PERFORCE change 24664 for review

Robert Watson rwatson at freebsd.org
Tue Feb 4 19:31:13 GMT 2003


http://perforce.freebsd.org/chv.cgi?CH=24664

Change 24664 by rwatson at rwatson_tislabs on 2003/02/04 11:31:09

	Add additional sanity checks regarding the setting of labels
	in Biba/MLS: if both single and range elements are set, make
	sure they are consistent.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#196 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#155 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#196 (text+ko) ====

@@ -1440,6 +1440,16 @@
 	 */
 	if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
 		/*
+		 * If the change request modifies both the Biba label
+		 * single and range, check that the new single will be
+		 * in the new range.
+		 */
+		if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
+		    MAC_BIBA_FLAGS_BOTH &&
+		    !mac_biba_single_in_range(new, new))
+			return (EINVAL);
+
+		/*
 		 * To change the Biba single label on a credential, the
 		 * new single label must be in the current range.
 		 */
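Review bot: The added single-in-range test only runs when both bits of `MAC_BIBA_FLAGS_BOTH` are set, so a request that sets only `MAC_BIBA_FLAG_RANGE` is never compared against the single the credential keeps. The later `mac_biba_range_in_range(new, subj)` test bounds the new range by the current one, but in the visible lines nothing rejects a narrowed range that excludes the subject's existing single, which would leave the credential with an inconsistent label. Unless that case is handled where the labels are merged, consider a range-only branch such as `if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAG_RANGE && !mac_biba_single_in_range(subj, new)) return (EINVAL);`. The same gap applies to the matching MLS hunk at `@@ -1378,6 +1378,16 @@` in mac_mls.c. The enclosing function starts and ends outside the hunk, so confirm against the full body.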
@@ -1449,7 +1459,7 @@
 
 		/*
 		 * To change the Biba range on a credential, the new
-		 * range label must be in the new range.
+		 * range label must be in the current range.
 		 */
 		if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
 		    !mac_biba_range_in_range(new, subj))
@@ -1465,12 +1475,6 @@
 			if (error)
 				return (error);
 		}
-
-		/*
-		 * XXXMAC: Additional consistency tests regarding the
-		 * single and range of the new label might be performed
-		 * here.
-		 */
 	}
 
 	return (0);

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#155 (text+ko) ====

@@ -1378,6 +1378,16 @@
 	 */
 	if (new->mm_flags & MAC_MLS_FLAGS_BOTH) {
 		/*
+		 * If the change request modifies both the MLS label single
+		 * and range, check that the new single will be in the
+		 * new range.
+		 */
+		if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) ==
+		    MAC_MLS_FLAGS_BOTH &&
+		    !mac_mls_single_in_range(new, new))
+			return (EINVAL);
+
+		/*
 		 * To change the MLS single label on a credential, the
 		 * new single label must be in the current range.
 		 */
@@ -1387,7 +1397,7 @@
 
 		/*
 		 * To change the MLS range label on a credential, the
-		 * new range label must be in the new range.
+		 * new range must be in the current range.
 		 */
 		if (new->mm_flags & MAC_MLS_FLAG_RANGE &&
 		    !mac_mls_range_in_range(new, subj))
@@ -1403,11 +1413,6 @@
 			if (error)
 				return (error);
 		}
-
-		/*
-		 * XXXMAC: Additional consistency tests regarding the single
-		 * and range of the new label might be performed here.
-		 */
 	}
 
 	return (0);