Diffstat (limited to 'sys/security/mac')
-rw-r--r-- | sys/security/mac/mac_framework.h | 6 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 8 | ||||
-rw-r--r-- | sys/security/mac/mac_posix_shm.c | 27 |
3 files changed, 31 insertions, 10 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 011cb86..92aedea 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
 * Copyright (c) 2005-2006 SPARTA, Inc.
 * All rights reserved.
@@ -238,9 +238,11 @@ void mac_posixsem_create(struct ucred *cred, struct ksem *ks);
 void mac_posixsem_destroy(struct ksem *);
 void mac_posixsem_init(struct ksem *);
+int mac_posixshm_check_create(struct ucred *cred, const char *path);
 int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
 int prot, int flags);
-int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd);
+int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+ accmode_t accmode);
 int mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
 mode_t mode);
 int mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index b7ef07b..090dc40 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
 * Copyright (c) 2005-2006 SPARTA, Inc.
 * Copyright (c) 2008 Apple Inc.
@@ -355,11 +355,14 @@ typedef void (*mpo_posixsem_create_t)(struct ucred *cred,
 typedef void (*mpo_posixsem_destroy_label_t)(struct label *label);
 typedef void (*mpo_posixsem_init_label_t)(struct label *label);
+typedef int (*mpo_posixshm_check_create_t)(struct ucred *cred,
+ const char *path);
 typedef int (*mpo_posixshm_check_mmap_t)(struct ucred *cred,
 struct shmfd *shmfd, struct label *shmlabel, int prot, int flags);
 typedef int (*mpo_posixshm_check_open_t)(struct ucred *cred,
- struct shmfd *shmfd, struct label *shmlabel);
+ struct shmfd *shmfd, struct label *shmlabel,
+ accmode_t accmode);
 typedef int (*mpo_posixshm_check_setmode_t)(struct ucred *cred,
 struct shmfd *shmfd, struct label *shmlabel, mode_t mode);
@@ -812,6 +815,7 @@ struct mac_policy_ops {
 mpo_posixsem_destroy_label_t mpo_posixsem_destroy_label;
 mpo_posixsem_init_label_t mpo_posixsem_init_label;
+ mpo_posixshm_check_create_t mpo_posixshm_check_create;
 mpo_posixshm_check_mmap_t mpo_posixshm_check_mmap;
 mpo_posixshm_check_open_t mpo_posixshm_check_open;
 mpo_posixshm_check_setmode_t mpo_posixshm_check_setmode;
diff --git a/sys/security/mac/mac_posix_shm.c b/sys/security/mac/mac_posix_shm.c
index 7e1c3f7..d5d15fc 100644
--- a/sys/security/mac/mac_posix_shm.c
+++ b/sys/security/mac/mac_posix_shm.c
@@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2003-2006 SPARTA, Inc.
- * Copyright (c) 2009 Robert N. M. Watson
+ * Copyright (c) 2009-2011 Robert N. M. Watson
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project in part by Network
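Review bot: The new mpo_posixshm_check_create_t hook and the added `accmode_t accmode` parameter on mpo_posixshm_check_open_t carry no statement of their contract, and this header is what policy authors code against. For check_open, accmode presumably carries the same access-bit set as the existing accmode_t parameters in this header (e.g. mpo_vnode_check_access_t), but the caller that derives it from the open flags is outside this diff, so that should be confirmed and written down. For check_create the policy receives only a cred and a `const char *path` because no shmfd or label exists yet, which breaks the pattern every other posixshm hook in this file follows; a policy that inspects path needs to know whether it is the copied-in name being created and whether anonymous objects (SHM_ANON) ever reach this hook. Suggested comment above the typedef: `/* Pre-creation check for a POSIX shm object: no shmfd or label exists yet, so only the requesting cred and the requested path are available. */`.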
@@ -101,6 +101,20 @@ mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd)
 shmfd->shm_label);
 }
+MAC_CHECK_PROBE_DEFINE2(posixshm_check_create, "struct ucred *",
+ "const char *");
+
+int
+mac_posixshm_check_create(struct ucred *cred, const char *path)
+{
+ int error;
+
+ MAC_POLICY_CHECK_NOSLEEP(posixshm_check_create, cred, path);
+ MAC_CHECK_PROBE2(posixshm_check_create, error, cred, path);
+
+ return (error);
+}
+
 MAC_CHECK_PROBE_DEFINE4(posixshm_check_mmap, "struct ucred *",
 "struct shmfd *", "int", "int");
@@ -118,17 +132,18 @@ mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot,
 return (error);
 }
-MAC_CHECK_PROBE_DEFINE2(posixshm_check_open, "struct ucred *",
- "struct shmfd *");
+MAC_CHECK_PROBE_DEFINE3(posixshm_check_open, "struct ucred *",
+ "struct shmfd *", "accmode_t accmode");
 int
-mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd)
+mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+ accmode_t accmode)
 {
 int error;
 MAC_POLICY_CHECK_NOSLEEP(posixshm_check_open, cred, shmfd,
- shmfd->shm_label);
- MAC_CHECK_PROBE2(posixshm_check_open, error, cred, shmfd);
+ shmfd->shm_label, accmode);
+ MAC_CHECK_PROBE3(posixshm_check_open, error, cred, shmfd, accmode);
 return (error);
 } |
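Review bot: mac_posixshm_check_create() is the only entry point in this file that hands policies a raw `const char *` instead of an object plus its label, and it has no header comment saying so; the sibling hooks all pass shmfd and shmfd->shm_label, so a policy author reading this file gets no guidance on what path is or how long it stays valid. The check runs before any shmfd exists, so the comment should state that path is the name being created and who owns the buffer; if the caller can reach this hook with SHM_ANON rather than a real string, that must be spelled out because policies will naturally compare path with strcmp()/strncmp(). The caller in the shm code is outside this diff, so confirm that before documenting it. Suggested comment above the function: `/* Pre-creation check: no shmfd or label exists yet; path is the name the caller asked to create. */`.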
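Review bot: The third argument of the new MAC_CHECK_PROBE_DEFINE3(posixshm_check_open, ...) is written as `"accmode_t accmode"`, which embeds the parameter name in what every other MAC_CHECK_PROBE_DEFINE in this file gives as a bare type name (`"struct ucred *"`, `"struct shmfd *"`, `"int"`). These strings are the DTrace SDT argument types, so the extra word makes the probe inconsistent with its siblings and likely unusable for type-based argument decoding; change the line to `"struct shmfd *", "accmode_t");`. The rest of the hunk (passing accmode through MAC_POLICY_CHECK_NOSLEEP and MAC_CHECK_PROBE3) is consistent with the header changes in this commit.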