Date: Tue, 4 Feb 2003 11:31:13 -0800 (PST)
Message-Id: <200302041931.h14JVD2D043002@repoman.freebsd.org>
From: Robert Watson Subject: PERFORCE change 24664 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=24664 Change 24664 by rwatson@rwatson_tislabs on 2003/02/04 11:31:09 Add additional sanity checks regarding the setting of labels in Biba/MLS: if both single and range elements are set, make sure they are consistent. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#196 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#155 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#196 (text+ko) ==== @@ -1440,6 +1440,16 @@ */ if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) { /* + * If the change request modifies both the Biba label + * single and range, check that the new single will be + * in the new range. + */ + if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == + MAC_BIBA_FLAGS_BOTH && + !mac_biba_single_in_range(new, new)) + return (EINVAL); + + /* * To change the Biba single label on a credential, the * new single label must be in the current range. */ @@ -1449,7 +1459,7 @@ /* * To change the Biba range on a credential, the new - * range label must be in the new range. + * range label must be in the current range. */ if (new->mb_flags & MAC_BIBA_FLAG_RANGE && !mac_biba_range_in_range(new, subj)) @@ -1465,12 +1475,6 @@ if (error) return (error); } - - /* - * XXXMAC: Additional consistency tests regarding the - * single and range of the new label might be performed - * here. - */ } return (0); ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#155 (text+ko) ==== 
@@ -1378,6 +1378,16 @@ */ if (new->mm_flags & MAC_MLS_FLAGS_BOTH) { /* + * If the change request modifies both the MLS label single + * and range, check that the new single will be in the + * new range. + */ + if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) == + MAC_MLS_FLAGS_BOTH && + !mac_mls_single_in_range(new, new)) + return (EINVAL); + + /* * To change the MLS single label on a credential, the * new single label must be in the current range. */ @@ -1387,7 +1397,7 @@ /* * To change the MLS range label on a credential, the - * new range label must be in the new range. + * new range must be in the current range. */ if (new->mm_flags & MAC_MLS_FLAG_RANGE && !mac_mls_range_in_range(new, subj)) @@ -1403,11 +1413,6 @@ if (error) return (error); } - - /* - * XXXMAC: Additional consistency tests regarding the single - * and range of the new label might be performed here. - */ } return (0); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
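Review bot: In mac_biba.c, hunk @@ -1440,6 +1440,16 @@, the new consistency test only fires when the request sets both the single and the range, so a range-only request is still validated solely by `mac_biba_range_in_range(new, subj)`. In the lines shown, nothing confirms that the credential's existing single still falls inside a narrowed new range. Either add the matching check for that case (for example, testing the subject's single against the new range when only MAC_BIBA_FLAG_RANGE is set) or extend the comment to say where that invariant is enforced. The same question applies to the parallel block in mac_mls.c.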
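Review bot: In mac_mls.c, hunk @@ -1378,6 +1378,16 @@, the added condition is easy to misread in two places. The enclosing `if (new->mm_flags & MAC_MLS_FLAGS_BOTH)` is an any-bit test while the new inner test `== MAC_MLS_FLAGS_BOTH` is an all-bits test on the same mask. The call `mac_mls_single_in_range(new, new)` also passes the same label as both arguments. The block comment explains the intent, but a short remark that the first argument supplies the single and the second supplies the range would save the next reader from suspecting a typo for `subj`. The identical construct in mac_biba.c would benefit from the same remark.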
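Review bot: In mac_mls.c, hunk @@ -1387,7 +1397,7 @@, the corrected comment now reads "To change the MLS range label on a credential, the new range must be in the current range", while the corresponding fix in mac_biba.c keeps "the new range label must be in the current range". Since the two files are otherwise kept in step, use one wording in both so that later diffs between the policies stay minimal.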