PERFORCE change 18575 for review
Robert Watson
rwatson at freebsd.org
Thu Oct 3 05:22:01 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18575
Change 18575 by rwatson at rwatson_tislabs on 2002/10/02 22:21:22
Remove label ranges from socket objects: sockets are plain
objects now from the perspective of Biba and MLS and have
a single object label. We didn't use the range anyway, and
it makes more sense this way. This leaves only process
credentials and interfaces as supporting ranges.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#123 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#103 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#123 (text+ko) ====
@@ -413,19 +413,6 @@
}
static void
-mac_biba_copy_single_to_range(struct mac_biba *labelfrom,
- struct mac_biba *labelto)
-{
-
- KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
- ("mac_biba_copy_single_to_range: labelfrom not single"));
-
- labelto->mb_rangelow = labelfrom->mb_single;
- labelto->mb_rangehigh = labelfrom->mb_single;
- labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
-}
-
-static void
mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
{
@@ -940,7 +927,6 @@
dest = SLOT(socketlabel);
mac_biba_copy_single(source, dest);
- mac_biba_copy_single_to_range(source, dest);
}
static void
@@ -966,7 +952,6 @@
dest = SLOT(newsocketlabel);
mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
}
static void
@@ -1694,9 +1679,9 @@
/*
* If there is a Biba label update for the socket, it may be
- * an update of single, range, or both.
+ * an update of single.
*/
- error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
+ error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE);
if (error)
return (error);
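Review bot: The reworded comment above the `biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE)` call says the update "may be an update of single", which does not tell the reader that a request carrying a range element is now refused at this point. I would word it as `/* A socket relabel may carry only a single element; sockets have no range, so a label with the range flag set is rejected here. */`. The error returned for such a request comes from biba_atmostflags, which is outside this hunk, so it is worth confirming that it is the value callers that previously passed a range should see. The matching comment in the mac_mls.c hunk at -1654 has the same wording, and in both files the enclosing function starts and ends outside the hunk.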
@@ -1708,30 +1693,14 @@
return (EPERM);
/*
- * To relabel a socket, the old socket range must be in the subject
- * range.
- */
- if (!mac_biba_range_in_range(obj, subj))
- return (EPERM);
-
- /*
* If the Biba label is to be changed, authorize as appropriate.
*/
- if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
+ if (new->mb_flags & MAC_BIBA_FLAG_SINGLE) {
/*
* To relabel a socket, the new socket single must be in
* the subject range.
*/
- if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
- !mac_biba_single_in_range(new, subj))
- return (EPERM);
-
- /*
- * To change the Biba range on the socket, the new socket
- * range must be in the subject range.
- */
- if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
- !mac_biba_range_in_range(new, subj))
+ if (!mac_biba_single_in_range(new, subj))
return (EPERM);
/*
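Review bot: Once the `mac_biba_range_in_range(obj, subj)` test is dropped, no visible line in this hunk still compares the socket's current label with the subject's range; the only trace of an earlier check is the `return (EPERM);` context line at the top, whose condition lies outside the hunk. If that condition does not already test the old single, the removed test should be replaced rather than deleted, with `if (!mac_biba_single_in_range(obj, subj)) return (EPERM);`. Otherwise the relabel decision rests only on the new label, and a subject could relabel a socket whose current label is outside its range. The mac_mls.c hunk at -1668 removes `mac_mls_range_in_range(obj, subj)` in the same way and needs the same confirmation; in both files the function body starts and ends outside the hunk.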
@@ -1743,11 +1712,6 @@
if (error)
return (error);
}
-
- /*
- * XXXMAC: Additional consistency tests regarding the single
- * and range of the new label might be performed here.
- */
}
return (0);
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#103 (text+ko) ====
@@ -402,19 +402,6 @@
}
static void
-mac_mls_copy_single_to_range(struct mac_mls *labelfrom,
- struct mac_mls *labelto)
-{
-
- KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_SINGLE) != 0,
- ("mac_mls_copy_single_to_range: labelfrom not single"));
-
- labelto->mm_rangelow = labelfrom->mm_single;
- labelto->mm_rangehigh = labelfrom->mm_single;
- labelto->mm_flags |= MAC_MLS_FLAG_RANGE;
-}
-
-static void
mac_mls_copy(struct mac_mls *source, struct mac_mls *dest)
{
@@ -933,7 +920,6 @@
dest = SLOT(socketlabel);
mac_mls_copy_single(source, dest);
- mac_mls_copy_single_to_range(source, dest);
}
static void
@@ -959,7 +945,6 @@
dest = SLOT(newsocketlabel);
mac_mls_copy_single(source, dest);
- mac_mls_copy_range(source, dest);
}
static void
@@ -1654,9 +1639,9 @@
/*
* If there is an MLS label update for the socket, it may be
- * an update of single, range, or both.
+ * an update of single.
*/
- error = mls_atmostflags(new, MAC_MLS_FLAGS_BOTH);
+ error = mls_atmostflags(new, MAC_MLS_FLAG_SINGLE);
if (error)
return (error);
@@ -1668,33 +1653,17 @@
return (EPERM);
/*
- * To relabel a socket, the old socket range must be in the subject
- * range.
- */
- if (!mac_mls_range_in_range(obj, subj))
- return (EPERM);
-
- /*
* If the MLS label is to be changed, authorize as appropriate.
*/
- if (new->mm_flags & MAC_MLS_FLAGS_BOTH) {
+ if (new->mm_flags & MAC_MLS_FLAG_SINGLE) {
/*
* To relabel a socket, the new socket single must be in
* the subject range.
*/
- if (new->mm_flags & MAC_MLS_FLAG_SINGLE &&
- !mac_mls_single_in_range(new, subj))
+ if (!mac_mls_single_in_range(new, subj))
return (EPERM);
/*
- * To change the MLS range on the socket, the new socket
- * range must be in the subject range.
- */
- if (new->mm_flags & MAC_MLS_FLAG_RANGE &&
- !mac_mls_range_in_range(new, subj))
- return (EPERM);
-
- /*
* To change the MLS label on the socket to contain EQUAL,
* the subject must have appropriate privilege.
*/
@@ -1703,11 +1672,6 @@
if (error)
return (error);
}
-
- /*
- * XXXMAC: Additional consistency tests regarding the single
- * and range of the new label might be performed here.
- */
}
return (0);