author | rwatson <rwatson@FreeBSD.org> | 2002-10-21 20:55:39 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-10-21 20:55:39 +0000 |
commit | 3304731f7b3e64f0d6fbeec31c6c9eea6c042aac (patch) | |
tree | 0c95424f8b2ac7462b671b2d9829949f0b825b90 /sys/security/mac_biba | |
parent | 0fd9c5367a31e17429418b7d3c9bb503c5cfaad1 (diff) | |
Introduce mac_biba_copy() and mac_mls_copy(), which conditionally
copy elements of one Biba or MLS label to another based on the flags
on the source label element. Use this instead of
mac_{biba,mls}_{single,range}() to simplify the existing code, as
well as support partial label updates (we don't update if none is
requested).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac_biba')
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 027c2aa..525ee5a 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -447,6 +447,16 @@ mac_biba_copy_single(struct mac_biba *labelfrom, struct mac_biba *labelto)
 labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
 }
+static void
+mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
+{
+
+ if (source->mb_flags & MAC_BIBA_FLAG_SINGLE)
+ mac_biba_copy_single(source, dest);
+ if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
+ mac_biba_copy_range(source, dest);
+}
+
 /*
 * Policy module operations.
 */
@@ -631,7 +641,7 @@ mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
 source = SLOT(label);
 dest = SLOT(vnodelabel);
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 static void
@@ -643,7 +653,7 @@ mac_biba_update_devfsdirent(struct devfs_dirent *devfs_dirent,
 source = SLOT(vnodelabel);
 dest = SLOT(direntlabel);
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 static void
@@ -757,7 +767,7 @@ mac_biba_relabel_socket(struct ucred *cred, struct socket *socket,
 source = SLOT(newlabel);
 dest = SLOT(socketlabel);
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 static void
@@ -769,7 +779,7 @@ mac_biba_relabel_pipe(struct ucred *cred, struct pipe *pipe,
 source = SLOT(newlabel);
 dest = SLOT(pipelabel);
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 static void
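Review bot: mac_biba_copy() has no header comment, and its contract is not obvious from the name: when the source carries neither MAC_BIBA_FLAG_SINGLE nor MAC_BIBA_FLAG_RANGE the destination is left untouched, and an element not flagged in the source keeps whatever the destination already held. The context line above the hunk shows mac_biba_copy_single() ORing its flag into `labelto->mb_flags`, so flags on the destination are only ever added here, never cleared (mac_biba_copy_range() is not visible, presumably it does the same). I would add a comment such as `/* Copy only the elements flagged valid in source; elements not flagged leave dest unchanged and are never cleared. */` so a caller expecting a full overwrite is not surprised.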
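Review bot: In mac_biba_relabel_vnode() the move from mac_biba_copy_single() to mac_biba_copy() means a source label carrying MAC_BIBA_FLAG_RANGE now has its range written into the vnode label, where the old call ignored it; the same applies to the hunks for mac_biba_update_devfsdirent(), mac_biba_relabel_socket() and mac_biba_relabel_pipe(). The mbuf hunk later in this diff asserts the no-range invariant before calling mac_biba_copy(), but these four call sites do not, so they depend on the relabel check hooks (not visible here) having already rejected a range. If these objects are likewise not meant to carry ranges, the same guard belongs before each call, e.g. `KASSERT((source->mb_flags & MAC_BIBA_FLAG_RANGE) == 0, ("mac_biba_relabel_vnode: source label has range"));`. Each of these function bodies starts outside its hunk.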
@@ -912,7 +922,15 @@ mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
 source = SLOT(oldmbuflabel);
 dest = SLOT(newmbuflabel);
- mac_biba_copy_single(source, dest);
+ /*
+ * Because the source mbuf may not yet have been "created",
+ * just initialiezd, we do a conditional copy. Since we don't
+ * allow mbufs to have ranges, do a KASSERT to make sure that
+ * doesn't happen.
+ */
+ KASSERT((source->mb_flags & MAC_BIBA_FLAG_RANGE) == 0,
+ ("mac_biba_create_mbuf_from_mbuf: source mbuf has range"));
+ mac_biba_copy(source, dest);
 }
 static void
@@ -996,8 +1014,7 @@ mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
 source = SLOT(newlabel);
 dest = SLOT(ifnetlabel);
- mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
+ mac_biba_copy(source, dest);
 }
 static void
@@ -1076,8 +1093,7 @@ mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
 source = SLOT(newlabel);
 dest = SLOT(&cred->cr_label);
- mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
+ mac_biba_copy(source, dest);
 }
 /* |
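Review bot: The KASSERT in mac_biba_create_mbuf_from_mbuf() enforces the no-range rule only on kernels built with INVARIANTS; on other kernels a source label with MAC_BIBA_FLAG_RANGE set falls through to mac_biba_copy() and the range is copied into the new mbuf label. If the rule is meant to hold in production as well, keep the assertion and make the copy itself single-only: `if (source->mb_flags & MAC_BIBA_FLAG_SINGLE) mac_biba_copy_single(source, dest);`. The new comment also misspells "initialized" as "initialiezd". The function body starts outside the hunk.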
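Review bot: In mac_biba_relabel_ifnet() and mac_biba_relabel_cred() the old code replaced both the single and the range, whereas with mac_biba_copy() a newlabel flagged with only one of them updates that element and leaves the other at its previous value. Nothing in these two hunks re-checks that the resulting single still lies within the resulting range, so that has to be guaranteed by the relabel check hook, which is not visible here and would need to validate the request against the element being kept, not only against the new label itself. I would record the dependency at both call sites: `/* Partial update: the check hook must have verified the new element against the element that is kept. */`. Both function bodies start outside their hunks.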