diff options
-rw-r--r-- | sys/kern/kern_mac.c | 34 | ||||
-rw-r--r-- | sys/kern/sys_pipe.c | 16 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 34 |
10 files changed, 318 insertions, 4 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index 607113e..43a52bf 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -2572,6 +2572,11 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); @@ -2582,6 +2587,11 @@ mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); return (error); @@ -2592,6 +2602,11 @@ mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); @@ -2603,6 +2618,11 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); @@ -2613,6 +2633,11 @@ mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); return (error); @@ -2623,6 +2648,11 @@ mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); return (error); @@ -2889,6 +2919,8 @@ mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); @@ -3192,7 +3224,9 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; + PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); + PIPE_UNLOCK(pipe); break; default: error = EINVAL; diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c index d87eb44..0931262 100644 --- a/sys/kern/sys_pipe.c +++ b/sys/kern/sys_pipe.c @@ -1165,8 +1165,11 @@ pipe_ioctl(fp, cmd, data, active_cred, td) struct pipe *mpipe = (struct pipe *)fp->f_data; #ifdef MAC int error; +#endif + + PIPE_LOCK(mpipe); - /* XXXMAC: Pipe should be locked for this check. */ +#ifdef MAC error = mac_check_pipe_ioctl(active_cred, mpipe, cmd, data); if (error) return (error); @@ -1175,10 +1178,10 @@ pipe_ioctl(fp, cmd, data, active_cred, td) switch (cmd) { case FIONBIO: + PIPE_UNLOCK(mpipe); return (0); case FIOASYNC: - PIPE_LOCK(mpipe); if (*(int *)data) { mpipe->pipe_state |= PIPE_ASYNC; } else { @@ -1188,7 +1191,6 @@ pipe_ioctl(fp, cmd, data, active_cred, td) return (0); case FIONREAD: - PIPE_LOCK(mpipe); if (mpipe->pipe_state & PIPE_DIRECTW) *(int *)data = mpipe->pipe_map.cnt; else @@ -1197,22 +1199,27 @@ pipe_ioctl(fp, cmd, data, active_cred, td) return (0); case FIOSETOWN: + PIPE_UNLOCK(mpipe); return (fsetown(*(int *)data, &mpipe->pipe_sigio)); case FIOGETOWN: + PIPE_UNLOCK(mpipe); *(int *)data = fgetown(mpipe->pipe_sigio); return (0); /* This is deprecated, FIOSETOWN should be used instead. */ case TIOCSPGRP: + PIPE_UNLOCK(mpipe); return (fsetown(-(*(int *)data), &mpipe->pipe_sigio)); /* This is deprecated, FIOGETOWN should be used instead. */ case TIOCGPGRP: + PIPE_UNLOCK(mpipe); *(int *)data = -fgetown(mpipe->pipe_sigio); return (0); } + PIPE_UNLOCK(mpipe); return (ENOTTY); } @@ -1288,8 +1295,9 @@ pipe_stat(fp, ub, active_cred, td) #ifdef MAC int error; - /* XXXMAC: Pipe should be locked for this check. */ + PIPE_LOCK(pipe); error = mac_check_pipe_stat(active_cred, pipe); + PIPE_UNLOCK(pipe); if (error) return (error); #endif diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 607113e..43a52bf 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -2572,6 +2572,11 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); @@ -2582,6 +2587,11 @@ mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); return (error); @@ -2592,6 +2602,11 @@ mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); @@ -2603,6 +2618,11 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); @@ -2613,6 +2633,11 @@ mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); return (error); @@ -2623,6 +2648,11 @@ mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); return (error); @@ -2889,6 +2919,8 @@ mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); @@ -3192,7 +3224,9 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; + PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); + PIPE_UNLOCK(pipe); break; default: error = EINVAL; diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index 607113e..43a52bf 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -2572,6 +2572,11 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); @@ -2582,6 +2587,11 @@ mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); return (error); @@ -2592,6 +2602,11 @@ mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); @@ -2603,6 +2618,11 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); @@ -2613,6 +2633,11 @@ mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); return (error); @@ -2623,6 +2648,11 @@ mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); return (error); @@ -2889,6 +2919,8 @@ mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); @@ -3192,7 +3224,9 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; + PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); + PIPE_UNLOCK(pipe); break; default: error = EINVAL; diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 607113e..43a52bf 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -2572,6 +2572,11 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); @@ -2582,6 +2587,11 @@ mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); return (error); @@ -2592,6 +2602,11 @@ mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); @@ -2603,6 +2618,11 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); @@ -2613,6 +2633,11 @@ mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); return (error); @@ -2623,6 +2648,11 @@ mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); return (error); @@ -2889,6 +2919,8 @@ mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); @@ -3192,7 +3224,9 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; + PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); + PIPE_UNLOCK(pipe); break; default: error = EINVAL; diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 607113e..43a52bf 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -2572,6 +2572,11 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); @@ -2582,6 +2587,11 @@ mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); return (error); @@ -2592,6 +2602,11 @@ mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); @@ -2603,6 +2618,11 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); @@ -2613,6 +2633,11 @@ mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); return (error); @@ -2623,6 +2648,11 @@ mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); return (error); @@ -2889,6 +2919,8 @@ mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); @@ -3192,7 +3224,9 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; + PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); + PIPE_UNLOCK(pipe); break; default: error = EINVAL; diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 607113e..43a52bf 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -2572,6 +2572,11 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); @@ -2582,6 +2587,11 @@ mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); return (error); @@ -2592,6 +2602,11 @@ mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); @@ -2603,6 +2618,11 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); @@ -2613,6 +2633,11 @@ mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); return (error); @@ -2623,6 +2648,11 @@ mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); return (error); @@ -2889,6 +2919,8 @@ mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); @@ -3192,7 +3224,9 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; + PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); + PIPE_UNLOCK(pipe); break; default: error = EINVAL; diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 607113e..43a52bf 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -2572,6 +2572,11 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); @@ -2582,6 +2587,11 @@ mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); return (error); @@ -2592,6 +2602,11 @@ mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); @@ -2603,6 +2618,11 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); @@ -2613,6 +2633,11 @@ mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); return (error); @@ -2623,6 +2648,11 @@ mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); return (error); @@ -2889,6 +2919,8 @@ mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); @@ -3192,7 +3224,9 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; + PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); + PIPE_UNLOCK(pipe); break; default: error = EINVAL; diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 607113e..43a52bf 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -2572,6 +2572,11 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); @@ -2582,6 +2587,11 @@ mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); return (error); @@ -2592,6 +2602,11 @@ mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); @@ -2603,6 +2618,11 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); @@ -2613,6 +2633,11 @@ mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); return (error); @@ -2623,6 +2648,11 @@ mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); return (error); @@ -2889,6 +2919,8 @@ mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); @@ -3192,7 +3224,9 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; + PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); + PIPE_UNLOCK(pipe); break; default: error = EINVAL; diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 607113e..43a52bf 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -2572,6 +2572,11 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); @@ -2582,6 +2587,11 @@ mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); return (error); @@ -2592,6 +2602,11 @@ mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); @@ -2603,6 +2618,11 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); @@ -2613,6 +2633,11 @@ mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); return (error); @@ -2623,6 +2648,11 @@ mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); return (error); @@ -2889,6 +2919,8 @@ mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); @@ -3192,7 +3224,9 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; + PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); + PIPE_UNLOCK(pipe); break; default: error = EINVAL; |