mac_biba.c (106089) mac_biba.c (106090)
1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by NAI Labs,

--- 20 unchanged lines hidden (view full) ---

29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 *
1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by NAI Labs,

--- 20 unchanged lines hidden (view full) ---

29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 *
37 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 106089 2002-10-28 19:16:44Z rwatson $
37 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 106090 2002-10-28 19:17:39Z rwatson $
38 */
39
40/*
41 * Developed by the TrustedBSD Project.
42 * Biba fixed label mandatory integrity policy.
43 */
44
45#include <sys/types.h>

--- 261 unchanged lines hidden (view full) ---

307 if (mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
308 return (1);
309 }
310
311 return (0);
312}
313
314static int
38 */
39
40/*
41 * Developed by the TrustedBSD Project.
42 * Biba fixed label mandatory integrity policy.
43 */
44
45#include <sys/types.h>

--- 261 unchanged lines hidden (view full) ---

307 if (mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
308 return (1);
309 }
310
311 return (0);
312}
313
314static int
315mac_biba_subject_equal_ok(struct mac_biba *mac_biba)
315mac_biba_subject_privileged(struct mac_biba *mac_biba)
316{
317
318 KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
319 MAC_BIBA_FLAGS_BOTH,
316{
317
318 KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
319 MAC_BIBA_FLAGS_BOTH,
320 ("mac_biba_subject_equal_ok: subject doesn't have both labels"));
320 ("mac_biba_subject_privileged: subject doesn't have both labels"));
321
322 /* If the single is EQUAL, it's ok. */
323 if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
324 return (0);
325
326 /* If either range endpoint is EQUAL, it's ok. */
327 if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
328 mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)

--- 1142 unchanged lines hidden (view full) ---

1471 return (EPERM);
1472
1473 /*
1474 * To have EQUAL in any component of the new credential
1475 * Biba label, the subject must already have EQUAL in
1476 * their label.
1477 */
1478 if (mac_biba_contains_equal(new)) {
321
322 /* If the single is EQUAL, it's ok. */
323 if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
324 return (0);
325
326 /* If either range endpoint is EQUAL, it's ok. */
327 if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
328 mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)

--- 1142 unchanged lines hidden (view full) ---

1471 return (EPERM);
1472
1473 /*
1474 * To have EQUAL in any component of the new credential
1475 * Biba label, the subject must already have EQUAL in
1476 * their label.
1477 */
1478 if (mac_biba_contains_equal(new)) {
1479 error = mac_biba_subject_equal_ok(subj);
1479 error = mac_biba_subject_privileged(subj);
1480 if (error)
1481 return (error);
1482 }
1483
1484 /*
1485 * XXXMAC: Additional consistency tests regarding the
1486 * single and range of the new label might be performed
1487 * here.

--- 180 unchanged lines hidden (view full) ---

1668 if (!mac_biba_single_in_range(new, subj))
1669 return (EPERM);
1670
1671 /*
1672 * To change the Biba label on a pipe to be EQUAL, the
1673 * subject must have appropriate privilege.
1674 */
1675 if (mac_biba_contains_equal(new)) {
1480 if (error)
1481 return (error);
1482 }
1483
1484 /*
1485 * XXXMAC: Additional consistency tests regarding the
1486 * single and range of the new label might be performed
1487 * here.

--- 180 unchanged lines hidden (view full) ---

1668 if (!mac_biba_single_in_range(new, subj))
1669 return (EPERM);
1670
1671 /*
1672 * To change the Biba label on a pipe to be EQUAL, the
1673 * subject must have appropriate privilege.
1674 */
1675 if (mac_biba_contains_equal(new)) {
1676 error = mac_biba_subject_equal_ok(subj);
1676 error = mac_biba_subject_privileged(subj);
1677 if (error)
1678 return (error);
1679 }
1680 }
1681
1682 return (0);
1683}
1684

--- 145 unchanged lines hidden (view full) ---

1830 if (!mac_biba_single_in_range(new, subj))
1831 return (EPERM);
1832
1833 /*
1834 * To change the Biba label on the socket to contain EQUAL,
1835 * the subject must have appropriate privilege.
1836 */
1837 if (mac_biba_contains_equal(new)) {
1677 if (error)
1678 return (error);
1679 }
1680 }
1681
1682 return (0);
1683}
1684

--- 145 unchanged lines hidden (view full) ---

1830 if (!mac_biba_single_in_range(new, subj))
1831 return (EPERM);
1832
1833 /*
1834 * To change the Biba label on the socket to contain EQUAL,
1835 * the subject must have appropriate privilege.
1836 */
1837 if (mac_biba_contains_equal(new)) {
1838 error = mac_biba_subject_equal_ok(subj);
1838 error = mac_biba_subject_privileged(subj);
1839 if (error)
1840 return (error);
1841 }
1842 }
1843
1844 return (0);
1845}
1846

--- 369 unchanged lines hidden (view full) ---

2216 if (!mac_biba_single_in_range(new, subj))
2217 return (EPERM);
2218
2219 /*
2220 * To change the Biba label on the vnode to be EQUAL,
2221 * the subject must have appropriate privilege.
2222 */
2223 if (mac_biba_contains_equal(new)) {
1839 if (error)
1840 return (error);
1841 }
1842 }
1843
1844 return (0);
1845}
1846

--- 369 unchanged lines hidden (view full) ---

2216 if (!mac_biba_single_in_range(new, subj))
2217 return (EPERM);
2218
2219 /*
2220 * To change the Biba label on the vnode to be EQUAL,
2221 * the subject must have appropriate privilege.
2222 */
2223 if (mac_biba_contains_equal(new)) {
2224 error = mac_biba_subject_equal_ok(subj);
2224 error = mac_biba_subject_privileged(subj);
2225 if (error)
2226 return (error);
2227 }
2228 }
2229
2230 return (0);
2231}
2232

--- 478 unchanged lines hidden ---
2225 if (error)
2226 return (error);
2227 }
2228 }
2229
2230 return (0);
2231}
2232

--- 478 unchanged lines hidden ---
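Review bot: The new name mac_biba_subject_privileged reads like a boolean predicate, but the visible body returns 0 when the subject's single label is EQUAL, and all four call sites treat a non-zero result as an error to propagate (`error = mac_biba_subject_privileged(subj); if (error) return (error);`). A later caller that writes `if (mac_biba_subject_privileged(subj))` would silently invert the privilege check, so the function should carry a header comment such as `/* Returns 0 if the subject's label contains EQUAL (privileged), otherwise an error. */`. The inline comments that still say "it's ok" date from the old name and could be reworded to say the subject is privileged. The rest of the function body, including the failure return value, is hidden on this page, so the non-zero case is inferred from the callers.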