d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Demote sockets to single-label objects rather than maintaining a

Browse Source 
range on them, leaving process credentials as the only kernel
objects with label ranges in the Biba and MLS policies.  We
weren't using the range in any access control decisions, so this
lets us garbage collect effectively unused code.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
This commit is contained in:
Robert Watson 2002-10-21 18:05:12 +00:00
parent 6157bb02e8
commit 2f7f04362b
2 changed files with 0 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
sys/security/mac_biba/mac_biba.c
View File

@ -407,19 +407,6 @@ mac_biba_copy_single(struct mac_biba *labelfrom, struct mac_biba *labelto)
labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
}
static void
mac_biba_copy_single_to_range(struct mac_biba *labelfrom,
struct mac_biba *labelto)
{
KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
("mac_biba_copy_single_to_range: labelfrom not single"));
labelto->mb_rangelow = labelfrom->mb_single;
labelto->mb_rangehigh = labelfrom->mb_single;
labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
}
/*
* Policy module operations.
*/
@ -694,7 +681,6 @@ mac_biba_create_socket(struct ucred *cred, struct socket *socket,
dest = SLOT(socketlabel);
mac_biba_copy_single(source, dest);
mac_biba_copy_single_to_range(source, dest);
}
static void
@ -720,7 +706,6 @@ mac_biba_create_socket_from_socket(struct socket *oldsocket,
dest = SLOT(newsocketlabel);
mac_biba_copy_single(source, dest);
mac_biba_copy_range(source, dest);
}
static void
@ -733,7 +718,6 @@ mac_biba_relabel_socket(struct ucred *cred, struct socket *socket,
dest = SLOT(socketlabel);
mac_biba_copy_single(source, dest);
mac_biba_copy_range(source, dest);
}
static void

16
sys/security/mac_mls/mac_mls.c
View File

@ -396,19 +396,6 @@ mac_mls_copy_single(struct mac_mls *labelfrom, struct mac_mls *labelto)
labelto->mm_flags |= MAC_MLS_FLAG_SINGLE;
}
static void
mac_mls_copy_single_to_range(struct mac_mls *labelfrom,
struct mac_mls *labelto)
{
KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_SINGLE) != 0,
("mac_mls_copy_single_to_range: labelfrom not single"));
labelto->mm_rangelow = labelfrom->mm_single;
labelto->mm_rangehigh = labelfrom->mm_single;
labelto->mm_flags |= MAC_MLS_FLAG_RANGE;
}
/*
* Policy module operations.
*/
@ -686,7 +673,6 @@ mac_mls_create_socket(struct ucred *cred, struct socket *socket,
dest = SLOT(socketlabel);
mac_mls_copy_single(source, dest);
mac_mls_copy_single_to_range(source, dest);
}
static void
@ -712,7 +698,6 @@ mac_mls_create_socket_from_socket(struct socket *oldsocket,
dest = SLOT(newsocketlabel);
mac_mls_copy_single(source, dest);
mac_mls_copy_range(source, dest);
}
static void
@ -725,7 +710,6 @@ mac_mls_relabel_socket(struct ucred *cred, struct socket *socket,
dest = SLOT(socketlabel);
mac_mls_copy_single(source, dest);
mac_mls_copy_range(source, dest);
}
static void