Diffstat (limited to 'sys/security/mac')
-rw-r--r--sys/security/mac/mac_framework.h6
-rw-r--r--sys/security/mac/mac_policy.h8
-rw-r--r--sys/security/mac/mac_posix_shm.c27
3 files changed, 31 insertions, 10 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 011cb86..92aedea 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
@@ -238,9 +238,11 @@ void mac_posixsem_create(struct ucred *cred, struct ksem *ks);
void mac_posixsem_destroy(struct ksem *);
void mac_posixsem_init(struct ksem *);
+int mac_posixshm_check_create(struct ucred *cred, const char *path);
int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
int prot, int flags);
-int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd);
+int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+ accmode_t accmode);
int mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
mode_t mode);
int mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index b7ef07b..090dc40 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* Copyright (c) 2008 Apple Inc.
@@ -355,11 +355,14 @@ typedef void (*mpo_posixsem_create_t)(struct ucred *cred,
typedef void (*mpo_posixsem_destroy_label_t)(struct label *label);
typedef void (*mpo_posixsem_init_label_t)(struct label *label);
+typedef int (*mpo_posixshm_check_create_t)(struct ucred *cred,
+ const char *path);
typedef int (*mpo_posixshm_check_mmap_t)(struct ucred *cred,
struct shmfd *shmfd, struct label *shmlabel, int prot,
int flags);
typedef int (*mpo_posixshm_check_open_t)(struct ucred *cred,
- struct shmfd *shmfd, struct label *shmlabel);
+ struct shmfd *shmfd, struct label *shmlabel,
+ accmode_t accmode);
typedef int (*mpo_posixshm_check_setmode_t)(struct ucred *cred,
struct shmfd *shmfd, struct label *shmlabel,
mode_t mode);
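Review bot: The policy ABI changes in this hunk and in the `struct mac_policy_ops` hunk that follows, yet none of the mac_policy.h hunks shown touch `MAC_VERSION`. Here `mpo_posixshm_check_open_t` gains an `accmode_t accmode` argument, and the next hunk inserts `mpo_posixshm_check_create` in the middle of the ops table, which shifts every later member. A policy module built against the old header would register a table whose later entries sit at the wrong offsets, so the framework could dispatch a check to the wrong entry point or call the old open check with an argument it does not expect. If the version constant is not bumped elsewhere in this commit (the diffstat is limited to sys/security/mac), it should be, so that stale modules are refused at load time instead of being silently mis-dispatched.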
@@ -812,6 +815,7 @@ struct mac_policy_ops {
mpo_posixsem_destroy_label_t mpo_posixsem_destroy_label;
mpo_posixsem_init_label_t mpo_posixsem_init_label;
+ mpo_posixshm_check_create_t mpo_posixshm_check_create;
mpo_posixshm_check_mmap_t mpo_posixshm_check_mmap;
mpo_posixshm_check_open_t mpo_posixshm_check_open;
mpo_posixshm_check_setmode_t mpo_posixshm_check_setmode;
diff --git a/sys/security/mac/mac_posix_shm.c b/sys/security/mac/mac_posix_shm.c
index 7e1c3f7..d5d15fc 100644
--- a/sys/security/mac/mac_posix_shm.c
+++ b/sys/security/mac/mac_posix_shm.c
@@ -1,6 +1,6 @@
/*-
* Copyright (c) 2003-2006 SPARTA, Inc.
- * Copyright (c) 2009 Robert N. M. Watson
+ * Copyright (c) 2009-2011 Robert N. M. Watson
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -101,6 +101,20 @@ mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd)
shmfd->shm_label);
}
+MAC_CHECK_PROBE_DEFINE2(posixshm_check_create, "struct ucred *",
+ "const char *");
+
+int
+mac_posixshm_check_create(struct ucred *cred, const char *path)
+{
+ int error;
+
+ MAC_POLICY_CHECK_NOSLEEP(posixshm_check_create, cred, path);
+ MAC_CHECK_PROBE2(posixshm_check_create, error, cred, path);
+
+ return (error);
+}
+
MAC_CHECK_PROBE_DEFINE4(posixshm_check_mmap, "struct ucred *",
"struct shmfd *", "int", "int");
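Review bot: The new `mac_posixshm_check_create()` entry point has no comment stating what `path` is or what a policy may do with it. Unlike the other posixshm checks it receives no `shmfd` or label, so a policy can decide only on the credential and the requested name, and that name is presumably caller-controlled. Since it is dispatched through `MAC_POLICY_CHECK_NOSLEEP`, a short comment above the function would help policy authors, for example `/* No shm object or label exists yet; path is the requested name and must be treated as untrusted. Policies must not sleep. */`. Whether `path` is already a NUL-terminated kernel copy should be confirmed against the caller and stated there too.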
@@ -118,17 +132,18 @@ mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot,
return (error);
}
-MAC_CHECK_PROBE_DEFINE2(posixshm_check_open, "struct ucred *",
- "struct shmfd *");
+MAC_CHECK_PROBE_DEFINE3(posixshm_check_open, "struct ucred *",
+ "struct shmfd *", "accmode_t accmode");
int
-mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd)
+mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+ accmode_t accmode)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(posixshm_check_open, cred, shmfd,
- shmfd->shm_label);
- MAC_CHECK_PROBE2(posixshm_check_open, error, cred, shmfd);
+ shmfd->shm_label, accmode);
+ MAC_CHECK_PROBE3(posixshm_check_open, error, cred, shmfd, accmode);
return (error);
}
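Review bot: The third argument type on the `MAC_CHECK_PROBE_DEFINE3` line is written as `"accmode_t accmode"`, which includes the parameter name. Every other probe definition visible in this file passes a bare type string (`"struct ucred *"`, `"struct shmfd *"`, `"int"`). Assuming these strings become the probe's argument types, the line should read `"struct shmfd *", "accmode_t");` so tracing tools see a valid type for the new argument. Separately, a one-line comment noting which access bits callers are expected to pass in `accmode` would make the contract clearer for policy authors.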