PERFORCE change 38830 for review
Hrishikesh Dandekar
hdandeka at FreeBSD.org
Tue Sep 30 01:51:00 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=38830
Change 38830 by hdandeka at hdandeka_yash on 2003/09/29 18:50:05
Integrate the System V IPC and Posix semaphores related changes from
the trustedbsd_mac parent branch.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/include/Makefile#6 integrate
.. //depot/projects/trustedbsd/sebsd/lib/libc/sys/sem.c#4 edit
.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#9 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/sysv_ipc.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/sysv_msg.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/sysv_sem.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/sysv_shm.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/uipc_sem.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/modules/mac_stub/Makefile#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/modules/sysvipc/sysvmsg/Makefile#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/modules/sysvipc/sysvsem/Makefile#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/modules/sysvipc/sysvshm/Makefile#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/posix4/ksem.h#1 branch
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_biba/mac_biba.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_biba/mac_biba.h#3 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_mls/mac_mls.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_stub/mac_stub.c#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_test/mac_test.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/mac.h#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/mac_policy.h#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/msg.h#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/msg_msg.h#1 branch
.. //depot/projects/trustedbsd/sebsd/sys/sys/sem.h#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/shm.h#5 integrate
.. //depot/projects/trustedbsd/sebsd/usr.bin/ipcs/ipcs.c#4 integrate
Differences ...
==== //depot/projects/trustedbsd/sebsd/include/Makefile#6 (text+ko) ====
@@ -22,7 +22,7 @@
MHDRS= float.h floatingpoint.h stdarg.h varargs.h
# posix4/mqueue.h is useless without an implementation and isn't installed:
-PHDRS= sched.h semaphore.h _semaphore.h # mqueue.h
+PHDRS= sched.h semaphore.h _semaphore.h ksem.h# mqueue.h
LHDRS= aio.h errno.h fcntl.h linker_set.h poll.h stdint.h syslog.h \
termios.h ucontext.h
==== //depot/projects/trustedbsd/sebsd/lib/libc/sys/sem.c#4 (text+ko) ====
@@ -115,21 +115,20 @@
* Range check the arguments.
*/
if (pshared != 0) {
- retval = ksem_init(&semid, value);
- if (retval == -1)
- goto RETURN;
+ if ((retval = ksem_init(&semid, value))) {
+ errno = retval;
+ return (-1);
+ }
got_system_sem = 1;
}
(*sem) = sem_alloc(value, semid, got_system_sem);
- if ((*sem) == NULL)
- retval = -1;
- else
- retval = 0;
- RETURN:
- if (retval != 0 && got_system_sem)
+ if ((*sem) == NULL) {
+ errno = ENOSPC;
ksem_destroy(semid);
- return retval;
+ return (-1);
+ }
+ return (0);
}
int
@@ -145,8 +144,9 @@
* make sure there are no waiters.
*/
if ((*sem)->syssem != 0) {
- retval = ksem_destroy((*sem)->semid);
- if (retval == -1) {
+ if ((retval = ksem_destroy((*sem)->semid))) {
+ errno = retval;
+ retval = -1;
_pthread_mutex_unlock(&(*sem)->lock);
goto RETURN;
}
@@ -173,6 +173,7 @@
semid_t semid;
mode_t mode;
unsigned int value;
+ int retval;
mode = 0;
value = 0;
@@ -189,8 +190,10 @@
* we can be lazy and let the kernel handle the "oflag",
* we'll just merge duplicate IDs into our list.
*/
- if (ksem_open(&semid, name, oflag, mode, value) == -1)
+ if ((retval = ksem_open(&semid, name, oflag, mode, value))) {
+ errno = retval;
return (SEM_FAILED);
+ }
/*
* search for a duplicate ID, we must return the same sem_t *
* if we locate one.
@@ -230,13 +233,15 @@
int
sem_close(sem_t *sem)
{
+ int retval;
if ((*sem)->syssem == 0) {
errno = EINVAL;
return (-1);
}
_pthread_mutex_lock(&named_sems_mtx);
- if (ksem_close((*sem)->semid) == -1) {
+ if ((retval = ksem_close((*sem)->semid))) {
+ errno = retval;
_pthread_mutex_unlock(&named_sems_mtx);
return (-1);
}
@@ -250,8 +255,13 @@
int
sem_unlink(const char *name)
{
+ int retval;
- return (ksem_unlink(name));
+ if ((retval = ksem_unlink(name))) {
+ errno = retval;
+ return (-1);
+ }
+ return (0);
}
int
@@ -262,9 +272,13 @@
_SEM_CHECK_VALIDITY(sem);
if ((*sem)->syssem != 0) {
- retval = ksem_wait((*sem)->semid);
- goto RETURN;
+ if ((retval = ksem_wait((*sem)->semid))) {
+ errno = retval;
+ return (-1);
+ }
+ return (0);
}
+ retval = 0;
_pthread_mutex_lock(&(*sem)->lock);
@@ -276,9 +290,7 @@
(*sem)->count--;
_pthread_mutex_unlock(&(*sem)->lock);
-
- retval = 0;
- RETURN:
+RETURN:
return retval;
}
@@ -290,8 +302,11 @@
_SEM_CHECK_VALIDITY(sem);
if ((*sem)->syssem != 0) {
- retval = ksem_trywait((*sem)->semid);
- goto RETURN;
+ if ((retval = ksem_trywait((*sem)->semid))) {
+ errno = retval;
+ return (-1);
+ }
+ return (0);
}
_pthread_mutex_lock(&(*sem)->lock);
@@ -305,8 +320,7 @@
}
_pthread_mutex_unlock(&(*sem)->lock);
-
- RETURN:
+RETURN:
return retval;
}
@@ -318,10 +332,14 @@
_SEM_CHECK_VALIDITY(sem);
if ((*sem)->syssem != 0) {
- retval = ksem_post((*sem)->semid);
- goto RETURN;
+ if ((retval = ksem_post((*sem)->semid))) {
+ errno = retval;
+ return (-1);
+ }
+ return (0);
}
+ retval = 0;
_pthread_mutex_lock(&(*sem)->lock);
(*sem)->count++;
@@ -329,9 +347,7 @@
_pthread_cond_signal(&(*sem)->gtzero);
_pthread_mutex_unlock(&(*sem)->lock);
-
- retval = 0;
- RETURN:
+RETURN:
return retval;
}
@@ -343,15 +359,17 @@
_SEM_CHECK_VALIDITY(sem);
if ((*sem)->syssem != 0) {
- retval = ksem_getvalue((*sem)->semid, sval);
- goto RETURN;
+ if ((retval = ksem_getvalue((*sem)->semid, sval))) {
+ errno = retval;
+ return (-1);
+ }
+ return (0);
}
+ retval = 0;
_pthread_mutex_lock(&(*sem)->lock);
*sval = (int)(*sem)->count;
_pthread_mutex_unlock(&(*sem)->lock);
-
- retval = 0;
- RETURN:
+RETURN:
return retval;
}
==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#9 (text+ko) ====
@@ -40,10 +40,11 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/kern/kern_mac.c,v 1.94 2003/08/01 15:45:14 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/kern/kern_mac.c,v 1.97 2003/08/21 18:21:22 rwatson Exp $");
#include "opt_mac.h"
#include "opt_devfs.h"
+#include "opt_posix.h"
#include <sys/param.h>
#include <sys/condvar.h>
@@ -68,6 +69,12 @@
#include <sys/pipe.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
+#include <sys/msg.h>
+#include <sys/msg_msg.h>
+#include <sys/sem.h>
+#include <sys/shm.h>
+
+#include <posix4/ksem.h>
#include <vm/vm.h>
#include <vm/pmap.h>
@@ -161,6 +168,11 @@
&mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
+static int mac_enforce_posix_sem = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_sem, CTLFLAG_RW,
+ &mac_enforce_posix_sem, 0, "Enforce MAC policy on global POSIX semaphores");
+TUNABLE_INT("security.mac.enforce_posix_sem", &mac_enforce_posix_sem);
+
static int mac_enforce_process = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
@@ -176,6 +188,11 @@
&mac_enforce_system, 0, "Enforce MAC policy on system operations");
TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
+static int mac_enforce_sysv = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW,
+ &mac_enforce_sysv, 0, "Enforce MAC policy on System V IPC objects");
+TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv);
+
static int mac_enforce_vm = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -185,6 +202,7 @@
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
&mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
"relabel");
+
static int mac_mmap_revocation_via_cow = 1;
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
&mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
@@ -206,7 +224,8 @@
static unsigned int nmacmbufs, nmaccreds, nmacfiles, nmacifnets, nmacbpfdescs,
nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
- nmacipqs, nmacpipes, nmacprocs;
+ nmacipqs, nmacpipes, nmacprocs, nmacipcmsgs, nmacipcmsqs,
+ nmacipcsemas, nmacipcshms, nmacposixksems;
#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int(x, 1);
#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int(x, 1);
@@ -237,6 +256,16 @@
&nmacvnodes, 0, "number of vnodes in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
&nmacdevfsdirents, 0, "number of devfs dirents inuse");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msgs, CTLFLAG_RD,
+ &nmacipcmsgs, 0, "number of sysv ipc messages inuse");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msqs, CTLFLAG_RD,
+ &nmacipcmsqs, 0, "number of sysv ipc message queue identifiers inuse");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_semas, CTLFLAG_RD,
+ &nmacipcsemas, 0, "number of sysv ipc semaphore identifiers inuse");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_shms, CTLFLAG_RD,
+ &nmacipcshms, 0, "number of sysv ipc shm identifiers inuse");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, posix_ksems, CTLFLAG_RD,
+ &nmacposixksems, 0, "number of posix global semaphores inuse");
#else
#define MAC_DEBUG_COUNTER_INC(x)
#define MAC_DEBUG_COUNTER_DEC(x)
@@ -277,9 +306,11 @@
* exclusive consumers that they should try to acquire the lock if a
* first attempt at exclusive access fails.
*/
+#ifndef MAC_STATIC
static struct mtx mac_policy_mtx;
static struct cv mac_policy_cv;
static int mac_policy_count;
+#endif
static LIST_HEAD(, mac_policy_conf) mac_policy_list;
static LIST_HEAD(, mac_policy_conf) mac_static_policy_list;
@@ -295,42 +326,54 @@
static __inline void
mac_policy_grab_exclusive(void)
{
+
+#ifndef MAC_STATIC
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
"mac_policy_grab_exclusive() at %s:%d", __FILE__, __LINE__);
mtx_lock(&mac_policy_mtx);
while (mac_policy_count != 0)
cv_wait(&mac_policy_cv, &mac_policy_mtx);
+#endif
}
static __inline void
mac_policy_assert_exclusive(void)
{
+
+#ifndef MAC_STATIC
mtx_assert(&mac_policy_mtx, MA_OWNED);
KASSERT(mac_policy_count == 0,
("mac_policy_assert_exclusive(): not exclusive"));
+#endif
}
static __inline void
mac_policy_release_exclusive(void)
{
+#ifndef MAC_STATIC
KASSERT(mac_policy_count == 0,
("mac_policy_release_exclusive(): not exclusive"));
mtx_unlock(&mac_policy_mtx);
cv_signal(&mac_policy_cv);
+#endif
}
static __inline void
mac_policy_list_busy(void)
{
+
+#ifndef MAC_STATIC
mtx_lock(&mac_policy_mtx);
mac_policy_count++;
mtx_unlock(&mac_policy_mtx);
+#endif
}
static __inline int
mac_policy_list_conditional_busy(void)
{
+#ifndef MAC_STATIC
int ret;
mtx_lock(&mac_policy_mtx);
@@ -341,17 +384,23 @@
ret = 0;
mtx_unlock(&mac_policy_mtx);
return (ret);
+#else
+ return (0);
+#endif
}
static __inline void
mac_policy_list_unbusy(void)
{
+
+#ifndef MAC_STATIC
mtx_lock(&mac_policy_mtx);
mac_policy_count--;
KASSERT(mac_policy_count >= 0, ("MAC_POLICY_LIST_LOCK"));
if (mac_policy_count == 0)
cv_signal(&mac_policy_cv);
mtx_unlock(&mac_policy_mtx);
+#endif
}
/*
@@ -510,8 +559,10 @@
LIST_INIT(&mac_static_policy_list);
LIST_INIT(&mac_policy_list);
+#ifndef MAC_STATIC
mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
cv_init(&mac_policy_cv, "mac_policy_cv");
+#endif
}
/*
@@ -566,6 +617,13 @@
error = 0;
mpc = (struct mac_policy_conf *) data;
+#ifdef MAC_STATIC
+ if (mac_late) {
+ printf("mac_policy_modevent: MAC_STATIC and late\n");
+ return (EBUSY);
+ }
+#endif
+
switch (type) {
case MOD_LOAD:
if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE &&
@@ -840,6 +898,42 @@
mac_init_ifnet_label(&ifp->if_label);
}
+void
+mac_init_ipc_msgmsg(struct msg *msgptr)
+{
+
+ mac_init_label(&msgptr->label);
+ MAC_PERFORM(init_ipc_msgmsg_label, &msgptr->label);
+ MAC_DEBUG_COUNTER_INC(&nmacipcmsgs);
+}
+
+void
+mac_init_ipc_msgqueue(struct msqid_kernel *msqkptr)
+{
+
+ mac_init_label(&msqkptr->label);
+ MAC_PERFORM(init_ipc_msgqueue_label, &msqkptr->label);
+ MAC_DEBUG_COUNTER_INC(&nmacipcmsqs);
+}
+
+void
+mac_init_ipc_sema(struct semid_kernel *semakptr)
+{
+
+ mac_init_label(&semakptr->label);
+ MAC_PERFORM(init_ipc_sema_label, &semakptr->label);
+ MAC_DEBUG_COUNTER_INC(&nmacipcsemas);
+}
+
+void
+mac_init_ipc_shm(struct shmid_kernel *shmsegptr)
+{
+
+ mac_init_label(&shmsegptr->label);
+ MAC_PERFORM(init_ipc_shm_label, &shmsegptr->label);
+ MAC_DEBUG_COUNTER_INC(&nmacipcshms);
+}
+
int
mac_init_ipq(struct ipq *ipq, int flag)
{
@@ -936,6 +1030,15 @@
mac_init_pipe_label(label);
}
+void
+mac_init_posix_ksem(struct ksem *ksemptr)
+{
+
+ mac_init_label(&ksemptr->ks_label);
+ MAC_PERFORM(init_posix_ksem_label, &ksemptr->ks_label);
+ MAC_DEBUG_COUNTER_INC(&nmacposixksems);
+}
+
void
mac_init_proc(struct proc *p)
{
@@ -1071,6 +1174,42 @@
}
void
+mac_destroy_ipc_msgmsg(struct msg *msgptr)
+{
+
+ MAC_PERFORM(destroy_ipc_msgmsg_label, &msgptr->label);
+ mac_destroy_label(&msgptr->label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipcmsgs);
+}
+
+void
+mac_destroy_ipc_msgqueue(struct msqid_kernel *msqkptr)
+{
+
+ MAC_PERFORM(destroy_ipc_msgqueue_label, &msqkptr->label);
+ mac_destroy_label(&msqkptr->label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipcmsqs);
+}
+
+void
+mac_destroy_ipc_sema(struct semid_kernel *semakptr)
+{
+
+ MAC_PERFORM(destroy_ipc_sema_label, &semakptr->label);
+ mac_destroy_label(&semakptr->label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipcsemas);
+}
+
+void
+mac_destroy_ipc_shm(struct shmid_kernel *shmsegptr)
+{
+
+ MAC_PERFORM(destroy_ipc_shm_label, &shmsegptr->label);
+ mac_destroy_label(&shmsegptr->label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipcshms);
+}
+
+void
mac_destroy_ipq(struct ipq *ipq)
{
@@ -1120,6 +1259,15 @@
}
void
+mac_destroy_posix_ksem(struct ksem *ksemptr)
+{
+
+ MAC_PERFORM(destroy_posix_ksem_label, &ksemptr->ks_label);
+ mac_destroy_label(&ksemptr->ks_label);
+ MAC_DEBUG_COUNTER_DEC(&nmacposixksems);
+}
+
+void
mac_destroy_proc(struct proc *p)
{
@@ -2373,6 +2521,41 @@
}
void
+mac_create_ipc_msgmsg(struct ucred *cred, struct msg *msgptr)
+{
+
+ MAC_PERFORM(create_ipc_msgmsg, cred, msgptr, &msgptr->label);
+}
+
+void
+mac_create_ipc_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr)
+{
+
+ MAC_PERFORM(create_ipc_msgqueue, cred, msqkptr, &msqkptr->label);
+}
+
+void
+mac_create_ipc_sema(struct ucred *cred, struct semid_kernel *semakptr)
+{
+
+ MAC_PERFORM(create_ipc_sema, cred, semakptr, &semakptr->label);
+}
+
+void
+mac_create_ipc_shm(struct ucred *cred, struct shmid_kernel *shmsegptr)
+{
+
+ MAC_PERFORM(create_ipc_shm, cred, shmsegptr, &shmsegptr->label);
+}
+
+void
+mac_create_posix_ksem(struct ucred *cred, struct ksem *ksemptr)
+{
+
+ MAC_PERFORM(create_posix_ksem, cred, ksemptr, &ksemptr->ks_label);
+}
+
+void
mac_create_file(struct ucred *cred, struct file *fp)
{
@@ -2630,6 +2813,34 @@
&mp->mnt_fslabel);
}
+void
+mac_cleanup_ipc_msgmsg(struct msg *msgptr)
+{
+
+ MAC_PERFORM(cleanup_ipc_msgmsg, &msgptr->label);
+}
+
+void
+mac_cleanup_ipc_msgqueue(struct msqid_kernel *msqkptr)
+{
+
+ MAC_PERFORM(cleanup_ipc_msgqueue, &msqkptr->label);
+}
+
+void
+mac_cleanup_ipc_sema(struct semid_kernel *semakptr)
+{
+
+ MAC_PERFORM(cleanup_ipc_sema, &semakptr->label);
+}
+
+void
+mac_cleanup_ipc_shm(struct shmid_kernel *shmsegptr)
+{
+
+ MAC_PERFORM(cleanup_ipc_shm, &shmsegptr->label);
+}
+
int
mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
{
@@ -2697,6 +2908,209 @@
}
int
+mac_check_ipc_msgmsq(struct ucred *cred, struct msg *msgptr,
+ struct msqid_kernel *msqkptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &msqkptr->label ??
+ MAC_CHECK(check_ipc_msgmsq, cred, msgptr, msqkptr);
+
+ return(error);
+}
+
+int
+mac_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &msqkptr->label ??
+ MAC_CHECK(check_ipc_msgrcv, cred, msgptr);
+
+ return(error);
+}
+
+int
+mac_check_ipc_msgrmid(struct ucred *cred, struct msg *msgptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &msqkptr->label ??
+ MAC_CHECK(check_ipc_msgrmid, cred, msgptr);
+
+ return(error);
+}
+
+int
+mac_check_ipc_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &msqkptr->label ??
+ MAC_CHECK(check_ipc_msqget, cred, msqkptr);
+
+ return(error);
+}
+
+int
+mac_check_ipc_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &msqkptr->label ??
+ MAC_CHECK(check_ipc_msqsnd, cred, msqkptr);
+
+ return(error);
+}
+
+int
+mac_check_ipc_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &msqkptr->label ??
+ MAC_CHECK(check_ipc_msqrcv, cred, msqkptr);
+
+ return(error);
+}
+
+int
+mac_check_ipc_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
+ int cmd)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &msqkptr->label ??
+ MAC_CHECK(check_ipc_msqctl, cred, msqkptr, cmd);
+
+ return(error);
+}
+
+int
+mac_check_ipc_semctl(struct ucred *cred, struct semid_kernel *semakptr,
+ int cmd)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &semakptr->label ??
+ MAC_CHECK(check_ipc_semctl, cred, semakptr, cmd);
+
+ return(error);
+}
+
+int
+mac_check_ipc_semget(struct ucred *cred, struct semid_kernel *semakptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &semakptr->label ??
+ MAC_CHECK(check_ipc_semget, cred, semakptr);
+
+ return(error);
+}
+
+int
+mac_check_ipc_semop(struct ucred *cred, struct semid_kernel *semakptr,
+ size_t accesstype)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &semakptr->label ??
+ MAC_CHECK(check_ipc_semop, cred, semakptr, accesstype);
+
+ return(error);
+}
+
+int
+mac_check_ipc_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
+ int shmflg)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &shmsegptr->label ??
+ MAC_CHECK(check_ipc_shmat, cred, shmsegptr, shmflg);
+
+ return(error);
+}
+
+int
+mac_check_ipc_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
+ int cmd)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &shmsegptr->label ??
+ MAC_CHECK(check_ipc_shmctl, cred, shmsegptr, cmd);
+
+ return(error);
+}
+
+int
+mac_check_ipc_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &shmsegptr->label ??
+ MAC_CHECK(check_ipc_shmdt, cred, shmsegptr);
+
+ return(error);
+}
+
+int
+mac_check_ipc_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
+ int shmflg)
+{
+ int error;
+
+ if (!mac_enforce_sysv)
+ return (0);
+
+ //XXX: Should we also pass &shmsegptr->label ??
+ MAC_CHECK(check_ipc_shmget, cred, shmsegptr, shmflg);
+
+ return(error);
+}
+
+int
mac_check_kenv_dump(struct ucred *cred)
{
int error;
@@ -2895,6 +3309,105 @@
}
int
+mac_check_posix_sem_close(struct ucred *cred, struct ksem *ksemptr)
+{
+ int error;
+
+ if (!mac_enforce_posix_sem)
+ return (0);
+
+ //XXX: Should we also pass &ksemptr->ks_label ??
+ MAC_CHECK(check_posix_sem_close, cred, ksemptr);
+
+ return(error);
+}
+
+int
+mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr)
+{
+ int error;
+
+ if (!mac_enforce_posix_sem)
+ return (0);
+
+ //XXX: Should we also pass &ksemptr->ks_label ??
+ MAC_CHECK(check_posix_sem_destroy, cred, ksemptr);
+
+ return(error);
+}
+
+int
+mac_check_posix_sem_openexisting(struct ucred *cred, struct ksem *ksemptr)
+{
+ int error;
+
+ if (!mac_enforce_posix_sem)
+ return (0);
+
+ //XXX: Should we also pass &ksemptr->ks_label ??
+ MAC_CHECK(check_posix_sem_openexisting, cred, ksemptr);
+
+ return(error);
+}
+
+int
+mac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ksemptr)
+{
+ int error;
+
+ if (!mac_enforce_posix_sem)
+ return (0);
+
+ //XXX: Should we also pass &ksemptr->ks_label ??
+ MAC_CHECK(check_posix_sem_getvalue, cred, ksemptr);
+
+ return(error);
+}
+
+int
+mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr)
+{
+ int error;
+
+ if (!mac_enforce_posix_sem)
+ return (0);
+
+ //XXX: Should we also pass &ksemptr->ks_label ??
+ MAC_CHECK(check_posix_sem_post, cred, ksemptr);
+
+ return(error);
+}
+
+int
+mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr)
+{
+ int error;
+
+ if (!mac_enforce_posix_sem)
+ return (0);
+
+ //XXX: Should we also pass &ksemptr->ks_label ??
+ MAC_CHECK(check_posix_sem_unlink, cred, ksemptr);
+
+ return(error);
+}
+
+int
+mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr)
+{
+ int error;
+
+ if (!mac_enforce_posix_sem)
+ return (0);
+
+ //XXX: Should we also pass &ksemptr->ks_label ??
+ MAC_CHECK(check_posix_sem_wait, cred, ksemptr);
+
+ return(error);
+}
+
+
+int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
==== //depot/projects/trustedbsd/sebsd/sys/kern/sysv_ipc.c#5 (text+ko) ====
@@ -71,6 +71,13 @@
* Check for ipc permission
*/
+
+/*
+ * Note: The MAC Framework doesnt add any hook to the ipcperm function as
+ * fine-grained hooks are inserted throughout the ipc primitives. These hooks
+ * compliment the ipcperm check.
+ */
+
int
ipcperm(td, perm, mode)
struct thread *td;
==== //depot/projects/trustedbsd/sebsd/sys/kern/sysv_msg.c#5 (text+ko) ====
@@ -21,6 +21,7 @@
__FBSDID("$FreeBSD: src/sys/kern/sysv_msg.c,v 1.49 2003/06/11 00:56:57 obrien Exp $");
#include "opt_sysvipc.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -36,6 +37,11 @@
#include <sys/malloc.h>
#include <sys/jail.h>
#include <sys/capability.h>
+#ifdef MAC
+#include <sys/msg_msg.h>
+#include <sys/_label.h>
+#include <sys/mac.h>
+#endif
>>> TRUNCATED FOR MAIL (1000 lines) <<<
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list