summaryrefslogtreecommitdiffstats
path: root/sys/security/mac_biba/mac_biba.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/security/mac_biba/mac_biba.c')
-rw-r--r--sys/security/mac_biba/mac_biba.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index b5288ed..fd3f41a 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1422,6 +1422,16 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
*/
if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
/*
+ * If the change request modifies both the Biba label
+ * single and range, check that the new single will be
+ * in the new range.
+ */
+ if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
+ MAC_BIBA_FLAGS_BOTH &&
+ !mac_biba_single_in_range(new, new))
+ return (EINVAL);
+
+ /*
* To change the Biba single label on a credential, the
* new single label must be in the current range.
*/
@@ -1447,12 +1457,6 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
if (error)
return (error);
}
-
- /*
- * XXXMAC: Additional consistency tests regarding the
- * single and range of the new label might be performed
- * here.
- */
}
return (0);
OpenPOWER on IntegriCloud