authorjhb <jhb@FreeBSD.org>2008-01-08 21:58:16 +0000
committerjhb <jhb@FreeBSD.org>2008-01-08 21:58:16 +0000
commit8cd9437636744162d1427275b2fe66cf8ccef25c (patch)
tree49b07dc757aae71e0a64eb4939cde4037af60a24 /sys/security
parent23d78439c96372baa4a3c2847df65f8e11455ae7 (diff)
Add a new file descriptor type for IPC shared memory objects and use it to
implement shm_open(2) and shm_unlink(2) in the kernel: - Each shared memory file descriptor is associated with a swap-backed vm object which provides the backing store. Each descriptor starts off with a size of zero, but the size can be altered via ftruncate(2). The shared memory file descriptors also support fstat(2). read(2), write(2), ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared memory file descriptors. - shm_open(2) and shm_unlink(2) are now implemented as system calls that manage shared memory file descriptors. The virtual namespace that maps pathnames to shared memory file descriptors is implemented as a hash table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash of the pathname. - As an extension, the constant 'SHM_ANON' may be specified in place of the path argument to shm_open(2). In this case, an unnamed shared memory file descriptor will be created, similar to the IPC_PRIVATE key for shmget(2). Note that the shared memory object can still be shared among processes by sharing the file descriptor via fork(2) or sendmsg(2), but it is unnamed. This effectively serves to implement the getmemfd() idea bandied about the lists several times over the years. - The backing store for a shared memory file descriptor is garbage collected when it is not referenced by any open file descriptors or the shm_open(2) virtual namespace. Submitted by: dillon, peter (previous versions) Submitted by: rwatson (I based this on his version) Reviewed by: alc (suggested converting getmemfd() to shm_open())
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.h13
-rw-r--r--sys/security/mac/mac_policy.h28
-rw-r--r--sys/security/mac/mac_posix_shm.c146
-rw-r--r--sys/security/mac_stub/mac_stub.c56
-rw-r--r--sys/security/mac_test/mac_test.c96
5 files changed, 339 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index f3d41df..e607d32 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -71,6 +71,7 @@ struct msg;
struct msqid_kernel;
struct proc;
struct semid_kernel;
+struct shmfd;
struct shmid_kernel;
struct sockaddr;
struct socket;
@@ -198,6 +199,18 @@ void mac_posixsem_create(struct ucred *cred, struct ksem *ks);
void mac_posixsem_destroy(struct ksem *);
void mac_posixsem_init(struct ksem *);
+int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
+ int prot, int flags);
+int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd);
+int mac_posixshm_check_stat(struct ucred *active_cred,
+ struct ucred *file_cred, struct shmfd *shmfd);
+int mac_posixshm_check_truncate(struct ucred *active_cred,
+ struct ucred *file_cred, struct shmfd *shmfd);
+int mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd);
+void mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd);
+void mac_posixshm_destroy(struct shmfd *);
+void mac_posixshm_init(struct shmfd *);
+
int mac_priv_check(struct ucred *cred, int priv);
int mac_priv_grant(struct ucred *cred, int priv);
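Review bot: The entry points declared in this hunk let a policy veto mmap, open, stat, truncate and unlink, but nothing here lets it refuse the creation of a new shared memory object, because `mac_posixshm_create()` returns void and can only label. As far as this hunk shows, a policy that wants to limit who may add names to the shm_open(2) namespace has no hook to do so; either add a creation check next to `mac_posixshm_check_open()` or document that creation is deliberately unmediated. It would also help to say above `mac_posixshm_check_stat()` and `mac_posixshm_check_truncate()` which credential is which, for example `/* active_cred: caller; file_cred: credential cached on the open file */`, if that matches the callers.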
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 3d494db..c7aef52 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -83,6 +83,7 @@ struct pipepair;
struct proc;
struct sbuf;
struct semid_kernel;
+struct shmfd;
struct shmid_kernel;
struct sockaddr;
struct socket;
@@ -305,6 +306,24 @@ typedef void (*mpo_posixsem_create_t)(struct ucred *cred,
typedef void (*mpo_posixsem_destroy_label_t)(struct label *label);
typedef void (*mpo_posixsem_init_label_t)(struct label *label);
+typedef int (*mpo_posixshm_check_mmap_t)(struct ucred *cred,
+ struct shmfd *shmfd, struct label *shmlabel, int prot,
+ int flags);
+typedef int (*mpo_posixshm_check_open_t)(struct ucred *cred,
+ struct shmfd *shmfd, struct label *shmlabel);
+typedef int (*mpo_posixshm_check_stat_t)(struct ucred *active_cred,
+ struct ucred *file_cred, struct shmfd *shmfd,
+ struct label *shmlabel);
+typedef int (*mpo_posixshm_check_truncate_t)(struct ucred *active_cred,
+ struct ucred *file_cred, struct shmfd *shmfd,
+ struct label *shmlabel);
+typedef int (*mpo_posixshm_check_unlink_t)(struct ucred *cred,
+ struct shmfd *shmfd, struct label *shmlabel);
+typedef void (*mpo_posixshm_create_t)(struct ucred *cred,
+ struct shmfd *shmfd, struct label *shmlabel);
+typedef void (*mpo_posixshm_destroy_label_t)(struct label *label);
+typedef void (*mpo_posixshm_init_label_t)(struct label *label);
+
typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
@@ -733,6 +752,15 @@ struct mac_policy_ops {
mpo_posixsem_destroy_label_t mpo_posixsem_destroy_label;
mpo_posixsem_init_label_t mpo_posixsem_init_label;
+ mpo_posixshm_check_mmap_t mpo_posixshm_check_mmap;
+ mpo_posixshm_check_open_t mpo_posixshm_check_open;
+ mpo_posixshm_check_stat_t mpo_posixshm_check_stat;
+ mpo_posixshm_check_truncate_t mpo_posixshm_check_truncate;
+ mpo_posixshm_check_unlink_t mpo_posixshm_check_unlink;
+ mpo_posixshm_create_t mpo_posixshm_create;
+ mpo_posixshm_destroy_label_t mpo_posixshm_destroy_label;
+ mpo_posixshm_init_label_t mpo_posixshm_init_label;
+
mpo_priv_check_t mpo_priv_check;
mpo_priv_grant_t mpo_priv_grant;
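Review bot: The eight `mpo_posixshm_*` members are inserted in the middle of `struct mac_policy_ops`, which moves the offset of every entry point after them, starting with `mpo_priv_check`. A policy module built against the old header and loaded into a kernel with this layout would have its later function pointers read from the wrong slots, so access checks could dispatch to unrelated handlers. No version bump is visible in the part of the commit shown here; please confirm that the policy ABI version (`MAC_VERSION`) is raised with this change so stale modules are rejected at registration. The struct definition continues outside the hunk.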
diff --git a/sys/security/mac/mac_posix_shm.c b/sys/security/mac/mac_posix_shm.c
new file mode 100644
index 0000000..b9da7b3
--- /dev/null
+++ b/sys/security/mac/mac_posix_shm.c
@@ -0,0 +1,146 @@
+/*-
+ * Copyright (c) 2003-2006 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project in part by Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+ * as part of the DARPA CHATS research program.
+ *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/mman.h>
+#include <sys/malloc.h>
+#include <sys/module.h>
+#include <sys/systm.h>
+#include <sys/sysctl.h>
+
+#include <security/mac/mac_framework.h>
+#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
+
+static struct label *
+mac_posixshm_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(posixshm_init_label, label);
+ return (label);
+}
+
+void
+mac_posixshm_init(struct shmfd *shmfd)
+{
+
+ shmfd->shm_label = mac_posixshm_label_alloc();
+}
+
+static void
+mac_posixshm_label_free(struct label *label)
+{
+
+ MAC_PERFORM(posixshm_destroy_label, label);
+ mac_labelzone_free(label);
+}
+
+void
+mac_posixshm_destroy(struct shmfd *shmfd)
+{
+
+ mac_posixshm_label_free(shmfd->shm_label);
+ shmfd->shm_label = NULL;
+}
+
+void
+mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd)
+{
+
+ MAC_PERFORM(posixshm_create, cred, shmfd, shmfd->shm_label);
+}
+
+int
+mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot,
+ int flags)
+{
+ int error;
+
+ MAC_CHECK(posixshm_check_mmap, cred, shmfd, shmfd->shm_label, prot,
+ flags);
+
+ return (error);
+}
+
+int
+mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd)
+{
+ int error;
+
+ MAC_CHECK(posixshm_check_open, cred, shmfd, shmfd->shm_label);
+
+ return (error);
+}
+
+int
+mac_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
+ struct shmfd *shmfd)
+{
+ int error;
+
+ MAC_CHECK(posixshm_check_stat, active_cred, file_cred, shmfd,
+ shmfd->shm_label);
+
+ return (error);
+}
+
+int
+mac_posixshm_check_truncate(struct ucred *active_cred, struct ucred *file_cred,
+ struct shmfd *shmfd)
+{
+ int error;
+
+ MAC_CHECK(posixshm_check_truncate, active_cred, file_cred, shmfd,
+ shmfd->shm_label);
+
+ return (error);
+}
+
+int
+mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd)
+{
+ int error;
+
+ MAC_CHECK(posixshm_check_unlink, cred, shmfd, shmfd->shm_label);
+
+ return (error);
+}
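Review bot: `mac_posixshm_init()` reaches `mac_labelzone_alloc(M_WAITOK)` through `mac_posixshm_label_alloc()`, so it may sleep, but nothing in the file tells callers that. A comment above it such as `/* May sleep: call before acquiring any non-sleepable lock protecting the shmfd. */` would keep the allocation out of locked sections. The five `mac_posixshm_check_*()` wrappers also have no header comment; one line each naming the operation being mediated, and noting that a non-zero return is the errno to pass back, would make the contract clear to the code that calls them.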
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 50463a0..165e7bb 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -578,6 +578,53 @@ stub_posixsem_create(struct ucred *cred, struct ksem *ks,
}
static int
+stub_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
+ struct label *shmlabel, int prot, int flags)
+{
+
+ return (0);
+}
+
+static int
+stub_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+ struct label *shmlabel)
+{
+
+ return (0);
+}
+
+static int
+stub_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
+ struct shmfd *shmfd, struct label *shmlabel)
+{
+
+ return (0);
+}
+
+static int
+stub_posixshm_check_truncate(struct ucred *active_cred,
+ struct ucred *file_cred, struct shmfd *shmfd, struct label *shmlabel)
+{
+
+ return (0);
+}
+
+static int
+stub_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
+ struct label *shmlabel)
+{
+
+ return (0);
+}
+
+static void
+stub_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
+ struct label *shmlabel)
+{
+
+}
+
+static int
stub_priv_check(struct ucred *cred, int priv)
{
@@ -1550,6 +1597,15 @@ static struct mac_policy_ops stub_ops =
.mpo_posixsem_destroy_label = stub_destroy_label,
.mpo_posixsem_init_label = stub_init_label,
+ .mpo_posixshm_check_mmap = stub_posixshm_check_mmap,
+ .mpo_posixshm_check_open = stub_posixshm_check_open,
+ .mpo_posixshm_check_stat = stub_posixshm_check_stat,
+ .mpo_posixshm_check_truncate = stub_posixshm_check_truncate,
+ .mpo_posixshm_check_unlink = stub_posixshm_check_unlink,
+ .mpo_posixshm_create = stub_posixshm_create,
+ .mpo_posixshm_destroy_label = stub_destroy_label,
+ .mpo_posixshm_init_label = stub_init_label,
+
.mpo_priv_check = stub_priv_check,
.mpo_priv_grant = stub_priv_grant,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index e28e4c3..14d3b80 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -94,6 +94,7 @@ SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
#define MAGIC_SYSV_SHM 0x76119ab0
#define MAGIC_PIPE 0xdc6c9919
#define MAGIC_POSIX_SEM 0x78ae980c
+#define MAGIC_POSIX_SHM 0x4e853fc9
#define MAGIC_PROC 0x3b4be98f
#define MAGIC_CRED 0x9a5a4987
#define MAGIC_VNODE 0x1a67a45c
@@ -1116,6 +1117,92 @@ test_posixsem_init_label(struct label *label)
COUNTER_INC(posixsem_init_label);
}
+COUNTER_DECL(posixshm_check_mmap);
+static int
+test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
+ struct label *shmfdlabel, int prot, int flags)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
+ return (0);
+}
+
+COUNTER_DECL(posixshm_check_open);
+static int
+test_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+ struct label *shmfdlabel)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
+ return (0);
+}
+
+COUNTER_DECL(posixshm_check_stat);
+static int
+test_posixshm_check_stat(struct ucred *active_cred,
+ struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel)
+{
+
+ LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
+ return (0);
+}
+
+COUNTER_DECL(posixshm_check_truncate);
+static int
+test_posixshm_check_truncate(struct ucred *active_cred,
+ struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel)
+{
+
+ LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
+ return (0);
+}
+
+COUNTER_DECL(posixshm_check_unlink);
+static int
+test_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
+ struct label *shmfdlabel)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
+ return (0);
+}
+
+COUNTER_DECL(posixshm_create);
+static void
+test_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
+ struct label *shmfdlabel)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
+ COUNTER_INC(posixshm_create);
+}
+
+COUNTER_DECL(posixshm_destroy_label);
+static void
+test_posixshm_destroy_label(struct label *label)
+{
+
+ LABEL_DESTROY(label, MAGIC_POSIX_SHM);
+ COUNTER_INC(posixshm_destroy_label);
+}
+
+COUNTER_DECL(posixshm_init_label);
+static void
+test_posixshm_init_label(struct label *label)
+{
+
+ LABEL_INIT(label, MAGIC_POSIX_SHM);
+ COUNTER_INC(posixshm_init_label);
+}
+
COUNTER_DECL(proc_check_debug);
static int
test_proc_check_debug(struct ucred *cred, struct proc *p)
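Review bot: The five check entry points each have a `COUNTER_DECL()` but never increment it: `test_posixshm_check_mmap()` returns right after its `LABEL_CHECK()` lines, and the same holds for `test_posixshm_check_open()`, `_check_stat()`, `_check_truncate()` and `_check_unlink()`. Their counters will therefore stay at zero, so the test policy cannot show whether the framework ever invoked these checks, which is the coverage signal it exists to provide. Add the matching line before each return, e.g. `COUNTER_INC(posixshm_check_mmap);`, as `test_posixshm_create()` and the label init/destroy functions in this hunk already do.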
@@ -2809,6 +2896,15 @@ static struct mac_policy_ops test_ops =
.mpo_posixsem_destroy_label = test_posixsem_destroy_label,
.mpo_posixsem_init_label = test_posixsem_init_label,
+ .mpo_posixshm_check_mmap = test_posixshm_check_mmap,
+ .mpo_posixshm_check_open = test_posixshm_check_open,
+ .mpo_posixshm_check_stat = test_posixshm_check_stat,
+ .mpo_posixshm_check_truncate = test_posixshm_check_truncate,
+ .mpo_posixshm_check_unlink = test_posixshm_check_unlink,
+ .mpo_posixshm_create = test_posixshm_create,
+ .mpo_posixshm_destroy_label = test_posixshm_destroy_label,
+ .mpo_posixshm_init_label = test_posixshm_init_label,
+
.mpo_proc_check_debug = test_proc_check_debug,
.mpo_proc_check_sched = test_proc_check_sched,
.mpo_proc_check_setaudit = test_proc_check_setaudit,