==== //depot/user/hdandeka/rishi_SystemVIPC/sys/kern/kern_mac.c#19 - /home/rwatson/p4/rishi_SystemVIPC/sys/kern/kern_mac.c ==== @@ -177,7 +177,7 @@ static int mac_enforce_sysv = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW, - &mac_enforce_sysv, 0, "Enforce MAC policy on SystemV ipc system objects"); + &mac_enforce_sysv, 0, "Enforce MAC policy on System V IPC objects"); TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv); static int mac_enforce_vm = 1; @@ -189,6 +189,7 @@ SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW, &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " "relabel"); + static int mac_mmap_revocation_via_cow = 1; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " @@ -845,31 +846,33 @@ void mac_init_ipc_msgmsg(struct msg *msgptr) { - mac_init_label(&msgptr->label); - MAC_PERFORM(init_ipc_msgmsg_label, &msgptr->label); + + mac_init_label(&msgptr->label); + MAC_PERFORM(init_ipc_msgmsg_label, &msgptr->label); } void mac_init_ipc_msgqueue(struct msqid_kernel *msqkptr) { - mac_init_label(&msqkptr->label); - MAC_PERFORM(init_ipc_msgqueue_label, &msqkptr->label); + + mac_init_label(&msqkptr->label); + MAC_PERFORM(init_ipc_msgqueue_label, &msqkptr->label); } void mac_init_ipc_sema(struct semid_kernel *semakptr) { - mac_init_label(&semakptr->label); - MAC_PERFORM(init_ipc_sema_label, &semakptr->label); + mac_init_label(&semakptr->label); + MAC_PERFORM(init_ipc_sema_label, &semakptr->label); } void mac_init_ipc_shm(struct shmid_kernel *shmsegptr) { - mac_init_label(&shmsegptr->label); - MAC_PERFORM(init_ipc_shm_label, &shmsegptr->label); + mac_init_label(&shmsegptr->label); + MAC_PERFORM(init_ipc_shm_label, &shmsegptr->label); } int 
@@ -1146,8 +1149,8 @@ mac_destroy_ipc_shm(struct shmid_kernel *shmsegptr) { - MAC_PERFORM(destroy_ipc_shm_label, &shmsegptr->label); - mac_destroy_label(&shmsegptr->label); + MAC_PERFORM(destroy_ipc_shm_label, &shmsegptr->label); + mac_destroy_label(&shmsegptr->label); } void @@ -2591,6 +2594,7 @@ void mac_cleanup_ipc_msgmsg(struct msg *msgptr) { + MAC_PERFORM(cleanup_ipc_msgmsg, &msgptr->label); } 
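Review bot: The added `MAC_PERFORM(cleanup_ipc_msgmsg, &msgptr->label)` is the only cleanup entry point this diff shows wired to the policies, while the biba, lomac and mls files also define `cleanup_ipc_msgqueue`, `cleanup_ipc_sema` and `cleanup_ipc_shm`; whether `mac_cleanup_ipc_msgqueue`, `mac_cleanup_ipc_sema` and `mac_cleanup_ipc_shm` received the same call is outside this hunk and worth confirming. The policy ops tables in this diff show `mpo_init_ipc_*`, `mpo_destroy_ipc_*`, `mpo_create_ipc_*` and `mpo_check_ipc_*` entries but no `mpo_cleanup_ipc_*` entries in the visible ranges; if those are not registered, the `bzero` cleanup functions never run and, should these kernel structures be recycled, a reused IPC object keeps the label of its previous use. A comment on this function, e.g. `/* Flush the label so a recycled msg does not carry stale policy state; not gated on mac_enforce_sysv, like init/destroy. */`, would document why cleanup is unconditional.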
@@ -2675,209 +2679,205 @@ mac_check_ipc_msgmsq(struct ucred *cred, struct msg *msgptr, struct msqid_kernel *msqkptr) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &msqkptr->label ?? - MAC_CHECK(check_ipc_msgmsq, cred, msgptr, msqkptr); + //XXX: Should we also pass &msqkptr->label ?? + MAC_CHECK(check_ipc_msgmsq, cred, msgptr, msqkptr); - - return(error); + return(error); } int mac_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &msqkptr->label ?? - MAC_CHECK(check_ipc_msgrcv, cred, msgptr); + //XXX: Should we also pass &msqkptr->label ?? + MAC_CHECK(check_ipc_msgrcv, cred, msgptr); - - return(error); + return(error); } int mac_check_ipc_msgrmid(struct ucred *cred, struct msg *msgptr) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &msqkptr->label ?? - MAC_CHECK(check_ipc_msgrmid, cred, msgptr); + //XXX: Should we also pass &msqkptr->label ?? + MAC_CHECK(check_ipc_msgrmid, cred, msgptr); - - return(error); + return(error); } int mac_check_ipc_msqget(struct ucred *cred, struct msqid_kernel *msqkptr) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &msqkptr->label ?? - MAC_CHECK(check_ipc_msqget, cred, msqkptr); + //XXX: Should we also pass &msqkptr->label ?? + MAC_CHECK(check_ipc_msqget, cred, msqkptr); - - return(error); + return(error); } int mac_check_ipc_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &msqkptr->label ?? - MAC_CHECK(check_ipc_msqsnd, cred, msqkptr); + //XXX: Should we also pass &msqkptr->label ?? 
+ MAC_CHECK(check_ipc_msqsnd, cred, msqkptr); - return(error); + return(error); } int mac_check_ipc_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &msqkptr->label ?? - MAC_CHECK(check_ipc_msqrcv, cred, msqkptr); + //XXX: Should we also pass &msqkptr->label ?? + MAC_CHECK(check_ipc_msqrcv, cred, msqkptr); - return(error); + return(error); } int -mac_check_ipc_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, int cmd) +mac_check_ipc_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, + int cmd) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &msqkptr->label ?? - MAC_CHECK(check_ipc_msqctl, cred, msqkptr, cmd); + //XXX: Should we also pass &msqkptr->label ?? + MAC_CHECK(check_ipc_msqctl, cred, msqkptr, cmd); - return(error); + return(error); } int -mac_check_ipc_semctl(struct ucred *cred, struct semid_kernel *semakptr, int cmd) +mac_check_ipc_semctl(struct ucred *cred, struct semid_kernel *semakptr, + int cmd) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &semakptr->label ?? - MAC_CHECK(check_ipc_semctl, cred, semakptr, cmd); + //XXX: Should we also pass &semakptr->label ?? + MAC_CHECK(check_ipc_semctl, cred, semakptr, cmd); - - return(error); + return(error); } int mac_check_ipc_semget(struct ucred *cred, struct semid_kernel *semakptr) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &semakptr->label ?? - MAC_CHECK(check_ipc_semget, cred, semakptr); + //XXX: Should we also pass &semakptr->label ?? 
+ MAC_CHECK(check_ipc_semget, cred, semakptr); - return(error); + return(error); } int -mac_check_ipc_semop(struct ucred *cred, struct semid_kernel *semakptr, - size_t accesstype) +mac_check_ipc_semop(struct ucred *cred, struct semid_kernel *semakptr, + size_t accesstype) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &semakptr->label ?? - MAC_CHECK(check_ipc_semop, cred, semakptr, accesstype); + //XXX: Should we also pass &semakptr->label ?? + MAC_CHECK(check_ipc_semop, cred, semakptr, accesstype); - return(error); + return(error); } int mac_check_ipc_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, - int shmflg) + int shmflg) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &shmsegptr->label ?? - MAC_CHECK(check_ipc_shmat, cred, shmsegptr, shmflg); + //XXX: Should we also pass &shmsegptr->label ?? + MAC_CHECK(check_ipc_shmat, cred, shmsegptr, shmflg); - return(error); + return(error); } int mac_check_ipc_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, - int cmd) + int cmd) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &shmsegptr->label ?? - MAC_CHECK(check_ipc_shmctl, cred, shmsegptr, cmd); + //XXX: Should we also pass &shmsegptr->label ?? + MAC_CHECK(check_ipc_shmctl, cred, shmsegptr, cmd); - return(error); + return(error); } int mac_check_ipc_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &shmsegptr->label ?? - MAC_CHECK(check_ipc_shmdt, cred, shmsegptr); + //XXX: Should we also pass &shmsegptr->label ?? 
+ MAC_CHECK(check_ipc_shmdt, cred, shmsegptr); - return(error); + return(error); } int mac_check_ipc_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, - int shmflg) + int shmflg) { - int error; + int error; - if (!mac_enforce_sysv) - return (0); + if (!mac_enforce_sysv) + return (0); - //XXX: Should we also pass &shmsegptr->label ?? - MAC_CHECK(check_ipc_shmget, cred, shmsegptr, shmflg); + //XXX: Should we also pass &shmsegptr->label ?? + MAC_CHECK(check_ipc_shmget, cred, shmsegptr, shmflg); - return(error); + return(error); } - int mac_check_kenv_dump(struct ucred *cred) { ==== //depot/user/hdandeka/rishi_SystemVIPC/sys/security/mac_biba/mac_biba.c#7 - /home/rwatson/p4/rishi_SystemVIPC/sys/security/mac_biba/mac_biba.c ==== @@ -1160,7 +1160,7 @@ static void mac_biba_create_ipc_msgmsg(struct ucred *cred, struct msg *msgptr, - struct label *msglabel) + struct label *msglabel) { struct mac_biba *source, *dest; @@ -1168,11 +1168,11 @@ dest = SLOT(msglabel); mac_biba_copy_single(source, dest); -} +} -static void +static void mac_biba_create_ipc_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqlabel) + struct label *msqlabel) { struct mac_biba *source, *dest; @@ -1184,7 +1184,7 @@ static void mac_biba_create_ipc_sema(struct ucred *cred, struct semid_kernel *semakptr, - struct label *semalabel) + struct label *semalabel) { struct mac_biba *source, *dest; @@ -1196,7 +1196,7 @@ static void mac_biba_create_ipc_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, - struct label *shmlabel) + struct label *shmlabel) { struct mac_biba *source, *dest; 
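Review bot: The `//XXX: Should we also pass &msqkptr->label ??` comments were carried over into the new code unchanged, and in `mac_check_ipc_msgrcv` and `mac_check_ipc_msgrmid` they name `msqkptr`, which is not a parameter of those functions (`msgptr` is), so they read as copy-pasted. The underlying question deserves a decision rather than a restyle: every `MAC_CHECK` here hands the policy the kernel object (`msgptr`, `msqkptr`, `semakptr`, `shmsegptr`) and the policies then reach into `->label` via `SLOT`, whereas the create hooks elsewhere in this diff pass the `struct label *` separately; passing the label keeps policy modules independent of the IPC structure layout. If the question is to stay open, the kernel-style form is `/* XXX: ... */` and each note should name the object the function actually receives. `return(error);` should also be `return (error);` to match the surrounding file.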
@@ -1485,28 +1485,31 @@ /* * Label cleanup/flush operations */ -static void +static void mac_biba_cleanup_ipc_msgmsg(struct label *msglabel) { - bzero(SLOT(msglabel), sizeof(struct mac_biba)); + + bzero(SLOT(msglabel), sizeof(struct mac_biba)); } -static void +static void mac_biba_cleanup_ipc_msgqueue(struct label *msqlabel) { - bzero(SLOT(msqlabel), sizeof(struct mac_biba)); + + bzero(SLOT(msqlabel), sizeof(struct mac_biba)); } -static void +static void mac_biba_cleanup_ipc_sema(struct label *semalabel) { - bzero(SLOT(semalabel), sizeof(struct mac_biba)); + + bzero(SLOT(semalabel), sizeof(struct mac_biba)); } -static void +static void mac_biba_cleanup_ipc_shm(struct label *shmlabel) { - bzero(SLOT(shmlabel), sizeof(struct mac_biba)); + bzero(SLOT(shmlabel), sizeof(struct mac_biba)); } /* @@ -1671,11 +1674,9 @@ return (mac_biba_single_in_range(p, i) ? 0 : EACCES); } - static int mac_biba_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr) -{ - +{ struct mac_biba *subj, *obj; if (!mac_biba_enabled) @@ -1692,8 +1693,7 @@ static int mac_biba_check_ipc_msgrmid(struct ucred *cred, struct msg *msgptr) -{ - +{ struct mac_biba *subj, *obj; if (!mac_biba_enabled) @@ -1725,7 +1725,6 @@ return (0); } - static int mac_biba_check_ipc_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr) { @@ -1763,7 +1762,7 @@ static int mac_biba_check_ipc_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, - int cmd) + int cmd) { struct mac_biba *subj, *obj; 
@@ -1772,25 +1771,29 @@ subj = SLOT(&cred->cr_label); obj = SLOT(&msqkptr->label); + switch(cmd) { - case IPC_RMID: - case IPC_SET: - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); - break; - case IPC_STAT: - if (!mac_biba_dominate_single(obj, subj)) - return (EACCES); - break; - default: - return (EACCES); + case IPC_RMID: + case IPC_SET: + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + break; + + case IPC_STAT: + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + break; + + default: + return (EACCES); } + return (0); } static int mac_biba_check_ipc_semctl(struct ucred *cred, struct semid_kernel *semakptr, - int cmd) + int cmd) { struct mac_biba *subj, *obj; @@ -1799,26 +1802,30 @@ subj = SLOT(&cred->cr_label); obj = SLOT(&semakptr->label); + switch(cmd) { - case IPC_RMID: - case IPC_SET: - case SETVAL: - case SETALL: - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); - break; - case IPC_STAT: - case GETVAL: - case GETPID: - case GETNCNT: - case GETZCNT: - case GETALL: - if (!mac_biba_dominate_single(obj, subj)) - return (EACCES); - break; - default: - return (EACCES); + case IPC_RMID: + case IPC_SET: + case SETVAL: + case SETALL: + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + break; + + case IPC_STAT: + case GETVAL: + case GETPID: + case GETNCNT: + case GETZCNT: + case GETALL: + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + break; + + default: + return (EACCES); } + return (0); } @@ -1843,7 +1850,7 @@ static int mac_biba_check_ipc_semop(struct ucred *cred, struct semid_kernel *semakptr, - size_t accesstype) + size_t accesstype) { struct mac_biba *subj, *obj; 
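Review bot: `switch(cmd) {` is left without the space after the keyword in `mac_biba_check_ipc_msqctl` and `mac_biba_check_ipc_semctl`, while the rest of the re-indented switch now follows style(9); `switch (cmd) {` would finish the cleanup. The same form appears in the shmctl hunk of this file and in the corresponding msqctl/semctl/shmctl hunks of mac_lomac.c and mac_mls.c. The `default: return (EACCES);` arm is the right fail-closed choice for an unrecognised control command; a one-line comment such as `/* Unknown cmd: deny rather than guess its access mode. */` would keep a later maintainer from changing it to `break`.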
@@ -1853,21 +1860,20 @@ subj = SLOT(&cred->cr_label); obj = SLOT(&semakptr->label); - if( accesstype & SEM_R ) + if (accesstype & SEM_R) if (!mac_biba_dominate_single(obj, subj)) return (EACCES); - if( accesstype & SEM_A ) + if (accesstype & SEM_A) if (!mac_biba_dominate_single(subj, obj)) return (EACCES); return (0); - } static int mac_biba_check_ipc_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, - int shmflg) + int shmflg) { struct mac_biba *subj, *obj; @@ -1878,17 +1884,18 @@ obj = SLOT(&shmsegptr->label); if (!mac_biba_dominate_single(obj, subj)) - return (EACCES); - if ((shmflg & SHM_RDONLY) == 0) + return (EACCES); + if ((shmflg & SHM_RDONLY) == 0) { if (!mac_biba_dominate_single(subj, obj)) return (EACCES); + } return (0); } static int mac_biba_check_ipc_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, - int cmd) + int cmd) { struct mac_biba *subj, *obj; @@ -1897,31 +1904,34 @@ subj = SLOT(&cred->cr_label); obj = SLOT(&shmsegptr->label); + switch(cmd) { - case IPC_RMID: - case IPC_SET: - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); - break; - case IPC_STAT: - case SHM_STAT: - if (!mac_biba_dominate_single(obj, subj)) - return (EACCES); - break; - default: - return (EACCES); + case IPC_RMID: + case IPC_SET: + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + break; + + case IPC_STAT: + case SHM_STAT: + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + break; + + default: + return (EACCES); } + return (0); } #if 0 -/* +/* * TODO: Do we check the integrity of the implicit write access caused - * by the bookkeeping tasks associated with the shmdt call, which may - * modify/delete the shmseg meta-data and/or the shared segment itself? + * by the bookkeeping tasks associated with the shmdt call, which may + * modify/delete the shmseg meta-data and/or the shared segment itself? */ - static int mac_biba_check_ipc_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr) { 
@@ -1942,7 +1952,7 @@ static int mac_biba_check_ipc_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, - int shmflg) + int shmflg) { struct mac_biba *subj, *obj; @@ -3038,9 +3048,9 @@ .mpo_init_devfsdirent_label = mac_biba_init_label, .mpo_init_ifnet_label = mac_biba_init_label, .mpo_init_ipc_msgmsg_label = mac_biba_init_label, - .mpo_init_ipc_msgqueue_label = mac_biba_init_label, - .mpo_init_ipc_sema_label = mac_biba_init_label, - .mpo_init_ipc_shm_label = mac_biba_init_label, + .mpo_init_ipc_msgqueue_label = mac_biba_init_label, + .mpo_init_ipc_sema_label = mac_biba_init_label, + .mpo_init_ipc_shm_label = mac_biba_init_label, .mpo_init_ipq_label = mac_biba_init_label_waitcheck, .mpo_init_mbuf_label = mac_biba_init_label_waitcheck, .mpo_init_mount_label = mac_biba_init_label, @@ -3054,9 +3064,9 @@ .mpo_destroy_devfsdirent_label = mac_biba_destroy_label, .mpo_destroy_ifnet_label = mac_biba_destroy_label, .mpo_destroy_ipc_msgmsg_label = mac_biba_destroy_label, - .mpo_destroy_ipc_msgqueue_label = mac_biba_destroy_label, - .mpo_destroy_ipc_sema_label = mac_biba_destroy_label, - .mpo_destroy_ipc_shm_label = mac_biba_destroy_label, + .mpo_destroy_ipc_msgqueue_label = mac_biba_destroy_label, + .mpo_destroy_ipc_sema_label = mac_biba_destroy_label, + .mpo_destroy_ipc_shm_label = mac_biba_destroy_label, .mpo_destroy_ipq_label = mac_biba_destroy_label, .mpo_destroy_mbuf_label = mac_biba_destroy_label, .mpo_destroy_mount_label = mac_biba_destroy_label, 
@@ -3104,9 +3114,9 @@ .mpo_create_fragment = mac_biba_create_fragment, .mpo_create_ifnet = mac_biba_create_ifnet, .mpo_create_ipc_msgmsg = mac_biba_create_ipc_msgmsg, - .mpo_create_ipc_msgqueue = mac_biba_create_ipc_msgqueue, - .mpo_create_ipc_sema = mac_biba_create_ipc_sema, - .mpo_create_ipc_shm = mac_biba_create_ipc_shm, + .mpo_create_ipc_msgqueue = mac_biba_create_ipc_msgqueue, + .mpo_create_ipc_sema = mac_biba_create_ipc_sema, + .mpo_create_ipc_shm = mac_biba_create_ipc_shm, .mpo_create_ipq = mac_biba_create_ipq, .mpo_create_mbuf_from_mbuf = mac_biba_create_mbuf_from_mbuf, .mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer, 
@@ -3130,19 +3140,19 @@ .mpo_check_cred_visible = mac_biba_check_cred_visible, .mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel, .mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit, - .mpo_check_ipc_msgrcv = mac_biba_check_ipc_msgrcv, + .mpo_check_ipc_msgrcv = mac_biba_check_ipc_msgrcv, .mpo_check_ipc_msgrmid = mac_biba_check_ipc_msgrmid, - .mpo_check_ipc_msqget = mac_biba_check_ipc_msqget, - .mpo_check_ipc_msqsnd = mac_biba_check_ipc_msqsnd, - .mpo_check_ipc_msqrcv = mac_biba_check_ipc_msqrcv, - .mpo_check_ipc_msqctl = mac_biba_check_ipc_msqctl, - .mpo_check_ipc_semctl = mac_biba_check_ipc_semctl, - .mpo_check_ipc_semget = mac_biba_check_ipc_semget, - .mpo_check_ipc_semop = mac_biba_check_ipc_semop, - .mpo_check_ipc_shmat = mac_biba_check_ipc_shmat, - .mpo_check_ipc_shmctl = mac_biba_check_ipc_shmctl, -/* .mpo_check_ipc_shmdt = mac_biba_check_ipc_shmdt, */ - .mpo_check_ipc_shmget = mac_biba_check_ipc_shmget, + .mpo_check_ipc_msqget = mac_biba_check_ipc_msqget, + .mpo_check_ipc_msqsnd = mac_biba_check_ipc_msqsnd, + .mpo_check_ipc_msqrcv = mac_biba_check_ipc_msqrcv, + .mpo_check_ipc_msqctl = mac_biba_check_ipc_msqctl, + .mpo_check_ipc_semctl = mac_biba_check_ipc_semctl, + .mpo_check_ipc_semget = mac_biba_check_ipc_semget, + .mpo_check_ipc_semop = mac_biba_check_ipc_semop, + .mpo_check_ipc_shmat = mac_biba_check_ipc_shmat, + .mpo_check_ipc_shmctl = mac_biba_check_ipc_shmctl, + /* .mpo_check_ipc_shmdt = mac_biba_check_ipc_shmdt, */ + .mpo_check_ipc_shmget = mac_biba_check_ipc_shmget, .mpo_check_kld_load = mac_biba_check_kld_load, .mpo_check_kld_unload = mac_biba_check_kld_unload, .mpo_check_mount_stat = mac_biba_check_mount_stat, ==== //depot/user/hdandeka/rishi_SystemVIPC/sys/security/mac_lomac/mac_lomac.c#4 - /home/rwatson/p4/rishi_SystemVIPC/sys/security/mac_lomac/mac_lomac.c ==== 
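Review bot: The re-aligned Biba ops table keeps `.mpo_check_ipc_shmdt` commented out and, among the visible entries, has no `.mpo_check_ipc_msgmsq` at all, so the framework's `mac_check_ipc_shmdt` and `mac_check_ipc_msgmsq` entry points yield 0 for this policy; the lomac table later in this diff comments out both. That appears deliberate (the `#if 0` shmdt block carries a TODO about the implicit write of detach) but nothing at the table records it; a comment beside the commented entries, e.g. `/* shmdt: not enforced, see TODO at mac_biba_check_ipc_shmdt */`, and a similar one stating why msgmsq is omitted (only if that reasoning holds), would preserve the intent. A commented-out initializer line tends to be deleted silently in a later cleanup, taking the reminder with it.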
@@ -346,7 +346,7 @@ KASSERT((mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0, ("mac_lomac_high_single: mac_lomac not single")); - + return (mac_lomac->ml_single.mle_type == MAC_LOMAC_TYPE_HIGH); } @@ -1229,10 +1229,9 @@ /* * Labeling event operations: System V IPC objects. */ - static void mac_lomac_create_ipc_msgmsg(struct ucred *cred, struct msg *msgptr, - struct label *msglabel) + struct label *msglabel) { struct mac_lomac *source, *dest; @@ -1240,11 +1239,11 @@ dest = SLOT(msglabel); mac_lomac_copy_single(source, dest); -} +} -static void +static void mac_lomac_create_ipc_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqlabel) + struct label *msqlabel) { struct mac_lomac *source, *dest; @@ -1256,7 +1255,7 @@ static void mac_lomac_create_ipc_sema(struct ucred *cred, struct semid_kernel *semakptr, - struct label *semalabel) + struct label *semalabel) { struct mac_lomac *source, *dest; @@ -1268,7 +1267,7 @@ static void mac_lomac_create_ipc_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, - struct label *shmlabel) + struct label *shmlabel) { struct mac_lomac *source, *dest; @@ -1278,7 +1277,6 @@ mac_lomac_copy_single(source, dest); } - /* * Labeling event operations: network objects. */ 
@@ -1627,31 +1625,34 @@ /* * Label cleanup/flush operations */ -static void +static void mac_lomac_cleanup_ipc_msgmsg(struct label *msglabel) { - bzero(SLOT(msglabel), sizeof(struct mac_lomac)); + + bzero(SLOT(msglabel), sizeof(struct mac_lomac)); } -static void +static void mac_lomac_cleanup_ipc_msgqueue(struct label *msqlabel) { - bzero(SLOT(msqlabel), sizeof(struct mac_lomac)); + + bzero(SLOT(msqlabel), sizeof(struct mac_lomac)); } -static void +static void mac_lomac_cleanup_ipc_sema(struct label *semalabel) { - bzero(SLOT(semalabel), sizeof(struct mac_lomac)); + + bzero(SLOT(semalabel), sizeof(struct mac_lomac)); } -static void +static void mac_lomac_cleanup_ipc_shm(struct label *shmlabel) { - bzero(SLOT(shmlabel), sizeof(struct mac_lomac)); + + bzero(SLOT(shmlabel), sizeof(struct mac_lomac)); } - /* * Access control checks. */ @@ -1828,8 +1829,7 @@ static int mac_lomac_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr) -{ - +{ struct mac_lomac *subj, *obj; if (!mac_lomac_enabled) @@ -1846,8 +1846,7 @@ static int mac_lomac_check_ipc_msgrmid(struct ucred *cred, struct msg *msgptr) -{ - +{ struct mac_lomac *subj, *obj; if (!mac_lomac_enabled) @@ -1879,7 +1878,6 @@ return (0); } - static int mac_lomac_check_ipc_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr) { @@ -1914,10 +1912,9 @@ return (0); } - static int mac_lomac_check_ipc_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, - int cmd) + int cmd) { struct mac_lomac *subj, *obj; 
@@ -1926,25 +1923,30 @@ subj = SLOT(&cred->cr_label); obj = SLOT(&msqkptr->label); + switch(cmd) { - case IPC_RMID: - case IPC_SET: - if (!mac_lomac_dominate_single(subj, obj)) - return (EACCES); - break; - case IPC_STAT: - if (!mac_lomac_dominate_single(obj, subj)) - return (maybe_demote(subj, obj, "msqctl", "msg", NULL)); - break; - default: - return (EACCES); + case IPC_RMID: + case IPC_SET: + if (!mac_lomac_dominate_single(subj, obj)) + return (EACCES); + break; + + case IPC_STAT: + if (!mac_lomac_dominate_single(obj, subj)) + return (maybe_demote(subj, obj, "msqctl", "msg", + NULL)); + break; + + default: + return (EACCES); } + return (0); } static int mac_lomac_check_ipc_semctl(struct ucred *cred, struct semid_kernel *semakptr, - int cmd) + int cmd) { struct mac_lomac *subj, *obj; @@ -1953,30 +1955,34 @@ subj = SLOT(&cred->cr_label); obj = SLOT(&semakptr->label); + switch(cmd) { - case IPC_RMID: - case IPC_SET: - case SETVAL: - case SETALL: - if (!mac_lomac_dominate_single(subj, obj)) - return (EACCES); - break; - case IPC_STAT: - case GETVAL: - case GETPID: - case GETNCNT: - case GETZCNT: - case GETALL: - if (!mac_lomac_dominate_single(obj, subj)) - return (maybe_demote(subj, obj, "semctl", "sem", NULL)); - break; - default: - return (EACCES); + case IPC_RMID: + case IPC_SET: + case SETVAL: + case SETALL: + if (!mac_lomac_dominate_single(subj, obj)) + return (EACCES); + break; + + case IPC_STAT: + case GETVAL: + case GETPID: + case GETNCNT: + case GETZCNT: + case GETALL: + if (!mac_lomac_dominate_single(obj, subj)) + return (maybe_demote(subj, obj, "semctl", "sem", + NULL)); + break; + + default: + return (EACCES); } + return (0); } - static int mac_lomac_check_ipc_semget(struct ucred *cred, struct semid_kernel *semakptr) { @@ -1994,10 +2000,9 @@ return (0); } - static int mac_lomac_check_ipc_semop(struct ucred *cred, struct semid_kernel *semakptr, - size_t accesstype) + size_t accesstype) { struct mac_lomac *subj, *obj; 
@@ -2007,21 +2012,23 @@ subj = SLOT(&cred->cr_label); obj = SLOT(&semakptr->label); - if( accesstype & SEM_R ) + if (accesstype & SEM_R) { if (!mac_lomac_dominate_single(obj, subj)) - return (maybe_demote(subj, obj, "semop", "sem", NULL)); + return (maybe_demote(subj, obj, "semop", "sem", + NULL)); + } - if( accesstype & SEM_A ) + if (accesstype & SEM_A) { if (!mac_lomac_dominate_single(subj, obj)) return (EACCES); + } return (0); - } static int mac_lomac_check_ipc_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, - int shmflg) + int shmflg) { struct mac_lomac *subj, *obj; @@ -2032,17 +2039,19 @@ obj = SLOT(&shmsegptr->label); if (!mac_lomac_dominate_single(obj, subj)) - return (maybe_demote(subj, obj, "shmat", "shm", NULL)); - if ((shmflg & SHM_RDONLY) == 0) + return (maybe_demote(subj, obj, "shmat", "shm", + NULL)); + if ((shmflg & SHM_RDONLY) == 0) { if (!mac_lomac_dominate_single(subj, obj)) return (EACCES); + } return (0); } static int mac_lomac_check_ipc_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, - int cmd) + int cmd) { struct mac_lomac *subj, *obj; 
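Review bot: In `mac_lomac_check_ipc_semop` the SEM_R branch now returns `maybe_demote(...)` directly, so when `accesstype` carries both SEM_R and SEM_A and the object does not dominate the subject, the SEM_A test below is never evaluated; assuming `maybe_demote()` returns 0 once it has arranged the demotion, the alter access is granted on the read decision alone. If `mac_lomac_dominate_single` can be false in both directions (incomparable labels), the `subj`-dominates-`obj` write test is the one that would have denied it. `mac_lomac_check_ipc_shmat` in the next hunk has the same shape: a non-`SHM_RDONLY` attach returns the demote result before the write check runs. Capturing the demote result in an `error` local and returning it only after the remaining checks have run would keep the write test in force; `maybe_demote` itself is outside the hunk, so its return contract should be confirmed first.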
@@ -2051,31 +2060,34 @@ subj = SLOT(&cred->cr_label); obj = SLOT(&shmsegptr->label); + switch(cmd) { - case IPC_RMID: - case IPC_SET: - if (!mac_lomac_dominate_single(subj, obj)) - return (EACCES); - break; - case IPC_STAT: - case SHM_STAT: - if (!mac_lomac_dominate_single(obj, subj)) - return (maybe_demote(subj, obj, "shmctl", "shm", NULL)); - break; - default: - return (EACCES); + case IPC_RMID: + case IPC_SET: + if (!mac_lomac_dominate_single(subj, obj)) + return (EACCES); + break; + + case IPC_STAT: + case SHM_STAT: + if (!mac_lomac_dominate_single(obj, subj)) + return (maybe_demote(subj, obj, "shmctl", "shm", + NULL)); + break; + + default: + return (EACCES); } + return (0); } #if 0 - -/* +/* * TODO: Do we check the integrity of the implicit write access caused - * by the bookkeeping tasks associated with the shmdt call, which may - * modify/delete the shmseg meta-data and/or the shared segment itself? + * by the bookkeeping tasks associated with the shmdt call, which may + * modify/delete the shmseg meta-data and/or the shared segment itself? */ - static int mac_lomac_check_ipc_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr) { @@ -2096,7 +2108,7 @@ static int mac_lomac_check_ipc_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, - int shmflg) + int shmflg) { struct mac_lomac *subj, *obj; @@ -2978,9 +2990,9 @@ .mpo_init_devfsdirent_label = mac_lomac_init_label, .mpo_init_ifnet_label = mac_lomac_init_label, .mpo_init_ipc_msgmsg_label = mac_lomac_init_label, - .mpo_init_ipc_msgqueue_label = mac_lomac_init_label, - .mpo_init_ipc_sema_label = mac_lomac_init_label, - .mpo_init_ipc_shm_label = mac_lomac_init_label, + .mpo_init_ipc_msgqueue_label = mac_lomac_init_label, + .mpo_init_ipc_sema_label = mac_lomac_init_label, + .mpo_init_ipc_shm_label = mac_lomac_init_label, .mpo_init_ipq_label = mac_lomac_init_label_waitcheck, .mpo_init_mbuf_label = mac_lomac_init_label_waitcheck, .mpo_init_mount_label = mac_lomac_init_label, 
@@ -2995,9 +3007,9 @@ .mpo_destroy_devfsdirent_label = mac_lomac_destroy_label, .mpo_destroy_ifnet_label = mac_lomac_destroy_label, .mpo_destroy_ipc_msgmsg_label = mac_lomac_destroy_label, - .mpo_destroy_ipc_msgqueue_label = mac_lomac_destroy_label, - .mpo_destroy_ipc_sema_label = mac_lomac_destroy_label, - .mpo_destroy_ipc_shm_label = mac_lomac_destroy_label, + .mpo_destroy_ipc_msgqueue_label = mac_lomac_destroy_label, + .mpo_destroy_ipc_sema_label = mac_lomac_destroy_label, + .mpo_destroy_ipc_shm_label = mac_lomac_destroy_label, .mpo_destroy_ipq_label = mac_lomac_destroy_label, .mpo_destroy_mbuf_label = mac_lomac_destroy_label, .mpo_destroy_mount_label = mac_lomac_destroy_label, @@ -3047,9 +3059,9 @@ .mpo_create_fragment = mac_lomac_create_fragment, .mpo_create_ifnet = mac_lomac_create_ifnet, .mpo_create_ipc_msgmsg = mac_lomac_create_ipc_msgmsg, - .mpo_create_ipc_msgqueue = mac_lomac_create_ipc_msgqueue, - .mpo_create_ipc_sema = mac_lomac_create_ipc_sema, - .mpo_create_ipc_shm = mac_lomac_create_ipc_shm, + .mpo_create_ipc_msgqueue = mac_lomac_create_ipc_msgqueue, + .mpo_create_ipc_sema = mac_lomac_create_ipc_sema, + .mpo_create_ipc_shm = mac_lomac_create_ipc_shm, .mpo_create_ipq = mac_lomac_create_ipq, .mpo_create_mbuf_from_mbuf = mac_lomac_create_mbuf_from_mbuf, .mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer, 
@@ -3076,20 +3088,20 @@ .mpo_check_cred_visible = mac_lomac_check_cred_visible, .mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel, .mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit, -/* .mpo_check_ipc_msgmsq = mac_lomac_check_ipc_msgmsq, */ - .mpo_check_ipc_msgrcv = mac_lomac_check_ipc_msgrcv, + /* .mpo_check_ipc_msgmsq = mac_lomac_check_ipc_msgmsq, */ + .mpo_check_ipc_msgrcv = mac_lomac_check_ipc_msgrcv, .mpo_check_ipc_msgrmid = mac_lomac_check_ipc_msgrmid, - .mpo_check_ipc_msqget = mac_lomac_check_ipc_msqget, - .mpo_check_ipc_msqsnd = mac_lomac_check_ipc_msqsnd, - .mpo_check_ipc_msqrcv = mac_lomac_check_ipc_msqrcv, - .mpo_check_ipc_msqctl = mac_lomac_check_ipc_msqctl, - .mpo_check_ipc_semctl = mac_lomac_check_ipc_semctl, - .mpo_check_ipc_semget = mac_lomac_check_ipc_semget, - .mpo_check_ipc_semop = mac_lomac_check_ipc_semop, - .mpo_check_ipc_shmat = mac_lomac_check_ipc_shmat, - .mpo_check_ipc_shmctl = mac_lomac_check_ipc_shmctl, -/* .mpo_check_ipc_shmdt = mac_lomac_check_ipc_shmdt, */ - .mpo_check_ipc_shmget = mac_lomac_check_ipc_shmget, + .mpo_check_ipc_msqget = mac_lomac_check_ipc_msqget, + .mpo_check_ipc_msqsnd = mac_lomac_check_ipc_msqsnd, + .mpo_check_ipc_msqrcv = mac_lomac_check_ipc_msqrcv, + .mpo_check_ipc_msqctl = mac_lomac_check_ipc_msqctl, + .mpo_check_ipc_semctl = mac_lomac_check_ipc_semctl, + .mpo_check_ipc_semget = mac_lomac_check_ipc_semget, + .mpo_check_ipc_semop = mac_lomac_check_ipc_semop, + .mpo_check_ipc_shmat = mac_lomac_check_ipc_shmat, + .mpo_check_ipc_shmctl = mac_lomac_check_ipc_shmctl, + /* .mpo_check_ipc_shmdt = mac_lomac_check_ipc_shmdt, */ + .mpo_check_ipc_shmget = mac_lomac_check_ipc_shmget, .mpo_check_kld_load = mac_lomac_check_kld_load, .mpo_check_kld_unload = mac_lomac_check_kld_unload, .mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl, ==== //depot/user/hdandeka/rishi_SystemVIPC/sys/security/mac_mls/mac_mls.c#6 - /home/rwatson/p4/rishi_SystemVIPC/sys/security/mac_mls/mac_mls.c ==== 
@@ -1126,7 +1126,7 @@ static void mac_mls_create_ipc_msgmsg(struct ucred *cred, struct msg *msgptr, - struct label *msglabel) + struct label *msglabel) { struct mac_mls *source, *dest; @@ -1134,11 +1134,11 @@ dest = SLOT(msglabel); mac_mls_copy_single(source, dest); -} +} -static void +static void mac_mls_create_ipc_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqlabel) + struct label *msqlabel) { struct mac_mls *source, *dest; @@ -1150,7 +1150,7 @@ static void mac_mls_create_ipc_sema(struct ucred *cred, struct semid_kernel *semakptr, - struct label *semalabel) + struct label *semalabel) { struct mac_mls *source, *dest; @@ -1162,7 +1162,7 @@ static void mac_mls_create_ipc_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, - struct label *shmlabel) + struct label *shmlabel) { struct mac_mls *source, *dest; @@ -1418,9 +1418,8 @@ } /* - * Label cleanup/flush operations + * Label cleanup/flush operations. */ - static void mac_mls_cleanup_ipc_msgmsg(struct label *msglabel) { @@ -1432,7 +1431,7 @@ mac_mls_cleanup_ipc_msgqueue(struct label *msqlabel) { - bzero(SLOT(msqlabel), sizeof(struct mac_mls)); + bzero(SLOT(msqlabel), sizeof(struct mac_mls)); } static void @@ -1606,8 +1605,7 @@ static int mac_mls_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr) -{ - +{ struct mac_mls *subj, *obj; if (!mac_mls_enabled) @@ -1624,8 +1622,7 @@ static int mac_mls_check_ipc_msgrmid(struct ucred *cred, struct msg *msgptr) -{ - +{ struct mac_mls *subj, *obj; if (!mac_mls_enabled) @@ -1657,7 +1654,6 @@ return (0); } - static int mac_mls_check_ipc_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr) { @@ -1692,10 +1688,9 @@ return (0); } - static int mac_mls_check_ipc_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, - int cmd) + int cmd) { struct mac_mls *subj, *obj; 
@@ -1704,25 +1699,29 @@ subj = SLOT(&cred->cr_label); obj = SLOT(&msqkptr->label); + switch(cmd) { - case IPC_RMID: - case IPC_SET: - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); - break; - case IPC_STAT: - if (!mac_mls_dominate_single(subj, obj)) - return (EACCES); - break; - default: - return (EACCES); + case IPC_RMID: + case IPC_SET: + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + break; + + case IPC_STAT: + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + break; + + default: + return (EACCES); } + return (0); } static int mac_mls_check_ipc_semctl(struct ucred *cred, struct semid_kernel *semakptr, - int cmd) + int cmd) { struct mac_mls *subj, *obj; @@ -1731,30 +1730,33 @@ subj = SLOT(&cred->cr_label); obj = SLOT(&semakptr->label); + switch(cmd) { - case IPC_RMID: - case IPC_SET: - case SETVAL: - case SETALL: - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); - break; - case IPC_STAT: - case GETVAL: - case GETPID: - case GETNCNT: - case GETZCNT: - case GETALL: - if (!mac_mls_dominate_single(subj, obj)) - return (EACCES); - break; - default: - return (EACCES); + case IPC_RMID: + case IPC_SET: + case SETVAL: + case SETALL: + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + break; + + case IPC_STAT: + case GETVAL: + case GETPID: + case GETNCNT: + case GETZCNT: + case GETALL: + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + break; + + default: + return (EACCES); } + return (0); } - static int mac_mls_check_ipc_semget(struct ucred *cred, struct semid_kernel *semakptr) { @@ -1772,10 +1774,9 @@ return (0); } - static int mac_mls_check_ipc_semop(struct ucred *cred, struct semid_kernel *semakptr, - size_t accesstype) + size_t accesstype) { struct mac_mls *subj, *obj; @@ -1794,12 +1795,11 @@ return (EACCES); return (0); - } static int mac_mls_check_ipc_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, - int shmflg) + int shmflg) { struct mac_mls *subj, *obj; 
@@ -1811,7 +1811,7 @@
 if (!mac_mls_dominate_single(subj, obj))
 return (EACCES);
- if ((shmflg & SHM_RDONLY) == 0)
+ if ((shmflg & SHM_RDONLY) == 0)
 if (!mac_mls_dominate_single(obj, subj))
 return (EACCES);
@@ -1820,7 +1820,7 @@
 static int
 mac_mls_check_ipc_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
- int cmd)
+ int cmd)
 {
 struct mac_mls *subj, *obj;
@@ -1829,31 +1829,33 @@
 subj = SLOT(&cred->cr_label);
 obj = SLOT(&shmsegptr->label);
+
 switch(cmd) {
- case IPC_RMID:
- case IPC_SET:
- if (!mac_mls_dominate_single(obj, subj))
- return (EACCES);
- break;
- case IPC_STAT:
- case SHM_STAT:
- if (!mac_mls_dominate_single(subj, obj))
- return (EACCES);
- break;
- default:
- return (EACCES);
+ case IPC_RMID:
+ case IPC_SET:
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+ break;
+
+ case IPC_STAT:
+ case SHM_STAT:
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
+ break;
+
+ default:
+ return (EACCES);
 }
+
 return (0);
 }
 #if 0
-
-/*
+/*
 * TODO: Do we check the integrity of the implicit write access caused
- * by the bookkeeping tasks associated with the shmdt call, which may
- * modify/delete the shmseg meta-data and/or the shared segment itself?
+ * by the bookkeeping tasks associated with the shmdt call, which may
+ * modify/delete the shmseg meta-data and/or the shared segment itself?
 */
-
 static int
 mac_mls_check_ipc_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
 {
@@ -1874,7 +1876,7 @@
 static int
 mac_mls_check_ipc_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
- int shmflg)
+ int shmflg)
 {
 struct mac_mls *subj, *obj;
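Review bot: The shmdt check is still compiled out — `mac_mls_check_ipc_shmdt` remains under `#if 0` at the end of the `@@ -1829` hunk, and the `.mpo_check_ipc_shmdt` entry in the ops table (the `@@ -2897` hunk) is still a comment — so this policy performs no label comparison on detach, while the TODO above the function still asks whether the detach path's implicit write needs a check. The commit reindents that TODO but leaves the question open; either resolve it in the comment or remove the dead block so a reader does not assume detach is mediated by MLS. Whether the framework invokes a shmdt entry point at all cannot be confirmed from the visible hunks (mac_none and mac_test do define one in the `@@ -602` hunk), so leaving it out may be deliberate; if so, a one-line note above the `#if 0` stating why detach is left unmediated would record the decision. The body of mac_mls_check_ipc_shmdt continues outside the hunk.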
@@ -2813,9 +2815,9 @@
 .mpo_init_devfsdirent_label = mac_mls_init_label,
 .mpo_init_ifnet_label = mac_mls_init_label,
 .mpo_init_ipc_msgmsg_label = mac_mls_init_label,
- .mpo_init_ipc_msgqueue_label = mac_mls_init_label,
- .mpo_init_ipc_sema_label = mac_mls_init_label,
- .mpo_init_ipc_shm_label = mac_mls_init_label,
+ .mpo_init_ipc_msgqueue_label = mac_mls_init_label,
+ .mpo_init_ipc_sema_label = mac_mls_init_label,
+ .mpo_init_ipc_shm_label = mac_mls_init_label,
 .mpo_init_ipq_label = mac_mls_init_label_waitcheck,
 .mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
 .mpo_init_mount_label = mac_mls_init_label,
@@ -2829,9 +2831,9 @@
 .mpo_destroy_devfsdirent_label = mac_mls_destroy_label,
 .mpo_destroy_ifnet_label = mac_mls_destroy_label,
 .mpo_destroy_ipc_msgmsg_label = mac_mls_destroy_label,
- .mpo_destroy_ipc_msgqueue_label = mac_mls_destroy_label,
- .mpo_destroy_ipc_sema_label = mac_mls_destroy_label,
- .mpo_destroy_ipc_shm_label = mac_mls_destroy_label,
+ .mpo_destroy_ipc_msgqueue_label = mac_mls_destroy_label,
+ .mpo_destroy_ipc_sema_label = mac_mls_destroy_label,
+ .mpo_destroy_ipc_shm_label = mac_mls_destroy_label,
 .mpo_destroy_ipq_label = mac_mls_destroy_label,
 .mpo_destroy_mbuf_label = mac_mls_destroy_label,
 .mpo_destroy_mount_label = mac_mls_destroy_label,
@@ -2880,9 +2882,9 @@
 .mpo_create_ifnet = mac_mls_create_ifnet,
 .mpo_create_ipq = mac_mls_create_ipq,
 .mpo_create_ipc_msgmsg = mac_mls_create_ipc_msgmsg,
- .mpo_create_ipc_msgqueue = mac_mls_create_ipc_msgqueue,
- .mpo_create_ipc_sema = mac_mls_create_ipc_sema,
- .mpo_create_ipc_shm = mac_mls_create_ipc_shm,
+ .mpo_create_ipc_msgqueue = mac_mls_create_ipc_msgqueue,
+ .mpo_create_ipc_sema = mac_mls_create_ipc_sema,
+ .mpo_create_ipc_shm = mac_mls_create_ipc_shm,
 .mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
 .mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
 .mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
@@ -2897,27 +2899,27 @@
 .mpo_create_proc1 = mac_mls_create_proc1,
 .mpo_relabel_cred = mac_mls_relabel_cred,
 .mpo_cleanup_ipc_msgmsg = mac_mls_cleanup_ipc_msgmsg,
- .mpo_cleanup_ipc_msgqueue = mac_mls_cleanup_ipc_msgqueue,
- .mpo_cleanup_ipc_sema = mac_mls_cleanup_ipc_sema,
- .mpo_cleanup_ipc_shm = mac_mls_cleanup_ipc_shm,
+ .mpo_cleanup_ipc_msgqueue = mac_mls_cleanup_ipc_msgqueue,
+ .mpo_cleanup_ipc_sema = mac_mls_cleanup_ipc_sema,
+ .mpo_cleanup_ipc_shm = mac_mls_cleanup_ipc_shm,
 .mpo_check_bpfdesc_receive = mac_mls_check_bpfdesc_receive,
 .mpo_check_cred_relabel = mac_mls_check_cred_relabel,
 .mpo_check_cred_visible = mac_mls_check_cred_visible,
 .mpo_check_ifnet_relabel = mac_mls_check_ifnet_relabel,
 .mpo_check_ifnet_transmit = mac_mls_check_ifnet_transmit,
- .mpo_check_ipc_msgrcv = mac_mls_check_ipc_msgrcv,
+ .mpo_check_ipc_msgrcv = mac_mls_check_ipc_msgrcv,
 .mpo_check_ipc_msgrmid = mac_mls_check_ipc_msgrmid,
- .mpo_check_ipc_msqget = mac_mls_check_ipc_msqget,
- .mpo_check_ipc_msqsnd = mac_mls_check_ipc_msqsnd,
- .mpo_check_ipc_msqrcv = mac_mls_check_ipc_msqrcv,
- .mpo_check_ipc_msqctl = mac_mls_check_ipc_msqctl,
- .mpo_check_ipc_semctl = mac_mls_check_ipc_semctl,
- .mpo_check_ipc_semget = mac_mls_check_ipc_semget,
- .mpo_check_ipc_semop = mac_mls_check_ipc_semop,
- .mpo_check_ipc_shmat = mac_mls_check_ipc_shmat,
- .mpo_check_ipc_shmctl = mac_mls_check_ipc_shmctl,
-/* .mpo_check_ipc_shmdt = mac_mls_check_ipc_shmdt, */
- .mpo_check_ipc_shmget = mac_mls_check_ipc_shmget,
+ .mpo_check_ipc_msqget = mac_mls_check_ipc_msqget,
+ .mpo_check_ipc_msqsnd = mac_mls_check_ipc_msqsnd,
+ .mpo_check_ipc_msqrcv = mac_mls_check_ipc_msqrcv,
+ .mpo_check_ipc_msqctl = mac_mls_check_ipc_msqctl,
+ .mpo_check_ipc_semctl = mac_mls_check_ipc_semctl,
+ .mpo_check_ipc_semget = mac_mls_check_ipc_semget,
+ .mpo_check_ipc_semop = mac_mls_check_ipc_semop,
+ .mpo_check_ipc_shmat = mac_mls_check_ipc_shmat,
+ .mpo_check_ipc_shmctl = mac_mls_check_ipc_shmctl,
+ /* .mpo_check_ipc_shmdt = mac_mls_check_ipc_shmdt, */
+ .mpo_check_ipc_shmget = mac_mls_check_ipc_shmget,
 .mpo_check_mount_stat = mac_mls_check_mount_stat,
 .mpo_check_pipe_ioctl = mac_mls_check_pipe_ioctl,
 .mpo_check_pipe_poll = mac_mls_check_pipe_poll,
==== //depot/user/hdandeka/rishi_SystemVIPC/sys/security/mac_none/mac_none.c#5 - /home/rwatson/p4/rishi_SystemVIPC/sys/security/mac_none/mac_none.c ====
@@ -333,30 +333,30 @@
 }
-static void
-mac_none_create_ipc_msgmsg(struct ucred *cred, struct msg *msgptr,
- struct label *msglabel)
+static void
+mac_none_create_ipc_msgmsg(struct ucred *cred, struct msg *msgptr,
+ struct label *msglabel)
 {
 }
-static void
-mac_none_create_ipc_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqlabel)
+static void
+mac_none_create_ipc_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr,
+ struct label *msqlabel)
 {
 }
-static void
+static void
 mac_none_create_ipc_sema(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semalabel)
+ struct label *semalabel)
 {
 }
-static void
-mac_none_create_ipc_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmalabel)
+static void
+mac_none_create_ipc_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
+ struct label *shmalabel)
 {
 }
@@ -500,31 +500,30 @@
 /*
 * Label cleanup/flush operations
 */
-static void
+static void
 mac_none_cleanup_ipc_msgmsg(struct label *msglabel)
 {
 }
-static void
+static void
 mac_none_cleanup_ipc_msgqueue(struct label *msqlabel)
 {
 }
-static void
+static void
 mac_none_cleanup_ipc_sema(struct label *semalabel)
 {
 }
-static void
+static void
 mac_none_cleanup_ipc_shm(struct label *shmlabel)
 {
 }
-
 /*
 * Access control checks.
 */
@@ -567,18 +566,18 @@
 }
 static int
-mac_none_check_ipc_msgmsq(struct ucred *cred, struct msg *msgptr,
- struct msqid_kernel *msqkptr)
+mac_none_check_ipc_msgmsq(struct ucred *cred, struct msg *msgptr,
+ struct msqid_kernel *msqkptr)
 {
- return (0);
+ return (0);
 }
 static int
 mac_none_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr)
 {
- return (0);
+ return (0);
 }
@@ -586,7 +585,7 @@
 mac_none_check_ipc_msgrmid(struct ucred *cred, struct msg *msgptr)
 {
- return (0);
+ return (0);
 }
@@ -594,7 +593,7 @@
 mac_none_check_ipc_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
 {
- return (0);
+ return (0);
 }
@@ -602,85 +601,80 @@
 mac_none_check_ipc_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
 {
- return (0);
+ return (0);
 }
-
 static int
 mac_none_check_ipc_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
 {
- return (0);
+ return (0);
 }
 static int
 mac_none_check_ipc_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
- int cmd)
+ int cmd)
 {
- return (0);
+ return (0);
 }
 static int
 mac_none_check_ipc_semctl(struct ucred *cred, struct semid_kernel *semakptr,
- int cmd)
+ int cmd)
 {
- return (0);
+ return (0);
 }
-
 static int
 mac_none_check_ipc_semget(struct ucred *cred, struct semid_kernel *semakptr)
 {
- return (0);
+ return (0);
 }
 static int
 mac_none_check_ipc_semop(struct ucred *cred, struct semid_kernel *semakptr,
- size_t accesstype)
+ size_t accesstype)
 {
- return (0);
+ return (0);
 }
-
 static int
 mac_none_check_ipc_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
- int shmflg)
+ int shmflg)
 {
- return (0);
+ return (0);
 }
-
 static int
 mac_none_check_ipc_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
- int cmd)
+ int cmd)
 {
- return (0);
+ return (0);
 }
-
 static int
 mac_none_check_ipc_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
 {
- return (0);
+ return (0);
 }
 static int
 mac_none_check_ipc_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
- int shmflg)
+ int shmflg)
 {
- return (0);
+ return (0);
 }
 static int
@@ -1167,8 +1161,8 @@
 .mpo_init_ifnet_label = mac_none_init_label,
 .mpo_init_ipc_msgmsg_label = mac_none_init_label,
 .mpo_init_ipc_msgqueue_label = mac_none_init_label,
- .mpo_init_ipc_sema_label = mac_none_init_label,
- .mpo_init_ipc_shm_label = mac_none_init_label,
+ .mpo_init_ipc_sema_label = mac_none_init_label,
+ .mpo_init_ipc_shm_label = mac_none_init_label,
 .mpo_init_ipq_label = mac_none_init_label_waitcheck,
 .mpo_init_mbuf_label = mac_none_init_label_waitcheck,
 .mpo_init_mount_label = mac_none_init_label,
@@ -1183,8 +1177,8 @@
 .mpo_destroy_ifnet_label = mac_none_destroy_label,
 .mpo_destroy_ipc_msgmsg_label = mac_none_destroy_label,
 .mpo_destroy_ipc_msgqueue_label = mac_none_destroy_label,
- .mpo_destroy_ipc_sema_label = mac_none_destroy_label,
- .mpo_destroy_ipc_shm_label = mac_none_destroy_label,
+ .mpo_destroy_ipc_sema_label = mac_none_destroy_label,
+ .mpo_destroy_ipc_shm_label = mac_none_destroy_label,
 .mpo_destroy_ipq_label = mac_none_destroy_label,
 .mpo_destroy_mbuf_label = mac_none_destroy_label,
 .mpo_destroy_mount_label = mac_none_destroy_label,
==== //depot/user/hdandeka/rishi_SystemVIPC/sys/security/mac_test/mac_test.c#5 - /home/rwatson/p4/rishi_SystemVIPC/sys/security/mac_test/mac_test.c ====
@@ -951,9 +951,9 @@
 {
 ASSERT_SYSVIPCMSG_LABEL(msglabel);
-}
+}
-static void
+static void
 mac_test_create_ipc_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr,
 struct label *msqlabel)
 {
@@ -1183,28 +1183,28 @@
 /*
 * Label cleanup/flush operations
 */
-static void
+static void
 mac_test_cleanup_ipc_msgmsg(struct label *msglabel)
 {
 ASSERT_SYSVIPCMSG_LABEL(msglabel);
 }
-static void
+static void
 mac_test_cleanup_ipc_msgqueue(struct label *msqlabel)
 {
 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
 }
-static void
+static void
 mac_test_cleanup_ipc_sema(struct label *semalabel)
 {
 ASSERT_SYSVIPCSEM_LABEL(semalabel);
 }
-static void
+static void
 mac_test_cleanup_ipc_shm(struct label *shmlabel)
 {
@@ -1268,7 +1268,7 @@
 }
 static int
-mac_test_check_ipc_msgmsq(struct ucred *cred, struct msg *msgptr,
+mac_test_check_ipc_msgmsq(struct ucred *cred, struct msg *msgptr,
 struct msqid_kernel *msqkptr)
 {
 ASSERT_SYSVIPCMSQ_LABEL(&msqkptr->label);
@@ -1276,10 +1276,10 @@
 ASSERT_CRED_LABEL(&cred->cr_label);
 return (0);
 }
-
+
 static int
 mac_test_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr)
-{
+{
 ASSERT_SYSVIPCMSG_LABEL(&msgptr->label);
 ASSERT_CRED_LABEL(&cred->cr_label);
@@ -1359,7 +1359,7 @@ mac_test_check_ipc_semop(struct ucred *cred, struct semid_kernel *semakptr, size_t accesstype) { - + ASSERT_CRED_LABEL(&cred->cr_label); ASSERT_SYSVIPCSEM_LABEL(&semakptr->label); return (0);
@@ -1832,7 +1832,7 @@
 }
 static int
-mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
 struct label *dlabel, struct componentname *cnp)
 {