PERFORCE change 20657 for review
Brian Feldman
green at freebsd.org
Mon Nov 4 19:35:43 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=20657
Change 20657 by green at green_laptop_2 on 2002/11/04 11:34:53
Be resilient to relabel operations on mac_lomac objects by
always blanking the destination and copying the old label,
but only if the new label "appears" internalized.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#33 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#33 (text+ko) ====
@@ -577,6 +577,21 @@
}
/*
+ * Relabel "to" to "from" only if "from" is a valid label (contains
+ * at least a single), as for a relabel operation which may or may
+ * not involve a relevant label.
+ */
+void
+try_relabel(struct mac_lomac *from, struct mac_lomac *to)
+{
+
+ if (from->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
+ bzero(to, sizeof(*to));
+ mac_lomac_copy(from, to);
+ }
+}
+
+/*
* Policy module operations.
*/
static void
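Review bot: `try_relabel` is defined with external linkage, although it is only called from this file and the neighbouring definitions are `static void`; declare it `static void` so a name this generic does not enter the kernel's global namespace. The header comment is also hard to parse ("Relabel "to" to "from" ... contains at least a single"). Consider `/* Replace "to" with "from", but only when "from" carries a single element; otherwise the request is treated as not addressed to this policy and "to" is left untouched. */`. The silent no-op is worth stating explicitly, because callers get no indication that the relabel was skipped.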
@@ -1010,8 +1025,7 @@
source = SLOT(label);
dest = SLOT(vnodelabel);
- bzero(dest, sizeof(*dest));
- mac_lomac_copy(source, dest);
+ try_relabel(source, dest);
}
static void
@@ -1211,7 +1225,7 @@
source = SLOT(newlabel);
dest = SLOT(socketlabel);
- mac_lomac_copy(source, dest);
+ try_relabel(source, dest);
}
static void
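Review bot: Routing this call through `try_relabel` adds a `bzero(to, sizeof(*to))` that the old `mac_lomac_copy(source, dest)` line did not have. Assuming `mac_lomac_copy` only writes the elements flagged in the source (its body is not in this change), any element of the existing socket label that the new label lacks is now cleared instead of kept. The same applies to the pipe, ifnet and credential hunks below. In the credential case a new label with a single but no range would presumably wipe the subject's range, unless the relabel check outside these hunks guarantees both are present. If full replacement is intended, a comment at the call such as `/* full replacement: elements absent from newlabel are cleared */` would make the change of semantics explicit; if merging was intended, the blanking belongs only at the vnode call site. The enclosing functions start outside the hunks.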
@@ -1223,7 +1237,7 @@
source = SLOT(newlabel);
dest = SLOT(pipelabel);
- mac_lomac_copy(source, dest);
+ try_relabel(source, dest);
}
static void
@@ -1465,7 +1479,7 @@
source = SLOT(newlabel);
dest = SLOT(ifnetlabel);
- mac_lomac_copy(source, dest);
+ try_relabel(source, dest);
}
static void
@@ -1579,7 +1593,7 @@
source = SLOT(newlabel);
dest = SLOT(&cred->cr_label);
- mac_lomac_copy(source, dest);
+ try_relabel(source, dest);
}
/*