diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 027c2aa3d81..525ee5ad369 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -447,6 +447,16 @@ mac_biba_copy_single(struct mac_biba *labelfrom, struct mac_biba *labelto)
 	labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
 }
 
+static void
+mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
+{
+
+	if (source->mb_flags & MAC_BIBA_FLAG_SINGLE)
+		mac_biba_copy_single(source, dest);
+	if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
+		mac_biba_copy_range(source, dest);
+}
+
 /*
  * Policy module operations.
  */
@@ -631,7 +641,7 @@ mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
 	source = SLOT(label);
 	dest = SLOT(vnodelabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy(source, dest);
 }
 
 static void
@@ -643,7 +653,7 @@ mac_biba_update_devfsdirent(struct devfs_dirent *devfs_dirent,
 	source = SLOT(vnodelabel);
 	dest = SLOT(direntlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy(source, dest);
 }
 
 static void
@@ -757,7 +767,7 @@ mac_biba_relabel_socket(struct ucred *cred, struct socket *socket,
 	source = SLOT(newlabel);
 	dest = SLOT(socketlabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy(source, dest);
 }
 
 static void
@@ -769,7 +779,7 @@ mac_biba_relabel_pipe(struct ucred *cred, struct pipe *pipe,
 	source = SLOT(newlabel);
 	dest = SLOT(pipelabel);
 
-	mac_biba_copy_single(source, dest);
+	mac_biba_copy(source, dest);
 }
 
 static void
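Review bot: The new mac_biba_copy has no header comment, and its contract is not obvious from the body: it copies only the label elements whose flag is set in source, and mac_biba_copy_single (the hunk's first context line) ORs MAC_BIBA_FLAG_SINGLE into dest rather than replacing the flag word, so any element dest already carries but source lacks is left in place. That also alters the relabel_vnode, update_devfsdirent, relabel_socket and relabel_pipe hunks: a source without MAC_BIBA_FLAG_SINGLE previously still had its single copied and flagged, and now the call is a silent no-op, which is presumably what the relabel checks rule out but is worth stating. Suggest above the definition: `/* Copy the single and/or range elements present in source into dest; elements absent from source are left untouched in dest. */`. The same applies to mac_mls_copy in the mac_mls.c hunk.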
@@ -912,7 +922,15 @@ mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
 	source = SLOT(oldmbuflabel);
 	dest = SLOT(newmbuflabel);
 
-	mac_biba_copy_single(source, dest);
+	/*
+	 * Because the source mbuf may not yet have been "created",
+	 * just initialiezd, we do a conditional copy.  Since we don't
+	 * allow mbufs to have ranges, do a KASSERT to make sure that
+	 * doesn't happen.
+	 */
+	KASSERT((source->mb_flags & MAC_BIBA_FLAG_RANGE) == 0,
+	    ("mac_biba_create_mbuf_from_mbuf: source mbuf has range"));
+	mac_biba_copy(source, dest);
 }
 
 static void
@@ -996,8 +1014,7 @@ mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
 	source = SLOT(newlabel);
 	dest = SLOT(ifnetlabel);
 
-	mac_biba_copy_single(source, dest);
-	mac_biba_copy_range(source, dest);
+	mac_biba_copy(source, dest);
 }
 
 static void
@@ -1076,8 +1093,7 @@ mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
 	source = SLOT(newlabel);
 	dest = SLOT(&cred->cr_label);
 
-	mac_biba_copy_single(source, dest);
-	mac_biba_copy_range(source, dest);
+	mac_biba_copy(source, dest);
 }
 
 /*
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index d88181b1b0f..2a745898f77 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -435,6 +435,16 @@ mac_mls_copy_single(struct mac_mls *labelfrom, struct mac_mls *labelto)
 	labelto->mm_flags |= MAC_MLS_FLAG_SINGLE;
 }
 
+static void
+mac_mls_copy(struct mac_mls *source, struct mac_mls *dest)
+{
+
+	if (source->mm_flags & MAC_MLS_FLAG_SINGLE)
+		mac_mls_copy_single(source, dest);
+	if (source->mm_flags & MAC_MLS_FLAG_RANGE)
+		mac_mls_copy_range(source, dest);
+}
+
 /*
  * Policy module operations.
  */
@@ -622,7 +632,7 @@ mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
 	source = SLOT(label);
 	dest = SLOT(vnodelabel);
 
-	mac_mls_copy_single(source, dest);
+	mac_mls_copy(source, dest);
 }
 
 static void
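Review bot: The new comment in mac_biba_create_mbuf_from_mbuf misspells "initialiezd" (the mac_mls.c counterpart has "initialized"), and it overstates what is enforced: KASSERT is compiled out in kernels built without INVARIANTS, so there a source mbuf label carrying MAC_BIBA_FLAG_RANGE would have its range copied into the new mbuf by mac_biba_copy. If a ranged mbuf label is unreachable through the check functions that is acceptable, but the comment should say the assertion is a debug-only invariant rather than something that "makes sure" it does not happen. Suggest rewording the last two comment lines to `* allow mbufs to have ranges, KASSERT (INVARIANTS only) that the` / `* source carries none.`. The same comment wording applies to the mac_mls_create_mbuf_from_mbuf hunk.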
@@ -748,7 +758,7 @@ mac_mls_relabel_socket(struct ucred *cred, struct socket *socket,
 	source = SLOT(newlabel);
 	dest = SLOT(socketlabel);
 
-	mac_mls_copy_single(source, dest);
+	mac_mls_copy(source, dest);
 }
 
 static void
@@ -760,7 +770,7 @@ mac_mls_relabel_pipe(struct ucred *cred, struct pipe *pipe,
 	source = SLOT(newlabel);
 	dest = SLOT(pipelabel);
 
-	mac_mls_copy_single(source, dest);
+	mac_mls_copy(source, dest);
 }
 
 static void
@@ -867,7 +877,15 @@ mac_mls_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
 	source = SLOT(oldmbuflabel);
 	dest = SLOT(newmbuflabel);
 
-	mac_mls_copy_single(source, dest);
+	/*
+	 * Because the source mbuf may not yet have been "created",
+	 * just initialized, we do a conditional copy.  Since we don't
+	 * allow mbufs to have ranges, do a KASSERT to make sure that
+	 * doesn't happen.
+	 */
+	KASSERT((source->mm_flags & MAC_MLS_FLAG_RANGE) == 0,
+	    ("mac_mls_create_mbuf_from_mbuf: source mbuf has range"));
+	mac_mls_copy(source, dest);
 }
 
 static void
@@ -951,8 +969,7 @@ mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
 	source = SLOT(newlabel);
 	dest = SLOT(ifnetlabel);
 
-	mac_mls_copy_single(source, dest);
-	mac_mls_copy_range(source, dest);
+	mac_mls_copy(source, dest);
 }
 
 static void
@@ -1031,8 +1048,7 @@ mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel)
 	source = SLOT(newlabel);
 	dest = SLOT(&cred->cr_label);
 
-	mac_mls_copy_single(source, dest);
-	mac_mls_copy_range(source, dest);
+	mac_mls_copy(source, dest);
 }
 
 /*
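Review bot: In mac_mls_relabel_cred and mac_mls_relabel_ifnet the unconditional mac_mls_copy_range call is replaced by the flag-conditional copy, so a newlabel that carries only a single now leaves the credential's or interface's existing range in place, where before the range was presumably copied regardless of MAC_MLS_FLAG_RANGE (the body of mac_mls_copy_range is outside the diff, so this is inferred from the unconditional call). If a partial relabel is the intended semantics this is an improvement, but it is a behaviour change for a security label and deserves a comment at the call site, e.g. `/* Elements absent from newlabel are left unchanged. */`; if it is not intended, the corresponding relabel check should require both elements to be present. The same applies to the mac_biba_relabel_ifnet and mac_biba_relabel_cred hunks.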