_effective_in_range(p, i) ? 0 : EACCES);
 }
 
 static int
@@ -1697,7 +1699,7 @@
 	p = SLOT(mlabel);
 	i = SLOT(inplabel);
 
-	return (mac_biba_equal_single(p, i) ? 0 : EACCES);
+	return (mac_biba_equal_effective(p, i) ? 0 : EACCES);
 }
 
 static int
@@ -1712,7 +1714,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msglabel);
 
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
@@ -1730,7 +1732,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msglabel);
 
-	if (!mac_biba_dominate_single(subj, obj))
+	if (!mac_biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
@@ -1748,7 +1750,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msqklabel);
 
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
@@ -1766,7 +1768,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msqklabel);
 
-	if (!mac_biba_dominate_single(subj, obj))
+	if (!mac_biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
@@ -1784,7 +1786,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msqklabel);
 
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
@@ -1806,12 +1808,12 @@
 	switch(cmd) {
 	case IPC_RMID:
 	case IPC_SET:
-		if (!mac_biba_dominate_single(subj, obj))
+		if (!mac_biba_dominate_effective(subj, obj))
 			return (EACCES);
 		break;
 
 	case IPC_STAT:
-		if (!mac_biba_dominate_single(obj, subj))
+		if (!mac_biba_dominate_effective(obj, subj))
 			return (EACCES);
 		break;
 
@@ -1839,7 +1841,7 @@
 	case IPC_SET:
 	case SETVAL:
 	case SETALL:
-		if (!mac_biba_dominate_single(subj, obj))
+		if (!mac_biba_dominate_effective(subj, obj))
 			return (EACCES);
 		break;
 
@@ -1849,7 +1851,7 @@
 	case GETNCNT:
 	case GETZCNT:
 	case GETALL:
-		if (!mac_biba_dominate_single(obj, subj))
+		if (!mac_biba_dominate_effective(obj, subj))
 			return (EACCES);
 		break;
 
@@ -1873,7 +1875,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(semaklabel);
 
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
@@ -1893,11 +1895,11 @@
 	obj = SLOT(semaklabel);
 
 	if (accesstype & SEM_R)
-		if (!mac_biba_dominate_single(obj, subj))
+		if (!mac_biba_dominate_effective(obj, subj))
 			return (EACCES);
 
 	if (accesstype & SEM_A)
-		if (!mac_biba_dominate_single(subj, obj))
+		if (!mac_biba_dominate_effective(subj, obj))
 			return (EACCES);
 
 	return (0);
@@ -1915,10 +1917,10 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmseglabel);
 
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (EACCES);
 	if ((shmflg & SHM_RDONLY) == 0) {
-		if (!mac_biba_dominate_single(subj, obj))
+		if (!mac_biba_dominate_effective(subj, obj))
 			return (EACCES);
 	}
 	
@@ -1940,13 +1942,13 @@
 	switch(cmd) {
 	case IPC_RMID:
 	case IPC_SET:
-		if (!mac_biba_dominate_single(subj, obj))
+		if (!mac_biba_dominate_effective(subj, obj))
 			return (EACCES);
 		break;
 
 	case IPC_STAT:
 	case SHM_STAT:
-		if (!mac_biba_dominate_single(obj, subj))
+		if (!mac_biba_dominate_effective(obj, subj))
 			return (EACCES);
 		break;
 
@@ -1976,7 +1978,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmseglabel);
 
-	if (!mac_biba_dominate_single(subj, obj))
+	if (!mac_biba_dominate_effective(subj, obj))
 		return (EACCES);
 	
 	return (0);
@@ -1995,7 +1997,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmseglabel);
 
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
@@ -2018,7 +2020,7 @@
 		return (error);
 
 	obj = SLOT(label);
-	if (!mac_biba_high_single(obj))
+	if (!mac_biba_high_effective(obj))
 		return (EACCES);
 
 	return (0);
@@ -2050,7 +2052,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(mntlabel);
 
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
@@ -2081,7 +2083,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT((pipelabel));
 
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
@@ -2099,7 +2101,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT((pipelabel));
 
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
@@ -2118,9 +2120,9 @@
 
 	/*
 	 * If there is a Biba label update for a pipe, it must be a
-	 * single update.
+	 * effective update.
 	 */
-	error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE);
+	error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
 	if (error)
 		return (error);
 
@@ -2128,18 +2130,18 @@
 	 * To perform a relabel of a pipe (Biba label or not), Biba must
 	 * authorize the relabel.
 	 */
-	if (!mac_biba_single_in_range(obj, subj))
+	if (!mac_biba_effective_in_range(obj, subj))
 		return (EPERM);
 
 	/*
 	 * If the Biba label is to be changed, authorize as appropriate.
 	 */
-	if (new->mb_flags & MAC_BIBA_FLAG_SINGLE) {
+	if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
 		/*
 		 * To change the Biba label on a pipe, the new pipe label
 		 * must be in the subject range.
 		 */
-		if (!mac_biba_single_in_range(new, subj))
+		if (!mac_biba_effective_in_range(new, subj))
 			return (EPERM);
 
 		/*
@@ -2168,7 +2170,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT((pipelabel));
 
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
@@ -2186,7 +2188,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT((pipelabel));
 
-	if (!mac_biba_dominate_single(subj, obj))
+	if (!mac_biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
@@ -2204,7 +2206,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(ks_label);
 
-	if (!mac_biba_dominate_single(subj, obj))
+	if (!mac_biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
@@ -2222,7 +2224,7 @@
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(ks_label);
 
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
@@ -2240,9 +2242,9 @@
 	obj = SLOT(proc->p_ucred->cr_label);
 
 	/* XXX: range checks */
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (ESRCH);
-	if (!mac_biba_dominate_single(subj, obj))
+	if (!mac_biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
@@ -2260,9 +2262,9 @@
 	obj = SLOT(proc->p_ucred->cr_label);
 
 	/* XXX: range checks */
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (ESRCH);
-	if (!mac_biba_dominate_single(subj, obj))
+	if (!mac_biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
@@ -2280,9 +2282,9 @@
 	obj = SLOT(proc->p_ucred->cr_label);
 
 	/* XXX: range checks */
-	if (!mac_biba_dominate_single(obj, subj))
+	if (!mac_biba_dominate_effective(obj, subj))
 		return (ESRCH);
-	if (!mac_biba_dominate_single(subj, obj))
+	if (!mac_biba_dominate_effective(subj, obj))
 		return (EACCES);
 

>>> TRUNCATED FOR MAIL (1000 lines) <<<