From c4f3a35a545ad3f76e9a9bac783ee6fad70183bf Mon Sep 17 00:00:00 2001
From: John Baldwin
Date: Mon, 23 Jun 2008 21:37:53 +0000
Subject: [PATCH] Remove the posixsem_check_destroy() MAC check. It is semantically identical to doing a MAC check for close(), but no other types of close() (including close(2) and ksem_close(2)) have MAC checks.
Discussed with: rwatson
---
 sys/kern/uipc_sem.c | 5 -----
 sys/security/mac/mac_framework.h | 1 -
 sys/security/mac/mac_policy.h | 3 ---
 sys/security/mac/mac_posix_sem.c | 10 ----------
 sys/security/mac_biba/mac_biba.c | 1 -
 sys/security/mac_mls/mac_mls.c | 1 -
 sys/security/mac_stub/mac_stub.c | 9 ---------
 sys/security/mac_test/mac_test.c | 14 --------------
 8 files changed, 44 deletions(-)
diff --git a/sys/kern/uipc_sem.c b/sys/kern/uipc_sem.c
index a91096ffb3f9..9603b1d31fe9 100644
--- a/sys/kern/uipc_sem.c
+++ b/sys/kern/uipc_sem.c
@@ -807,11 +807,6 @@ ksem_destroy(struct thread *td, struct ksem_destroy_args *uap)
 error = EINVAL;
 goto err;
 }
-#ifdef MAC
- error = mac_posixsem_check_destroy(td->td_ucred, ks);
- if (error)
- goto err;
-#endif
 if (ks->ks_waiters != 0) {
 error = EBUSY;
 goto err;
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 9b02e4f8f4b1..c68d2d1ff8e0 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -189,7 +189,6 @@ void mac_pipe_init(struct pipepair *);
 int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, struct label *label);
-int mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks);
 int mac_posixsem_check_getvalue(struct ucred *cred,struct ksem *ks);
 int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks);
 int mac_posixsem_check_post(struct ucred *cred, struct ksem *ks);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 8f27ebbc637a..f0fa7558674b 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -288,8 +288,6 @@ typedef int (*mpo_pipe_internalize_label_t)(struct label *label,
 typedef void (*mpo_pipe_relabel_t)(struct ucred *cred, struct pipepair *pp, struct label *oldlabel, struct label *newlabel);
-typedef int (*mpo_posixsem_check_destroy_t)(struct ucred *cred,
- struct ksem *ks, struct label *kslabel);
 typedef int (*mpo_posixsem_check_getvalue_t)(struct ucred *cred, struct ksem *ks, struct label *kslabel);
 typedef int (*mpo_posixsem_check_open_t)(struct ucred *cred,
@@ -741,7 +739,6 @@ struct mac_policy_ops {
 mpo_pipe_internalize_label_t mpo_pipe_internalize_label;
 mpo_pipe_relabel_t mpo_pipe_relabel;
- mpo_posixsem_check_destroy_t mpo_posixsem_check_destroy;
 mpo_posixsem_check_getvalue_t mpo_posixsem_check_getvalue;
 mpo_posixsem_check_open_t mpo_posixsem_check_open;
 mpo_posixsem_check_post_t mpo_posixsem_check_post;
diff --git a/sys/security/mac/mac_posix_sem.c b/sys/security/mac/mac_posix_sem.c
index 4b401425e4d5..68fb56c2d1cf 100644
--- a/sys/security/mac/mac_posix_sem.c
+++ b/sys/security/mac/mac_posix_sem.c
@@ -90,16 +90,6 @@ mac_posixsem_create(struct ucred *cred, struct ksem *ks)
 MAC_PERFORM(posixsem_create, cred, ks, ks->ks_label);
 }
-int
-mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks)
-{
- int error;
-
- MAC_CHECK(posixsem_check_destroy, cred, ks, ks->ks_label);
-
- return (error);
-}
-
 int
 mac_posixsem_check_open(struct ucred *cred, struct ksem *ks)
 {
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 08b735f82c6e..4c0c85b21f54 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -3334,7 +3334,6 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_pipe_internalize_label = biba_internalize_label,
 .mpo_pipe_relabel = biba_pipe_relabel,
- .mpo_posixsem_check_destroy = biba_posixsem_check_write,
 .mpo_posixsem_check_getvalue = biba_posixsem_check_rdonly,
 .mpo_posixsem_check_open = biba_posixsem_check_write,
 .mpo_posixsem_check_post = biba_posixsem_check_write,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index d92b7398281f..cff9d887181e 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -2957,7 +2957,6 @@ static struct mac_policy_ops mls_ops =
 .mpo_pipe_internalize_label = mls_internalize_label,
 .mpo_pipe_relabel = mls_pipe_relabel,
- .mpo_posixsem_check_destroy = mls_posixsem_check_write,
 .mpo_posixsem_check_getvalue = mls_posixsem_check_rdonly,
 .mpo_posixsem_check_open = mls_posixsem_check_write,
 .mpo_posixsem_check_post = mls_posixsem_check_write,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 6c8f2f530605..34f5cadeab2a 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -522,14 +522,6 @@ stub_pipe_relabel(struct ucred *cred, struct pipepair *pp,
 }
-static int
-stub_posixsem_check_destroy(struct ucred *cred, struct ksem *ks,
- struct label *kslabel)
-{
-
- return (0);
-}
-
 static int
 stub_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks, struct label *kslabel)
@@ -1587,7 +1579,6 @@ static struct mac_policy_ops stub_ops =
 .mpo_pipe_internalize_label = stub_internalize_label,
 .mpo_pipe_relabel = stub_pipe_relabel,
- .mpo_posixsem_check_destroy = stub_posixsem_check_destroy,
 .mpo_posixsem_check_getvalue = stub_posixsem_check_getvalue,
 .mpo_posixsem_check_open = stub_posixsem_check_open,
 .mpo_posixsem_check_post = stub_posixsem_check_post,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index bacebd4cb4fe..8a3d646db4cd 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1010,19 +1010,6 @@ test_pipe_relabel(struct ucred *cred, struct pipepair *pp,
 COUNTER_INC(pipe_relabel);
 }
-COUNTER_DECL(posixsem_check_destroy);
-static int
-test_posixsem_check_destroy(struct ucred *cred, struct ksem *ks,
- struct label *kslabel)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
- COUNTER_INC(posixsem_check_destroy);
-
- return (0);
-}
-
 COUNTER_DECL(posixsem_check_getvalue);
 static int
 test_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks,
@@ -2886,7 +2873,6 @@ static struct mac_policy_ops test_ops =
 .mpo_pipe_internalize_label = test_pipe_internalize_label,
 .mpo_pipe_relabel = test_pipe_relabel,
- .mpo_posixsem_check_destroy = test_posixsem_check_destroy,
 .mpo_posixsem_check_getvalue = test_posixsem_check_getvalue,
 .mpo_posixsem_check_open = test_posixsem_check_open,
 .mpo_posixsem_check_post = test_posixsem_check_post,