authorrwatson <rwatson@FreeBSD.org>2003-02-04 21:28:46 +0000
committerrwatson <rwatson@FreeBSD.org>2003-02-04 21:28:46 +0000
commit61099be7ded96edfdddde587d72ce15118df4e18 (patch)
treefd1126786f8636ca1abb3a1e254def292d6e1580 /sys/security/mac_biba
parent413da05130b4d0ef260322f565d8b087640ac1bb (diff)
Place more stringent checks on process credential relabeling for the Biba
and MLS policies: as we support both an effective (single) element and range (available) elements, require that the single be in the range if both the single and range are defined in the update. Remove comments suggesting that such a check might be a good idea. Don't introduce a similar check for network interfaces; due to different interpretations of the single and range elements, it's not clear that it's useful to do so.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac_biba')
-rw-r--r--sys/security/mac_biba/mac_biba.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index b5288ed..fd3f41a 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1422,6 +1422,16 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
*/
if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
/*
+ * If the change request modifies both the Biba label
+ * single and range, check that the new single will be
+ * in the new range.
+ */
+ if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
+ MAC_BIBA_FLAGS_BOTH &&
+ !mac_biba_single_in_range(new, new))
+ return (EINVAL);
+
+ /*
* To change the Biba single label on a credential, the
* new single label must be in the current range.
*/
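Review bot: The added test enforces single-in-range only when the request sets both elements (`(new->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAGS_BOTH`), so a range-only relabel is not compared against the credential's existing single in the lines shown here. If the range branch further down (outside this hunk) only requires the new range to sit inside the current range, a process could narrow its range until its unchanged effective label falls outside it, which is the inconsistent state this commit sets out to prevent. Consider a matching guard inside that range branch, e.g. `if (!(new->mb_flags & MAC_BIBA_FLAG_SINGLE) && !mac_biba_single_in_range(<current cred label>, new)) return (EINVAL);`, or a comment explaining why the case cannot arise. The new comment could also say that passing `new` as both arguments is deliberate, presumably the first supplying the single and the second the range.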
@@ -1447,12 +1457,6 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
if (error)
return (error);
}
-
- /*
- * XXXMAC: Additional consistency tests regarding the
- * single and range of the new label might be performed
- * here.
- */
}
return (0);