PERFORCE change 41829 for review

Robert Watson rwatson at FreeBSD.org
Sun Nov 9 14:36:27 PST 2003


http://perforce.freebsd.org/chv.cgi?CH=41829

Change 41829 by rwatson at rwatson_paprika on 2003/11/09 14:36:15

	Integrate recent changes to trustedbsd_mac branch: move to a
	zone allocator and externally stored labels in preference to
	embedded labels inside existing kernel structures.  This has
	several benefits, including reducing the need for policies
	(and the MAC Framework) to grub around in external data
	structures, permitting changes in the label structure without
	breaking the ABI for external data structures, and permitting
	(in the long term) use of the slab allocator to improve
	allocation efficiency.  This will require further manual
	resolution of differences due to local changes in the SEBSD
	branch, so it may be a few hours before it compiles cleanly.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/MACREADME#2 integrate
.. //depot/projects/trustedbsd/sebsd/sys/conf/files#10 integrate
.. //depot/projects/trustedbsd/sebsd/sys/fs/devfs/devfs.h#3 integrate
.. //depot/projects/trustedbsd/sebsd/sys/i386/conf/MAC#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_exec.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#16 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/sysv_ipc.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/sysv_msg.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/sysv_sem.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/sysv_shm.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/uipc_sem.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/net/bpfdesc.h#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/net/if_var.h#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/ip_var.h#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/posix4/ksem.h#2 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_label.c#1 branch
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#3 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_pipe.c#3 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_posix_sem.c#2 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_process.c#3 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_system.c#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_sysv_msg.c#2 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_sysv_sem.c#2 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_sysv_shm.c#2 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_biba/mac_biba.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_mls/mac_mls.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_partition/mac_partition.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_stub/mac_stub.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_test/mac_test.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/mac_policy.h#10 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/mount.h#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/msg.h#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/msg_msg.h#2 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/pipe.h#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/proc.h#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/sem.h#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/shm.h#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/socketvar.h#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/ucred.h#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/vnode.h#6 integrate

Differences ...

==== //depot/projects/trustedbsd/sebsd/MACREADME#2 (text+ko) ====

@@ -8,6 +8,8 @@
 
 options		MAC			# Mandatory Access Control
 #options 	MAC_DEBUG		# Might also be useful
+#options 	MAC_ALWAYS_LABEL_MBUF	# Don't conditionally label mbufs
+#options 	MAC_STATIC		# Optimize out dynamic loading support
 
 Rebuild and reinstall world and kernel.  Make sure that login.conf is
 in sync with that provided in the MAC repository, and that login.conf.db
@@ -21,11 +23,13 @@
 mac_biba_load="NO"              # Biba MAC policy		(boot only)
 mac_bsdextended_load="NO"       # BSD/extended MAC policy
 mac_ifoff="NO"                  # Interface silencing policy
+mac_lomac_load="NO"		# Low-Watermark Mandatory Access Control
 mac_mls_load="NO"               # MLS MAC policy		(boot only)
 mac_none_load="NO"              # Null MAC policy
 mac_partition_load="NO"		# Partition MAC policy
+mac_portacl_load="NO"		# IP port access control lists
 mac_seeotheruids_load="NO"      # UID visbility MAC policy
-sebsd_load="NO"			# Port of SELinux/FLASK		(boot only)
+mac_test_load="NO"		# Regression test module
 
 
 Kernel options known not to work with MAC
@@ -73,9 +77,7 @@
 The NFS server code in many places currently ignores MAC protection.
 This may or may not be the best behavior, as in the past NFS could
 always override discretionary access control due to running in the
-kernel as root all the time.  However, because NFS sometimes invokes
-higher level VFS functionality, such as namei(), MAC protections
-may be inconsistently enforced.  CODA support is probably in the same
+kernel as root all the time.  CODA support is probably in the same
 condition.
 
 Client-side NFS locking is known to Do The Wrong Thing, for a variety

==== //depot/projects/trustedbsd/sebsd/sys/conf/files#10 (text+ko) ====

@@ -1598,6 +1598,7 @@
 posix4/posix4_mib.c	standard
 kern/uipc_sem.c		optional p1003_1b_semaphores
 security/mac/mac_file.c		optional mac
+security/mac/mac_label.c	optional mac
 security/mac/mac_net.c		optional mac
 security/mac/mac_pipe.c		optional mac
 security/mac/mac_posix_sem.c	optional mac

==== //depot/projects/trustedbsd/sebsd/sys/fs/devfs/devfs.h#3 (text+ko) ====

@@ -159,7 +159,7 @@
 	mode_t	de_mode;
 	uid_t	de_uid;
 	gid_t	de_gid;
-	struct label	de_label;
+	struct label	*de_label;
 	struct timespec de_atime;
 	struct timespec de_mtime;
 	struct timespec de_ctime;
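Review bot: `de_label` turns into a bare pointer with no comment on who allocates it or whether it may be NULL, so a reader of devfs.h cannot tell which lifetime rules apply to the field. The commit description says labels now come from a zone allocator, so presumably the MAC Framework owns the storage; the header should record that, e.g. `struct label	*de_label;	/* MAC label; storage owned by the MAC Framework */`. Every former `&de->de_label` consumer now dereferences this pointer, so the place where it is assigned (outside this hunk) has to run before the first use.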

==== //depot/projects/trustedbsd/sebsd/sys/i386/conf/MAC#8 (text+ko) ====

@@ -32,7 +32,7 @@
 
 options 	MAC
 #options 	MAC_ALWAYS_LABEL_MBUF
-#options 	MAC_DEBUG
+options 	MAC_DEBUG
 #options 	MAC_STATIC
 options 	UFS_EXTATTR
 options 	UFS_EXTATTR_AUTOSTART
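Review bot: Uncommenting `options MAC_DEBUG` in the reference MAC kernel config enables the `MPRINTF` diagnostics in the sysv code (the `#ifdef MAC_DEBUG` / `#define MPRINTF(a) printf(a)` definitions appear in the sysv_msg.c and sysv_sem.c hunks), so every MAC denial now produces a console line. That is reasonable for a development kernel, but the change is not mentioned in the description; a trailing comment such as `options 	MAC_DEBUG	# verbose MAC denial logging; not for production` would record the intent.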

==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_exec.c#7 (text+ko) ====

@@ -341,7 +341,7 @@
 		NDFREE(ndp, NDF_ONLY_PNBUF);
 #ifdef MAC
 		mac_init_vnode_label(&interplabel);
-		mac_copy_vnode_label(&ndp->ni_vp->v_label, &interplabel);
+		mac_copy_vnode_label(ndp->ni_vp->v_label, &interplabel);
 		interplabelvalid = 1;
 #endif
 		vput(ndp->ni_vp);

==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#16 (text+ko) ====

@@ -270,6 +270,7 @@
 
 	LIST_INIT(&mac_static_policy_list);
 	LIST_INIT(&mac_policy_list);
+	mac_labelzone_init();
 
 #ifndef MAC_STATIC
 	mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
@@ -588,8 +589,8 @@
 	}
 
 	buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
-	error = mac_externalize_cred_label(&tcred->cr_label, elements,
-	    buffer, mac.m_buflen, M_WAITOK);
+	error = mac_externalize_cred_label(tcred->cr_label, elements,
+	    buffer, mac.m_buflen);
 	if (error == 0)
 		error = copyout(buffer, mac.m_string, strlen(buffer)+1);
 
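Review bot: The new `mac_externalize_cred_label` call drops the `M_WAITOK` argument, so the call site no longer says whether externalization may sleep; if the new signature means the callee always waits, a short comment at the call such as `/* may sleep; no locks held here */` would keep the lock discipline visible, since the same silent change is made in the @@ -625, @@ -780, @@ -839 and @@ -894 hunks. The `copyout` two lines below still sizes the copy with `strlen(buffer)+1`, which is only safe if the callee leaves a terminator inside `mac.m_buflen`; the `M_ZERO` on the malloc covers that only when at most `m_buflen - 1` bytes are written, which is worth confirming in the new externalize implementation (not part of this change). The enclosing function starts and ends outside the hunk.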
@@ -625,8 +626,8 @@
 	}
 
 	buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
-	error = mac_externalize_cred_label(&td->td_ucred->cr_label,
-	    elements, buffer, mac.m_buflen, M_WAITOK);
+	error = mac_externalize_cred_label(td->td_ucred->cr_label,
+	    elements, buffer, mac.m_buflen);
 	if (error == 0)
 		error = copyout(buffer, mac.m_string, strlen(buffer)+1);
 
@@ -755,7 +756,7 @@
 		mac_init_vnode_label(&intlabel);
 
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
-		mac_copy_vnode_label(&vp->v_label, &intlabel);
+		mac_copy_vnode_label(vp->v_label, &intlabel);
 		VOP_UNLOCK(vp, 0, td);
 
 		break;
@@ -780,12 +781,12 @@
 	case DTYPE_VNODE:
 		if (error == 0)
 			error = mac_externalize_vnode_label(&intlabel,
-			    elements, buffer, mac.m_buflen, M_WAITOK);
+			    elements, buffer, mac.m_buflen);
 		mac_destroy_vnode_label(&intlabel);
 		break;
 	case DTYPE_PIPE:
 		error = mac_externalize_pipe_label(&intlabel, elements,
-		    buffer, mac.m_buflen, M_WAITOK);
+		    buffer, mac.m_buflen);
 		mac_destroy_pipe_label(&intlabel);
 		break;
 	default:
@@ -839,9 +840,9 @@
 		goto out;
 
 	mac_init_vnode_label(&intlabel);
-	mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
+	mac_copy_vnode_label(nd.ni_vp->v_label, &intlabel);
 	error = mac_externalize_vnode_label(&intlabel, elements, buffer,
-	    mac.m_buflen, M_WAITOK);
+	    mac.m_buflen);
 
 	NDFREE(&nd, 0);
 	mac_destroy_vnode_label(&intlabel);
@@ -894,9 +895,9 @@
 		goto out;
 
 	mac_init_vnode_label(&intlabel);
-	mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
+	mac_copy_vnode_label(nd.ni_vp->v_label, &intlabel);
 	error = mac_externalize_vnode_label(&intlabel, elements, buffer,
-	    mac.m_buflen, M_WAITOK);
+	    mac.m_buflen);
 	NDFREE(&nd, 0);
 	mac_destroy_vnode_label(&intlabel);
 

==== //depot/projects/trustedbsd/sebsd/sys/kern/sysv_ipc.c#6 (text+ko) ====

@@ -73,9 +73,9 @@
 
 
 /*
- * Note: The MAC Framework doesnt add any hook to the ipcperm function as 
+ * Note: The MAC Framework doesnt add any hook to the ipcperm function as
  * fine-grained hooks are inserted throughout the ipc primitives. These hooks
- * compliment the ipcperm check. 
+ * compliment the ipcperm check.
  */
 
 int

==== //depot/projects/trustedbsd/sebsd/sys/kern/sysv_msg.c#8 (text+ko) ====

@@ -39,7 +39,6 @@
 #include <sys/capability.h>
 #ifdef MAC
 #include <sys/msg_msg.h>
-#include <sys/_label.h>
 #include <sys/mac.h>
 #endif
 
@@ -57,7 +56,7 @@
 #ifdef MAC_DEBUG
 #define MPRINTF(a)      printf(a)
 #else
-#define MPRINTF(a)      
+#define MPRINTF(a)
 #endif
 
 static void msg_freehdr(struct msg *msghdr);
@@ -75,7 +74,7 @@
 	long	msg_type;	/* type of this message */
     				/* >0 -> type of this message */
     				/* 0 -> free header */
-	unsigned short	msg_ts;		/* size of this message */
+	u_short	msg_ts;		/* size of this message */
 	short	msg_spot;	/* location of start of msg in buffer */
 };
 #endif
@@ -168,7 +167,8 @@
 	msghdrs = malloc(sizeof(struct msg) * msginfo.msgtql, M_MSG, M_WAITOK);
 	if (msghdrs == NULL)
 		panic("msghdrs is NULL");
-	msqids = malloc(sizeof(struct msqid_kernel) * msginfo.msgmni, M_MSG, M_WAITOK);
+	msqids = malloc(sizeof(struct msqid_kernel) * msginfo.msgmni, M_MSG,
+	    M_WAITOK);
 	if (msqids == NULL)
 		panic("msqids is NULL");
 
@@ -230,14 +230,14 @@
 	}
 	mtx_init(&msq_mtx, "msq", NULL, MTX_DEF);
 	refcount = 0;
-	/* 
-	 * It is not permissible to pass the same mutex to mtx_init() multiple 
-	 * times without intervening calls to mtx_destroy().
-	 * Since we cannot destroy the refcnt_mtx during msgunload, we check if the 
-	 * mtx_init has ever been called. If so, we dont need to do mtx_init as the 
-	 * mutex is already initialized.
+	/*
+	 * It is not permissible to pass the same mutex to mtx_init()
+	 * multiple times without intervening calls to mtx_destroy().  Since
+	 * we cannot destroy the refcnt_mtx during msgunload, we check if the
+	 * mtx_init has ever been called. If so, we dont need to do mtx_init
+	 * as the mutex is already initialized.
 	 */
-	if ( mtx_initialized(&refcnt_mtx) == 0 )
+	if (mtx_initialized(&refcnt_mtx) == 0)
 		mtx_init(&refcnt_mtx, "msgrefcnt", NULL, MTX_DEF);
 }
 
@@ -247,12 +247,12 @@
 	struct msqid_kernel *msqkptr;
 	int msqid;
 
-	/* 
-	 * Make sure that the msgunload maintains the consistency of the msqids
-	 * and msghdrs data structures. This assures that the unload doesn't take
-	 * place if any thread is in any of the code-paths (tinkering with the
-	 * data structures), and also that no thread can enter the code-paths once
-	 * the module is unloaded. 
+	/*
+	 * Make sure that the msgunload maintains the consistency of the
+	 * msqids and msghdrs data structures. This assures that the unload
+	 * doesn't take place if any thread is in any of the code-paths
+	 * (tinkering with the data structures), and also that no thread
+	 * can enter the code-paths once the module is unloaded.
 	 */
 	mtx_lock(&refcnt_mtx);
 	if (refcount > 0) {
@@ -282,20 +282,20 @@
 #ifdef MAC
 	int i;
 	/* Clean up the MAC label associated with the msg objects. */
-	for (i = 0; i < msginfo.msgtql; i++) 
+	for (i = 0; i < msginfo.msgtql; i++)
 		mac_destroy_ipc_msgmsg(&msghdrs[i]);
 	/* Clean up the MAC label associated with the msq objects. */
-	for (msqid = 0; msqid < msginfo.msgmni; msqid++) 
+	for (msqid = 0; msqid < msginfo.msgmni; msqid++)
 		mac_destroy_ipc_msgqueue(&msqids[msqid]);
-#endif 
+#endif
 	free(msgpool, M_MSG);
 	free(msgmaps, M_MSG);
 	free(msghdrs, M_MSG);
 	free(msqids, M_MSG);
 	mtx_destroy(&msq_mtx);
-	/* 
-	 * NOTE: We cannot destroy the refcnt_mtx as it is possible that some thread
-	 * might (attempt to) hold the mutex.
+	/*
+	 * NOTE: We cannot destroy the refcnt_mtx as it is possible that
+	 * some thread might (attempt to) hold the mutex.
 	 */
 /* 	mtx_destroy(&refcnt_mtx); */
 	return (0);
@@ -423,7 +423,10 @@
 	if (!jail_sysvipc_allowed && jailed(td->td_ucred))
 		return (ENOSYS);
 
-	/* Prevent thread from going any further if module is (being) unloaded */
+	/*
+	 * Prevent thread from going any further if module is (being)
+	 * unloaded.
+	 */
 	mtx_lock(&refcnt_mtx);
 	if (refcount < 0 ) {
 		mtx_unlock(&refcnt_mtx);
@@ -441,7 +444,7 @@
 		goto done3;
 	}
 	if (cmd == IPC_SET &&
-	    (error = copyin(user_msqptr, &msqbuf, sizeof(msqbuf))) != 0) 
+	    (error = copyin(user_msqptr, &msqbuf, sizeof(msqbuf))) != 0)
 		goto done3;
 
 	msqkptr = &msqids[msqid];
@@ -458,9 +461,9 @@
 		goto done2;
 	}
 #ifdef MAC
-	if ((error = mac_check_ipc_msqctl(td->td_ucred,msqkptr,cmd)))
-	{
-		MPRINTF(("MAC Framework: mac_check_ipc_msqctl permission denied!\n"));
+	if ((error = mac_check_ipc_msqctl(td->td_ucred,msqkptr,cmd))) {
+		MPRINTF((
+    "MAC Framework: mac_check_ipc_msqctl permission denied!\n"));
 		goto done2;
 	}
 #endif
@@ -478,22 +481,25 @@
 			goto done2;
 
 #ifdef MAC
-	/* 
-	 * Check that the thread has MAC access permissions to individual 
-	 * msghdrs.
-	 * Note: We need to do this in a separate loop because the actual loop 
-	 * alters the msq/msghdr info as it progresses, and there is no going 
-	 * back if half the way through we discover that the thread cannot free 
-	 * a certain msghdr. The msq will get into an inconsistent state.
-	 */
+		/*
+		 * Check that the thread has MAC access permissions to
+		 * individual msghdrs.  Note: We need to do this in a
+		 * separate loop because the actual loop alters the
+		 * msq/msghdr info as it progresses, and there is no going
+		 * back if half the way through we discover that the
+		 * thread cannot free a certain msghdr.  The msq will get
+		 * into an inconsistent state.
+		 */
 		msghdr = msqkptr->u.msg_first;
 		while (msghdr != NULL) {
-		    if((error = mac_check_ipc_msgrmid(td->td_ucred,msghdr))) {
-			MPRINTF("MAC Framework: mac_check_ipc_msgrmid permission denied\n");
-			/* XXX wakeup(msqkptr); ??? */
-			goto done2;
-		    }
-		    msghdr = msghdr->msg_next;
+			if ((error = mac_check_ipc_msgrmid(td->td_ucred,
+			    msghdr))) {
+				MPRINTF(
+    "MAC Framework: mac_check_ipc_msgrmid permission denied\n");
+				/* XXX wakeup(msqkptr); ??? */
+				goto done2;
+			}
+			msghdr = msghdr->msg_next;
 		}
 #endif
 
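Review bot: The re-indented `MPRINTF(` on the msgrmid denial path uses a single set of parentheses, while the other denials in this file (for example the msqctl one in the hunk above) use the double-parenthesis form `MPRINTF((...))`, as do the `DPRINTF((...))` calls in the sysv_sem.c hunks; with `MPRINTF(a)` defined as `printf(a)` both forms compile, but the mixed usage breaks if the macro is ever changed to the `printf a` expansion. The same single-paren form appears in the @@ -635 hunk for msqget. Suggest `MPRINTF(("MAC Framework: mac_check_ipc_msgrmid permission denied\n"));` here and `MPRINTF(("MAC Framework:  mac_check_ipc_msqget access denied\n"));` there. The enclosing msgctl body starts and ends outside the hunk.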
@@ -605,7 +611,10 @@
 	if (!jail_sysvipc_allowed && jailed(td->td_ucred))
 		return (ENOSYS);
 
-	/* Prevent thread from going any further if module is (being) unloaded */
+	/*
+	 * Prevent thread from going any further if module is (being)
+	 * unloaded.
+	 */
 	mtx_lock(&refcnt_mtx);
 	if (refcount < 0 ) {
 		mtx_unlock(&refcnt_mtx);
@@ -635,8 +644,9 @@
 				goto done2;
 			}
 #ifdef MAC
-			if(( error = mac_check_ipc_msqget(cred, msqkptr) )) {
-				MPRINTF("MAC Framework:  mac_check_ipc_msqget access denied\n");
+			if ((error = mac_check_ipc_msqget(cred, msqkptr))) {
+				MPRINTF(
+    "MAC Framework:  mac_check_ipc_msqget access denied\n");
 				goto done2;
 			}
 #endif
@@ -733,7 +743,10 @@
 	if (!jail_sysvipc_allowed && jailed(td->td_ucred))
 		return (ENOSYS);
 
-	/* Prevent thread from going any further if module is (being) unloaded */
+	/*
+	 * Prevent thread from going any further if module is (being)
+	 * unloaded.
+	 */
 	mtx_lock(&refcnt_mtx);
 	if (refcount < 0 ) {
 		mtx_unlock(&refcnt_mtx);
@@ -769,10 +782,14 @@
 		goto done2;
 	}
 
-#ifdef MAC 
-	/* Make sure that the thread has  access rights to the message queue */
+#ifdef MAC
+	/*
+	 * Make sure that the thread has  access rights to the message
+	 * queue.
+	 */
 	if ((error = mac_check_ipc_msqsnd(td->td_ucred, msqkptr))) {
-		MPRINTF(("MAC Framework: mac_check_ipc_msqsnd permission denied\n"));
+		MPRINTF((
+"MAC Framework: mac_check_ipc_msqsnd permission denied\n"));
 		goto done2;
 	}
 #endif
@@ -892,12 +909,11 @@
 	msghdr->msg_ts = msgsz;
 #ifdef MAC
 	mac_create_ipc_msgmsg(td->td_ucred, msqkptr, msghdr);
-	/* 
-	 * XXX: Should the mac_check_ipc_msgmsq check follow here immediately ? 
-	 * Or, should it be checked just before the msg is enqueued in the msgq 
-	 * (as it is done now) ?
+	/*
+	 * XXX: Should the mac_check_ipc_msgmsq check follow here
+	 * immediately?  Or, should it be checked just before the msg is
+	 * enqueued in the msgq (as it is done now)?
 	 */
-
 #endif
 
 	/*
@@ -1009,17 +1025,19 @@
 
 #ifdef MAC
 	/*
-	 * Note: Since the task/thread allocates the msghdr and usually primes 
-	 * it with its own MAC label,for a majority of policies, it won't be 
-	 * necessary to check whether the msghdr has access permissions to the 
-	 * msgq. The mac_check_ipc_msqsnd check would suffice in that case. 
-	 * However, this hook may be required where individual policies derive 
-	 * a non-identical label for the msghdr from the current thread label 
-	 * and may want to check the msghdr enqueue permissions, along with 
-	 * read/write permissions to the msgq.
+	 * Note: Since the task/thread allocates the msghdr and usually
+	 * primes it with its own MAC label,for a majority of policies, it
+	 * won't be necessary to check whether the msghdr has access
+	 * permissions to the msgq. The mac_check_ipc_msqsnd check would
+	 * suffice in that case.  However, this hook may be required where
+	 * individual policies derive a non-identical label for the msghdr
+	 * from the current thread label and may want to check the msghdr
+	 * enqueue permissions, along with read/write permissions to the
+	 * msgq.
 	 */
-	if((error=	mac_check_ipc_msgmsq(td->td_ucred,msghdr,msqkptr))) {
-		MPRINTF(("MAC Framework: mac_check_ipc_msqmsq permission denied\n"));
+	if ((error = mac_check_ipc_msgmsq(td->td_ucred,msghdr,msqkptr))) {
+		MPRINTF((
+    "MAC Framework: mac_check_ipc_msqmsq permission denied\n"));
 		msg_freehdr(msghdr);
 		wakeup(msqkptr);
 		goto done2;
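Review bot: The diagnostic on the new `MPRINTF((` line names `mac_check_ipc_msqmsq`, but the hook checked on the line above is `mac_check_ipc_msgmsq`, so a denial logged under MAC_DEBUG would point at a hook that does not exist. The same `if` line keeps `td->td_ucred,msghdr,msqkptr` without spaces after the commas, which the rest of this cleanup normalizes. Suggest `if ((error = mac_check_ipc_msgmsq(td->td_ucred, msghdr, msqkptr))) {` and `"MAC Framework: mac_check_ipc_msgmsq permission denied\n"`. The msgsnd body starts and ends outside the hunk.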
@@ -1085,7 +1103,10 @@
 	if (!jail_sysvipc_allowed && jailed(td->td_ucred))
 		return (ENOSYS);
 
-	/* Prevent thread from going any further if module is (being) unloaded */
+	/*
+	 * Prevent thread from going any further if module is (being)
+	 * unloaded.
+	 */
 	mtx_lock(&refcnt_mtx);
 	if (refcount < 0 ) {
 		mtx_unlock(&refcnt_mtx);
@@ -1121,10 +1142,13 @@
 		goto done2;
 	}
 
-#ifdef MAC 
-	/* Make sure that the thread has access rights to the message queue */
+#ifdef MAC
+	/*
+	 * Make sure that the thread has access rights to the message queue.
+	 */
 	if ((error = mac_check_ipc_msqrcv(td->td_ucred, msqkptr))) {
-		MPRINTF(("MAC Framework: mac_check_ipc_msqrcv permission denied\n"));
+		MPRINTF((
+"MAC Framework: mac_check_ipc_msqrcv permission denied\n"));
 		goto done2;
 	}
 #endif
@@ -1143,14 +1167,18 @@
 					goto done2;
 				}
 #ifdef MAC
-	/* Make sure that the thread has access rights to the message header */
-				if ((error = mac_check_ipc_msgrcv(td->td_ucred, 
+				/*
+				 * Make sure that the thread has access
+				 * rights to the message header.
+				 */
+				if ((error = mac_check_ipc_msgrcv(td->td_ucred,
 					msghdr))) {
-					MPRINTF(("MAC Framework: mac_check_ipc_msgrcv permission denied\n"));
+					MPRINTF((
+    "MAC Framework: mac_check_ipc_msgrcv permission denied\n"));
 					goto done2;
 				}
 #endif
-				if (msqkptr->u.msg_first == msqkptr->u.msg_last) { 
+				if (msqkptr->u.msg_first == msqkptr->u.msg_last) {
 					msqkptr->u.msg_first = NULL;
 					msqkptr->u.msg_last = NULL;
 				} else {
@@ -1190,9 +1218,16 @@
 						goto done2;
 					}
 #ifdef MAC
-				/* Make sure that the thread has access rights to the message header */
-					if ((error = mac_check_ipc_msgrcv(td->td_ucred, msghdr))) {
-						MPRINTF(("MAC Framework: mac_check_ipc_msgrcv permission denied\n"));
+					/*
+					 * Make sure that the thread has
+					 * access rights to the message
+					 * header.
+					 */
+					if ((error =
+					    mac_check_ipc_msgrcv(td->td_ucred,
+					    msghdr))) {
+						MPRINTF((
+    "MAC Framework: mac_check_ipc_msgrcv permission denied\n"));
 						goto done2;
 					}
 #endif

==== //depot/projects/trustedbsd/sebsd/sys/kern/sysv_sem.c#8 (text+ko) ====

@@ -27,7 +27,6 @@
 #include <sys/malloc.h>
 #include <sys/jail.h>
 #ifdef MAC
-#include <sys/_label.h>
 #include <sys/mac.h>
 #endif
 
@@ -41,7 +40,7 @@
 #ifdef MAC_DEBUG
 #define MPRINTF(a)      printf(a)
 #else
-#define MPRINTF(a)     
+#define MPRINTF(a)
 #endif
 
 static void seminit(void);
@@ -49,7 +48,7 @@
 static int semunload(void);
 static void semexit_myhook(void *arg, struct proc *p);
 static int sysctl_sema(SYSCTL_HANDLER_ARGS);
-static int semvalid(int semid, struct semid_kernel  *semakptr);
+static int semvalid(int semid, struct semid_kernel *semakptr);
 
 #ifndef _SYS_SYSPROTO_H_
 struct __semctl_args;
@@ -61,7 +60,7 @@
 #endif
 
 static struct sem_undo *semu_alloc(struct thread *td);
-static int semundo_adjust(struct thread *td, struct sem_undo **supptr, 
+static int semundo_adjust(struct thread *td, struct sem_undo **supptr,
 		int semid, int semnum, int adjval);
 static void semundo_clear(int semid, int semnum);
 
@@ -73,7 +72,7 @@
 
 static struct mtx	sem_mtx;	/* semaphore global lock */
 static int	semtot = 0;
-static struct semid_kernel  *sema;	/* semaphore id pool */
+static struct semid_kernel *sema;	/* semaphore id pool */
 static struct mtx *sema_mtx;	/* semaphore id pool mutexes*/
 static struct sem *sem;		/* semaphore pool */
 SLIST_HEAD(, sem_undo) semu_list;	/* list of active undo structures */
@@ -201,7 +200,7 @@
 	TUNABLE_INT_FETCH("kern.ipc.semaem", &seminfo.semaem);
 
 	sem = malloc(sizeof(struct sem) * seminfo.semmns, M_SEM, M_WAITOK);
-	sema = malloc(sizeof(struct semid_kernel ) * seminfo.semmni, M_SEM,
+	sema = malloc(sizeof(struct semid_kernel) * seminfo.semmni, M_SEM,
 	    M_WAITOK);
 	sema_mtx = malloc(sizeof(struct mtx) * seminfo.semmni, M_SEM,
 	    M_WAITOK | M_ZERO);
@@ -223,14 +222,14 @@
 	SLIST_INIT(&semu_list);
 	mtx_init(&sem_mtx, "sem", NULL, MTX_DEF);
 	refcount =0;
-	/* 
-	 * It is not permissible to pass the same mutex to mtx_init() multiple 
-	 * times without intervening calls to mtx_destroy().
-	 * Since we cannot destroy the refcnt_mtx during semunload, we check if 
-	 * the mtx_init has ever been called. If so, we dont need to do mtx_init
-	 * as the mutex is already initialized.
+	/*
+	 * It is not permissible to pass the same mutex to mtx_init()
+	 * multiple times without intervening calls to mtx_destroy().
+	 * Since we cannot destroy the refcnt_mtx during semunload, we check
+	 * if the mtx_init has ever been called. If so, we dont need to do
+	 * mtx_init as the mutex is already initialized.
 	 */
-	if ( mtx_initialized(&refcnt_mtx) == 0 )
+	if (mtx_initialized(&refcnt_mtx) == 0)
 		mtx_init(&refcnt_mtx, "semrefcnt", NULL, MTX_DEF);
 	semexit_tag = EVENTHANDLER_REGISTER(process_exit, semexit_myhook, NULL,
 	    EVENTHANDLER_PRI_ANY);
@@ -241,12 +240,12 @@
 {
 	int i;
 
-	/* 
-	 * Make sure that the semunload maintains the consistency of the sem 
+	/*
+	 * Make sure that the semunload maintains the consistency of the sem
 	 * and sema data structures. This assures that the unload doesn't take
 	 * place if any thread is in any of the code-paths (tinkering with the
-	 * data structures), and also that no thread can enter the code-paths 
-	 * once the module is unloaded. 
+	 * data structures), and also that no thread can enter the code-paths
+	 * once the module is unloaded.
 	 */
 	mtx_lock(&refcnt_mtx);
 	if ((refcount > 0) || (semtot != 0)) {
@@ -258,17 +257,17 @@
 
 	EVENTHANDLER_DEREGISTER(process_exit, semexit_tag);
 #ifdef MAC
-	for (i = 0; i < seminfo.semmni; i++) 
+	for (i = 0; i < seminfo.semmni; i++)
 		mac_destroy_ipc_sema(&sema[i]);
-#endif 
+#endif
 	free(sem, M_SEM);
 	free(sema, M_SEM);
 	free(semu, M_SEM);
 	for (i = 0; i < seminfo.semmni; i++)
 		mtx_destroy(&sema_mtx[i]);
 	mtx_destroy(&sem_mtx);
-	/* 
-	 * NOTE: We cannot destroy the refcnt_mtx as it is possible that some 
+	/*
+	 * NOTE: We cannot destroy the refcnt_mtx as it is possible that some
 	 * thread might (attempt to) hold the mutex.
 	 */
 /* 	mtx_destroy(&refcnt_mtx); */
@@ -517,7 +516,7 @@
 static int
 semvalid(semid, semakptr)
 	int semid;
-	struct semid_kernel  *semakptr;
+	struct semid_kernel *semakptr;
 {
 
 	return ((semakptr->u.sem_perm.mode & SEM_ALLOC) == 0 ||
@@ -553,7 +552,7 @@
 	struct ucred *cred = td->td_ucred;
 	int i, rval, error;
 	struct semid_ds sbuf;
-	struct semid_kernel  *semakptr;
+	struct semid_kernel *semakptr;
 	struct mtx *sema_mtxp;
 	u_short usval, count;
 
@@ -562,7 +561,10 @@
 	if (!jail_sysvipc_allowed && jailed(td->td_ucred))
 		return (ENOSYS);
 
-	/* Prevent thread from going any further if module is (being) unloaded */
+	/*
+	 * Prevent thread from going any further if module is (being)
+	 * unloaded.
+	 */
 	mtx_lock(&refcnt_mtx);
 	if (refcount < 0 ) {
 		mtx_unlock(&refcnt_mtx);
@@ -576,7 +578,7 @@
 	switch(cmd) {
 	case SEM_STAT:
 		if (semid < 0 || semid >= seminfo.semmni) {
-			error =  EINVAL;
+			error = EINVAL;
 			goto done3;
 		}
 		if ((error = copyin(arg, &real_arg, sizeof(real_arg))) != 0)
@@ -591,14 +593,16 @@
 		if ((error = ipcperm(td, &semakptr->u.sem_perm, IPC_R)))
 			goto done2;
 #ifdef MAC
-  	if(( error = mac_check_ipc_semctl(cred,semakptr,cmd) )) {
-  		MPRINTF(("MAC Framework:  mac_check_ipc_semctl access denied\n"));
-	  	goto done2;
-		}
+	if ((error = mac_check_ipc_semctl(cred, semakptr, cmd))) {
+		MPRINTF((
+		    "MAC Framework: mac_check_ipc_semctl access denied\n"));
+		goto done2;
+	}
 #endif
 		mtx_unlock(sema_mtxp);
-		error = copyout(&semakptr->u, real_arg.buf, sizeof(struct semid_ds));
-		rval = IXSEQ_TO_IPCID(semid,semakptr->u.sem_perm);
+		error = copyout(&semakptr->u, real_arg.buf,
+		    sizeof(struct semid_ds));
+		rval = IXSEQ_TO_IPCID(semid, semakptr->u.sem_perm);
 		if (error == 0)
 			td->td_retval[0] = rval;
 		goto done3;
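Review bot: The re-indented `#ifdef MAC` block for the SEM_STAT case is placed one tab deep, but it sits inside the `case SEM_STAT:` body where the surrounding statements (`if ((error = ipcperm(` above and `mtx_unlock(sema_mtxp);` below) are two tabs deep, so the new lines read as if they were outside the case. Indent the five lines from `if ((error = mac_check_ipc_semctl(cred, semakptr, cmd))) {` through the closing `}` by one more tab to match the enclosing case. The semctl body starts and ends outside the hunk.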
@@ -613,14 +617,15 @@
 	semakptr = &sema[semid];
 	sema_mtxp = &sema_mtx[semid];
 #ifdef MAC
-  mtx_lock(sema_mtxp);
-	/* 
+	mtx_lock(sema_mtxp);
+	/*
 	 * The MAC framework lets the policies decide what type of access
 	 * is permitted, based on the cmd.
 	 */
-  if(( error = mac_check_ipc_semctl(cred,semakptr,cmd) )) {
-  	MPRINTF(("MAC Framework:  mac_check_ipc_semctl access denied\n"));
-	  goto done2;
+	if ((error = mac_check_ipc_semctl(cred, semakptr, cmd))) {
+		MPRINTF((
+		    "MAC Framework: mac_check_ipc_semctl access denied\n"));
+		goto done2;
 	}
 	mtx_unlock(sema_mtxp);
 #endif
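Review bot: `mac_check_ipc_semctl` is evaluated with `sema_mtxp` held, but the lock is released on the `mtx_unlock(sema_mtxp);` line directly after the check, and the actual `cmd` handling follows later, outside the hunk; whether the check is repeated under the later lock cannot be seen from here, and if it is not, the authorization result is consumed after the semaphore set could have been modified or released by another thread. The commit only reformats this block, so either holding the lock across the per-command switch or a comment explaining why the gap is acceptable would help, e.g. `/* Label checked here; each case below re-locks and re-validates with semvalid() */`, if that is indeed what the later code does. The semctl body starts and ends outside the hunk.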
@@ -668,8 +673,8 @@
 			goto done2;
 		semakptr->u.sem_perm.uid = sbuf.sem_perm.uid;
 		semakptr->u.sem_perm.gid = sbuf.sem_perm.gid;
-		semakptr->u.sem_perm.mode = (semakptr->u.sem_perm.mode & ~0777) |
-		    (sbuf.sem_perm.mode & 0777);
+		semakptr->u.sem_perm.mode = (semakptr->u.sem_perm.mode &
+		    ~0777) | (sbuf.sem_perm.mode & 0777);
 		semakptr->u.sem_ctime = time_second;
 		break;
 
@@ -862,7 +867,10 @@
 	if (!jail_sysvipc_allowed && jailed(td->td_ucred))
 		return (ENOSYS);
 
-	/* Prevent thread from going any further if module is (being) unloaded */
+	/*
+	 * Prevent thread from going any further if module is (being)
+	 * unloaded.
+	 */
 	mtx_lock(&refcnt_mtx);
 	if (refcount < 0 ) {
 		mtx_unlock(&refcnt_mtx);
@@ -894,17 +902,19 @@
 				error = EEXIST;
 				goto done2;
 			}
-#ifdef MAC 
-		  if(( error = mac_check_ipc_semget(cred,&sema[semid]) )) {
-		  	MPRINTF(("MAC Framework:  mac_check_ipc_semget access denied\n"));
-			  goto done2;
+#ifdef MAC
+			if ((error = mac_check_ipc_semget(cred,
+			    &sema[semid]))) {
+				MPRINTF((
+    "MAC Framework: mac_check_ipc_semget access denied\n"));
+				goto done2;
 			}
 #endif
 			goto found;
 		}
 	}
 
-	DPRINTF(("need to allocate the semid_kernel \n"));
+	DPRINTF(("need to allocate the semid_kernel\n"));
 	if (key == IPC_PRIVATE || (semflg & IPC_CREAT)) {
 		if (nsems <= 0 || nsems > seminfo.semmsl) {
 			DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
@@ -924,7 +934,7 @@
 				break;
 		}
 		if (semid == seminfo.semmni) {
-			DPRINTF(("no more semid_kernel 's available\n"));
+			DPRINTF(("no more semid_kernel's available\n"));
 			error = ENOSPC;
 			goto done2;
 		}
@@ -947,8 +957,8 @@
 #ifdef MAC
 		mac_create_ipc_sema(cred, &sema[semid]);
 #endif
-		DPRINTF(("sembase = 0x%x, next = 0x%x\n", sema[semid].u.sem_base,
-		    &sem[semtot]));
+		DPRINTF(("sembase = 0x%x, next = 0x%x\n",
+		    sema[semid].u.sem_base, &sem[semtot]));
 	} else {
 		DPRINTF(("didn't find it and wasn't asked to create it\n"));
 		error = ENOENT;
@@ -984,7 +994,7 @@
 	int semid = uap->semid;
 	size_t nsops = uap->nsops;
 	struct sembuf *sops;
-	struct semid_kernel  *semakptr;
+	struct semid_kernel *semakptr;
 	struct sembuf *sopptr = 0;
 	struct sem *semptr = 0;
 	struct sem_undo *suptr;
@@ -998,7 +1008,10 @@
 	if (!jail_sysvipc_allowed && jailed(td->td_ucred))
 		return (ENOSYS);
 
-	/* Prevent thread from going any further if module is (being) unloaded */
+	/*
+	 * Prevent thread from going any further if module is (being)
+	 * unloaded
+	 */
 	mtx_lock(&refcnt_mtx);
 	if (refcount < 0 ) {
 		mtx_unlock(&refcnt_mtx);
@@ -1063,12 +1076,14 @@
 		goto done2;
 	}
 #ifdef MAC
-	/* 
-	 * The MAC hook checks whether the thread has read ( and possibly write)
-	 * permissions to the semaphore array based on the sopptr->sem_op value.
+	/*
+	 * The MAC hook checks whether the thread has read (and possibly
+	 * write) permissions to the semaphore array based on the
+	 * sopptr->sem_op value.
 	 */
 	if ((error = mac_check_ipc_semop(td->td_ucred, semakptr, j))) {
-		MPRINTF(("MAC Framework:  mac_check_ipc_semop access denied\n"));
+		MPRINTF((
+		    "MAC Framework: mac_check_ipc_semop access denied\n"));
 		goto done2;
 	}
 #endif
@@ -1310,7 +1325,7 @@
 			int semid = suptr->un_ent[ix].un_id;
 			int semnum = suptr->un_ent[ix].un_num;
 			int adjval = suptr->un_ent[ix].un_adjval;
-			struct semid_kernel  *semakptr;
+			struct semid_kernel *semakptr;
 			struct mtx *sema_mtxp;
 
 			semakptr = &sema[semid];
@@ -1330,7 +1345,8 @@
 			    semakptr->u.sem_base[semnum].semval));
 
 			if (adjval < 0) {
-				if (semakptr->u.sem_base[semnum].semval < -adjval)
+				if (semakptr->u.sem_base[semnum].semval <
+				    -adjval)
 					semakptr->u.sem_base[semnum].semval = 0;
 				else
 					semakptr->u.sem_base[semnum].semval +=

==== //depot/projects/trustedbsd/sebsd/sys/kern/sysv_shm.c#8 (text+ko) ====

@@ -53,7 +53,6 @@
 #include <sys/sysproto.h>
 #include <sys/jail.h>
 #ifdef MAC
-#include <sys/_label.h>
 #include <sys/mac.h>
 #endif
 
@@ -279,7 +278,10 @@
 	if (!jail_sysvipc_allowed && jailed(td->td_ucred))
 		return (ENOSYS);
 
-	/* Prevent thread from going any further if module is (being) unloaded */
+	/*
+	 * Prevent thread from going any further if module is (being)
+	 * unloaded.
+	 */
 	mtx_lock(&refcnt_mtx);
 	if (refcount < 0 ) {
 		mtx_unlock(&refcnt_mtx);
@@ -305,13 +307,17 @@
 		goto done2;
 	}
 #ifdef MAC
-	/* XXX It might be useful to move this into the shm_delete_mapping function */
+	/*
+	 * XXX: It might be useful to move this into the shm_delete_mapping
+	 * function
+	 */
 	struct shmid_kernel *shmsegptr;
 	shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)];
-  if(( error = mac_check_ipc_shmdt(td->td_ucred, shmsegptr) )) { 
-    MPRINTF(("MAC Framework:  mac_check_ipc_shmdt access denied\n"));
-    goto done2;
-  }
+	if ((error = mac_check_ipc_shmdt(td->td_ucred, shmsegptr))) {
+		MPRINTF((
+    "MAC Framework:  mac_check_ipc_shmdt access denied\n"));
+		goto done2;
+	}
 #endif
 	error = shm_delete_mapping(p->p_vmspace, shmmap_s);
 done2:
@@ -355,7 +361,10 @@
 	if (!jail_sysvipc_allowed && jailed(td->td_ucred))
 		return (ENOSYS);
 
-	/* Prevent thread from going any further if module is (being) unloaded */
+	/*
+	 * Prevent thread from going any further if module is (being)
+	 * unloaded.
+	 */
 	mtx_lock(&refcnt_mtx);
 	if (refcount < 0 ) {
 		mtx_unlock(&refcnt_mtx);
@@ -383,10 +392,11 @@
 	if (error)
 		goto done2;
 #ifdef MAC
-  if(( error = mac_check_ipc_shmat(td->td_ucred, shmseg, shmflg) )) { 
-    MPRINTF(("MAC Framework:  mac_check_ipc_shmat access denied\n"));
-    goto done2;
-  }
+	if ((error = mac_check_ipc_shmat(td->td_ucred, shmseg, shmflg))) {
+	 	MPRINTF((
+    "MAC Framework:  mac_check_ipc_shmat access denied\n"));
+		goto done2;
+	}
 #endif
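Review bot: The new `MPRINTF((` line in the shmat denial path is indented with tab-space-tab rather than two tabs, the very kind of stray whitespace this cleanup removes elsewhere, and both this message and the shmdt one in the @@ -305 hunk keep the double space in `"MAC Framework:  mac_check_ipc_shmat access denied\n"` that the sysv_sem.c hunks normalize to a single space. Suggest `"MAC Framework: mac_check_ipc_shmat access denied\n"` here and `"MAC Framework: mac_check_ipc_shmdt access denied\n"` there, with the `MPRINTF((` call indented by two tabs. The shmat body starts and ends outside the hunk.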
 	for (i = 0; i < shminfo.shmseg; i++) {
 		if (shmmap_s->shmid == -1)
@@ -450,7 +460,7 @@
 	return (error);
 }

>>> TRUNCATED FOR MAIL (1000 lines) <<<

