Place more stringent checks on process credential relabeling for the Biba

and MLS policies: as we support both an effective (single) element and range (available) elements, require that the single be in the range if both the single and range are defined in the update. Remove comments suggesting that such a check might be a good idea. Don't introduce a similar check for network interfaces; due to different interpretations of the single and range elements, it's not clear that it's useful to do so. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-02-04 21:28:46 +00:00 · 2003-02-04 21:28:46 +00:00 · 12613c76cc
commit 12613c76cc
parent 4d2ec8debb
2 changed files with 21 additions and 12 deletions
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@ -1421,6 +1421,16 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 	 * If the Biba label is to be changed, authorize as appropriate.
 	 */
 	if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
+		/*
+		 * If the change request modifies both the Biba label
+		 * single and range, check that the new single will be
+		 * in the new range.
+		 */
+		if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
+		    MAC_BIBA_FLAGS_BOTH &&
+		    !mac_biba_single_in_range(new, new))
+			return (EINVAL);
+
 		/*
 		 * To change the Biba single label on a credential, the
 		 * new single label must be in the current range.
@ -1447,12 +1457,6 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 			if (error)
 				return (error);
 		}
-
-		/*
-		 * XXXMAC: Additional consistency tests regarding the
-		 * single and range of the new label might be performed
-		 * here.
-		 */
 	}

 	return (0);
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@ -1348,6 +1348,16 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 	 * If the MLS label is to be changed, authorize as appropriate.
 	 */
 	if (new->mm_flags & MAC_MLS_FLAGS_BOTH) {
+		/*
+		 * If the change request modifies both the MLS label single
+		 * and range, check that the new single will be in the
+		 * new range.
+		 */
+		if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) ==
+		    MAC_MLS_FLAGS_BOTH &&
+		    !mac_mls_single_in_range(new, new))
+			return (EINVAL);
+
 		/*
 		 * To change the MLS single label on a credential, the
 		 * new single label must be in the current range.
@ -1358,7 +1368,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)

 		/*
 		 * To change the MLS range label on a credential, the
-		 * new range label must be in the current range.
+		 * new range must be in the current range.
 		 */
 		if (new->mm_flags & MAC_MLS_FLAG_RANGE &&
 		    !mac_mls_range_in_range(new, subj))
@ -1374,11 +1384,6 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 			if (error)
 				return (error);
 		}
-
-		/*
-		 * XXXMAC: Additional consistency tests regarding the single
-		 * and range of the new label might be performed here.
-		 */
 	}

 	return (0);