PERFORCE change 36615 for review

Thu Aug 21 18:13:36 GMT 2003

http://perforce.freebsd.org/chv.cgi?CH=36615

Change 36615 by rwatson at rwatson_tislabs on 2003/08/21 11:13:07

	Loop-back integration of mac_lomac fixes from the FreeBSD
	main tree to the TrustedBSD base branch.

Affected files ...

.. //depot/projects/trustedbsd/base/sys/security/mac_lomac/mac_lomac.c#12 integrate

Differences ...

==== //depot/projects/trustedbsd/base/sys/security/mac_lomac/mac_lomac.c#12 (text+ko) ====

@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/security/mac_lomac/mac_lomac.c,v 1.16 2003/07/05 01:24:36 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_lomac/mac_lomac.c,v 1.17 2003/08/21 18:07:52 rwatson Exp $
  */
 
 /*
@@ -1596,19 +1596,27 @@
 	 */
 	if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) {
 		/*
-		 * To change the LOMAC single label on a credential, the
-		 * new single label must be in the current range.
+		 * Fill in the missing parts from the previous label.
 		 */
-		if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE &&
-		    !mac_lomac_single_in_range(new, subj))
-			return (EPERM);
+		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
+			mac_lomac_copy_single(subj, new);
+		if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0)
+			mac_lomac_copy_range(subj, new);
 
 		/*
 		 * To change the LOMAC range on a credential, the new
 		 * range label must be in the current range.
 		 */
-		if (new->ml_flags & MAC_LOMAC_FLAG_RANGE &&
-		    !mac_lomac_range_in_range(new, subj))
+		if (!mac_lomac_range_in_range(new, subj))
+			return (EPERM);
+
+		/*
+		 * To change the LOMAC single label on a credential, the
+		 * new single label must be in the new range.  Implicitly
+		 * from the previous check, the new single is in the old
+		 * range.
+		 */
+		if (!mac_lomac_single_in_range(new, new))
 			return (EPERM);
 
 		/*
@@ -1680,6 +1688,14 @@
 	 */
 	if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) {
 		/*
+		 * Fill in the missing parts from the previous label.
+		 */
+		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
+			mac_lomac_copy_single(subj, new);
+		if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0)
+			mac_lomac_copy_range(subj, new);
+
+		/*
 		 * Rely on the traditional superuser status for the LOMAC
 		 * interface relabel requirements.  XXXMAC: This will go
 		 * away.
@@ -2300,6 +2316,12 @@
 	}
 	if (new->ml_flags & MAC_LOMAC_FLAG_AUX) {
 		/*
+		 * Fill in the missing parts from the previous label.
+		 */
+		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
+			mac_lomac_copy_single(subj, new);
+
+		/*
 		 * To change the auxiliary LOMAC label on a vnode, the new
 		 * vnode label must be in the subject range.
 		 */
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

