Date: Tue, 4 Feb 2003 11:31:13 -0800 (PST) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 24664 for review Message-ID: <200302041931.h14JVD2D043002@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=24664 Change 24664 by rwatson@rwatson_tislabs on 2003/02/04 11:31:09 Add additional sanity checks regarding the setting of labels in Biba/MLS: if both single and range elements are set, make sure they are consistent. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#196 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#155 edit Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#196 (text+ko) ====
@@ -1440,6 +1440,16 @@
 */
 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
 /*
+ * If the change request modifies both the Biba label
+ * single and range, check that the new single will be
+ * in the new range.
+ */
+ if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
+ MAC_BIBA_FLAGS_BOTH &&
+ !mac_biba_single_in_range(new, new))
+ return (EINVAL);
+
+ /*
 * To change the Biba single label on a credential, the
 * new single label must be in the current range.
 */
@@ -1449,7 +1459,7 @@
 /*
 * To change the Biba range on a credential, the new
- * range label must be in the new range.
+ * range label must be in the current range.
 */
 if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
 !mac_biba_range_in_range(new, subj))
@@ -1465,12 +1475,6 @@
 if (error)
 return (error);
 }
-
- /*
- * XXXMAC: Additional consistency tests regarding the
- * single and range of the new label might be performed
- * here.
- */
 }
 return (0);
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#155 (text+ko) ====
@@ -1378,6 +1378,16 @@
 */
 if (new->mm_flags & MAC_MLS_FLAGS_BOTH) {
 /*
+ * If the change request modifies both the MLS label single
+ * and range, check that the new single will be in the
+ * new range.
+ */
+ if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) ==
+ MAC_MLS_FLAGS_BOTH &&
+ !mac_mls_single_in_range(new, new))
+ return (EINVAL);
+
+ /*
 * To change the MLS single label on a credential, the
 * new single label must be in the current range.
 */
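Review bot: The consistency test added in the first mac_biba.c hunk only runs when the request sets both elements, so a request that sets just MAC_BIBA_FLAG_RANGE is checked against the current range, but the credential's existing single is never compared with the new range. If the unchanged single is carried into the resulting label, a range-only relabel could leave a credential whose single lies outside its own range, which is the inconsistency this change sets out to reject. Consider adding, after the both-set test, `if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAG_RANGE && !mac_biba_single_in_range(subj, new)) return (EINVAL);`, assuming the helper takes the single from its first argument and the range from its second, as the existing calls suggest. The same applies to the matching first mac_mls.c hunk with mm_flags and the MAC_MLS_* names. The enclosing function starts outside these hunks, so confirm that nothing earlier in it already covers the range-only case.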
@@ -1387,7 +1397,7 @@
 /*
 * To change the MLS range label on a credential, the
- * new range label must be in the new range.
+ * new range must be in the current range.
 */
 if (new->mm_flags & MAC_MLS_FLAG_RANGE &&
 !mac_mls_range_in_range(new, subj))
@@ -1403,11 +1413,6 @@
 if (error)
 return (error);
 }
-
- /*
- * XXXMAC: Additional consistency tests regarding the single
- * and range of the new label might be performed here.
- */
 }
 return (0);
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message