| author | rwatson <rwatson@FreeBSD.org> | 2003-02-04 21:28:46 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2003-02-04 21:28:46 +0000 |
| commit | 61099be7ded96edfdddde587d72ce15118df4e18 | |
| tree | fd1126786f8636ca1abb3a1e254def292d6e1580 /sys | |
| parent | 413da05130b4d0ef260322f565d8b087640ac1bb | |
Place more stringent checks on process credential relabeling for the Biba
and MLS policies: as we support both an effective (single) element and
range (available) elements, require that the single be in the range if
both the single and range are defined in the update. Remove comments
suggesting that such a check might be a good idea.
Don't introduce a similar check for network interfaces; due to different
interpretations of the single and range elements, it's not clear that
it's useful to do so.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | sys/security/mac_biba/mac_biba.c | 16 |
| -rw-r--r-- | sys/security/mac_mls/mac_mls.c | 17 |

2 files changed, 21 insertions, 12 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index b5288ed..fd3f41a 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1422,6 +1422,16 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel) */ if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) { /* + * If the change request modifies both the Biba label + * single and range, check that the new single will be + * in the new range. + */ + if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == + MAC_BIBA_FLAGS_BOTH && + !mac_biba_single_in_range(new, new)) + return (EINVAL); + + /* * To change the Biba single label on a credential, the * new single label must be in the current range. */ @@ -1447,12 +1457,6 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel) if (error) return (error); } - - /* - * XXXMAC: Additional consistency tests regarding the - * single and range of the new label might be performed - * here. - */ } return (0); diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index 34c0788..b4aa3e0 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -1349,6 +1349,16 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) */ if (new->mm_flags & MAC_MLS_FLAGS_BOTH) { /* + * If the change request modifies both the MLS label single + * and range, check that the new single will be in the + * new range. + */ + if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) == + MAC_MLS_FLAGS_BOTH && + !mac_mls_single_in_range(new, new)) + return (EINVAL); + + /* * To change the MLS single label on a credential, the * new single label must be in the current range. */ 
@@ -1358,7 +1368,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) /* * To change the MLS range label on a credential, the - * new range label must be in the current range. + * new range must be in the current range. */ if (new->mm_flags & MAC_MLS_FLAG_RANGE && !mac_mls_range_in_range(new, subj)) @@ -1374,11 +1384,6 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) if (error) return (error); } - - /* - * XXXMAC: Additional consistency tests regarding the single - * and range of the new label might be performed here. - */ } return (0); |
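Review bot: in the mac_biba.c hunk at @@ -1422,6 +1422,16 @@, the new single-in-range check only fires when the update carries both elements (`(new->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAGS_BOTH`), so a range-only relabel still goes through unchecked against the credential's existing single: the following check only requires the new range to sit inside the current range, and nothing verifies that the current single sits inside the new range. That reaches the same inconsistent single/range pair this commit is trying to rule out, just by a different path. Unless that invariant is enforced elsewhere, consider a mirror check in the range-only case, e.g. `if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAG_RANGE && !mac_biba_single_in_range(subj, new)) return (EINVAL);`, with `subj` being the credential's current label as in the MLS counterpart and the argument order (single first, range second) following the `mac_biba_single_in_range(new, new)` call added here.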
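Review bot: the mac_mls.c hunk at @@ -1349,6 +1349,16 @@ has the same gap as its Biba twin: a relabel that sets only MAC_MLS_FLAG_RANGE is accepted once `mac_mls_range_in_range(new, subj)` passes, even if the credential's existing single then lies outside the new range, so the `!mac_mls_single_in_range(new, new)` test should be paired with a `!mac_mls_single_in_range(subj, new)` test in the range-only case. Separately, in both hunks the enclosing `if (new->mm_flags & MAC_MLS_FLAGS_BOTH)` is an any-of test while the inner `== MAC_MLS_FLAGS_BOTH` comparison is an all-of test; a reader skimming the code can easily take the inner test for a redundant repeat of the outer one, so the new comment should say explicitly that the outer condition admits single-only and range-only updates and the inner one selects the case where both are present.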