d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Introduce mac_biba_copy() and mac_mls_copy(), which conditionally

Browse Source 
copy elements of one Biba or MLS label to another based on the flags
on the source label element.  Use this instead of
mac_{biba,mls}_{single,range}() to simplify the existing code, as
well as support partial label updates (we don't update if none is
requested).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
This commit is contained in:
Robert Watson 2002-10-21 20:55:39 +00:00
parent 01a4d0197d
commit 36cf29fd8d
2 changed files with 49 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
sys/security/mac_biba/mac_biba.c
View File

@ -447,6 +447,16 @@ mac_biba_copy_single(struct mac_biba *labelfrom, struct mac_biba *labelto)
labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
}
static void
mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
{
if (source->mb_flags & MAC_BIBA_FLAG_SINGLE)
mac_biba_copy_single(source, dest);
if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
mac_biba_copy_range(source, dest);
}
/*
* Policy module operations.
*/
@ -631,7 +641,7 @@ mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
source = SLOT(label);
dest = SLOT(vnodelabel);
mac_biba_copy_single(source, dest);
mac_biba_copy(source, dest);
}
static void
@ -643,7 +653,7 @@ mac_biba_update_devfsdirent(struct devfs_dirent *devfs_dirent,
source = SLOT(vnodelabel);
dest = SLOT(direntlabel);
mac_biba_copy_single(source, dest);
mac_biba_copy(source, dest);
}
static void
@ -757,7 +767,7 @@ mac_biba_relabel_socket(struct ucred *cred, struct socket *socket,
source = SLOT(newlabel);
dest = SLOT(socketlabel);
mac_biba_copy_single(source, dest);
mac_biba_copy(source, dest);
}
static void
@ -769,7 +779,7 @@ mac_biba_relabel_pipe(struct ucred *cred, struct pipe *pipe,
source = SLOT(newlabel);
dest = SLOT(pipelabel);
mac_biba_copy_single(source, dest);
mac_biba_copy(source, dest);
}
static void
@ -912,7 +922,15 @@ mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
source = SLOT(oldmbuflabel);
dest = SLOT(newmbuflabel);
mac_biba_copy_single(source, dest);
/*
* Because the source mbuf may not yet have been "created",
* just initialiezd, we do a conditional copy. Since we don't
* allow mbufs to have ranges, do a KASSERT to make sure that
* doesn't happen.
*/
KASSERT((source->mb_flags & MAC_BIBA_FLAG_RANGE) == 0,
("mac_biba_create_mbuf_from_mbuf: source mbuf has range"));
mac_biba_copy(source, dest);
}
static void
@ -996,8 +1014,7 @@ mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
source = SLOT(newlabel);
dest = SLOT(ifnetlabel);
mac_biba_copy_single(source, dest);
mac_biba_copy_range(source, dest);
mac_biba_copy(source, dest);
}
static void
@ -1076,8 +1093,7 @@ mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
source = SLOT(newlabel);
dest = SLOT(&cred->cr_label);
mac_biba_copy_single(source, dest);
mac_biba_copy_range(source, dest);
mac_biba_copy(source, dest);
}
/*

32
sys/security/mac_mls/mac_mls.c
View File

@ -435,6 +435,16 @@ mac_mls_copy_single(struct mac_mls *labelfrom, struct mac_mls *labelto)
labelto->mm_flags |= MAC_MLS_FLAG_SINGLE;
}
static void
mac_mls_copy(struct mac_mls *source, struct mac_mls *dest)
{
if (source->mm_flags & MAC_MLS_FLAG_SINGLE)
mac_mls_copy_single(source, dest);
if (source->mm_flags & MAC_MLS_FLAG_RANGE)
mac_mls_copy_range(source, dest);
}
/*
* Policy module operations.
*/
@ -622,7 +632,7 @@ mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
source = SLOT(label);
dest = SLOT(vnodelabel);
mac_mls_copy_single(source, dest);
mac_mls_copy(source, dest);
}
static void
@ -748,7 +758,7 @@ mac_mls_relabel_socket(struct ucred *cred, struct socket *socket,
source = SLOT(newlabel);
dest = SLOT(socketlabel);
mac_mls_copy_single(source, dest);
mac_mls_copy(source, dest);
}
static void
@ -760,7 +770,7 @@ mac_mls_relabel_pipe(struct ucred *cred, struct pipe *pipe,
source = SLOT(newlabel);
dest = SLOT(pipelabel);
mac_mls_copy_single(source, dest);
mac_mls_copy(source, dest);
}
static void
@ -867,7 +877,15 @@ mac_mls_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
source = SLOT(oldmbuflabel);
dest = SLOT(newmbuflabel);
mac_mls_copy_single(source, dest);
/*
* Because the source mbuf may not yet have been "created",
* just initialized, we do a conditional copy. Since we don't
* allow mbufs to have ranges, do a KASSERT to make sure that
* doesn't happen.
*/
KASSERT((source->mm_flags & MAC_MLS_FLAG_RANGE) == 0,
("mac_mls_create_mbuf_from_mbuf: source mbuf has range"));
mac_mls_copy(source, dest);
}
static void
@ -951,8 +969,7 @@ mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
source = SLOT(newlabel);
dest = SLOT(ifnetlabel);
mac_mls_copy_single(source, dest);
mac_mls_copy_range(source, dest);
mac_mls_copy(source, dest);
}
static void
@ -1031,8 +1048,7 @@ mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel)
source = SLOT(newlabel);
dest = SLOT(&cred->cr_label);
mac_mls_copy_single(source, dest);
mac_mls_copy_range(source, dest);
mac_mls_copy(source, dest);
}
/*