PERFORCE change 20143 for review

Brian Feldman green at freebsd.org
Fri Oct 25 18:51:56 GMT 2002


http://perforce.freebsd.org/chv.cgi?CH=20143

Change 20143 by green at green_laptop_2 on 2002/10/25 11:51:02

	Here's the initial, probably-buggy implementation of mac_lomac's
	LOMAC-style explicit inheritance of labels from directories.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#21 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#21 (text+ko) ====

@@ -432,6 +432,16 @@
 }
 
 static void
+mac_lomac_set_auxsingle(struct mac_lomac *mac_lomac, u_short type,
+    u_short grade)
+{
+
+	mac_lomac->ml_auxsingle.mle_type = type;
+	mac_lomac->ml_auxsingle.mle_grade = grade;
+	mac_lomac->ml_flags |= MAC_LOMAC_FLAG_AUX;
+}
+
+static void
 mac_lomac_copy_range(struct mac_lomac *labelfrom, struct mac_lomac *labelto)
 {
 
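Review bot: The new `mac_lomac_set_auxsingle` has no comment recording that, besides storing the element, it raises `MAC_LOMAC_FLAG_AUX`, which is the side effect the rest of this change keys on (the `ml_flags & MAC_LOMAC_FLAG_AUX` tests at L54 and L85); add `/* Set the auxiliary single and mark it present (MAC_LOMAC_FLAG_AUX). */` above the definition. Nothing in this change calls the helper, so if it is intended for a later relabel or setextattr path a brief note saying so would help, since an unreferenced static function otherwise only draws an unused-function warning.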
@@ -1054,7 +1064,7 @@
     struct label *fslabel, struct vnode *dvp, struct label *dlabel,
     struct vnode *vp, struct label *vlabel, struct componentname *cnp)
 {
-	struct mac_lomac *source, *dest, temp;
+	struct mac_lomac *source, *dest, *dir, temp;
 	size_t buflen;
 	int error;
 
@@ -1063,12 +1073,19 @@
 
 	source = SLOT(&cred->cr_label);
 	dest = SLOT(vlabel);
-	mac_lomac_copy_single(source, &temp);
+	dir = SLOT(dlabel);
+	if (dir->ml_flags & MAC_LOMAC_FLAG_AUX) {
+		mac_lomac_copy_auxsingle(dir, &temp);
+		mac_lomac_set_single(&temp, dir->ml_auxsingle.mle_type,
+		    dir->ml_auxsingle.mle_grade);
+	} else {
+		mac_lomac_copy_single(source, &temp);
+	}
 
 	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE,
 	    MAC_LOMAC_EXTATTR_NAME, buflen, (char *)&temp, curthread);
 	if (error == 0)
-		mac_lomac_copy_single(source, dest);
+		mac_lomac_copy(&temp, dest);
 	return (error);
 }
 
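Review bot: In the new AUX branch the creating subject's label (`source`) is no longer consulted at all: `temp` is built from `dir->ml_auxsingle`, and since `mac_lomac_copy_auxsingle(dir, &temp)` presumably carries the AUX flag along, the new vnode will itself propagate that label to objects created beneath it. That appears to be the intended LOMAC-style inheritance, but it means the integrity grade written to disk may exceed the subject's own, so the create-time dominance check (the `ml_auxsingle` test added at L85-L87 looks like it) is what stops a low subject from minting high objects; say so here, e.g. `/* Inherit the directory's auxiliary single as the new object's single; the create check must already have verified subj dominates it. */`. Separately, `mac_lomac_copy(&temp, dest)` now copies every element whose flag is set in `temp`, where the old code copied only the single; unless `temp` is zeroed between its declaration at L44 and this hunk (those lines are not shown), stale flag bits in the stack struct would be honoured by `mac_lomac_copy` and, before that, written out by `vn_extattr_set`. The enclosing function begins before this hunk.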
@@ -1916,8 +1933,10 @@
 		if (namelen > 0 && name[0] == 0)
 			return (0);
 
+#ifdef notdef
 		if (!mac_lomac_subject_dominate_high(subj))
 			return (EACCES);
+#endif
 
 		if (!mac_lomac_subject_privileged(subj))
 			return (EPERM);
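Review bot: Disabling the `mac_lomac_subject_dominate_high` check with `#ifdef notdef` leaves dead code and no record of why the high-integrity requirement for this operation was dropped; either delete the two lines or replace the `#ifdef` with a comment giving the reason (for example that the `mac_lomac_subject_privileged` test that follows is now considered sufficient, if that is the intent). As written a reader cannot tell whether this is a deliberate relaxation of the policy or a leftover from debugging, and the commit message's "probably-buggy" does not settle it. The enclosing function starts before this hunk.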
@@ -1940,6 +1959,9 @@
 
 	if (!mac_lomac_dominate_single(subj, obj))
 		return (EACCES);
+	if (obj->ml_flags & MAC_LOMAC_FLAG_AUX &&
+	    !mac_lomac_dominate_element(&subj->ml_single, &obj->ml_auxsingle))
+		return (EACCES);
 
 	return (0);
 }
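Review bot: The added condition relies on `&` binding tighter than `&&`, which is correct but reads like a precedence accident and trips -Wparentheses; L54 in this same change parenthesises the identical test, so write it consistently: `if ((obj->ml_flags & MAC_LOMAC_FLAG_AUX) != 0 &&`. The check itself, that the subject's single dominates the object's auxiliary single or EACCES results, is what makes the directory-inherited labels written at L54-L57 safe, so a one-line comment naming that purpose would help, e.g. `/* An aux label the subject does not dominate must not be inherited by objects it creates. */`. The enclosing function's header is outside the hunk, so I cannot confirm this is the vnode create check.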
@@ -2186,7 +2208,7 @@
 		 * EQUAL, the subject must have appropriate privilege.
 		 */
 		if (mac_lomac_contains_equal(new)) {
-			error = mac_lomac_subject_equal_ok(subj);
+			error = mac_lomac_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
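Review bot: `mac_lomac_subject_privileged(subj)` is treated here as returning an errno (`error = ...; if (error) return (error);`) but in the context at L79-L80 of the same file as returning a boolean (`if (!mac_lomac_subject_privileged(subj)) return (EPERM);`); both call sites cannot be right, and the function's definition is not in this change. If it returns 0 for a privileged subject, the L79 site refuses exactly the subjects it should admit; if it returns non-zero for privileged, this hunk hands that value back as an error and denies EQUAL relabels to everyone entitled to them. Please confirm the convention and align both call sites. The enclosing function begins and ends outside this hunk.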