diff options
author | kib <kib@FreeBSD.org> | 2011-08-16 20:07:47 +0000 |
---|---|---|
committer | kib <kib@FreeBSD.org> | 2011-08-16 20:07:47 +0000 |
commit | 011f42054d1f861cd2435866ba646fa0cf752103 (patch) | |
tree | 368bd0d481caa3081d9e36be04c87a458ccd8975 /sys/security/mac | |
parent | a5a39a26b2ea8ab4d283505d58396a5e76d38c7a (diff) | |
download | FreeBSD-src-011f42054d1f861cd2435866ba646fa0cf752103.zip FreeBSD-src-011f42054d1f861cd2435866ba646fa0cf752103.tar.gz |
Add the fo_chown and fo_chmod methods to struct fileops and use them
to implement fchown(2) and fchmod(2) support for several file types
that previously lacked it. Add MAC entries for chown/chmod done on
posix shared memory and (old) in-kernel posix semaphores.
Based on the submission by: glebius
Reviewed by: rwatson
Approved by: re (bz)
Diffstat (limited to 'sys/security/mac')
-rw-r--r-- | sys/security/mac/mac_framework.h | 8 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 16 | ||||
-rw-r--r-- | sys/security/mac/mac_posix_sem.c | 32 | ||||
-rw-r--r-- | sys/security/mac/mac_posix_shm.c | 32 |
4 files changed, 88 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index f515e98e..011cb86 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -225,6 +225,10 @@ int mac_posixsem_check_getvalue(struct ucred *active_cred, int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks); int mac_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks); +int mac_posixsem_check_setmode(struct ucred *cred, struct ksem *ks, + mode_t mode); +int mac_posixsem_check_setowner(struct ucred *cred, struct ksem *ks, + uid_t uid, gid_t gid); int mac_posixsem_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks); int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks); @@ -237,6 +241,10 @@ void mac_posixsem_init(struct ksem *); int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot, int flags); int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd); +int mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd, + mode_t mode); +int mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd, + uid_t uid, gid_t gid); int mac_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct shmfd *shmfd); int mac_posixshm_check_truncate(struct ucred *active_cred, diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index b874c41..b7ef07b 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -336,6 +336,12 @@ typedef int (*mpo_posixsem_check_open_t)(struct ucred *cred, typedef int (*mpo_posixsem_check_post_t)(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks, struct label *kslabel); +typedef int (*mpo_posixsem_check_setmode_t)(struct ucred *cred, + struct ksem *ks, struct label *shmlabel, + mode_t mode); +typedef int (*mpo_posixsem_check_setowner_t)(struct ucred *cred, + struct ksem *ks, struct label *shmlabel, + uid_t uid, gid_t gid); typedef int (*mpo_posixsem_check_stat_t)(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks, struct label *kslabel); @@ -354,6 +360,12 @@ typedef int (*mpo_posixshm_check_mmap_t)(struct ucred *cred, int flags); typedef int (*mpo_posixshm_check_open_t)(struct ucred *cred, struct shmfd *shmfd, struct label *shmlabel); +typedef int (*mpo_posixshm_check_setmode_t)(struct ucred *cred, + struct shmfd *shmfd, struct label *shmlabel, + mode_t mode); +typedef int (*mpo_posixshm_check_setowner_t)(struct ucred *cred, + struct shmfd *shmfd, struct label *shmlabel, + uid_t uid, gid_t gid); typedef int (*mpo_posixshm_check_stat_t)(struct ucred *active_cred, struct ucred *file_cred, struct shmfd *shmfd, struct label *shmlabel); @@ -791,6 +803,8 @@ struct mac_policy_ops { mpo_posixsem_check_getvalue_t mpo_posixsem_check_getvalue; mpo_posixsem_check_open_t mpo_posixsem_check_open; mpo_posixsem_check_post_t mpo_posixsem_check_post; + mpo_posixsem_check_setmode_t mpo_posixsem_check_setmode; + mpo_posixsem_check_setowner_t mpo_posixsem_check_setowner; mpo_posixsem_check_stat_t mpo_posixsem_check_stat; mpo_posixsem_check_unlink_t mpo_posixsem_check_unlink; mpo_posixsem_check_wait_t mpo_posixsem_check_wait; @@ -800,6 +814,8 @@ struct mac_policy_ops { mpo_posixshm_check_mmap_t mpo_posixshm_check_mmap; mpo_posixshm_check_open_t mpo_posixshm_check_open; + mpo_posixshm_check_setmode_t mpo_posixshm_check_setmode; + mpo_posixshm_check_setowner_t mpo_posixshm_check_setowner; mpo_posixshm_check_stat_t mpo_posixshm_check_stat; mpo_posixshm_check_truncate_t mpo_posixshm_check_truncate; mpo_posixshm_check_unlink_t mpo_posixshm_check_unlink; diff --git a/sys/security/mac/mac_posix_sem.c b/sys/security/mac/mac_posix_sem.c index 9035d60..461e5db 100644 --- a/sys/security/mac/mac_posix_sem.c +++ b/sys/security/mac/mac_posix_sem.c @@ -198,3 +198,35 @@ mac_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred, return (error); } + +MAC_CHECK_PROBE_DEFINE3(posixsem_check_setmode, "struct ucred *", + "struct ksem *", "mode_t"); + +int +mac_posixsem_check_setmode(struct ucred *cred, struct ksem *ks, mode_t mode) +{ + int error; + + MAC_POLICY_CHECK_NOSLEEP(posixsem_check_setmode, cred, ks, + ks->ks_label, mode); + MAC_CHECK_PROBE3(posixsem_check_setmode, error, cred, ks, mode); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE4(posixsem_check_setowner, "struct ucred *", + "struct ks *", "uid_t", "gid_t"); + +int +mac_posixsem_check_setowner(struct ucred *cred, struct ksem *ks, uid_t uid, + gid_t gid) +{ + int error; + + MAC_POLICY_CHECK_NOSLEEP(posixsem_check_setowner, cred, ks, + ks->ks_label, uid, gid); + MAC_CHECK_PROBE4(posixsem_check_setowner, error, cred, ks, + uid, gid); + + return (error); +} diff --git a/sys/security/mac/mac_posix_shm.c b/sys/security/mac/mac_posix_shm.c index 4432a98..7e1c3f7 100644 --- a/sys/security/mac/mac_posix_shm.c +++ b/sys/security/mac/mac_posix_shm.c @@ -181,3 +181,35 @@ mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd) return (error); } + +MAC_CHECK_PROBE_DEFINE3(posixshm_check_setmode, "struct ucred *", + "struct shmfd *", "mode_t"); + +int +mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd, mode_t mode) +{ + int error; + + MAC_POLICY_CHECK_NOSLEEP(posixshm_check_setmode, cred, shmfd, + shmfd->shm_label, mode); + MAC_CHECK_PROBE3(posixshm_check_setmode, error, cred, shmfd, mode); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE4(posixshm_check_setowner, "struct ucred *", + "struct shmfd *", "uid_t", "gid_t"); + +int +mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd, uid_t uid, + gid_t gid) +{ + int error; + + MAC_POLICY_CHECK_NOSLEEP(posixshm_check_setowner, cred, shmfd, + shmfd->shm_label, uid, gid); + MAC_CHECK_PROBE4(posixshm_check_setowner, error, cred, shmfd, + uid, gid); + + return (error); +} |