diff options
author | rwatson <rwatson@FreeBSD.org> | 2011-09-02 17:40:39 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2011-09-02 17:40:39 +0000 |
commit | 3c6157dcec8563160d0e3361149672558f3eee89 (patch) | |
tree | 90d6a1e521654063f793d1133a459149761f42da /sys/security/mac_test | |
parent | 3eec7d02646590de620f301b9374dde0852a3348 (diff) | |
download | FreeBSD-src-3c6157dcec8563160d0e3361149672558f3eee89.zip FreeBSD-src-3c6157dcec8563160d0e3361149672558f3eee89.tar.gz |
Correct several issues in the integration of POSIX shared memory objects
and the new setmode and setowner fileops in FreeBSD 9.0:
- Add new MAC Framework entry point mac_posixshm_check_create() to allow
MAC policies to authorise shared memory use. Provide a stub policy and
test policy templates.
- Add missing Biba and MLS implementations of mac_posixshm_check_setmode()
and mac_posixshm_check_setowner().
- Add 'accmode' argument to mac_posixshm_check_open() -- unlike the
mac_posixsem_check_open() entry point it was modeled on, the access mode
is required as shared memory access can be read-only as well as writable;
this isn't true of POSIX semaphores.
- Implement full range of POSIX shared memory entry points for Biba and MLS.
Sponsored by: Google Inc.
Obtained from: TrustedBSD Project
Approved by: re (kib)
Diffstat (limited to 'sys/security/mac_test')
-rw-r--r-- | sys/security/mac_test/mac_test.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 2aa2e38..c92c418 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2006 SPARTA, Inc. * Copyright (c) 2008 Apple Inc. @@ -1390,6 +1390,15 @@ test_posixsem_init_label(struct label *label) COUNTER_INC(posixsem_init_label); } +COUNTER_DECL(posixshm_check_create); +static int +test_posixshm_check_create(struct ucred *cred, const char *path) +{ + + COUNTER_INC(posixshm_check_create); + return (0); +} + COUNTER_DECL(posixshm_check_mmap); static int test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, @@ -1405,7 +1414,7 @@ test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, COUNTER_DECL(posixshm_check_open); static int test_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd, - struct label *shmfdlabel) + struct label *shmfdlabel, accmode_t accmode) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); @@ -3102,6 +3111,7 @@ static struct mac_policy_ops test_ops = .mpo_posixsem_destroy_label = test_posixsem_destroy_label, .mpo_posixsem_init_label = test_posixsem_init_label, + .mpo_posixshm_check_create = test_posixshm_check_create, .mpo_posixshm_check_mmap = test_posixshm_check_mmap, .mpo_posixshm_check_open = test_posixshm_check_open, .mpo_posixshm_check_setmode = test_posixshm_check_setmode, |