authorrwatson <rwatson@FreeBSD.org>2005-05-04 10:39:15 +0000
committerrwatson <rwatson@FreeBSD.org>2005-05-04 10:39:15 +0000
commit2197ab2d9342ec86dee8d80f036f78a3fced3ff7 (patch)
treef0b55e1f47aadd0b1a94b34901f76cb2bd96c403 /sys/security/mac_biba
parentddd6311fb87bee11285e589301f537f9ea1491b2 (diff)
Introduce MAC Framework and MAC Policy entry points to label and control
access to POSIX Semaphores: mac_init_posix_sem() Initialize label for POSIX semaphore mac_create_posix_sem() Create POSIX semaphore mac_destroy_posix_sem() Destroy POSIX semaphore mac_check_posix_sem_destroy() Check whether semaphore may be destroyed mac_check_posix_sem_getvalue() Check whether semaphore may be queried mac_check_posix_sem_open() Check whether semaphore may be opened mac_check_posix_sem_post() Check whether semaphore may be posted to mac_check_posix_sem_unlink() Check whether semaphore may be unlinked mac_check_posix_sem_wait() Check whether semaphore may be waited on Update Biba, MLS, Stub, and Test policies to implement these entry points. For information flow policies, most semaphore operations are effectively read/write. Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Sponsored by: DARPA, McAfee, SPARTA Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac_biba')
-rw-r--r--sys/security/mac_biba/mac_biba.c59
1 files changed, 59 insertions, 0 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 1ff1f0f..b1c7900 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -65,6 +65,8 @@
#include <sys/sem.h>
#include <sys/shm.h>
+#include <posix4/ksem.h>
+
#include <fs/devfs/devfs.h>
#include <net/bpfdesc.h>
@@ -1035,6 +1037,18 @@ mac_biba_create_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
+mac_biba_create_posix_sem(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
+{
+ struct mac_biba *source, *dest;
+
+ source = SLOT(cred->cr_label);
+ dest = SLOT(ks_label);
+
+ mac_biba_copy_effective(source, dest);
+}
+
+static void
mac_biba_create_socket_from_socket(struct socket *oldsocket,
struct label *oldsocketlabel, struct socket *newsocket,
struct label *newsocketlabel)
@@ -2088,6 +2102,42 @@ mac_biba_check_pipe_write(struct ucred *cred, struct pipepair *pp,
}
static int
+mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(ks_label);
+
+ if (!mac_biba_dominate_effective(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(ks_label);
+
+ if (!mac_biba_dominate_effective(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc)
{
struct mac_biba *subj, *obj;
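Review bot: `mac_biba_check_posix_sem_write` and `mac_biba_check_posix_sem_rdonly` differ only in the argument order passed to `mac_biba_dominate_effective()`, and nothing in the hunk records which direction is which, so a later edit that swaps the arguments would invert the integrity rule without any visible sign. Assuming `mac_biba_dominate_effective(a, b)` means "a dominates b", I would add `/* Modify: subject's effective label must dominate the semaphore's label. */` above the first helper and `/* Observe: semaphore's label must dominate the subject's effective label. */` above the second. A short comment that these two helpers are shared by several `mpo_check_posix_sem_*` entry points would also explain why they are not named after a single entry point, as the neighbouring check functions are. The trailing context belongs to `mac_biba_check_proc_debug`, whose body continues outside the hunk.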
@@ -3014,6 +3064,7 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_init_mount_label = mac_biba_init_label,
.mpo_init_mount_fs_label = mac_biba_init_label,
.mpo_init_pipe_label = mac_biba_init_label,
+ .mpo_init_posix_sem_label = mac_biba_init_label,
.mpo_init_socket_label = mac_biba_init_label_waitcheck,
.mpo_init_socket_peer_label = mac_biba_init_label_waitcheck,
.mpo_init_vnode_label = mac_biba_init_label,
@@ -3031,6 +3082,7 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_destroy_mount_label = mac_biba_destroy_label,
.mpo_destroy_mount_fs_label = mac_biba_destroy_label,
.mpo_destroy_pipe_label = mac_biba_destroy_label,
+ .mpo_destroy_posix_sem_label = mac_biba_destroy_label,
.mpo_destroy_socket_label = mac_biba_destroy_label,
.mpo_destroy_socket_peer_label = mac_biba_destroy_label,
.mpo_destroy_vnode_label = mac_biba_destroy_label,
@@ -3065,6 +3117,7 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_setlabel_vnode_extattr = mac_biba_setlabel_vnode_extattr,
.mpo_create_mbuf_from_socket = mac_biba_create_mbuf_from_socket,
.mpo_create_pipe = mac_biba_create_pipe,
+ .mpo_create_posix_sem = mac_biba_create_posix_sem,
.mpo_create_socket = mac_biba_create_socket,
.mpo_create_socket_from_socket = mac_biba_create_socket_from_socket,
.mpo_relabel_pipe = mac_biba_relabel_pipe,
@@ -3126,6 +3179,12 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_check_pipe_relabel = mac_biba_check_pipe_relabel,
.mpo_check_pipe_stat = mac_biba_check_pipe_stat,
.mpo_check_pipe_write = mac_biba_check_pipe_write,
+ .mpo_check_posix_sem_destroy = mac_biba_check_posix_sem_write,
+ .mpo_check_posix_sem_getvalue = mac_biba_check_posix_sem_rdonly,
+ .mpo_check_posix_sem_open = mac_biba_check_posix_sem_write,
+ .mpo_check_posix_sem_post = mac_biba_check_posix_sem_write,
+ .mpo_check_posix_sem_unlink = mac_biba_check_posix_sem_write,
+ .mpo_check_posix_sem_wait = mac_biba_check_posix_sem_write,
.mpo_check_proc_debug = mac_biba_check_proc_debug,
.mpo_check_proc_sched = mac_biba_check_proc_sched,
.mpo_check_proc_signal = mac_biba_check_proc_signal,
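Review bot: `.mpo_check_posix_sem_wait` and `.mpo_check_posix_sem_open` are wired to `mac_biba_check_posix_sem_write`, which in the earlier hunk tests only that the subject's effective label dominates the semaphore's. The commit message describes most semaphore operations as effectively read/write, and a wait that returns does tell the caller that another subject posted, so a higher-integrity subject waiting on a lower-integrity semaphore appears to take in a flow that the `rdonly` direction would refuse. If both directions are intended for these entries, they need a helper that applies both dominance tests; if modify-only is the deliberate choice, record it above the six new lines with something like `/* wait/open are checked as modify only; the observe direction is intentionally not enforced here */`. The `mac_biba_ops` initializer starts and ends outside the hunk.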