Diffstat (limited to 'sys/security/mac_mls/mac_mls.c')
-rw-r--r-- | sys/security/mac_mls/mac_mls.c | 336 |
1 files changed, 168 insertions, 168 deletions
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index 4fcf0140634f..ee390c34d7bd 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -216,31 +216,31 @@ mac_mls_range_in_range(struct mac_mls *rangea, struct mac_mls *rangeb) } static int -mac_mls_single_in_range(struct mac_mls *single, struct mac_mls *range) +mac_mls_effective_in_range(struct mac_mls *effective, struct mac_mls *range) { - KASSERT((single->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, - ("mac_mls_single_in_range: a not single")); + KASSERT((effective->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, + ("mac_mls_effective_in_range: a not effective")); KASSERT((range->mm_flags & MAC_MLS_FLAG_RANGE) != 0, - ("mac_mls_single_in_range: b not range")); + ("mac_mls_effective_in_range: b not range")); return (mac_mls_dominate_element(&range->mm_rangehigh, - &single->mm_single) && - mac_mls_dominate_element(&single->mm_single, + &effective->mm_effective) && + mac_mls_dominate_element(&effective->mm_effective, &range->mm_rangelow)); return (1); } static int -mac_mls_dominate_single(struct mac_mls *a, struct mac_mls *b) +mac_mls_dominate_effective(struct mac_mls *a, struct mac_mls *b) { - KASSERT((a->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, - ("mac_mls_dominate_single: a not single")); - KASSERT((b->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, - ("mac_mls_dominate_single: b not single")); + KASSERT((a->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, + ("mac_mls_dominate_effective: a not effective")); + KASSERT((b->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, + ("mac_mls_dominate_effective: b not effective")); - return (mac_mls_dominate_element(&a->mm_single, &b->mm_single)); + return (mac_mls_dominate_element(&a->mm_effective, &b->mm_effective)); } static int 
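Review bot: `mac_mls_effective_in_range` still ends with an unreachable `return (1);` directly after the `return (mac_mls_dominate_element(&range->mm_rangehigh, ...) && ...);` statement, and the rename carries the dead line across unchanged. A reader of an access-control predicate should not have to wonder whether a permissive fall-through was intended, so drop the stray `return (1);` while the function is being touched. The rest of this hunk is a straightforward rename of the two dominance helpers.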
@@ -255,23 +255,23 @@ mac_mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b) } static int -mac_mls_equal_single(struct mac_mls *a, struct mac_mls *b) +mac_mls_equal_effective(struct mac_mls *a, struct mac_mls *b) { - KASSERT((a->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, - ("mac_mls_equal_single: a not single")); - KASSERT((b->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, - ("mac_mls_equal_single: b not single")); + KASSERT((a->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, + ("mac_mls_equal_effective: a not effective")); + KASSERT((b->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, + ("mac_mls_equal_effective: b not effective")); - return (mac_mls_equal_element(&a->mm_single, &b->mm_single)); + return (mac_mls_equal_element(&a->mm_effective, &b->mm_effective)); } static int mac_mls_contains_equal(struct mac_mls *mac_mls) { - if (mac_mls->mm_flags & MAC_MLS_FLAG_SINGLE) - if (mac_mls->mm_single.mme_type == MAC_MLS_TYPE_EQUAL) + if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) + if (mac_mls->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL) return (1); if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) { @@ -292,8 +292,8 @@ mac_mls_subject_privileged(struct mac_mls *mac_mls) MAC_MLS_FLAGS_BOTH, ("mac_mls_subject_privileged: subject doesn't have both labels")); - /* If the single is EQUAL, it's ok. */ - if (mac_mls->mm_single.mme_type == MAC_MLS_TYPE_EQUAL) + /* If the effective is EQUAL, it's ok. */ + if (mac_mls->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL) return (0); /* If either range endpoint is EQUAL, it's ok. */ 
@@ -314,17 +314,17 @@ static int mac_mls_valid(struct mac_mls *mac_mls) { - if (mac_mls->mm_flags & MAC_MLS_FLAG_SINGLE) { - switch (mac_mls->mm_single.mme_type) { + if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { + switch (mac_mls->mm_effective.mme_type) { case MAC_MLS_TYPE_LEVEL: break; case MAC_MLS_TYPE_EQUAL: case MAC_MLS_TYPE_HIGH: case MAC_MLS_TYPE_LOW: - if (mac_mls->mm_single.mme_level != 0 || + if (mac_mls->mm_effective.mme_level != 0 || !MAC_MLS_BIT_SET_EMPTY( - mac_mls->mm_single.mme_compartments)) + mac_mls->mm_effective.mme_compartments)) return (EINVAL); break; @@ -332,7 +332,7 @@ mac_mls_valid(struct mac_mls *mac_mls) return (EINVAL); } } else { - if (mac_mls->mm_single.mme_type != MAC_MLS_TYPE_UNDEF) + if (mac_mls->mm_effective.mme_type != MAC_MLS_TYPE_UNDEF) return (EINVAL); } @@ -404,16 +404,16 @@ mac_mls_set_range(struct mac_mls *mac_mls, u_short typelow, } static void -mac_mls_set_single(struct mac_mls *mac_mls, u_short type, u_short level, +mac_mls_set_effective(struct mac_mls *mac_mls, u_short type, u_short level, u_char *compartments) { - mac_mls->mm_single.mme_type = type; - mac_mls->mm_single.mme_level = level; + mac_mls->mm_effective.mme_type = type; + mac_mls->mm_effective.mme_level = level; if (compartments != NULL) - memcpy(mac_mls->mm_single.mme_compartments, compartments, - sizeof(mac_mls->mm_single.mme_compartments)); - mac_mls->mm_flags |= MAC_MLS_FLAG_SINGLE; + memcpy(mac_mls->mm_effective.mme_compartments, compartments, + sizeof(mac_mls->mm_effective.mme_compartments)); + mac_mls->mm_flags |= MAC_MLS_FLAG_EFFECTIVE; } static void 
@@ -429,22 +429,22 @@ mac_mls_copy_range(struct mac_mls *labelfrom, struct mac_mls *labelto) } static void -mac_mls_copy_single(struct mac_mls *labelfrom, struct mac_mls *labelto) +mac_mls_copy_effective(struct mac_mls *labelfrom, struct mac_mls *labelto) { - KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_SINGLE) != 0, - ("mac_mls_copy_single: labelfrom not single")); + KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, + ("mac_mls_copy_effective: labelfrom not effective")); - labelto->mm_single = labelfrom->mm_single; - labelto->mm_flags |= MAC_MLS_FLAG_SINGLE; + labelto->mm_effective = labelfrom->mm_effective; + labelto->mm_flags |= MAC_MLS_FLAG_EFFECTIVE; } static void mac_mls_copy(struct mac_mls *source, struct mac_mls *dest) { - if (source->mm_flags & MAC_MLS_FLAG_SINGLE) - mac_mls_copy_single(source, dest); + if (source->mm_flags & MAC_MLS_FLAG_EFFECTIVE) + mac_mls_copy_effective(source, dest); if (source->mm_flags & MAC_MLS_FLAG_RANGE) mac_mls_copy_range(source, dest); } @@ -547,8 +547,8 @@ static int mac_mls_to_string(struct sbuf *sb, struct mac_mls *mac_mls) { - if (mac_mls->mm_flags & MAC_MLS_FLAG_SINGLE) { - if (mac_mls_element_to_string(sb, &mac_mls->mm_single) + if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { + if (mac_mls_element_to_string(sb, &mac_mls->mm_effective) == -1) return (EINVAL); } @@ -653,12 +653,12 @@ mac_mls_parse_element(struct mac_mls_element *element, char *string) static int mac_mls_parse(struct mac_mls *mac_mls, char *string) { - char *rangehigh, *rangelow, *single; + char *rangehigh, *rangelow, *effective; int error; - single = strsep(&string, "("); - if (*single == '\0') - single = NULL; + effective = strsep(&string, "("); + if (*effective == '\0') + effective = NULL; if (string != NULL) { rangelow = strsep(&string, "-"); 
@@ -679,11 +679,11 @@ mac_mls_parse(struct mac_mls *mac_mls, char *string) ("mac_mls_parse: range mismatch")); bzero(mac_mls, sizeof(*mac_mls)); - if (single != NULL) { - error = mac_mls_parse_element(&mac_mls->mm_single, single); + if (effective != NULL) { + error = mac_mls_parse_element(&mac_mls->mm_effective, effective); if (error) return (error); - mac_mls->mm_flags |= MAC_MLS_FLAG_SINGLE; + mac_mls->mm_flags |= MAC_MLS_FLAG_EFFECTIVE; } if (rangelow != NULL) { @@ -760,7 +760,7 @@ mac_mls_create_devfs_device(struct mount *mp, struct cdev *dev, mls_type = MAC_MLS_TYPE_EQUAL; else mls_type = MAC_MLS_TYPE_LOW; - mac_mls_set_single(mac_mls, mls_type, 0, NULL); + mac_mls_set_effective(mac_mls, mls_type, 0, NULL); } static void @@ -770,7 +770,7 @@ mac_mls_create_devfs_directory(struct mount *mp, char *dirname, struct mac_mls *mac_mls; mac_mls = SLOT(label); - mac_mls_set_single(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL); + mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL); } static void @@ -783,7 +783,7 @@ mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp, source = SLOT(cred->cr_label); dest = SLOT(delabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -794,9 +794,9 @@ mac_mls_create_mount(struct ucred *cred, struct mount *mp, source = SLOT(cred->cr_label); dest = SLOT(mntlabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); dest = SLOT(fslabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -807,9 +807,9 @@ mac_mls_create_root_mount(struct ucred *cred, struct mount *mp, /* Always mount root as high integrity. */ mac_mls = SLOT(fslabel); - mac_mls_set_single(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL); + mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL); mac_mls = SLOT(mntlabel); - mac_mls_set_single(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL); + mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL); } static void 
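Review bot: In `mac_mls_create_root_mount` the comment `/* Always mount root as high integrity. */` describes Biba integrity semantics, yet the two rewritten lines below it set both `fslabel` and `mntlabel` to `MAC_MLS_TYPE_LOW`; the commit edits the code lines but leaves the mismatched comment. Suggest `/* Always mount root at the low sensitivity level. */` so the comment states what this policy actually does. The function's opening is outside the hunk.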
@@ -834,7 +834,7 @@ mac_mls_update_devfsdirent(struct mount *mp, source = SLOT(vnodelabel); dest = SLOT(direntlabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -847,7 +847,7 @@ mac_mls_associate_vnode_devfs(struct mount *mp, struct label *fslabel, source = SLOT(delabel); dest = SLOT(vlabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static int @@ -867,7 +867,7 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel, MAC_MLS_EXTATTR_NAME, &buflen, (char *) &temp, curthread); if (error == ENOATTR || error == EOPNOTSUPP) { /* Fall back to the fslabel. */ - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); return (0); } else if (error) return (error); @@ -881,12 +881,12 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel, printf("mac_mls_associate_vnode_extattr: invalid\n"); return (EPERM); } - if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) { - printf("mac_mls_associated_vnode_extattr: not single\n"); + if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_EFFECTIVE) { + printf("mac_mls_associated_vnode_extattr: not effective\n"); return (EPERM); } - mac_mls_copy_single(&temp, dest); + mac_mls_copy_effective(&temp, dest); return (0); } @@ -899,7 +899,7 @@ mac_mls_associate_vnode_singlelabel(struct mount *mp, source = SLOT(fslabel); dest = SLOT(vlabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static int @@ -916,12 +916,12 @@ mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp, source = SLOT(cred->cr_label); dest = SLOT(vlabel); - mac_mls_copy_single(source, &temp); + mac_mls_copy_effective(source, &temp); error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE, MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread); if (error == 0) - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); return (error); } 
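Review bot: The diagnostic rewritten in `mac_mls_associate_vnode_extattr` still names a function that does not exist: `printf("mac_mls_associated_vnode_extattr: not effective\n");` should read `printf("mac_mls_associate_vnode_extattr: not effective\n");`, matching the function it sits in and the `invalid` message a few lines above it. These console lines are what an operator will search for when an on-disk MLS label is rejected, so the prefix is worth correcting while the line is being touched. The function's opening is outside the hunk.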
@@ -937,10 +937,10 @@ mac_mls_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, bzero(&temp, buflen); source = SLOT(intlabel); - if ((source->mm_flags & MAC_MLS_FLAG_SINGLE) == 0) + if ((source->mm_flags & MAC_MLS_FLAG_EFFECTIVE) == 0) return (0); - mac_mls_copy_single(source, &temp); + mac_mls_copy_effective(source, &temp); error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE, MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread); @@ -959,7 +959,7 @@ mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel, source = SLOT(solabel); dest = SLOT(inplabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -971,7 +971,7 @@ mac_mls_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, source = SLOT(socketlabel); dest = SLOT(mbuflabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -983,7 +983,7 @@ mac_mls_create_socket(struct ucred *cred, struct socket *socket, source = SLOT(cred->cr_label); dest = SLOT(socketlabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -995,7 +995,7 @@ mac_mls_create_pipe(struct ucred *cred, struct pipepair *pp, source = SLOT(cred->cr_label); dest = SLOT(pipelabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -1008,7 +1008,7 @@ mac_mls_create_socket_from_socket(struct socket *oldsocket, source = SLOT(oldsocketlabel); dest = SLOT(newsocketlabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -1044,7 +1044,7 @@ mac_mls_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, source = SLOT(mbuflabel); dest = SLOT(socketpeerlabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } /* 
@@ -1060,7 +1060,7 @@ mac_mls_set_socket_peer_from_socket(struct socket *oldsocket, source = SLOT(oldsocketlabel); dest = SLOT(newsocketpeerlabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -1072,7 +1072,7 @@ mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, source = SLOT(cred->cr_label); dest = SLOT(bpflabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -1088,7 +1088,7 @@ mac_mls_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) else type = MAC_MLS_TYPE_LOW; - mac_mls_set_single(dest, type, 0, NULL); + mac_mls_set_effective(dest, type, 0, NULL); mac_mls_set_range(dest, type, 0, NULL, type, 0, NULL); } @@ -1101,7 +1101,7 @@ mac_mls_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, source = SLOT(fragmentlabel); dest = SLOT(ipqlabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -1114,7 +1114,7 @@ mac_mls_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, dest = SLOT(datagramlabel); /* Just use the head, since we require them all to match. */ - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -1126,7 +1126,7 @@ mac_mls_create_fragment(struct mbuf *datagram, struct label *datagramlabel, source = SLOT(datagramlabel); dest = SLOT(fragmentlabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -1138,7 +1138,7 @@ mac_mls_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel, source = SLOT(inplabel); dest = SLOT(mlabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -1170,7 +1170,7 @@ mac_mls_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, dest = SLOT(mbuflabel); - mac_mls_set_single(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); + mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); } static void 
@@ -1182,7 +1182,7 @@ mac_mls_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel, source = SLOT(bpflabel); dest = SLOT(mbuflabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -1194,7 +1194,7 @@ mac_mls_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel, source = SLOT(ifnetlabel); dest = SLOT(mbuflabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -1207,7 +1207,7 @@ mac_mls_create_mbuf_multicast_encap(struct mbuf *oldmbuf, source = SLOT(oldmbuflabel); dest = SLOT(newmbuflabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static void @@ -1219,7 +1219,7 @@ mac_mls_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel, source = SLOT(oldmbuflabel); dest = SLOT(newmbuflabel); - mac_mls_copy_single(source, dest); + mac_mls_copy_effective(source, dest); } static int @@ -1231,7 +1231,7 @@ mac_mls_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, a = SLOT(ipqlabel); b = SLOT(fragmentlabel); - return (mac_mls_equal_single(a, b)); + return (mac_mls_equal_effective(a, b)); } static void @@ -1276,7 +1276,7 @@ mac_mls_create_proc0(struct ucred *cred) dest = SLOT(cred->cr_label); - mac_mls_set_single(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); + mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0, NULL); } @@ -1288,7 +1288,7 @@ mac_mls_create_proc1(struct ucred *cred) dest = SLOT(cred->cr_label); - mac_mls_set_single(dest, MAC_MLS_TYPE_LOW, 0, NULL); + mac_mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL); mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0, NULL); } 
@@ -1319,7 +1319,7 @@ mac_mls_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, a = SLOT(bpflabel); b = SLOT(ifnetlabel); - if (mac_mls_equal_single(a, b)) + if (mac_mls_equal_effective(a, b)) return (0); return (EACCES); } @@ -1335,7 +1335,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) /* * If there is an MLS label update for the credential, it may be - * an update of single, range, or both. + * an update of effective, range, or both. */ error = mls_atmostflags(new, MAC_MLS_FLAGS_BOTH); if (error) @@ -1346,21 +1346,21 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) */ if (new->mm_flags & MAC_MLS_FLAGS_BOTH) { /* - * If the change request modifies both the MLS label single - * and range, check that the new single will be in the + * If the change request modifies both the MLS label effective + * and range, check that the new effective will be in the * new range. */ if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) == MAC_MLS_FLAGS_BOTH && - !mac_mls_single_in_range(new, new)) + !mac_mls_effective_in_range(new, new)) return (EINVAL); /* - * To change the MLS single label on a credential, the - * new single label must be in the current range. + * To change the MLS effective label on a credential, the + * new effective label must be in the current range. */ - if (new->mm_flags & MAC_MLS_FLAG_SINGLE && - !mac_mls_single_in_range(new, subj)) + if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE && + !mac_mls_effective_in_range(new, subj)) return (EPERM); /* @@ -1398,7 +1398,7 @@ mac_mls_check_cred_visible(struct ucred *u1, struct ucred *u2) obj = SLOT(u2->cr_label); /* XXX: range */ - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (ESRCH); return (0); 
@@ -1416,7 +1416,7 @@ mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, /* * If there is an MLS label update for the interface, it may - * be an update of single, range, or both. + * be an update of effective, range, or both. */ error = mls_atmostflags(new, MAC_MLS_FLAGS_BOTH); if (error) @@ -1442,7 +1442,7 @@ mac_mls_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, p = SLOT(mbuflabel); i = SLOT(ifnetlabel); - return (mac_mls_single_in_range(p, i) ? 0 : EACCES); + return (mac_mls_effective_in_range(p, i) ? 0 : EACCES); } static int @@ -1457,7 +1457,7 @@ mac_mls_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, p = SLOT(mlabel); i = SLOT(inplabel); - return (mac_mls_equal_single(p, i) ? 0 : EACCES); + return (mac_mls_equal_effective(p, i) ? 0 : EACCES); } static int @@ -1472,7 +1472,7 @@ mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp, subj = SLOT(cred->cr_label); obj = SLOT(mntlabel); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -1503,7 +1503,7 @@ mac_mls_check_pipe_poll(struct ucred *cred, struct pipepair *pp, subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -1521,7 +1521,7 @@ mac_mls_check_pipe_read(struct ucred *cred, struct pipepair *pp, subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -1540,9 +1540,9 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipepair *pp, /* * If there is an MLS label update for a pipe, it must be a - * single update. + * effective update. */ - error = mls_atmostflags(new, MAC_MLS_FLAG_SINGLE); + error = mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE); if (error) return (error); 
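Review bot: The rewritten comment in `mac_mls_check_pipe_relabel` now reads "it must be a effective update" once the rename replaced "single"; the same slip appears in the `mac_mls_check_vnode_relabel` comment ("a effective label") further down the diff. Suggest `* an effective update.` here and `* an effective label.` there, or reword both to `* it may only update the effective label.` which also says more precisely what `mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE)` enforces.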
@@ -1550,18 +1550,18 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipepair *pp, * To perform a relabel of a pipe (MLS label or not), MLS must * authorize the relabel. */ - if (!mac_mls_single_in_range(obj, subj)) + if (!mac_mls_effective_in_range(obj, subj)) return (EPERM); /* * If the MLS label is to be changed, authorize as appropriate. */ - if (new->mm_flags & MAC_MLS_FLAG_SINGLE) { + if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { /* * To change the MLS label on a pipe, the new pipe label * must be in the subject range. */ - if (!mac_mls_single_in_range(new, subj)) + if (!mac_mls_effective_in_range(new, subj)) return (EPERM); /* @@ -1590,7 +1590,7 @@ mac_mls_check_pipe_stat(struct ucred *cred, struct pipepair *pp, subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -1608,7 +1608,7 @@ mac_mls_check_pipe_write(struct ucred *cred, struct pipepair *pp, subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -1626,9 +1626,9 @@ mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc) obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (ESRCH); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -1646,9 +1646,9 @@ mac_mls_check_proc_sched(struct ucred *cred, struct proc *proc) obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (ESRCH); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); 
@@ -1666,9 +1666,9 @@ mac_mls_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (ESRCH); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -1686,7 +1686,7 @@ mac_mls_check_socket_deliver(struct socket *so, struct label *socketlabel, p = SLOT(mbuflabel); s = SLOT(socketlabel); - return (mac_mls_equal_single(p, s) ? 0 : EACCES); + return (mac_mls_equal_effective(p, s) ? 0 : EACCES); } static int @@ -1702,28 +1702,28 @@ mac_mls_check_socket_relabel(struct ucred *cred, struct socket *socket, /* * If there is an MLS label update for the socket, it may be - * an update of single. + * an update of effective. */ - error = mls_atmostflags(new, MAC_MLS_FLAG_SINGLE); + error = mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE); if (error) return (error); /* - * To relabel a socket, the old socket single must be in the subject + * To relabel a socket, the old socket effective must be in the subject * range. */ - if (!mac_mls_single_in_range(obj, subj)) + if (!mac_mls_effective_in_range(obj, subj)) return (EPERM); /* * If the MLS label is to be changed, authorize as appropriate. */ - if (new->mm_flags & MAC_MLS_FLAG_SINGLE) { + if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { /* - * To relabel a socket, the new socket single must be in + * To relabel a socket, the new socket effective must be in * the subject range. */ - if (!mac_mls_single_in_range(new, subj)) + if (!mac_mls_effective_in_range(new, subj)) return (EPERM); /* @@ -1752,7 +1752,7 @@ mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket, subj = SLOT(cred->cr_label); obj = SLOT(socketlabel); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (ENOENT); return (0); 
@@ -1770,8 +1770,8 @@ mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(obj, subj) || - !mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(obj, subj) || + !mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -1789,7 +1789,7 @@ mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, subj = SLOT(cred->cr_label); obj = SLOT(dlabel); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -1807,7 +1807,7 @@ mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, subj = SLOT(cred->cr_label); obj = SLOT(dlabel); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -1825,7 +1825,7 @@ mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp, subj = SLOT(cred->cr_label); obj = SLOT(dlabel); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -1844,12 +1844,12 @@ mac_mls_check_vnode_delete(struct ucred *cred, struct vnode *dvp, subj = SLOT(cred->cr_label); obj = SLOT(dlabel); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); obj = SLOT(label); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -1867,7 +1867,7 @@ mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); 
@@ -1885,7 +1885,7 @@ mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -1917,7 +1917,7 @@ mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -1935,7 +1935,7 @@ mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -1953,7 +1953,7 @@ mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -1972,11 +1972,11 @@ mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp, subj = SLOT(cred->cr_label); obj = SLOT(dlabel); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); obj = SLOT(dlabel); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -1995,7 +1995,7 @@ mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -2013,7 +2013,7 @@ mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, subj = SLOT(cred->cr_label); obj = SLOT(dlabel); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); 
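Review bot: `mac_mls_check_vnode_link` assigns `obj = SLOT(dlabel);` before both dominance checks, so the second `mac_mls_dominate_effective(obj, subj)` repeats the directory test and the label of the vnode being linked is never consulted; the commit renames the calls but leaves the duplicated lookup in place. Compare `mac_mls_check_vnode_delete` in this same diff, which checks `dlabel` and then `label`. The function's signature is cut off in the hunk header, so confirm the parameter name, but if the target vnode's label arrives as `label` the second lookup should be `obj = SLOT(label);`. As written, the link check cannot refuse a link based on the target file's sensitivity level, which is the object the write-up constraint is meant to protect.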
@@ -2036,11 +2036,11 @@ mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp, obj = SLOT(label); if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) { - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); } if (prot & VM_PROT_WRITE) { - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); } @@ -2061,11 +2061,11 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp, /* XXX privilege override for admin? */ if (acc_mode & (VREAD | VEXEC | VSTAT)) { - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); } if (acc_mode & (VWRITE | VAPPEND | VADMIN)) { - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); } @@ -2084,7 +2084,7 @@ mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, subj = SLOT(active_cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -2102,7 +2102,7 @@ mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, subj = SLOT(active_cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -2120,7 +2120,7 @@ mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, subj = SLOT(cred->cr_label); obj = SLOT(dlabel); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -2138,7 +2138,7 @@ mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); 
@@ -2157,9 +2157,9 @@ mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp, /* * If there is an MLS label update for the vnode, it must be a - * single label. + * effective label. */ - error = mls_atmostflags(new, MAC_MLS_FLAG_SINGLE); + error = mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE); if (error) return (error); @@ -2167,18 +2167,18 @@ mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp, * To perform a relabel of the vnode (MLS label or not), MLS must * authorize the relabel. */ - if (!mac_mls_single_in_range(old, subj)) + if (!mac_mls_effective_in_range(old, subj)) return (EPERM); /* * If the MLS label is to be changed, authorize as appropriate. */ - if (new->mm_flags & MAC_MLS_FLAG_SINGLE) { + if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { /* * To change the MLS label on a vnode, the new vnode label * must be in the subject range. */ - if (!mac_mls_single_in_range(new, subj)) + if (!mac_mls_effective_in_range(new, subj)) return (EPERM); /* @@ -2209,12 +2209,12 @@ mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, subj = SLOT(cred->cr_label); obj = SLOT(dlabel); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); obj = SLOT(label); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -2233,13 +2233,13 @@ mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, subj = SLOT(cred->cr_label); obj = SLOT(dlabel); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); if (vp != NULL) { obj = SLOT(label); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); } 
@@ -2258,7 +2258,7 @@ mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -2276,7 +2276,7 @@ mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -2295,7 +2295,7 @@ mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); /* XXX: protect the MAC EA in a special way? */ @@ -2315,7 +2315,7 @@ mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -2333,7 +2333,7 @@ mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -2351,7 +2351,7 @@ mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); @@ -2369,7 +2369,7 @@ mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); 
@@ -2387,7 +2387,7 @@ mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, subj = SLOT(active_cred->cr_label); obj = SLOT(vnodelabel); - if (!mac_mls_dominate_single(subj, obj)) + if (!mac_mls_dominate_effective(subj, obj)) return (EACCES); return (0); @@ -2405,7 +2405,7 @@ mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, subj = SLOT(active_cred->cr_label); obj = SLOT(label); - if (!mac_mls_dominate_single(obj, subj)) + if (!mac_mls_dominate_effective(obj, subj)) return (EACCES); return (0); |