Date: Fri, 9 Jul 2004 18:37:07 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 56913 for review Message-ID: <200407091837.i69Ib7G3088860@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=56913 Change 56913 by rwatson@rwatson_tislabs on 2004/07/09 18:36:27 Use different enforcement flags for different System V IPC services, as they can be compiled in (or not) independently. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#21 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_msg.c#7 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_sem.c#7 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_shm.c#6 edit Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#21 (text+ko) ====
@@ -65,7 +65,6 @@
 extern int mac_enforce_network;
 extern int mac_enforce_process;
 extern int mac_enforce_socket;
-extern int mac_enforce_sysv;
 extern int mac_enforce_vm;
 #ifndef MAC_ALWAYS_LABEL_MBUF
 extern int mac_labelmbufs;
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_msg.c#7 (text+ko) ====
@@ -53,10 +53,11 @@
 #include <security/mac/mac_internal.h>
-int mac_enforce_sysv = 1;
+static int mac_enforce_sysv_msg = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW,
- &mac_enforce_sysv, 0, "Enforce MAC policy on System V IPC objects");
-TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv);
+ &mac_enforce_sysv_msg, 0,
+ "Enforce MAC policy on System V IPC Message Queues");
+TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg);
 #ifdef MAC_DEBUG
 static unsigned int nmacipcmsgs, nmacipcmsqs;
@@ -173,7 +174,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_msg)
 return (0);
 MAC_CHECK(check_ipc_msgmsq, cred, msgptr, msgptr->label, msqkptr,
@@ -187,7 +188,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_msg)
 return (0);
 MAC_CHECK(check_ipc_msgrcv, cred, msgptr, msgptr->label);
@@ -200,7 +201,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_msg)
 return (0);
 MAC_CHECK(check_ipc_msgrmid, cred, msgptr, msgptr->label);
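Review bot: The `SYSCTL_INT` in the mac_sysv_msg.c declaration hunk (`@@ -53,10 +53,11 @@`) still registers the OID as `enforce_sysv`, although the variable, description and tunable were renamed to the `_msg` form; the mac_sysv_sem.c and mac_sysv_shm.c declaration hunks register the same `enforce_sysv` name under `_security_mac`. When more than one of these files is compiled in, the three nodes collide on a single name, so a write to `security.mac.enforce_sysv` can reach at most one of the three flags (presumably the later registrations are rejected) and the other services keep their default setting without the administrator being told. Give each node its own name: `SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_msg, CTLFLAG_RW,` here, and `enforce_sysv_sem` / `enforce_sysv_shm` in the other two files.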
@@ -213,7 +214,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_msg)
 return (0);
 MAC_CHECK(check_ipc_msqget, cred, msqkptr, msqkptr->label);
@@ -226,7 +227,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_msg)
 return (0);
 MAC_CHECK(check_ipc_msqsnd, cred, msqkptr, msqkptr->label);
@@ -239,7 +240,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_msg)
 return (0);
 MAC_CHECK(check_ipc_msqrcv, cred, msqkptr, msqkptr->label);
@@ -253,7 +254,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_msg)
 return (0);
 MAC_CHECK(check_ipc_msqctl, cred, msqkptr, msqkptr->label, cmd);
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_sem.c#7 (text+ko) ====
@@ -53,6 +53,11 @@
 #include <security/mac/mac_internal.h>
+static int mac_enforce_sysv_sem = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW,
+ &mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores");
+TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem);
+
 #ifdef MAC_DEBUG
 static unsigned int nmacipcsemas;
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_semas, CTLFLAG_RD,
@@ -114,7 +119,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_sem)
 return (0);
 MAC_CHECK(check_ipc_semctl, cred, semakptr, semakptr->label, cmd);
@@ -127,7 +132,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_sem)
 return (0);
 MAC_CHECK(check_ipc_semget, cred, semakptr, semakptr->label);
@@ -141,7 +146,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_sem)
 return (0);
 MAC_CHECK(check_ipc_semop, cred, semakptr, semakptr->label,
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_sysv_shm.c#6 (text+ko) ====
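Review bot: The `TUNABLE_INT` added in the mac_sysv_sem.c declaration hunk (`@@ -53,6 +53,11 @@`) keeps the old loader name `security.mac.enforce_sysv`, and the mac_sysv_shm.c declaration hunk does the same, whereas mac_sysv_msg.c moved to `security.mac.enforce_sysv_msg`. A boot-time `security.mac.enforce_sysv=0` therefore turns off semaphore and shared-memory enforcement together and leaves message queues enforcing, which is not the per-service control the change description states. Use `TUNABLE_INT("security.mac.enforce_sysv_sem", &mac_enforce_sysv_sem);` here and the `_shm` equivalent in mac_sysv_shm.c. The rename should also be documented for systems whose loader configuration still sets the old name, since that setting would stop applying to the services it used to cover.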
@@ -53,6 +53,12 @@
 #include <security/mac/mac_internal.h>
+static int mac_enforce_sysv_shm = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW,
+ &mac_enforce_sysv_shm, 0,
+ "Enforce MAC policy on System V IPC shared memory");
+TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm);
+
 #ifdef MAC_DEBUG
 static unsigned int nmacipcshms;
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_shms, CTLFLAG_RD,
@@ -114,7 +120,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_shm)
 return (0);
 MAC_CHECK(check_ipc_shmat, cred, shmsegptr, shmsegptr->label,
@@ -129,7 +135,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_shm)
 return (0);
 MAC_CHECK(check_ipc_shmctl, cred, shmsegptr, shmsegptr->label,
@@ -143,7 +149,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_shm)
 return (0);
 MAC_CHECK(check_ipc_shmdt, cred, shmsegptr, shmsegptr->label);
@@ -157,7 +163,7 @@
 {
 int error;
- if (!mac_enforce_sysv)
+ if (!mac_enforce_sysv_shm)
 return (0);
 MAC_CHECK(check_ipc_shmget, cred, shmsegptr, shmsegptr->label,