From 3c6157dcec8563160d0e3361149672558f3eee89 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Fri, 2 Sep 2011 17:40:39 +0000
Subject: Correct several issues in the integration of POSIX shared memory objects and the new setmode and setowner fileops in FreeBSD 9.0:
- Add new MAC Framework entry point mac_posixshm_check_create() to allow MAC policies to authorise shared memory use. Provide a stub policy and test policy templates.
- Add missing Biba and MLS implementations of mac_posixshm_check_setmode() and mac_posixshm_check_setowner().
- Add 'accmode' argument to mac_posixshm_check_open() -- unlike the mac_posixsem_check_open() entry point it was modeled on, the access mode is required as shared memory access can be read-only as well as writable; this isn't true of POSIX semaphores.
- Implement full range of POSIX shared memory entry points for Biba and MLS.
Sponsored by: Google Inc.
Obtained from: TrustedBSD Project
Approved by: re (kib)
---
 sys/security/mac_mls/mac_mls.c | 207 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 206 insertions(+), 1 deletion(-)
(limited to 'sys/security/mac_mls/mac_mls.c')
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index d41799d..b68790d 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -14,6 +14,9 @@
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -1532,6 +1535,42 @@ mls_posixsem_check_rdonly(struct ucred *active_cred, struct ucred *file_cred,
 }
 
 static int
+mls_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
+    struct label *shmlabel, mode_t mode)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
+    struct label *shmlabel, uid_t uid, gid_t gid)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
 mls_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
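Review bot: The new mls_posixsem_check_setmode and mls_posixsem_check_setowner carry no comment saying why the dominance test runs as `mls_dominate_effective(obj, subj)` (the same direction as mls_posixsem_check_write) or why `ks`, `mode`, `uid` and `gid` play no part in the decision. A short header on each, such as `/* Changing mode or owner modifies the object, so the MLS write rule applies: the object must dominate the subject. The requested values do not affect the decision. */`, would let a reader verify the policy without cross-referencing the write check. The unused parameters are presumably dictated by the mpo_* entry-point signatures rather than an oversight.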
@@ -1562,6 +1601,159 @@ mls_posixsem_create(struct ucred *cred, struct ksem *ks,
 }
 
 static int
+mls_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, int prot, int flags)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
+		if (!mls_dominate_effective(subj, obj))
+			return (EACCES);
+	}
+	if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
+		if (!mls_dominate_effective(obj, subj))
+			return (EACCES);
+	}
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, accmode_t accmode)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
+		if (!mls_dominate_effective(subj, obj))
+			return (EACCES);
+	}
+	if (accmode & VMODIFY_PERMS) {
+		if (!mls_dominate_effective(obj, subj))
+			return (EACCES);
+	}
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, mode_t mode)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, uid_t uid, gid_t gid)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
+    struct shmfd *shmfd, struct label *shmlabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(active_cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_truncate(struct ucred *active_cred,
+    struct ucred *file_cred, struct shmfd *shmfd, struct label *shmlabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(active_cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static void
+mls_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(cred->cr_label);
+	dest = SLOT(shmlabel);
+
+	mls_copy_effective(source, dest);
+}
+
+static int
 mls_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	struct mac_mls *subj, *obj;
@@ -3075,6 +3267,8 @@ static struct mac_policy_ops mls_ops =
 	.mpo_posixsem_check_getvalue = mls_posixsem_check_rdonly,
 	.mpo_posixsem_check_open = mls_posixsem_check_openunlink,
 	.mpo_posixsem_check_post = mls_posixsem_check_write,
+	.mpo_posixsem_check_setmode = mls_posixsem_check_setmode,
+	.mpo_posixsem_check_setowner = mls_posixsem_check_setowner,
 	.mpo_posixsem_check_stat = mls_posixsem_check_rdonly,
 	.mpo_posixsem_check_unlink = mls_posixsem_check_openunlink,
 	.mpo_posixsem_check_wait = mls_posixsem_check_write,
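Review bot: mls_posixshm_check_open assigns `subj = SLOT(cred->cr_label);` and `obj = SLOT(shmlabel);` twice in a row; the second pair is harmless but reads as a copy-editing leftover and should be deleted. In mls_posixshm_check_mmap the `VM_PROT_WRITE` branch is gated on `MAP_SHARED`, so a private writable mapping is admitted on the read rule alone; this appears to mirror the vnode mmap check, and a one-line comment such as `/* A private writable mapping never writes back to the object, so only the read rule applies. */` would record that the asymmetry is intentional. The hunk's trailing context is the opening of mls_proc_check_debug, whose body continues outside the hunk.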
@@ -3082,6 +3276,17 @@ static struct mac_policy_ops mls_ops =
 	.mpo_posixsem_destroy_label = mls_destroy_label,
 	.mpo_posixsem_init_label = mls_init_label,
 
+	.mpo_posixshm_check_mmap = mls_posixshm_check_mmap,
+	.mpo_posixshm_check_open = mls_posixshm_check_open,
+	.mpo_posixshm_check_setmode = mls_posixshm_check_setmode,
+	.mpo_posixshm_check_setowner = mls_posixshm_check_setowner,
+	.mpo_posixshm_check_stat = mls_posixshm_check_stat,
+	.mpo_posixshm_check_truncate = mls_posixshm_check_truncate,
+	.mpo_posixshm_check_unlink = mls_posixshm_check_unlink,
+	.mpo_posixshm_create = mls_posixshm_create,
+	.mpo_posixshm_destroy_label = mls_destroy_label,
+	.mpo_posixshm_init_label = mls_init_label,
+
 	.mpo_proc_check_debug = mls_proc_check_debug,
 	.mpo_proc_check_sched = mls_proc_check_sched,
 	.mpo_proc_check_signal = mls_proc_check_signal,
-- 
cgit v1.1
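Review bot: The commit message introduces a mac_posixshm_check_create() entry point, but this mls_ops block registers no `.mpo_posixshm_check_create` handler, so the MLS policy places no constraint of its own on object creation. If that is deliberate (mls_posixshm_create simply copies the creator's effective label into the new object, so there is nothing to compare at creation time), a comment above the posixshm entries such as `/* No check_create: a new object takes the creator's effective label. */` would record it; if it is not, a handler is missing from both this table and the function hunk above.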