PERFORCE change 36612 for review

Robert Watson rwatson at FreeBSD.org
Thu Aug 21 18:04:23 GMT 2003


http://perforce.freebsd.org/chv.cgi?CH=36612

Change 36612 by rwatson at rwatson_tislabs on 2003/08/21 11:03:51

	Re-do the credential changing logic some more for LOMAC: since
	the new label will always contain both single and range elements,
	we can skip testing the single and range flags before doing
	sanity checks.  Perform the new vs. old range test first, so
	that when we test the single against the new range, it also
	implicitly tests against the old range.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#65 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#65 (text+ko) ====

@@ -1615,21 +1615,21 @@
 			mac_lomac_copy_single(subj, new);
 		if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0)
 			mac_lomac_copy_range(subj, new);
-			
+
 		/*
-		 * To change the LOMAC single label on a credential, the
-		 * new single label must be in the current range.
+		 * To change the LOMAC range on a credential, the new
+		 * range label must be in the current range.
 		 */
-		if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE &&
-		    !mac_lomac_single_in_range(new, subj))
+		if (!mac_lomac_range_in_range(new, subj))
 			return (EPERM);
 
 		/*
-		 * To change the LOMAC range on a credential, the new
-		 * range label must be in the new range.
+		 * To change the LOMAC single label on a credential, the
+		 * new single label must be in the new range.  Implicitly
+		 * from the previous check, the new single is in the old
+		 * range.
 		 */
-		if (new->ml_flags & MAC_LOMAC_FLAG_RANGE &&
-		    !mac_lomac_range_in_range(new, subj))
+		if (!mac_lomac_single_in_range(new, new))
 			return (EPERM);
 
 		/*
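Review bot: The reordering makes `mac_lomac_range_in_range(new, subj)` run unconditionally, including the case where the caller supplied only a single and the range was just copied from `subj` by `mac_lomac_copy_range(subj, new)` a few lines above; that case previously skipped the range test entirely (it was guarded by `MAC_LOMAC_FLAG_RANGE`), so the new code is only equivalent if `mac_lomac_range_in_range(x, x)` holds for every well-formed range, i.e. containment is reflexive, otherwise a single-only relabel now returns `EPERM` where it used to succeed. Likewise the transitivity argument in the second comment ("Implicitly from the previous check, the new single is in the old range") only holds if `mac_lomac_range_in_range` means full containment at both the low and high ends rather than overlap. Suggest a short comment above the first test recording both assumptions, e.g. "new carries both single and range here (copied from subj above); range_in_range is reflexive and a full-containment test", so the dropped `mac_lomac_single_in_range(new, subj)` check is not reintroduced or, worse, the reflexivity requirement silently broken later.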
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message