From owner-p4-projects Wed Oct 2 22:22: 8 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 5AE5337B404; Wed, 2 Oct 2002 22:22:02 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E7DD437B401 for ; Wed, 2 Oct 2002 22:22:01 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8BFD443E4A for ; Wed, 2 Oct 2002 22:22:01 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g935M1Co036240 for ; Wed, 2 Oct 2002 22:22:01 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g935M1TF036237 for perforce@freebsd.org; Wed, 2 Oct 2002 22:22:01 -0700 (PDT) Date: Wed, 2 Oct 2002 22:22:01 -0700 (PDT) Message-Id: <200210030522.g935M1TF036237@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson
Subject: PERFORCE change 18575 for review
To: Perforce Change Reviews
Sender: owner-p4-projects@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18575
Change 18575 by rwatson@rwatson_tislabs on 2002/10/02 22:21:22
Remove label ranges from socket objects: sockets are plain objects now from the perspective of Biba and MLS and have a single object label. We didn't use the range anyway, and it makes more sense this way. This leaves only process credentials and interfaces as supporting ranges.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#123 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#103 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#123 (text+ko) ====
@@ -413,19 +413,6 @@
 }
 
 static void
-mac_biba_copy_single_to_range(struct mac_biba *labelfrom,
- struct mac_biba *labelto)
-{
-
- KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
- ("mac_biba_copy_single_to_range: labelfrom not single"));
-
- labelto->mb_rangelow = labelfrom->mb_single;
- labelto->mb_rangehigh = labelfrom->mb_single;
- labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
-}
-
-static void
 mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
 {
 
@@ -940,7 +927,6 @@
 dest = SLOT(socketlabel);
 
 mac_biba_copy_single(source, dest);
- mac_biba_copy_single_to_range(source, dest);
 }
 
 static void
@@ -966,7 +952,6 @@
 dest = SLOT(newsocketlabel);
 
 mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
 }
 
 static void
@@ -1694,9 +1679,9 @@
 
 /*
 * If there is a Biba label update for the socket, it may be
- * an update of single, range, or both.
+ * an update of single.
 */
- error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
+ error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE);
 if (error)
 return (error);
 
@@ -1708,30 +1693,14 @@
 return (EPERM);
 
 /*
- * To relabel a socket, the old socket range must be in the subject
- * range.
- */
- if (!mac_biba_range_in_range(obj, subj))
- return (EPERM);
-
- /*
 * If the Biba label is to be changed, authorize as appropriate.
 */
- if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
+ if (new->mb_flags & MAC_BIBA_FLAG_SINGLE) {
 /*
 * To relabel a socket, the new socket single must be in
 * the subject range.
 */
- if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
- !mac_biba_single_in_range(new, subj))
- return (EPERM);
-
- /*
- * To change the Biba range on the socket, the new socket
- * range must be in the subject range.
- */
- if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
- !mac_biba_range_in_range(new, subj))
+ if (!mac_biba_single_in_range(new, subj))
 return (EPERM);
 
 /*
@@ -1743,11 +1712,6 @@
 if (error)
 return (error);
 }
-
- /*
- * XXXMAC: Additional consistency tests regarding the single
- * and range of the new label might be performed here.
- */
 }
 
 return (0);
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#103 (text+ko) ====
@@ -402,19 +402,6 @@
 }
 
 static void
-mac_mls_copy_single_to_range(struct mac_mls *labelfrom,
- struct mac_mls *labelto)
-{
-
- KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_SINGLE) != 0,
- ("mac_mls_copy_single_to_range: labelfrom not single"));
-
- labelto->mm_rangelow = labelfrom->mm_single;
- labelto->mm_rangehigh = labelfrom->mm_single;
- labelto->mm_flags |= MAC_MLS_FLAG_RANGE;
-}
-
-static void
 mac_mls_copy(struct mac_mls *source, struct mac_mls *dest)
 {
 
@@ -933,7 +920,6 @@
 dest = SLOT(socketlabel);
 
 mac_mls_copy_single(source, dest);
- mac_mls_copy_single_to_range(source, dest);
 }
 
 static void
@@ -959,7 +945,6 @@
 dest = SLOT(newsocketlabel);
 
 mac_mls_copy_single(source, dest);
- mac_mls_copy_range(source, dest);
 }
 
 static void
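Review bot: With the `mac_biba_range_in_range(obj, subj)` test removed, the relabel path in this hunk no longer compares anything about the socket's current label against the subject; only the new single is checked via `mac_biba_single_in_range(new, subj)`. Whether the subject's authority over the existing label is still established depends on the `return (EPERM);` whose condition sits above the hunk — the enclosing function starts and ends outside it — so confirm that earlier check tests the object's single against the subject range rather than having relied on the now-absent range. If it does not, a one-line guard such as `if (!mac_biba_single_in_range(obj, subj)) return (EPERM);` placed before the "If the Biba label is to be changed" comment would preserve the object-side authorization the removed range check provided. The same question applies to the matching mac_mls.c hunk at @@ -1668,33 +1653,17 @@, where `mac_mls_range_in_range(obj, subj)` is removed the same way.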
@@ -1654,9 +1639,9 @@
 
 /*
 * If there is an MLS label update for the socket, it may be
- * an update of single, range, or both.
+ * an update of single.
 */
- error = mls_atmostflags(new, MAC_MLS_FLAGS_BOTH);
+ error = mls_atmostflags(new, MAC_MLS_FLAG_SINGLE);
 if (error)
 return (error);
 
@@ -1668,33 +1653,17 @@
 return (EPERM);
 
 /*
- * To relabel a socket, the old socket range must be in the subject
- * range.
- */
- if (!mac_mls_range_in_range(obj, subj))
- return (EPERM);
-
- /*
 * If the MLS label is to be changed, authorize as appropriate.
 */
- if (new->mm_flags & MAC_MLS_FLAGS_BOTH) {
+ if (new->mm_flags & MAC_MLS_FLAG_SINGLE) {
 /*
 * To relabel a socket, the new socket single must be in
 * the subject range.
 */
- if (new->mm_flags & MAC_MLS_FLAG_SINGLE &&
- !mac_mls_single_in_range(new, subj))
+ if (!mac_mls_single_in_range(new, subj))
 return (EPERM);
 
 /*
- * To change the MLS range on the socket, the new socket
- * range must be in the subject range.
- */
- if (new->mm_flags & MAC_MLS_FLAG_RANGE &&
- !mac_mls_range_in_range(new, subj))
- return (EPERM);
-
- /*
 * To change the MLS label on the socket to contain EQUAL,
 * the subject must have appropriate privilege.
 */
@@ -1703,11 +1672,6 @@
 if (error)
 return (error);
 }
-
- /*
- * XXXMAC: Additional consistency tests regarding the single
- * and range of the new label might be performed here.
- */
 }
 
 return (0);
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message