PERFORCE change 20081 for review

Robert Watson rwatson at freebsd.org
Thu Oct 24 20:56:46 GMT 2002


http://perforce.freebsd.org/chv.cgi?CH=20081

Change 20081 by rwatson at rwatson_tislabs on 2002/10/24 13:56:03

	More consistently use mac_biba_privileged(subj) instead of
	the old equal_ok notion.
	
	Use the error response from mac_biba_privileged() for the
	sysctl check, rather than treating it as a boolean
	incorrectly.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#157 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#157 (text+ko) ====

@@ -299,7 +299,7 @@
 }
 
 static int
-mac_biba_subject_equal_ok(struct mac_biba *mac_biba)
+mac_biba_privileged(struct mac_biba *mac_biba)
 {
 
 	KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
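Review bot: `mac_biba_privileged()` reads like a predicate, but nothing at the definition states its return convention. Judging by the callers in this change (`error = mac_biba_privileged(subj); if (error) return (error);`), it returns 0 when the subject is privileged and an errno value otherwise. That mismatch is what allowed the sysctl check to test `!mac_biba_privileged(subj)` with the sense inverted. I would add a comment above the definition, such as `/* Returns 0 if the subject label carries Biba privilege, otherwise an errno value; not a boolean. */`. The function body continues past the end of this hunk, so the exact error value returned is not visible here.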
@@ -325,14 +325,6 @@
 }
 
 static int
-mac_biba_privileged(struct mac_biba *mac_biba)
-{
-
-	/* Equate the notion of "equal" with privilege. */
-	return (mac_biba_subject_equal_ok(mac_biba));
-}
-
-static int
 mac_biba_high_single(struct mac_biba *mac_biba)
 {
 
@@ -1475,7 +1467,7 @@
 		 * their label.
 		 */
 		if (mac_biba_contains_equal(new)) {
-			error = mac_biba_subject_equal_ok(subj);
+			error = mac_biba_privileged(subj);
 			if (error)
 				return (error);
 		}
@@ -1672,7 +1664,7 @@
 		 * subject must have appropriate privilege.
 		 */
 		if (mac_biba_contains_equal(new)) {
-			error = mac_biba_subject_equal_ok(subj);
+			error = mac_biba_privileged(subj);
 			if (error)
 				return (error);
 		}
@@ -1834,7 +1826,7 @@
 		 * the subject must have appropriate privilege.
 		 */
 		if (mac_biba_contains_equal(new)) {
-			error = mac_biba_subject_equal_ok(subj);
+			error = mac_biba_privileged(subj);
 			if (error)
 				return (error);
 		}
@@ -1866,6 +1858,7 @@
     void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
 {
 	struct mac_biba *subj;
+	int error;
 
 	if (!mac_biba_enabled)
 		return (0);
@@ -1881,8 +1874,9 @@
 	if (new != NULL) {
 		if (namelen > 0 && name[0] == 0)
 			return (0);
-		if (!mac_biba_privileged(subj))
-			return (EPERM);
+		error = mac_biba_privileged(subj);
+		if (error)
+			return (error);
 	}
 
 	return (0);
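Review bot: The `namelen > 0 && name[0] == 0` early return sits ahead of the privilege check, so a request that supplies `new` under top-level OID 0 is permitted for unprivileged subjects, and no comment says why that is safe. If this is meant to exempt sysctl meta-node requests that pass their argument through `new` without changing state, state that next to the test, e.g. `/* OID 0 requests pass input via 'new' but do not modify state; exempt from the privilege check. */`. It is also worth confirming that nothing writable is registered under that node, since this check would not cover it. The function begins before this hunk, so how `subj` is obtained is not visible here.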
@@ -2247,7 +2241,7 @@
 		 * the subject must have appropriate privilege.
 		 */
 		if (mac_biba_contains_equal(new)) {
-			error = mac_biba_subject_equal_ok(subj);
+			error = mac_biba_privileged(subj);
 			if (error)
 				return (error);
 		}