Assert process locks in proces-related access control checks.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

8 files changed, 48 insertions, 0 deletions

diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index abda929..0d6a898 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -2517,6 +2517,8 @@ mac_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2530,6 +2532,8 @@ mac_check_proc_sched(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2543,6 +2547,8 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index abda929..0d6a898 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -2517,6 +2517,8 @@ mac_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2530,6 +2532,8 @@ mac_check_proc_sched(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2543,6 +2547,8 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index abda929..0d6a898 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -2517,6 +2517,8 @@ mac_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2530,6 +2532,8 @@ mac_check_proc_sched(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2543,6 +2547,8 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index abda929..0d6a898 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -2517,6 +2517,8 @@ mac_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2530,6 +2532,8 @@ mac_check_proc_sched(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2543,6 +2547,8 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index abda929..0d6a898 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -2517,6 +2517,8 @@ mac_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2530,6 +2532,8 @@ mac_check_proc_sched(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2543,6 +2547,8 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index abda929..0d6a898 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -2517,6 +2517,8 @@ mac_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2530,6 +2532,8 @@ mac_check_proc_sched(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2543,6 +2547,8 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index abda929..0d6a898 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -2517,6 +2517,8 @@ mac_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2530,6 +2532,8 @@ mac_check_proc_sched(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2543,6 +2547,8 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index abda929..0d6a898 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -2517,6 +2517,8 @@ mac_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2530,6 +2532,8 @@ mac_check_proc_sched(struct ucred *cred, struct proc *proc)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);
 
@@ -2543,6 +2547,8 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
 {
 	int error;
 
+	PROC_LOCK_ASSERT(proc, MA_OWNED);
+
 	if (!mac_enforce_process)
 		return (0);