PERFORCE change 15500 for review
Robert Watson
rwatson at freebsd.org
Sat Aug 3 22:38:15 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15500
Change 15500 by rwatson at rwatson_curry on 2002/08/03 15:37:28
Revise logic so that we allow equal labels to be set based on
the subject single being equal, the range starting or ending
with equal, or the range being LOW-HIGH.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#88 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#88 (text+ko) ====
@@ -290,6 +290,28 @@
}
static int
+mac_biba_subj_equal_ok(struct mac_biba *mac_biba)
+{
+
+ /* If the single is EQUAL, it's ok */
+ if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
+ return (0);
+
+ /* If either range endpoint is EQUAL, it's ok */
+ if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
+ mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
+ return (0);
+
+ /* If the range is low-high, it's ok */
+ if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW &&
+ mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH)
+ return (0);
+
+ /* It's not OK. */
+ return (EPERM);
+}
+
+static int
mac_biba_valid(struct mac_biba *mac_biba)
{
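Review bot: mac_biba_subj_equal_ok() has no header comment, and its name reads like a boolean predicate while the body returns errno-style values: 0 when the subject qualifies and EPERM when it does not. For a helper that gates an integrity-policy decision, that convention should be written down at the definition, for example `/* Returns 0 if the subject may set labels containing EQUAL, EPERM otherwise. */`. A name that signals the error-return convention, or a body that returns 1/0 to match the `_ok` suffix, would make a boolean misreading at call sites less likely.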
@@ -1250,7 +1272,7 @@
* If the old subject label doesn't contain EQUAL, don't let the
* new subject label contain EQUAL.
*/
- if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+ if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj))
return (EPERM);
return (0);
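Review bot: The changed condition is inverted with respect to the helper's return convention. mac_biba_subj_equal_ok() returns 0 when the subject qualifies and EPERM when it does not, so `!mac_biba_subj_equal_ok(subj)` is true exactly for qualifying subjects; they get EPERM, while every other subject falls through and may set a label containing EQUAL. The test should read `if (mac_biba_contains_equal(new) && mac_biba_subj_equal_ok(subj) != 0)`. The identical line appears in the hunks at @@ -1406, @@ -1528 and @@ -1820 (the pipe, socket and vnode label checks, going by their comments) and needs the same change. The comment above each still describes the old contains-EQUAL test rather than the single/range rules the helper now applies, and the enclosing function begins and ends outside this hunk.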
@@ -1406,7 +1428,7 @@
* If the subject label doesn't contain equal, don't let the new
* pipe label contain equal.
*/
- if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+ if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj))
return (EPERM);
return (0);
@@ -1528,7 +1550,7 @@
* If the subject label doesn't contain EQUAL, don't let the new
* socket label contain EQUAL.
*/
- if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+ if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj))
return (EPERM);
return (0);
@@ -1820,7 +1842,7 @@
* If the subject label doesn't contain EQUAL, don't let the new
* vnode label contain EQUAL.
*/
- if (mac_biba_contains_equal(new) && !mac_biba_contains_equal(subj))
+ if (mac_biba_contains_equal(new) && !mac_biba_subj_equal_ok(subj))
return (EPERM);
return (suser_cred(cred, 0));