Diffstat (limited to 'sys/security/mac_mls/mac_mls.c')
-rw-r--r--sys/security/mac_mls/mac_mls.c84
1 files changed, 66 insertions, 18 deletions
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 4dca581..a61dd60 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1247,8 +1247,8 @@ mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
}
static int
-mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, int op)
+mac_mls_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
{
struct mac_mls *subj, *obj;
@@ -1258,20 +1258,26 @@ mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe,
subj = SLOT(&cred->cr_label);
obj = SLOT((pipelabel));
- switch(op) {
- case MAC_OP_PIPE_READ:
- case MAC_OP_PIPE_STAT:
- case MAC_OP_PIPE_POLL:
- if (!mac_mls_dominate_single(subj, obj))
- return (EACCES);
- break;
- case MAC_OP_PIPE_WRITE:
- if (!mac_mls_dominate_single(obj, subj))
- return (EACCES);
- break;
- default:
- panic("mac_mls_check_pipe_op: invalid pipe operation");
- }
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_mls_check_pipe_read(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
return (0);
}
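Review bot: The split loses the one place that showed poll, read and stat are the same information flow. The old switch grouped the three cases, whereas mac_mls_check_pipe_poll and mac_mls_check_pipe_read here (and mac_mls_check_pipe_stat in the next hunk) each repeat `mac_mls_dominate_single(subj, obj)` with no comment. I would put a one-line comment above each test, e.g. `/* Observing pipe state is a read-type flow: the subject must dominate the object. */`, or move the shared body into one static helper so the rule is stated once. The opening of mac_mls_check_pipe_poll, including whatever mac_mls_enabled test it has, sits between this hunk and the previous one and is not visible here.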
@@ -1311,6 +1317,42 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
}
static int
+mac_mls_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_mls_check_pipe_write(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc)
{
struct mac_mls *subj, *obj;
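Review bot: In mac_mls_check_pipe_write the only thing separating the write rule from the read-type checks is the swapped argument order in `mac_mls_dominate_single(obj, subj)`, and nothing marks that as intentional. A later copy-paste or "cleanup" that normalises the order would silently turn the no-write-down rule into another read check and allow a high subject to write into a lower-labelled pipe. A comment directly above the test, such as `/* Write: the object label must dominate the subject (no write down). */`, makes the direction reviewable. The old switch at least kept the two directions side by side; the separate functions no longer do.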
@@ -2126,10 +2168,16 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_check_mount_stat },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_mls_check_pipe_ioctl },
- { MAC_CHECK_PIPE_OP,
- (macop_t)mac_mls_check_pipe_op },
+ { MAC_CHECK_PIPE_POLL,
+ (macop_t)mac_mls_check_pipe_poll },
+ { MAC_CHECK_PIPE_READ,
+ (macop_t)mac_mls_check_pipe_read },
{ MAC_CHECK_PIPE_RELABEL,
(macop_t)mac_mls_check_pipe_relabel },
+ { MAC_CHECK_PIPE_STAT,
+ (macop_t)mac_mls_check_pipe_stat },
+ { MAC_CHECK_PIPE_WRITE,
+ (macop_t)mac_mls_check_pipe_write },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_mls_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,
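Review bot: Each new entry is cast to `macop_t`, so the compiler cannot flag a mismatch between these three-argument functions and whatever arguments the framework passes for MAC_CHECK_PIPE_POLL, MAC_CHECK_PIPE_READ, MAC_CHECK_PIPE_STAT and MAC_CHECK_PIPE_WRITE. Since this commit drops the `int op` parameter, it is worth confirming that the framework's entry-point declarations and call sites changed in step; the diffstat shown is limited to this file, so that cannot be checked from here. A short comment at the top of the table stating that signatures are not type-checked through the cast would help the next person who changes an entry point. The table itself starts and ends outside this hunk.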