From 12613c76cc60fc0063d85bdc51de5baa362e7257 Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Tue, 4 Feb 2003 21:28:46 +0000 Subject: [PATCH] Place more stringent checks on process credential relabeling for the Biba and MLS policies: as we support both an effective (single) element and range (available) elements, require that the single be in the range if both the single and range are defined in the update. Remove comments suggesting that such a check might be a good idea. Don't introduce a similar check for network interfaces; due to different interpretations of the single and range elements, it's not clear that it's useful to do so. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories --- sys/security/mac_biba/mac_biba.c | 16 ++++++++++------ sys/security/mac_mls/mac_mls.c | 17 +++++++++++------ 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index b5288ed8f724..fd3f41ad58b5 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1421,6 +1421,16 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel) * If the Biba label is to be changed, authorize as appropriate. */ if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) { + /* + * If the change request modifies both the Biba label + * single and range, check that the new single will be + * in the new range. + */ + if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == + MAC_BIBA_FLAGS_BOTH && + !mac_biba_single_in_range(new, new)) + return (EINVAL); + /* * To change the Biba single label on a credential, the * new single label must be in the current range. @@ -1447,12 +1457,6 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel) if (error) return (error); } - - /* - * XXXMAC: Additional consistency tests regarding the - * single and range of the new label might be performed - * here. - */ } return (0); diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index 34c078872283..b4aa3e0c62d6 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -1348,6 +1348,16 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) * If the MLS label is to be changed, authorize as appropriate. */ if (new->mm_flags & MAC_MLS_FLAGS_BOTH) { + /* + * If the change request modifies both the MLS label single + * and range, check that the new single will be in the + * new range. + */ + if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) == + MAC_MLS_FLAGS_BOTH && + !mac_mls_single_in_range(new, new)) + return (EINVAL); + /* * To change the MLS single label on a credential, the * new single label must be in the current range. @@ -1358,7 +1368,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) /* * To change the MLS range label on a credential, the - * new range label must be in the current range. + * new range must be in the current range. */ if (new->mm_flags & MAC_MLS_FLAG_RANGE && !mac_mls_range_in_range(new, subj)) @@ -1374,11 +1384,6 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) if (error) return (error); } - - /* - * XXXMAC: Additional consistency tests regarding the single - * and range of the new label might be performed here. - */ } return (0);