mac_posix_sem.c revision 145855 
1285SN/A/*-
2367SN/A * Copyright (c) 2003-2005 SPARTA, Inc.
3285SN/A * All rights reserved.
4285SN/A *
5285SN/A * This software was developed for the FreeBSD Project in part by Network
6285SN/A * Associates Laboratories, the Security Research Division of Network
7285SN/A * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
8285SN/A * as part of the DARPA CHATS research program.
9285SN/A *
10285SN/A * Redistribution and use in source and binary forms, with or without
11285SN/A * modification, are permitted provided that the following conditions
12285SN/A * are met:
13285SN/A * 1. Redistributions of source code must retain the above copyright
14285SN/A *    notice, this list of conditions and the following disclaimer.
15285SN/A * 2. Redistributions in binary form must reproduce the above copyright
16285SN/A *    notice, this list of conditions and the following disclaimer in the
17285SN/A *    documentation and/or other materials provided with the distribution.
18285SN/A *
19285SN/A * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20285SN/A * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21285SN/A * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22285SN/A * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23285SN/A * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24285SN/A * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25285SN/A * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26285SN/A * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27285SN/A * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28285SN/A * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29285SN/A * SUCH DAMAGE.
30285SN/A */
31285SN/A
32285SN/A#include <sys/cdefs.h>
33285SN/A__FBSDID("$FreeBSD: head/sys/security/mac/mac_posix_sem.c 145855 2005-05-04 10:39:15Z rwatson $");
34285SN/A
35285SN/A#include "opt_mac.h"
36285SN/A#include "opt_posix.h"
37285SN/A
38285SN/A#include <sys/param.h>
39285SN/A#include <sys/kernel.h>
40285SN/A#include <sys/malloc.h>
41285SN/A#include <sys/mac.h>
42285SN/A#include <sys/module.h>
43285SN/A#include <sys/systm.h>
44285SN/A#include <sys/sysctl.h>
45285SN/A
46285SN/A#include <posix4/ksem.h>
47285SN/A
48285SN/A#include <sys/mac_policy.h>
49285SN/A
50285SN/A#include <security/mac/mac_internal.h>
51285SN/A
52285SN/Astatic int	mac_enforce_posix_sem = 1;
53285SN/ASYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_sem, CTLFLAG_RW,
54285SN/A    &mac_enforce_posix_sem, 0, "Enforce MAC policy on global POSIX semaphores");
55285SN/ATUNABLE_INT("security.mac.enforce_posix_sem", &mac_enforce_posix_sem);
56285SN/A
57367SN/A#ifdef MAC_DEBUG
58285SN/Astatic unsigned int nmacposixsems;
59285SN/ASYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, posix_sems, CTLFLAG_RD,
60285SN/A    &nmacposixsems, 0, "number of posix global semaphores inuse");
61285SN/A#endif
62285SN/A
63285SN/Astatic struct label *
64285SN/Amac_posix_sem_label_alloc(void)
65285SN/A{
66285SN/A	struct label *label;
67285SN/A
68285SN/A	label = mac_labelzone_alloc(M_WAITOK);
69367SN/A	MAC_PERFORM(init_posix_sem_label, label);
70285SN/A	MAC_DEBUG_COUNTER_INC(&nmacposixsems);
71285SN/A	return (label);
72285SN/A}
73285SN/A
74285SN/Avoid
75285SN/Amac_init_posix_sem(struct ksem *ksemptr)
76285SN/A{
77285SN/A
78367SN/A	ksemptr->ks_label = mac_posix_sem_label_alloc();
79285SN/A}
80285SN/A
81285SN/Astatic void
82285SN/Amac_posix_sem_label_free(struct label *label)
83285SN/A{
84367SN/A
85285SN/A	MAC_PERFORM(destroy_posix_sem_label, label);
86285SN/A	MAC_DEBUG_COUNTER_DEC(&nmacposixsems);
87285SN/A}
88285SN/A
89285SN/Avoid
90285SN/Amac_destroy_posix_sem(struct ksem *ksemptr)
91367SN/A{
92367SN/A
93285SN/A	mac_posix_sem_label_free(ksemptr->ks_label);
94285SN/A	ksemptr->ks_label = NULL;
95285SN/A}
96285SN/A
97285SN/Avoid
98285SN/Amac_create_posix_sem(struct ucred *cred, struct ksem *ksemptr)
99285SN/A{
100285SN/A
101285SN/A	MAC_PERFORM(create_posix_sem, cred, ksemptr, ksemptr->ks_label);
102285SN/A}
103285SN/A
104285SN/Aint
105285SN/Amac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr)
106285SN/A{
107285SN/A	int error;
108285SN/A
109285SN/A	if (!mac_enforce_posix_sem)
110285SN/A		return (0);
111285SN/A
112285SN/A	MAC_CHECK(check_posix_sem_destroy, cred, ksemptr, ksemptr->ks_label);
113285SN/A
114285SN/A	return(error);
115285SN/A}
116285SN/A
117285SN/Aint
118285SN/Amac_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr)
119285SN/A{
120285SN/A	int error;
121285SN/A
122285SN/A	if (!mac_enforce_posix_sem)
123285SN/A		return (0);
124285SN/A
125285SN/A	MAC_CHECK(check_posix_sem_open, cred, ksemptr, ksemptr->ks_label);
126285SN/A
127285SN/A	return(error);
128285SN/A}
129285SN/A
130285SN/Aint
131285SN/Amac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ksemptr)
132285SN/A{
133285SN/A	int error;
134285SN/A
135285SN/A	if (!mac_enforce_posix_sem)
136285SN/A		return (0);
137285SN/A
138285SN/A	MAC_CHECK(check_posix_sem_getvalue, cred, ksemptr,
139285SN/A	    ksemptr->ks_label);
140285SN/A
141	return(error);
142}
143
144int
145mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr)
146{
147	int error;
148
149	if (!mac_enforce_posix_sem)
150		return (0);
151
152	MAC_CHECK(check_posix_sem_post, cred, ksemptr, ksemptr->ks_label);
153
154	return(error);
155}
156
157int
158mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr)
159{
160	int error;
161
162	if (!mac_enforce_posix_sem)
163		return (0);
164
165	MAC_CHECK(check_posix_sem_unlink, cred, ksemptr, ksemptr->ks_label);
166
167	return(error);
168}
169
170int
171mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr)
172{
173	int error;
174
175	if (!mac_enforce_posix_sem)
176		return (0);
177
178	MAC_CHECK(check_posix_sem_wait, cred, ksemptr, ksemptr->ks_label);
179
180	return(error);
181}
182