Correct several issues in the integration of POSIX shared memory objects

and the new setmode and setowner fileops in FreeBSD 9.0:

- Add new MAC Framework entry point mac_posixshm_check_create() to allow
  MAC policies to authorise shared memory use.  Provide a stub policy and
  test policy templates.

- Add missing Biba and MLS implementations of mac_posixshm_check_setmode()
  and mac_posixshm_check_setowner().

- Add 'accmode' argument to mac_posixshm_check_open() -- unlike the
  mac_posixsem_check_open() entry point it was modeled on, the access mode
  is required as shared memory access can be read-only as well as writable;
  this isn't true of POSIX semaphores.

- Implement full range of POSIX shared memory entry points for Biba and MLS.

Sponsored by:   Google Inc.
Obtained from:	TrustedBSD Project
Approved by:    re (kib)

7 files changed, 462 insertions, 16 deletions

diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 011cb86..92aedea 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * All rights reserved.
@@ -238,9 +238,11 @@ void 	mac_posixsem_create(struct ucred *cred, struct ksem *ks);
 void	mac_posixsem_destroy(struct ksem *);
 void	mac_posixsem_init(struct ksem *);
 
+int	mac_posixshm_check_create(struct ucred *cred, const char *path);
 int	mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
 	    int prot, int flags);
-int	mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd);
+int	mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+	    accmode_t accmode);
 int	mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
 	    mode_t mode);
 int	mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index b7ef07b..090dc40 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -355,11 +355,14 @@ typedef void	(*mpo_posixsem_create_t)(struct ucred *cred,
 typedef void    (*mpo_posixsem_destroy_label_t)(struct label *label);
 typedef void    (*mpo_posixsem_init_label_t)(struct label *label);
 
+typedef int	(*mpo_posixshm_check_create_t)(struct ucred *cred,
+		    const char *path);
 typedef int	(*mpo_posixshm_check_mmap_t)(struct ucred *cred,
 		    struct shmfd *shmfd, struct label *shmlabel, int prot,
 		    int flags);
 typedef int	(*mpo_posixshm_check_open_t)(struct ucred *cred,
-		    struct shmfd *shmfd, struct label *shmlabel);
+		    struct shmfd *shmfd, struct label *shmlabel,
+		    accmode_t accmode);
 typedef int	(*mpo_posixshm_check_setmode_t)(struct ucred *cred,
 		    struct shmfd *shmfd, struct label *shmlabel,
 		    mode_t mode);
@@ -812,6 +815,7 @@ struct mac_policy_ops {
 	mpo_posixsem_destroy_label_t		mpo_posixsem_destroy_label;
 	mpo_posixsem_init_label_t		mpo_posixsem_init_label;
 
+	mpo_posixshm_check_create_t		mpo_posixshm_check_create;
 	mpo_posixshm_check_mmap_t		mpo_posixshm_check_mmap;
 	mpo_posixshm_check_open_t		mpo_posixshm_check_open;
 	mpo_posixshm_check_setmode_t		mpo_posixshm_check_setmode;
diff --git a/sys/security/mac/mac_posix_shm.c b/sys/security/mac/mac_posix_shm.c
index 7e1c3f7..d5d15fc 100644
--- a/sys/security/mac/mac_posix_shm.c
+++ b/sys/security/mac/mac_posix_shm.c
@@ -1,6 +1,6 @@
 /*-
  * Copyright (c) 2003-2006 SPARTA, Inc.
- * Copyright (c) 2009 Robert N. M. Watson
+ * Copyright (c) 2009-2011 Robert N. M. Watson
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project in part by Network
@@ -101,6 +101,20 @@ mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd)
 	    shmfd->shm_label);
 }
 
+MAC_CHECK_PROBE_DEFINE2(posixshm_check_create, "struct ucred *",
+    "const char *");
+
+int
+mac_posixshm_check_create(struct ucred *cred, const char *path)
+{
+	int error;
+
+	MAC_POLICY_CHECK_NOSLEEP(posixshm_check_create, cred, path);
+	MAC_CHECK_PROBE2(posixshm_check_create, error, cred, path);
+
+	return (error);
+}
+
 MAC_CHECK_PROBE_DEFINE4(posixshm_check_mmap, "struct ucred *",
     "struct shmfd *", "int", "int");
 
@@ -118,17 +132,18 @@ mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot,
 	return (error);
 }
 
-MAC_CHECK_PROBE_DEFINE2(posixshm_check_open, "struct ucred *",
-    "struct shmfd *");
+MAC_CHECK_PROBE_DEFINE3(posixshm_check_open, "struct ucred *",
+    "struct shmfd *", "accmode_t accmode");
 
 int
-mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd)
+mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+    accmode_t accmode)
 {
 	int error;
 
 	MAC_POLICY_CHECK_NOSLEEP(posixshm_check_open, cred, shmfd,
-	    shmfd->shm_label);
-	MAC_CHECK_PROBE2(posixshm_check_open, error, cred, shmfd);
+	    shmfd->shm_label, accmode);
+	MAC_CHECK_PROBE3(posixshm_check_open, error, cred, shmfd, accmode);
 
 	return (error);
 }
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index fcede07..b7ca4e0 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -14,6 +14,9 @@
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -1622,6 +1625,42 @@ biba_posixsem_check_openunlink(struct ucred *cred, struct ksem *ks,
 }
 
 static int
+biba_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
+    struct label *kslabel, mode_t mode)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(kslabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+biba_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
+    struct label *kslabel, uid_t uid, gid_t gid)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(kslabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
 biba_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
@@ -1669,6 +1708,156 @@ biba_posixsem_create(struct ucred *cred, struct ksem *ks,
 	biba_copy_effective(source, dest);
 }
 
+static int
+biba_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, int prot, int flags)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled || !revocation_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
+		if (!biba_dominate_effective(obj, subj))
+			return (EACCES);
+	}
+	if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
+		if (!biba_dominate_effective(subj, obj))
+			return (EACCES);
+	}
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, accmode_t accmode)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
+		if (!biba_dominate_effective(obj, subj))
+			return (EACCES);
+	}
+	if (accmode & VMODIFY_PERMS) {
+		if (!biba_dominate_effective(subj, obj))
+			return (EACCES);
+	}
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, mode_t mode)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, uid_t uid, gid_t gid)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
+    struct shmfd *shmfd, struct label *shmlabel)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(active_cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!biba_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_truncate(struct ucred *active_cred,
+    struct ucred *file_cred, struct shmfd *shmfd, struct label *shmlabel)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(active_cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+    
+	return (0);
+}
+
+static void
+biba_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(cred->cr_label);
+	dest = SLOT(shmlabel);
+
+	biba_copy_effective(source, dest);
+}
+
 /*
  * Some system privileges are allowed regardless of integrity grade; others
  * are allowed only when running with privilege with respect to the Biba
@@ -3455,6 +3644,8 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_posixsem_check_getvalue = biba_posixsem_check_rdonly,
 	.mpo_posixsem_check_open = biba_posixsem_check_openunlink,
 	.mpo_posixsem_check_post = biba_posixsem_check_write,
+	.mpo_posixsem_check_setmode = biba_posixsem_check_setmode,
+	.mpo_posixsem_check_setowner = biba_posixsem_check_setowner,
 	.mpo_posixsem_check_stat = biba_posixsem_check_rdonly,
 	.mpo_posixsem_check_unlink = biba_posixsem_check_openunlink,
 	.mpo_posixsem_check_wait = biba_posixsem_check_write,
@@ -3462,6 +3653,17 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_posixsem_destroy_label = biba_destroy_label,
 	.mpo_posixsem_init_label = biba_init_label,
 
+	.mpo_posixshm_check_mmap = biba_posixshm_check_mmap,
+	.mpo_posixshm_check_open = biba_posixshm_check_open,
+	.mpo_posixshm_check_setmode = biba_posixshm_check_setmode,
+	.mpo_posixshm_check_setowner = biba_posixshm_check_setowner,
+	.mpo_posixshm_check_stat = biba_posixshm_check_stat,
+	.mpo_posixshm_check_truncate = biba_posixshm_check_truncate,
+	.mpo_posixshm_check_unlink = biba_posixshm_check_unlink,
+	.mpo_posixshm_create = biba_posixshm_create,
+	.mpo_posixshm_destroy_label = biba_destroy_label,
+	.mpo_posixshm_init_label = biba_init_label,
+
 	.mpo_priv_check = biba_priv_check,
 
 	.mpo_proc_check_debug = biba_proc_check_debug,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index d41799d..b68790d 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -14,6 +14,9 @@
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -1532,6 +1535,42 @@ mls_posixsem_check_rdonly(struct ucred *active_cred, struct ucred *file_cred,
 }
 
 static int
+mls_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
+    struct label *shmlabel, mode_t mode)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
+    struct label *shmlabel, uid_t uid, gid_t gid)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
 mls_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
@@ -1562,6 +1601,159 @@ mls_posixsem_create(struct ucred *cred, struct ksem *ks,
 }
 
 static int
+mls_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, int prot, int flags)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
+		if (!mls_dominate_effective(subj, obj))
+			return (EACCES);
+	}
+	if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
+		if (!mls_dominate_effective(obj, subj))
+			return (EACCES);
+	}
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, accmode_t accmode)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
+		if (!mls_dominate_effective(subj, obj))
+			return (EACCES);
+	}
+	if (accmode & VMODIFY_PERMS) {
+		if (!mls_dominate_effective(obj, subj))
+			return (EACCES);
+	}
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, mode_t mode)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, uid_t uid, gid_t gid)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
+    struct shmfd *shmfd, struct label *shmlabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(active_cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_truncate(struct ucred *active_cred,
+    struct ucred *file_cred, struct shmfd *shmfd, struct label *shmlabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(active_cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+    
+	return (0);
+}
+
+static void
+mls_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(cred->cr_label);
+	dest = SLOT(shmlabel);
+
+	mls_copy_effective(source, dest);
+}
+
+static int
 mls_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	struct mac_mls *subj, *obj;
@@ -3075,6 +3267,8 @@ static struct mac_policy_ops mls_ops =
 	.mpo_posixsem_check_getvalue = mls_posixsem_check_rdonly,
 	.mpo_posixsem_check_open = mls_posixsem_check_openunlink,
 	.mpo_posixsem_check_post = mls_posixsem_check_write,
+	.mpo_posixsem_check_setmode = mls_posixsem_check_setmode,
+	.mpo_posixsem_check_setowner = mls_posixsem_check_setowner,
 	.mpo_posixsem_check_stat = mls_posixsem_check_rdonly,
 	.mpo_posixsem_check_unlink = mls_posixsem_check_openunlink,
 	.mpo_posixsem_check_wait = mls_posixsem_check_write,
@@ -3082,6 +3276,17 @@ static struct mac_policy_ops mls_ops =
 	.mpo_posixsem_destroy_label = mls_destroy_label,
 	.mpo_posixsem_init_label = mls_init_label,
 
+	.mpo_posixshm_check_mmap = mls_posixshm_check_mmap,
+	.mpo_posixshm_check_open = mls_posixshm_check_open,
+	.mpo_posixshm_check_setmode = mls_posixshm_check_setmode,
+	.mpo_posixshm_check_setowner = mls_posixshm_check_setowner,
+	.mpo_posixshm_check_stat = mls_posixshm_check_stat,
+	.mpo_posixshm_check_truncate = mls_posixshm_check_truncate,
+	.mpo_posixshm_check_unlink = mls_posixshm_check_unlink,
+	.mpo_posixshm_create = mls_posixshm_create,
+	.mpo_posixshm_destroy_label = mls_destroy_label,
+	.mpo_posixshm_init_label = mls_init_label,
+
 	.mpo_proc_check_debug = mls_proc_check_debug,
 	.mpo_proc_check_sched = mls_proc_check_sched,
 	.mpo_proc_check_signal = mls_proc_check_signal,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 361bb15..f1d3e10 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -734,6 +734,13 @@ stub_posixsem_create(struct ucred *cred, struct ksem *ks,
 }
 
 static int
+stub_posixshm_check_create(struct ucred *cred, const char *path)
+{
+
+	return (0);
+}
+
+static int
 stub_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, int prot, int flags)
 {
@@ -743,7 +750,7 @@ stub_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
 
 static int
 stub_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
-    struct label *shmlabel)
+    struct label *shmlabel, accmode_t accmode)
 {
 
 	return (0);
@@ -1772,6 +1779,7 @@ static struct mac_policy_ops stub_ops =
 	.mpo_posixsem_destroy_label = stub_destroy_label,
 	.mpo_posixsem_init_label = stub_init_label,
 
+	.mpo_posixshm_check_create = stub_posixshm_check_create,
 	.mpo_posixshm_check_mmap = stub_posixshm_check_mmap,
 	.mpo_posixshm_check_open = stub_posixshm_check_open,
 	.mpo_posixshm_check_setmode = stub_posixshm_check_setmode,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 2aa2e38..c92c418 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -1390,6 +1390,15 @@ test_posixsem_init_label(struct label *label)
 	COUNTER_INC(posixsem_init_label);
 }
 
+COUNTER_DECL(posixshm_check_create);
+static int
+test_posixshm_check_create(struct ucred *cred, const char *path)
+{
+
+	COUNTER_INC(posixshm_check_create);
+	return (0);
+}
+
 COUNTER_DECL(posixshm_check_mmap);
 static int
 test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
@@ -1405,7 +1414,7 @@ test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
 COUNTER_DECL(posixshm_check_open);
 static int
 test_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
-    struct label *shmfdlabel)
+    struct label *shmfdlabel, accmode_t accmode)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
@@ -3102,6 +3111,7 @@ static struct mac_policy_ops test_ops =
 	.mpo_posixsem_destroy_label = test_posixsem_destroy_label,
 	.mpo_posixsem_init_label = test_posixsem_init_label,
 
+	.mpo_posixshm_check_create = test_posixshm_check_create,
 	.mpo_posixshm_check_mmap = test_posixshm_check_mmap,
 	.mpo_posixshm_check_open = test_posixshm_check_open,
 	.mpo_posixshm_check_setmode = test_posixshm_check_setmode,