diff options
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_framework.h | 11 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 19 | ||||
-rw-r--r-- | sys/security/mac/mac_posix_sem.c | 30 | ||||
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 31 | ||||
-rw-r--r-- | sys/security/mac_mls/mac_mls.c | 31 | ||||
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 21 | ||||
-rw-r--r-- | sys/security/mac_test/mac_test.c | 35 |
7 files changed, 136 insertions, 42 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index c68d2d1..2a8b00c 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -189,11 +189,16 @@ void mac_pipe_init(struct pipepair *); int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, struct label *label); -int mac_posixsem_check_getvalue(struct ucred *cred,struct ksem *ks); +int mac_posixsem_check_getvalue(struct ucred *active_cred, + struct ucred *file_cred, struct ksem *ks); int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks); -int mac_posixsem_check_post(struct ucred *cred, struct ksem *ks); +int mac_posixsem_check_post(struct ucred *active_cred, + struct ucred *file_cred, struct ksem *ks); +int mac_posixsem_check_stat(struct ucred *active_cred, + struct ucred *file_cred, struct ksem *ks); int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks); -int mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks); +int mac_posixsem_check_wait(struct ucred *active_cred, + struct ucred *file_cred, struct ksem *ks); void mac_posixsem_create(struct ucred *cred, struct ksem *ks); void mac_posixsem_destroy(struct ksem *); void mac_posixsem_init(struct ksem *); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index f0fa755..532ca24 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -288,16 +288,22 @@ typedef int (*mpo_pipe_internalize_label_t)(struct label *label, typedef void (*mpo_pipe_relabel_t)(struct ucred *cred, struct pipepair *pp, struct label *oldlabel, struct label *newlabel); -typedef int (*mpo_posixsem_check_getvalue_t)(struct ucred *cred, - struct ksem *ks, struct label *kslabel); +typedef int (*mpo_posixsem_check_getvalue_t)(struct ucred *active_cred, + struct ucred *file_cred, struct ksem *ks, + struct label *kslabel); typedef int (*mpo_posixsem_check_open_t)(struct ucred *cred, struct ksem *ks, struct label *kslabel); -typedef int (*mpo_posixsem_check_post_t)(struct ucred *cred, - struct ksem *ks, struct label *kslabel); +typedef int (*mpo_posixsem_check_post_t)(struct ucred *active_cred, + struct ucred *file_cred, struct ksem *ks, + struct label *kslabel); +typedef int (*mpo_posixsem_check_stat_t)(struct ucred *active_cred, + struct ucred *file_cred, struct ksem *ks, + struct label *kslabel); typedef int (*mpo_posixsem_check_unlink_t)(struct ucred *cred, struct ksem *ks, struct label *kslabel); -typedef int (*mpo_posixsem_check_wait_t)(struct ucred *cred, - struct ksem *ks, struct label *kslabel); +typedef int (*mpo_posixsem_check_wait_t)(struct ucred *active_cred, + struct ucred *file_cred, struct ksem *ks, + struct label *kslabel); typedef void (*mpo_posixsem_create_t)(struct ucred *cred, struct ksem *ks, struct label *kslabel); typedef void (*mpo_posixsem_destroy_label_t)(struct label *label); @@ -742,6 +748,7 @@ struct mac_policy_ops { mpo_posixsem_check_getvalue_t mpo_posixsem_check_getvalue; mpo_posixsem_check_open_t mpo_posixsem_check_open; mpo_posixsem_check_post_t mpo_posixsem_check_post; + mpo_posixsem_check_stat_t mpo_posixsem_check_stat; mpo_posixsem_check_unlink_t mpo_posixsem_check_unlink; mpo_posixsem_check_wait_t mpo_posixsem_check_wait; mpo_posixsem_create_t mpo_posixsem_create; diff --git a/sys/security/mac/mac_posix_sem.c b/sys/security/mac/mac_posix_sem.c index 68fb56c..2296afe 100644 --- a/sys/security/mac/mac_posix_sem.c +++ b/sys/security/mac/mac_posix_sem.c @@ -101,21 +101,37 @@ mac_posixsem_check_open(struct ucred *cred, struct ksem *ks) } int -mac_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks) +mac_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks) { int error; - MAC_CHECK(posixsem_check_getvalue, cred, ks, ks->ks_label); + MAC_CHECK(posixsem_check_getvalue, active_cred, file_cred, ks, + ks->ks_label); return (error); } int -mac_posixsem_check_post(struct ucred *cred, struct ksem *ks) +mac_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks) { int error; - MAC_CHECK(posixsem_check_post, cred, ks, ks->ks_label); + MAC_CHECK(posixsem_check_post, active_cred, file_cred, ks, + ks->ks_label); + + return (error); +} + +int +mac_posixsem_check_stat(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks) +{ + int error; + + MAC_CHECK(posixsem_check_stat, active_cred, file_cred, ks, + ks->ks_label); return (error); } @@ -131,11 +147,13 @@ mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks) } int -mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks) +mac_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks) { int error; - MAC_CHECK(posixsem_check_wait, cred, ks, ks->ks_label); + MAC_CHECK(posixsem_check_wait, active_cred, file_cred, ks, + ks->ks_label); return (error); } diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 4c0c85b..960591c 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1504,7 +1504,7 @@ biba_pipe_relabel(struct ucred *cred, struct pipepair *pp, } static int -biba_posixsem_check_write(struct ucred *cred, struct ksem *ks, +biba_posixsem_check_openunlink(struct ucred *cred, struct ksem *ks, struct label *kslabel) { struct mac_biba *subj, *obj; @@ -1522,15 +1522,33 @@ biba_posixsem_check_write(struct ucred *cred, struct ksem *ks, } static int -biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks, - struct label *kslabel) +biba_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks, struct label *kslabel) { struct mac_biba *subj, *obj; if (!biba_enabled) return (0); - subj = SLOT(cred->cr_label); + subj = SLOT(active_cred->cr_label); + obj = SLOT(kslabel); + + if (!biba_dominate_effective(subj, obj)) + return (EACCES); + + return (0); +} + +static int +biba_posixsem_check_rdonly(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks, struct label *kslabel) +{ + struct mac_biba *subj, *obj; + + if (!biba_enabled) + return (0); + + subj = SLOT(active_cred->cr_label); obj = SLOT(kslabel); if (!biba_dominate_effective(obj, subj)) @@ -3335,9 +3353,10 @@ static struct mac_policy_ops mac_biba_ops = .mpo_pipe_relabel = biba_pipe_relabel, .mpo_posixsem_check_getvalue = biba_posixsem_check_rdonly, - .mpo_posixsem_check_open = biba_posixsem_check_write, + .mpo_posixsem_check_open = biba_posixsem_check_openunlink, .mpo_posixsem_check_post = biba_posixsem_check_write, - .mpo_posixsem_check_unlink = biba_posixsem_check_write, + .mpo_posixsem_check_stat = biba_posixsem_check_rdonly, + .mpo_posixsem_check_unlink = biba_posixsem_check_openunlink, .mpo_posixsem_check_wait = biba_posixsem_check_write, .mpo_posixsem_create = biba_posixsem_create, .mpo_posixsem_destroy_label = biba_destroy_label, diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index cff9d88..34c618c 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -1400,7 +1400,7 @@ mls_pipe_relabel(struct ucred *cred, struct pipepair *pp, } static int -mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks, +mls_posixsem_check_openunlink(struct ucred *cred, struct ksem *ks, struct label *kslabel) { struct mac_mls *subj, *obj; @@ -1411,6 +1411,24 @@ mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks, subj = SLOT(cred->cr_label); obj = SLOT(kslabel); + if (!mls_dominate_effective(obj, subj)) + return (EACCES); + + return (0); +} + +static int +mls_posixsem_check_rdonly(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks, struct label *kslabel) +{ + struct mac_mls *subj, *obj; + + if (!mls_enabled) + return (0); + + subj = SLOT(active_cred->cr_label); + obj = SLOT(kslabel); + if (!mls_dominate_effective(subj, obj)) return (EACCES); @@ -1418,15 +1436,15 @@ mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks, } static int -mls_posixsem_check_write(struct ucred *cred, struct ksem *ks, - struct label *kslabel) +mls_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks, struct label *kslabel) { struct mac_mls *subj, *obj; if (!mls_enabled) return (0); - subj = SLOT(cred->cr_label); + subj = SLOT(active_cred->cr_label); obj = SLOT(kslabel); if (!mls_dominate_effective(obj, subj)) @@ -2958,9 +2976,10 @@ static struct mac_policy_ops mls_ops = .mpo_pipe_relabel = mls_pipe_relabel, .mpo_posixsem_check_getvalue = mls_posixsem_check_rdonly, - .mpo_posixsem_check_open = mls_posixsem_check_write, + .mpo_posixsem_check_open = mls_posixsem_check_openunlink, .mpo_posixsem_check_post = mls_posixsem_check_write, - .mpo_posixsem_check_unlink = mls_posixsem_check_write, + .mpo_posixsem_check_stat = mls_posixsem_check_rdonly, + .mpo_posixsem_check_unlink = mls_posixsem_check_openunlink, .mpo_posixsem_check_wait = mls_posixsem_check_write, .mpo_posixsem_create = mls_posixsem_create, .mpo_posixsem_destroy_label = mls_destroy_label, diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 34f5cad..36339b5 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -523,8 +523,8 @@ stub_pipe_relabel(struct ucred *cred, struct pipepair *pp, } static int -stub_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks, - struct label *kslabel) +stub_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks, struct label *kslabel) { return (0); @@ -539,8 +539,16 @@ stub_posixsem_check_open(struct ucred *cred, struct ksem *ks, } static int -stub_posixsem_check_post(struct ucred *cred, struct ksem *ks, - struct label *kslabel) +stub_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks, struct label *kslabel) +{ + + return (0); +} + +static int +stub_posixsem_check_stat(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks, struct label *kslabel) { return (0); @@ -555,8 +563,8 @@ stub_posixsem_check_unlink(struct ucred *cred, struct ksem *ks, } static int -stub_posixsem_check_wait(struct ucred *cred, struct ksem *ks, - struct label *kslabel) +stub_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks, struct label *kslabel) { return (0); @@ -1582,6 +1590,7 @@ static struct mac_policy_ops stub_ops = .mpo_posixsem_check_getvalue = stub_posixsem_check_getvalue, .mpo_posixsem_check_open = stub_posixsem_check_open, .mpo_posixsem_check_post = stub_posixsem_check_post, + .mpo_posixsem_check_stat = stub_posixsem_check_stat, .mpo_posixsem_check_unlink = stub_posixsem_check_unlink, .mpo_posixsem_check_wait = stub_posixsem_check_wait, .mpo_posixsem_create = stub_posixsem_create, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index c25e937..5e788b9 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1012,11 +1012,12 @@ test_pipe_relabel(struct ucred *cred, struct pipepair *pp, COUNTER_DECL(posixsem_check_getvalue); static int -test_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks, - struct label *kslabel) +test_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks, struct label *kslabel) { - LABEL_CHECK(cred->cr_label, MAGIC_CRED); + LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); + LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); COUNTER_INC(posixsem_check_getvalue); @@ -1038,17 +1039,31 @@ test_posixsem_check_open(struct ucred *cred, struct ksem *ks, COUNTER_DECL(posixsem_check_post); static int -test_posixsem_check_post(struct ucred *cred, struct ksem *ks, - struct label *kslabel) +test_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks, struct label *kslabel) { - LABEL_CHECK(cred->cr_label, MAGIC_CRED); + LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); + LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); COUNTER_INC(posixsem_check_post); return (0); } +COUNTER_DECL(posixsem_check_stat); +static int +test_posixsem_check_stat(struct ucred *active_cred, + struct ucred *file_cred, struct ksem *ks, struct label *kslabel) +{ + + LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); + LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); + LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); + COUNTER_INC(posixsem_check_stat); + return (0); +} + COUNTER_DECL(posixsem_check_unlink); static int test_posixsem_check_unlink(struct ucred *cred, struct ksem *ks, @@ -1064,11 +1079,12 @@ test_posixsem_check_unlink(struct ucred *cred, struct ksem *ks, COUNTER_DECL(posixsem_check_wait); static int -test_posixsem_check_wait(struct ucred *cred, struct ksem *ks, - struct label *kslabel) +test_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred, + struct ksem *ks, struct label *kslabel) { - LABEL_CHECK(cred->cr_label, MAGIC_CRED); + LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); + LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); COUNTER_INC(posixsem_check_wait); @@ -2881,6 +2897,7 @@ static struct mac_policy_ops test_ops = .mpo_posixsem_check_getvalue = test_posixsem_check_getvalue, .mpo_posixsem_check_open = test_posixsem_check_open, .mpo_posixsem_check_post = test_posixsem_check_post, + .mpo_posixsem_check_stat = test_posixsem_check_stat, .mpo_posixsem_check_unlink = test_posixsem_check_unlink, .mpo_posixsem_check_wait = test_posixsem_check_wait, .mpo_posixsem_create = test_posixsem_create, |