diff options
| author | rwatson <rwatson@FreeBSD.org> | 2002-10-01 04:30:19 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2002-10-01 04:30:19 +0000 |
| commit | 0b0e14e4624b9a3dcbdb4c5764e7d1122f2b630a (patch) | |
| tree | 3052246bacd0c8ac5abab65c489c56a8ec0da52a /sys/kern/sys_pipe.c | |
| parent | d95d2f1aaec2d07243fcfa4bfbdcd43db58cf84f (diff) | |
| download | FreeBSD-src-0b0e14e4624b9a3dcbdb4c5764e7d1122f2b630a.zip FreeBSD-src-0b0e14e4624b9a3dcbdb4c5764e7d1122f2b630a.tar.gz | |
Improve locking of pipe mutexes in the context of MAC:
(1) Where previously the pipe mutex was selectively grabbed during
pipe_ioctl(), now always grab it and then release if if not
needed. This protects the call to mac_check_pipe_ioctl() to
make sure the label remains consistent. (Note: it looks
like sigio locking may be incorrect for fgetown() since we
call it not-by-reference and sigio locking assumes call by
reference).
(2) In pipe_stat(), lock the pipe if MAC is compiled in so that
the call to mac_check_pipe_stat() gets a locked pipe to
protect label consistency. We still release the lock before
returning actual stat() data, risking inconsistency, but
apparently our pipe locking model accepts that risk.
(3) In various pipe MAC authorization checks, assert that the pipe
lock is held.
(4) Grab the lock when performing a pipe relabel operation, and
assert it a little deeper in the stack.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/kern/sys_pipe.c')
| -rw-r--r-- | sys/kern/sys_pipe.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c index d87eb44..0931262 100644 --- a/sys/kern/sys_pipe.c +++ b/sys/kern/sys_pipe.c @@ -1165,8 +1165,11 @@ pipe_ioctl(fp, cmd, data, active_cred, td) struct pipe *mpipe = (struct pipe *)fp->f_data; #ifdef MAC int error; +#endif + + PIPE_LOCK(mpipe); - /* XXXMAC: Pipe should be locked for this check. */ +#ifdef MAC error = mac_check_pipe_ioctl(active_cred, mpipe, cmd, data); if (error) return (error); @@ -1175,10 +1178,10 @@ pipe_ioctl(fp, cmd, data, active_cred, td) switch (cmd) { case FIONBIO: + PIPE_UNLOCK(mpipe); return (0); case FIOASYNC: - PIPE_LOCK(mpipe); if (*(int *)data) { mpipe->pipe_state |= PIPE_ASYNC; } else { @@ -1188,7 +1191,6 @@ pipe_ioctl(fp, cmd, data, active_cred, td) return (0); case FIONREAD: - PIPE_LOCK(mpipe); if (mpipe->pipe_state & PIPE_DIRECTW) *(int *)data = mpipe->pipe_map.cnt; else @@ -1197,22 +1199,27 @@ pipe_ioctl(fp, cmd, data, active_cred, td) return (0); case FIOSETOWN: + PIPE_UNLOCK(mpipe); return (fsetown(*(int *)data, &mpipe->pipe_sigio)); case FIOGETOWN: + PIPE_UNLOCK(mpipe); *(int *)data = fgetown(mpipe->pipe_sigio); return (0); /* This is deprecated, FIOSETOWN should be used instead. */ case TIOCSPGRP: + PIPE_UNLOCK(mpipe); return (fsetown(-(*(int *)data), &mpipe->pipe_sigio)); /* This is deprecated, FIOGETOWN should be used instead. */ case TIOCGPGRP: + PIPE_UNLOCK(mpipe); *(int *)data = -fgetown(mpipe->pipe_sigio); return (0); } + PIPE_UNLOCK(mpipe); return (ENOTTY); } @@ -1288,8 +1295,9 @@ pipe_stat(fp, ub, active_cred, td) #ifdef MAC int error; - /* XXXMAC: Pipe should be locked for this check. */ + PIPE_LOCK(pipe); error = mac_check_pipe_stat(active_cred, pipe); + PIPE_UNLOCK(pipe); if (error) return (error); #endif |
