PERFORCE change 56913 for review

Robert Watson rwatson at FreeBSD.org
Fri Jul 9 11:37:08 PDT 2004


http://perforce.freebsd.org/chv.cgi?CH=56913

Change 56913 by rwatson at rwatson_tislabs on 2004/07/09 18:36:27

	Use different enforcement flags for different System V IPC
	services, as they can be compiled in (or not) independently.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#21 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_msg.c#7 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_sem.c#7 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_shm.c#6 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#21 (text+ko) ====

@@ -65,7 +65,6 @@
 extern int				mac_enforce_network;
 extern int				mac_enforce_process;
 extern int				mac_enforce_socket;
-extern int				mac_enforce_sysv;
 extern int				mac_enforce_vm;
 #ifndef MAC_ALWAYS_LABEL_MBUF
 extern int				mac_labelmbufs;

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_msg.c#7 (text+ko) ====

@@ -53,10 +53,11 @@
 
 #include <security/mac/mac_internal.h>
 
-int	mac_enforce_sysv = 1;
+static int	mac_enforce_sysv_msg = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW,
-    &mac_enforce_sysv, 0, "Enforce MAC policy on System V IPC objects");
-TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv);
+    &mac_enforce_sysv_msg, 0,
+    "Enforce MAC policy on System V IPC Message Queues");
+TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg);
 
 #ifdef MAC_DEBUG
 static unsigned int nmacipcmsgs, nmacipcmsqs;
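Review bot: The OID name in this hunk's `SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW,` was left unchanged while the variable and tunable became `enforce_sysv_msg`. The declarations added at the top of mac_sysv_sem.c and mac_sysv_shm.c register that same `enforce_sysv` name again, and both also keep the old `"security.mac.enforce_sysv"` tunable string. With more than one of these files compiled in, the three flags would compete for a single `security.mac.enforce_sysv` node, so an administrator probably cannot read or set each service's enforcement state independently at run time. In addition, the message-queue tunable no longer matches its sysctl name, and one loader setting would drive both the semaphore and shared-memory flags. I would name each per service, i.e. `enforce_sysv_msg` here, and `enforce_sysv_sem` / `enforce_sysv_shm` with matching `TUNABLE_INT("security.mac.enforce_sysv_sem", &mac_enforce_sysv_sem);` and `TUNABLE_INT("security.mac.enforce_sysv_shm", &mac_enforce_sysv_shm);` in the other two files.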
@@ -173,7 +174,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_msg)
 		return (0);
 
 	MAC_CHECK(check_ipc_msgmsq, cred,  msgptr, msgptr->label, msqkptr,
@@ -187,7 +188,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_msg)
 		return (0);
 
 	MAC_CHECK(check_ipc_msgrcv, cred, msgptr, msgptr->label);
@@ -200,7 +201,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_msg)
 		return (0);
 
 	MAC_CHECK(check_ipc_msgrmid, cred,  msgptr, msgptr->label);
@@ -213,7 +214,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_msg)
 		return (0);
 
 	MAC_CHECK(check_ipc_msqget, cred, msqkptr, msqkptr->label);
@@ -226,7 +227,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_msg)
 		return (0);
 
 	MAC_CHECK(check_ipc_msqsnd, cred, msqkptr, msqkptr->label);
@@ -239,7 +240,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_msg)
 		return (0);
 
 	MAC_CHECK(check_ipc_msqrcv, cred, msqkptr, msqkptr->label);
@@ -253,7 +254,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_msg)
 		return (0);
 
 	MAC_CHECK(check_ipc_msqctl, cred, msqkptr, msqkptr->label, cmd);

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_sem.c#7 (text+ko) ====

@@ -53,6 +53,11 @@
 
 #include <security/mac/mac_internal.h>
 
+static int	mac_enforce_sysv_sem = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW,
+    &mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores");
+TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem);
+
 #ifdef MAC_DEBUG
 static unsigned int nmacipcsemas;
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_semas, CTLFLAG_RD,
@@ -114,7 +119,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_sem)
 		return (0);
 
 	MAC_CHECK(check_ipc_semctl, cred, semakptr, semakptr->label, cmd);
@@ -127,7 +132,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_sem)
 		return (0);
 
 	MAC_CHECK(check_ipc_semget, cred, semakptr, semakptr->label);
@@ -141,7 +146,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_sem)
 		return (0);
 
 	MAC_CHECK(check_ipc_semop, cred, semakptr, semakptr->label,

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_shm.c#6 (text+ko) ====

@@ -53,6 +53,12 @@
 
 #include <security/mac/mac_internal.h>
 
+static int	mac_enforce_sysv_shm = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW,
+    &mac_enforce_sysv_shm, 0,
+    "Enforce MAC policy on System V IPC shared memory");
+TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm);
+
 #ifdef MAC_DEBUG
 static unsigned int nmacipcshms;
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_shms, CTLFLAG_RD,
@@ -114,7 +120,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_shm)
 		return (0);
 
 	MAC_CHECK(check_ipc_shmat, cred, shmsegptr, shmsegptr->label,
@@ -129,7 +135,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_shm)
 		return (0);
 
 	MAC_CHECK(check_ipc_shmctl, cred, shmsegptr, shmsegptr->label,
@@ -143,7 +149,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_shm)
 		return (0);
 
 	MAC_CHECK(check_ipc_shmdt, cred, shmsegptr, shmsegptr->label);
@@ -157,7 +163,7 @@
 {
 	int error;
 
-	if (!mac_enforce_sysv)
+	if (!mac_enforce_sysv_shm)
 		return (0);
 
 	MAC_CHECK(check_ipc_shmget, cred, shmsegptr, shmsegptr->label,

