PERFORCE change 23852 for review

Robert Watson rwatson at freebsd.org
Sat Jan 18 03:57:22 GMT 2003


If this is ready to merge to the main tree, let me know and I'll do so.



Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories

On Fri, 17 Jan 2003, Brian Feldman wrote:

> http://perforce.freebsd.org/chv.cgi?CH=23852
> 
> Change 23852 by green at green_laptop_2 on 2003/01/17 11:44:01
> 
> 	Fix a problem reported by tjr in which incorrect labels were
> 	checked and okayed during relabel operations in LOMAC.  Fill
> 	out the partial labels with information from the current label
> 	to make them complete, as per the comments.
> 
> Affected files ...
> 
> .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#50 edit
> 
> Differences ...
> 
> ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#50 (text+ko) ====
> 
> @@ -1649,6 +1649,14 @@
>  	 */
>  	if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) {
>  		/*
> +		 * Fill in the missing parts from the previous label.
> +		 */
> +		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
> +			mac_lomac_copy_single(subj, new);
> +		else
> +			mac_lomac_copy_range(subj, new);
> +			
> +		/*
>  		 * To change the LOMAC single label on a credential, the
>  		 * new single label must be in the current range.
>  		 */
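
Review bot: The else branch of the new fill-in block runs whenever MAC_LOMAC_FLAG_SINGLE is set, including when the caller supplied both a single and a range, since the enclosing test on MAC_LOMAC_FLAGS_BOTH passes if either bit is present. If the copy goes from subj into new, as the comment says, the requested range is then overwritten with the subject's current range. Two independent tests would avoid that: keep `if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)` for the single, and guard mac_lomac_copy_range(subj, new) with the equivalent test on the range flag instead of a bare else. The added line after the else body also contains only tabs and should be empty.
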
> @@ -1680,6 +1688,10 @@
>  		 * single and range of the new label might be performed
>  		 * here.
>  		 */
> +
> +		/*
> +		 * Fill in what is not already filled in.
> +		 */
>  	}
>  
>  	return (0);
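
Review bot: The added comment "Fill in what is not already filled in." sits directly before the closing brace with no statement after it, so it describes work this hunk does not do. Either add the code it refers to, or mark it as pending (for example with the XXXMAC convention used elsewhere in this file) and say which fields remain to be filled, so a reader does not assume the label is complete at this point.
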
> @@ -1733,6 +1745,14 @@
>  	 */
>  	if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) {
>  		/*
> +		 * Fill in the missing parts from the previous label.
> +		 */
> +		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
> +			mac_lomac_copy_single(subj, new);
> +		else
> +			mac_lomac_copy_range(subj, new);
> +
> +		/*
>  		 * Rely on the traditional superuser status for the LOMAC
>  		 * interface relabel requirements.  XXXMAC: This will go
>  		 * away.
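
Review bot: This fill-in block repeats the one added at -1649 line for line, including the bare else that calls mac_lomac_copy_range(subj, new) whenever MAC_LOMAC_FLAG_SINGLE is set, without checking whether the caller also supplied a range. Since the same completion logic is now needed in at least two relabel checks, consider moving it into one small helper that tests each flag separately, so both call sites get the same behavior and a later fix lands in one place.
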
> @@ -2353,6 +2373,12 @@
>  	}
>  	if (new->ml_flags & MAC_LOMAC_FLAG_AUX) {
>  		/*
> +		 * Fill in the missing parts from the previous label.
> +		 */
> +		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
> +			mac_lomac_copy_single(subj, new);
> +
> +		/*
>  		 * To change the auxiliary LOMAC label on a vnode, the new
>  		 * vnode label must be in the subject range.
>  		 */
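
Review bot: The copy source in this hunk is subj, but the label being changed here is a vnode's, and the comment just below distinguishes "the new vnode label" from "the subject range". "Fill in the missing parts from the previous label" therefore reads as if the single should come from the vnode's existing label, not from the subject's. Please confirm that mac_lomac_copy_single(subj, new) is intended here; if it is, reword the comment to say the single is taken from the subject, and if not, copy from the vnode's current label instead.
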
> 
