Diffstat (limited to 'sys')
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 16 | ||||
-rw-r--r-- | sys/security/mac_mls/mac_mls.c | 17 |
2 files changed, 21 insertions, 12 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index b5288ed..fd3f41a 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1422,6 +1422,16 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 */
 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
 /*
+ * If the change request modifies both the Biba label
+ * single and range, check that the new single will be
+ * in the new range.
+ */
+ if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
+ MAC_BIBA_FLAGS_BOTH &&
+ !mac_biba_single_in_range(new, new))
+ return (EINVAL);
+
+ /*
 * To change the Biba single label on a credential, the
 * new single label must be in the current range.
 */
@@ -1447,12 +1457,6 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 if (error)
 return (error);
 }
-
- /*
- * XXXMAC: Additional consistency tests regarding the
- * single and range of the new label might be performed
- * here.
- */
 }
 return (0);
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 34c0788..b4aa3e0 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1349,6 +1349,16 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 */
 if (new->mm_flags & MAC_MLS_FLAGS_BOTH) {
 /*
+ * If the change request modifies both the MLS label single
+ * and range, check that the new single will be in the
+ * new range.
+ */
+ if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) ==
+ MAC_MLS_FLAGS_BOTH &&
+ !mac_mls_single_in_range(new, new))
+ return (EINVAL);
+
+ /*
 * To change the MLS single label on a credential, the
 * new single label must be in the current range.
 */
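Review bot: A request that changes only the range is still not checked against the credential's existing single in `mac_biba_check_cred_relabel`, because the added test fires only when both flag bits are set (`(new->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAGS_BOTH`). If the relabel leaves unflagged elements at their current values (not visible in this hunk), a range-only change could narrow the range so that it no longer contains the current single, which is the same inconsistency this check is meant to reject. Consider covering that case as well, e.g. `if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAG_RANGE && !mac_biba_single_in_range(subj, new)) return (EINVAL);`, assuming `subj` is the current credential label here as it is in the mac_mls.c checks. The same point applies to the parallel hunk at -1349 in `mac_mls_check_cred_relabel`; both functions start and end outside their hunks.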
@@ -1358,7 +1368,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 /*
 * To change the MLS range label on a credential, the
- * new range label must be in the current range.
+ * new range must be in the current range.
 */
 if (new->mm_flags & MAC_MLS_FLAG_RANGE &&
 !mac_mls_range_in_range(new, subj))
@@ -1374,11 +1384,6 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 if (error)
 return (error);
 }
-
- /*
- * XXXMAC: Additional consistency tests regarding the single
- * and range of the new label might be performed here.
- */
 }
 return (0); |