Date: Thu, 24 Oct 2002 15:43:00 -0700 (PDT)
From: Brian Feldman <green@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 20089 for review
Message-ID: <200210242243.g9OMh0Pg036050@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=20089 Change 20089 by green@green_laptop_2 on 2002/10/24 15:42:47 * For mac_lomac, assume "equal" labels for ttyv*. * When demoting, don't blindly set all parts of the label to the single target. Demote "rangehigh" and "single" the object label's single, and "rangelow" to the single if it would in fact be demoting it to do so (i.e. don't raise it). I can successfully use the range behavior to temporarily lower my integrity level to be able to observe objects that would otherwise demote me, and then raise it again. Also, I can successfully modify my label in all the normal Biba-like ways and then be demoted each time I observe a non-dominant object, like a many-level ratchet instead of a... two-level ratchet :-) Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#18 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#18 (text+ko) ==== @@ -443,10 +443,20 @@ goto out; } bzero(&subj->mac_lomac, sizeof(subj->mac_lomac)); + /* + * Always demote the single label. + */ mac_lomac_copy_single(objlabel, &subj->mac_lomac); - mac_lomac_set_range(&subj->mac_lomac, - objlabel->ml_single.mle_type, objlabel->ml_single.mle_grade, - objlabel->ml_single.mle_type, objlabel->ml_single.mle_grade); + /* + * Start with the original range, then minimize each side of + * the range to the point of not dominating the object. The + * high side will always be demoted, of course. + */ + mac_lomac_copy_range(subjlabel, &subj->mac_lomac); + if (!mac_lomac_dominate_element(&objlabel->ml_single, + &subj->mac_lomac.ml_rangelow)) + subj->mac_lomac.ml_rangelow = objlabel->ml_single; + subj->mac_lomac.ml_rangehigh = objlabel->ml_single; subj->mac_lomac.ml_flags |= MAC_LOMAC_FLAG_UPDATE; mtx_lock_spin(&sched_lock); curthread->td_kse->ke_flags |= KEF_ASTPENDING; 
@@ -773,7 +783,8 @@ if (strcmp(dev->si_name, "null") == 0 || strcmp(dev->si_name, "zero") == 0 || strcmp(dev->si_name, "random") == 0 || - strncmp(dev->si_name, "fd/", strlen("fd/")) == 0) + strncmp(dev->si_name, "fd/", strlen("fd/")) == 0 || + strncmp(dev->si_name, "ttyv", strlen("ttyv")) == 0) lomac_type = MAC_LOMAC_TYPE_EQUAL; else if (ptys_equal && (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
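Review bot: In the @@ -443 hunk, the new lines assign subj->mac_lomac.ml_rangelow and subj->mac_lomac.ml_rangehigh directly, where the removed lines went through mac_lomac_set_range(). Please confirm that mac_lomac_copy_range(subjlabel, &subj->mac_lomac) followed by plain structure assignment leaves the label in the same state the setter would have, since the only flag touched afterwards in this hunk is MAC_LOMAC_FLAG_UPDATE; otherwise compute the low element first and keep calling the setter. The guard "!mac_lomac_dominate_element(&objlabel->ml_single, &subj->mac_lomac.ml_rangelow)" would also benefit from a one-line comment stating the argument order (the object's single does not dominate the current rangelow, so rangelow is lowered), because the block comment speaks of the range "not dominating the object" while the test is written from the object's side.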
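Review bot: In the @@ -773 hunk, the added "ttyv" prefix match sits in the unconditional MAC_LOMAC_TYPE_EQUAL branch next to null, zero, random and fd/, while the ttyp case immediately below it is gated by ptys_equal, and the change description says only that equal is assumed for ttyv*. Please add a comment giving the reason the virtual consoles are labelled equal unconditionally, or gate them behind a setting in the same way as ptys_equal. Since strncmp() with strlen("ttyv") matches every device name that begins with ttyv, the comment should also state that the whole prefix is intended.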