authorrwatson <rwatson@FreeBSD.org>2002-10-21 20:55:39 +0000
committerrwatson <rwatson@FreeBSD.org>2002-10-21 20:55:39 +0000
commit3304731f7b3e64f0d6fbeec31c6c9eea6c042aac (patch)
tree0c95424f8b2ac7462b671b2d9829949f0b825b90 /sys/security
parent0fd9c5367a31e17429418b7d3c9bb503c5cfaad1 (diff)
downloadFreeBSD-src-3304731f7b3e64f0d6fbeec31c6c9eea6c042aac.zip
FreeBSD-src-3304731f7b3e64f0d6fbeec31c6c9eea6c042aac.tar.gz
Introduce mac_biba_copy() and mac_mls_copy(), which conditionally
copy elements of one Biba or MLS label to another based on the flags set on the source label's elements. Use this instead of mac_{biba,mls}_copy_{single,range}() to simplify the existing code, as well as to support partial label updates (an element is not updated if no update to it is requested).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac_biba/mac_biba.c34
-rw-r--r--sys/security/mac_mls/mac_mls.c32
2 files changed, 49 insertions, 17 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 027c2aa..525ee5a 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -447,6 +447,16 @@ mac_biba_copy_single(struct mac_biba *labelfrom, struct mac_biba *labelto)
labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
}
+static void
+mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
+{
+
+ if (source->mb_flags & MAC_BIBA_FLAG_SINGLE)
+ mac_biba_copy_single(source, dest);
+ if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
+ mac_biba_copy_range(source, dest);
+}
+
/*
* Policy module operations.
*/
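Review bot: mac_biba_copy carries no comment describing its contract, and the partial-update semantics introduced here are the security-relevant part: an element whose flag is clear in `source` is left untouched in `dest`, and a source with neither flag set performs no update at all, so every relabel caller is now relying on its check routine having validated the requested elements against whatever `dest` already holds. Suggest a header comment above the function: `/* Copy only the elements flagged in source into dest; unflagged elements of dest keep their current value, so a source with no flags set is a no-op. */`. mac_biba_copy_range and the relabel check routines are outside this hunk.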
@@ -631,7 +641,7 @@ mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
source = SLOT(label);
dest = SLOT(vnodelabel);
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
}
static void
@@ -643,7 +653,7 @@ mac_biba_update_devfsdirent(struct devfs_dirent *devfs_dirent,
source = SLOT(vnodelabel);
dest = SLOT(direntlabel);
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
}
static void
@@ -757,7 +767,7 @@ mac_biba_relabel_socket(struct ucred *cred, struct socket *socket,
source = SLOT(newlabel);
dest = SLOT(socketlabel);
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
}
static void
@@ -769,7 +779,7 @@ mac_biba_relabel_pipe(struct ucred *cred, struct pipe *pipe,
source = SLOT(newlabel);
dest = SLOT(pipelabel);
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
}
static void
@@ -912,7 +922,15 @@ mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
source = SLOT(oldmbuflabel);
dest = SLOT(newmbuflabel);
- mac_biba_copy_single(source, dest);
+ /*
+ * Because the source mbuf may not yet have been "created",
+ * just initialiezd, we do a conditional copy. Since we don't
+ * allow mbufs to have ranges, do a KASSERT to make sure that
+ * doesn't happen.
+ */
+ KASSERT((source->mb_flags & MAC_BIBA_FLAG_RANGE) == 0,
+ ("mac_biba_create_mbuf_from_mbuf: source mbuf has range"));
+ mac_biba_copy(source, dest);
}
static void
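Review bot: The KASSERT is compiled only into INVARIANTS kernels, so on a production build a RANGE-flagged source mbuf label is silently propagated into the new mbuf by mac_biba_copy, which is exactly the state the comment says is not allowed. If the no-range invariant must hold regardless of build options, copy only the single element here: `if (source->mb_flags & MAC_BIBA_FLAG_SINGLE)` / `mac_biba_copy_single(source, dest);`, keeping the KASSERT as the debug-time check. The comment also misspells "initialized" as "initialiezd". mac_biba_create_mbuf_from_mbuf begins outside this hunk.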
@@ -996,8 +1014,7 @@ mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
source = SLOT(newlabel);
dest = SLOT(ifnetlabel);
- mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
+ mac_biba_copy(source, dest);
}
static void
@@ -1076,8 +1093,7 @@ mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
source = SLOT(newlabel);
dest = SLOT(&cred->cr_label);
- mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
+ mac_biba_copy(source, dest);
}
/*
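Review bot: Before this change both the single and the range of the credential were unconditionally overwritten; now a newlabel carrying only a SINGLE element leaves the credential's existing range in place, and vice versa. Whether the resulting single still lies within the retained range therefore depends on mac_biba_check_cred_relabel, which is not in this diff; it is worth confirming that the check validates a requested single against the existing range (and a requested range against the existing single) when the other element is absent, since otherwise a partial relabel could produce a credential whose single lies outside its range. Suggest a comment before the copy: `/* Partial update: elements absent from newlabel keep their current value; the relabel check must have validated the combination. */`. mac_biba_relabel_cred begins outside this hunk.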
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index d88181b..2a74589 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -435,6 +435,16 @@ mac_mls_copy_single(struct mac_mls *labelfrom, struct mac_mls *labelto)
labelto->mm_flags |= MAC_MLS_FLAG_SINGLE;
}
+static void
+mac_mls_copy(struct mac_mls *source, struct mac_mls *dest)
+{
+
+ if (source->mm_flags & MAC_MLS_FLAG_SINGLE)
+ mac_mls_copy_single(source, dest);
+ if (source->mm_flags & MAC_MLS_FLAG_RANGE)
+ mac_mls_copy_range(source, dest);
+}
+
/*
* Policy module operations.
*/
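Review bot: mac_mls_copy, like its Biba counterpart, has no comment stating that it performs a partial update: elements not flagged in `source` are left as they are in `dest`, and a source with no flags set copies nothing, so callers depend on their relabel checks having validated the requested elements against the existing destination label. Suggest a header comment above the function: `/* Copy only the elements flagged in source into dest; unflagged elements of dest keep their current value, so a source with no flags set is a no-op. */`. mac_mls_copy_range is outside this hunk.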
@@ -622,7 +632,7 @@ mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
source = SLOT(label);
dest = SLOT(vnodelabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy(source, dest);
}
static void
@@ -748,7 +758,7 @@ mac_mls_relabel_socket(struct ucred *cred, struct socket *socket,
source = SLOT(newlabel);
dest = SLOT(socketlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy(source, dest);
}
static void
@@ -760,7 +770,7 @@ mac_mls_relabel_pipe(struct ucred *cred, struct pipe *pipe,
source = SLOT(newlabel);
dest = SLOT(pipelabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy(source, dest);
}
static void
@@ -867,7 +877,15 @@ mac_mls_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
source = SLOT(oldmbuflabel);
dest = SLOT(newmbuflabel);
- mac_mls_copy_single(source, dest);
+ /*
+ * Because the source mbuf may not yet have been "created",
+ * just initialized, we do a conditional copy. Since we don't
+ * allow mbufs to have ranges, do a KASSERT to make sure that
+ * doesn't happen.
+ */
+ KASSERT((source->mm_flags & MAC_MLS_FLAG_RANGE) == 0,
+ ("mac_mls_create_mbuf_from_mbuf: source mbuf has range"));
+ mac_mls_copy(source, dest);
}
static void
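Review bot: The KASSERT is absent from non-INVARIANTS kernels, so there a RANGE-flagged source mbuf label would be copied into the new mbuf by mac_mls_copy despite the comment stating mbufs may not carry ranges. To enforce that in every build, copy only the single element here: `if (source->mm_flags & MAC_MLS_FLAG_SINGLE)` / `mac_mls_copy_single(source, dest);`, with the KASSERT retained for debug kernels. mac_mls_create_mbuf_from_mbuf begins outside this hunk.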
@@ -951,8 +969,7 @@ mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
source = SLOT(newlabel);
dest = SLOT(ifnetlabel);
- mac_mls_copy_single(source, dest);
- mac_mls_copy_range(source, dest);
+ mac_mls_copy(source, dest);
}
static void
@@ -1031,8 +1048,7 @@ mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel)
source = SLOT(newlabel);
dest = SLOT(&cred->cr_label);
- mac_mls_copy_single(source, dest);
- mac_mls_copy_range(source, dest);
+ mac_mls_copy(source, dest);
}
/*
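Review bot: The credential relabel now writes only the elements flagged in newlabel, so a request carrying just a SINGLE keeps the existing range and one carrying just a RANGE keeps the existing single; previously both were always replaced. That makes the consistency of the resulting label (single within range) the responsibility of mac_mls_check_cred_relabel, which this diff does not show; it is worth verifying that the check compares the requested element against the retained one when only one is supplied. Suggest a comment before the copy: `/* Partial update: elements absent from newlabel keep their current value; the relabel check must have validated the combination. */`. mac_mls_relabel_cred begins outside this hunk.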