From 36cf29fd8db50bff9b54c912d2aa8a89c0ea4d20 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Mon, 21 Oct 2002 20:55:39 +0000
Subject: [PATCH] Introduce mac_biba_copy() and mac_mls_copy(), which conditionally copy elements of one Biba or MLS label to another based on the flags on the source label element. Use this instead of mac_{biba,mls}_{single,range}() to simplify the existing code, as well as support partial label updates (we don't update if none is requested).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/security/mac_biba/mac_biba.c | 34 +++++++++++++++++++++++---------
 sys/security/mac_mls/mac_mls.c | 32 ++++++++++++++++++++++--------
 2 files changed, 49 insertions(+), 17 deletions(-)
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 027c2aa3d81..525ee5ad369 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -447,6 +447,16 @@ mac_biba_copy_single(struct mac_biba *labelfrom, struct mac_biba *labelto)
 labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
 }
 
+static void
+mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
+{
+
+ if (source->mb_flags & MAC_BIBA_FLAG_SINGLE)
+ mac_biba_copy_single(source, dest);
+ if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
+ mac_biba_copy_range(source, dest);
+}
+
 /*
 * Policy module operations.
 */
@@ -631,7 +641,7 @@ mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
 source = SLOT(label);
 dest = SLOT(vnodelabel);
 
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 static void
@@ -643,7 +653,7 @@ mac_biba_update_devfsdirent(struct devfs_dirent *devfs_dirent,
 source = SLOT(vnodelabel);
 dest = SLOT(direntlabel);
 
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 static void
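Review bot: mac_biba_copy() carries no comment stating its partial-update contract, and that contract is what the callers below now depend on: an element of dest whose flag is not set on source is left exactly as it was, and a source with neither flag set is a no-op. I would add above the definition `/* Copy the single and/or range elements that are flagged on source into dest; elements not flagged on source are left untouched, so the caller must already have checked the new element against whatever dest holds. */`. Since the relabel_* callers changed in this patch now perform partial updates, the corresponding check_*_relabel routines (outside this diff) need to validate a new range against the existing single in dest and a new single against the existing range, not only the elements present in the new label; I cannot tell from these hunks whether they do. The same applies to mac_mls_copy() and its callers in the mac_mls.c hunks.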
@@ -757,7 +767,7 @@ mac_biba_relabel_socket(struct ucred *cred, struct socket *socket,
 source = SLOT(newlabel);
 dest = SLOT(socketlabel);
 
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 static void
@@ -769,7 +779,7 @@ mac_biba_relabel_pipe(struct ucred *cred, struct pipe *pipe,
 source = SLOT(newlabel);
 dest = SLOT(pipelabel);
 
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 static void
@@ -912,7 +922,15 @@ mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
 source = SLOT(oldmbuflabel);
 dest = SLOT(newmbuflabel);
 
- mac_biba_copy_single(source, dest);
+ /*
+ * Because the source mbuf may not yet have been "created",
+ * just initialiezd, we do a conditional copy. Since we don't
+ * allow mbufs to have ranges, do a KASSERT to make sure that
+ * doesn't happen.
+ */
+ KASSERT((source->mb_flags & MAC_BIBA_FLAG_RANGE) == 0,
+ ("mac_biba_create_mbuf_from_mbuf: source mbuf has range"));
+ mac_biba_copy(source, dest);
 }
 
 static void
@@ -996,8 +1014,7 @@ mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
 source = SLOT(newlabel);
 dest = SLOT(ifnetlabel);
 
- mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 static void
@@ -1076,8 +1093,7 @@ mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
 source = SLOT(newlabel);
 dest = SLOT(&cred->cr_label);
 
- mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 /*
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index d88181b1b0f..2a745898f77 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
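Review bot: The KASSERT added in mac_biba_create_mbuf_from_mbuf() is compiled out in kernels built without INVARIANTS, so on such a kernel a source mbuf label that somehow carried MAC_BIBA_FLAG_RANGE would be copied into the new mbuf label by mac_biba_copy() without any diagnostic. If "mbufs never have ranges" is an invariant the enforcement logic relies on rather than a debugging aid, the comment should say that the assertion is debug-only, or the condition should be enforced unconditionally. The comment also has a typo, `initialiezd` for `initialized` (the mac_mls.c counterpart spells it correctly). The same observation applies to the KASSERT in the mac_mls_create_mbuf_from_mbuf() hunk.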
@@ -435,6 +435,16 @@ mac_mls_copy_single(struct mac_mls *labelfrom, struct mac_mls *labelto)
 labelto->mm_flags |= MAC_MLS_FLAG_SINGLE;
 }
 
+static void
+mac_mls_copy(struct mac_mls *source, struct mac_mls *dest)
+{
+
+ if (source->mm_flags & MAC_MLS_FLAG_SINGLE)
+ mac_mls_copy_single(source, dest);
+ if (source->mm_flags & MAC_MLS_FLAG_RANGE)
+ mac_mls_copy_range(source, dest);
+}
+
 /*
 * Policy module operations.
 */
@@ -622,7 +632,7 @@ mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
 source = SLOT(label);
 dest = SLOT(vnodelabel);
 
- mac_mls_copy_single(source, dest);
+ mac_mls_copy(source, dest);
 }
 
 static void
@@ -748,7 +758,7 @@ mac_mls_relabel_socket(struct ucred *cred, struct socket *socket,
 source = SLOT(newlabel);
 dest = SLOT(socketlabel);
 
- mac_mls_copy_single(source, dest);
+ mac_mls_copy(source, dest);
 }
 
 static void
@@ -760,7 +770,7 @@ mac_mls_relabel_pipe(struct ucred *cred, struct pipe *pipe,
 source = SLOT(newlabel);
 dest = SLOT(pipelabel);
 
- mac_mls_copy_single(source, dest);
+ mac_mls_copy(source, dest);
 }
 
 static void
@@ -867,7 +877,15 @@ mac_mls_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
 source = SLOT(oldmbuflabel);
 dest = SLOT(newmbuflabel);
 
- mac_mls_copy_single(source, dest);
+ /*
+ * Because the source mbuf may not yet have been "created",
+ * just initialized, we do a conditional copy. Since we don't
+ * allow mbufs to have ranges, do a KASSERT to make sure that
+ * doesn't happen.
+ */
+ KASSERT((source->mm_flags & MAC_MLS_FLAG_RANGE) == 0,
+ ("mac_mls_create_mbuf_from_mbuf: source mbuf has range"));
+ mac_mls_copy(source, dest);
 }
 
 static void
@@ -951,8 +969,7 @@ mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
 source = SLOT(newlabel);
 dest = SLOT(ifnetlabel);
 
- mac_mls_copy_single(source, dest);
- mac_mls_copy_range(source, dest);
+ mac_mls_copy(source, dest);
 }
 
 static void
@@ -1031,8 +1048,7 @@ mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel)
 source = SLOT(newlabel);
 dest = SLOT(&cred->cr_label);
 
- mac_mls_copy_single(source, dest);
- mac_mls_copy_range(source, dest);
+ mac_mls_copy(source, dest);
 }
 
 /*