Correct several issues in the integration of POSIX shared memory objects

and the new setmode and setowner fileops in FreeBSD 9.0:

- Add new MAC Framework entry point mac_posixshm_check_create() to allow
  MAC policies to authorise shared memory use.  Provide a stub policy and
  test policy templates.

- Add missing Biba and MLS implementations of mac_posixshm_check_setmode()
  and mac_posixshm_check_setowner().

- Add 'accmode' argument to mac_posixshm_check_open() -- unlike the
  mac_posixsem_check_open() entry point it was modeled on, the access mode
  is required as shared memory access can be read-only as well as writable;
  this isn't true of POSIX semaphores.

- Implement full range of POSIX shared memory entry points for Biba and MLS.

Sponsored by:   Google Inc.
Obtained from:	TrustedBSD Project
Approved by:    re (kib)

sys/kern/uipc_shm.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2006 Robert N. M. Watson
+ * Copyright (c) 2006, 2011 Robert N. M. Watson
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -31,25 +31,21 @@
  *
  * TODO:
  *
- * (2) Need to export data to a userland tool via a sysctl.  Should ipcs(1)
+ * (1) Need to export data to a userland tool via a sysctl.  Should ipcs(1)
  *     and ipcrm(1) be expanded or should new tools to manage both POSIX
  *     kernel semaphores and POSIX shared memory be written?
  *
- * (3) Add support for this file type to fstat(1).
+ * (2) Add support for this file type to fstat(1).
  *
- * (4) Resource limits?  Does this need its own resource limits or are the
+ * (3) Resource limits?  Does this need its own resource limits or are the
  *     existing limits in mmap(2) sufficient?
  *
- * (5) Partial page truncation.  vnode_pager_setsize() will zero any parts
+ * (4) Partial page truncation.  vnode_pager_setsize() will zero any parts
  *     of a partially mapped page as a result of ftruncate(2)/truncate(2).
  *     We can do the same (with the same pmap evil), but do we need to
  *     worry about the bits on disk if the page is swapped out or will the
  *     swapper zero the parts of a page that are invalid if the page is
  *     swapped back in for us?
- *
- * (6) Add MAC support in mac_biba(4) and mac_mls(4).
- *
- * (7) Add a MAC check_create() hook for creating new named objects.
  */
 
 #include <sys/cdefs.h>
@@ -551,8 +547,16 @@ shm_open(struct thread *td, struct shm_open_args *uap)
 		if (shmfd == NULL) {
 			/* Object does not yet exist, create it if requested. */
 			if (uap->flags & O_CREAT) {
-				shmfd = shm_alloc(td->td_ucred, cmode);
-				shm_insert(path, fnv, shmfd);
+#ifdef MAC
+				error = mac_posixshm_check_create(td->td_ucred,
+				    path);
+				if (error == 0) {
+#endif
+					shmfd = shm_alloc(td->td_ucred, cmode);
+					shm_insert(path, fnv, shmfd);
+#ifdef MAC
+				}
+#endif
 			} else {
 				free(path, M_SHMFD);
 				error = ENOENT;
@@ -569,7 +573,7 @@ shm_open(struct thread *td, struct shm_open_args *uap)
 			else {
 #ifdef MAC
 				error = mac_posixshm_check_open(td->td_ucred,
-				    shmfd);
+				    shmfd, FFLAGS(uap->flags & O_ACCMODE));
 				if (error == 0)
 #endif
 				error = shm_access(shmfd, td->td_ucred,

sys/security/mac/mac_framework.h

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * All rights reserved.
@@ -238,9 +238,11 @@ void 	mac_posixsem_create(struct ucred *cred, struct ksem *ks);
 void	mac_posixsem_destroy(struct ksem *);
 void	mac_posixsem_init(struct ksem *);
 
+int	mac_posixshm_check_create(struct ucred *cred, const char *path);
 int	mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
 	    int prot, int flags);
-int	mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd);
+int	mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+	    accmode_t accmode);
 int	mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
 	    mode_t mode);
 int	mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,

sys/security/mac/mac_policy.h

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -355,11 +355,14 @@ typedef void	(*mpo_posixsem_create_t)(struct ucred *cred,
 typedef void    (*mpo_posixsem_destroy_label_t)(struct label *label);
 typedef void    (*mpo_posixsem_init_label_t)(struct label *label);
 
+typedef int	(*mpo_posixshm_check_create_t)(struct ucred *cred,
+		    const char *path);
 typedef int	(*mpo_posixshm_check_mmap_t)(struct ucred *cred,
 		    struct shmfd *shmfd, struct label *shmlabel, int prot,
 		    int flags);
 typedef int	(*mpo_posixshm_check_open_t)(struct ucred *cred,
-		    struct shmfd *shmfd, struct label *shmlabel);
+		    struct shmfd *shmfd, struct label *shmlabel,
+		    accmode_t accmode);
 typedef int	(*mpo_posixshm_check_setmode_t)(struct ucred *cred,
 		    struct shmfd *shmfd, struct label *shmlabel,
 		    mode_t mode);
@@ -812,6 +815,7 @@ struct mac_policy_ops {
 	mpo_posixsem_destroy_label_t		mpo_posixsem_destroy_label;
 	mpo_posixsem_init_label_t		mpo_posixsem_init_label;
 
+	mpo_posixshm_check_create_t		mpo_posixshm_check_create;
 	mpo_posixshm_check_mmap_t		mpo_posixshm_check_mmap;
 	mpo_posixshm_check_open_t		mpo_posixshm_check_open;
 	mpo_posixshm_check_setmode_t		mpo_posixshm_check_setmode;

sys/security/mac/mac_posix_shm.c

@@ -1,6 +1,6 @@
 /*-
  * Copyright (c) 2003-2006 SPARTA, Inc.
- * Copyright (c) 2009 Robert N. M. Watson
+ * Copyright (c) 2009-2011 Robert N. M. Watson
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project in part by Network
@@ -101,6 +101,20 @@ mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd)
 	    shmfd->shm_label);
 }
 
+MAC_CHECK_PROBE_DEFINE2(posixshm_check_create, "struct ucred *",
+    "const char *");
+
+int
+mac_posixshm_check_create(struct ucred *cred, const char *path)
+{
+	int error;
+
+	MAC_POLICY_CHECK_NOSLEEP(posixshm_check_create, cred, path);
+	MAC_CHECK_PROBE2(posixshm_check_create, error, cred, path);
+
+	return (error);
+}
+
 MAC_CHECK_PROBE_DEFINE4(posixshm_check_mmap, "struct ucred *",
     "struct shmfd *", "int", "int");
 
@@ -118,17 +132,18 @@ mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot,
 	return (error);
 }
 
-MAC_CHECK_PROBE_DEFINE2(posixshm_check_open, "struct ucred *",
-    "struct shmfd *");
+MAC_CHECK_PROBE_DEFINE3(posixshm_check_open, "struct ucred *",
+    "struct shmfd *", "accmode_t accmode");
 
 int
-mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd)
+mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+    accmode_t accmode)
 {
 	int error;
 
 	MAC_POLICY_CHECK_NOSLEEP(posixshm_check_open, cred, shmfd,
-	    shmfd->shm_label);
-	MAC_CHECK_PROBE2(posixshm_check_open, error, cred, shmfd);
+	    shmfd->shm_label, accmode);
+	MAC_CHECK_PROBE3(posixshm_check_open, error, cred, shmfd, accmode);
 
 	return (error);
 }

sys/security/mac_biba/mac_biba.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -14,6 +14,9 @@
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -1621,6 +1624,42 @@ biba_posixsem_check_openunlink(struct ucred *cred, struct ksem *ks,
 	return (0);
 }
 
+static int
+biba_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
+    struct label *kslabel, mode_t mode)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(kslabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+biba_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
+    struct label *kslabel, uid_t uid, gid_t gid)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(kslabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
 static int
 biba_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
@@ -1669,6 +1708,156 @@ biba_posixsem_create(struct ucred *cred, struct ksem *ks,
 	biba_copy_effective(source, dest);
 }
 
+static int
+biba_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, int prot, int flags)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled || !revocation_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
+		if (!biba_dominate_effective(obj, subj))
+			return (EACCES);
+	}
+	if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
+		if (!biba_dominate_effective(subj, obj))
+			return (EACCES);
+	}
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, accmode_t accmode)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
+		if (!biba_dominate_effective(obj, subj))
+			return (EACCES);
+	}
+	if (accmode & VMODIFY_PERMS) {
+		if (!biba_dominate_effective(subj, obj))
+			return (EACCES);
+	}
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, mode_t mode)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, uid_t uid, gid_t gid)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
+    struct shmfd *shmfd, struct label *shmlabel)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(active_cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!biba_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_truncate(struct ucred *active_cred,
+    struct ucred *file_cred, struct shmfd *shmfd, struct label *shmlabel)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(active_cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+biba_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+    
+	return (0);
+}
+
+static void
+biba_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(cred->cr_label);
+	dest = SLOT(shmlabel);
+
+	biba_copy_effective(source, dest);
+}
+
 /*
  * Some system privileges are allowed regardless of integrity grade; others
  * are allowed only when running with privilege with respect to the Biba
@@ -3455,6 +3644,8 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_posixsem_check_getvalue = biba_posixsem_check_rdonly,
 	.mpo_posixsem_check_open = biba_posixsem_check_openunlink,
 	.mpo_posixsem_check_post = biba_posixsem_check_write,
+	.mpo_posixsem_check_setmode = biba_posixsem_check_setmode,
+	.mpo_posixsem_check_setowner = biba_posixsem_check_setowner,
 	.mpo_posixsem_check_stat = biba_posixsem_check_rdonly,
 	.mpo_posixsem_check_unlink = biba_posixsem_check_openunlink,
 	.mpo_posixsem_check_wait = biba_posixsem_check_write,
@@ -3462,6 +3653,17 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_posixsem_destroy_label = biba_destroy_label,
 	.mpo_posixsem_init_label = biba_init_label,
 
+	.mpo_posixshm_check_mmap = biba_posixshm_check_mmap,
+	.mpo_posixshm_check_open = biba_posixshm_check_open,
+	.mpo_posixshm_check_setmode = biba_posixshm_check_setmode,
+	.mpo_posixshm_check_setowner = biba_posixshm_check_setowner,
+	.mpo_posixshm_check_stat = biba_posixshm_check_stat,
+	.mpo_posixshm_check_truncate = biba_posixshm_check_truncate,
+	.mpo_posixshm_check_unlink = biba_posixshm_check_unlink,
+	.mpo_posixshm_create = biba_posixshm_create,
+	.mpo_posixshm_destroy_label = biba_destroy_label,
+	.mpo_posixshm_init_label = biba_init_label,
+
 	.mpo_priv_check = biba_priv_check,
 
 	.mpo_proc_check_debug = biba_proc_check_debug,

sys/security/mac_mls/mac_mls.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -14,6 +14,9 @@
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -1531,6 +1534,42 @@ mls_posixsem_check_rdonly(struct ucred *active_cred, struct ucred *file_cred,
 	return (0);
 }
 
+static int
+mls_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
+    struct label *shmlabel, mode_t mode)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
+    struct label *shmlabel, uid_t uid, gid_t gid)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
 static int
 mls_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
@@ -1561,6 +1600,159 @@ mls_posixsem_create(struct ucred *cred, struct ksem *ks,
 	mls_copy_effective(source, dest);
 }
 
+static int
+mls_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, int prot, int flags)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
+		if (!mls_dominate_effective(subj, obj))
+			return (EACCES);
+	}
+	if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
+		if (!mls_dominate_effective(obj, subj))
+			return (EACCES);
+	}
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, accmode_t accmode)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
+		if (!mls_dominate_effective(subj, obj))
+			return (EACCES);
+	}
+	if (accmode & VMODIFY_PERMS) {
+		if (!mls_dominate_effective(obj, subj))
+			return (EACCES);
+	}
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, mode_t mode)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel, uid_t uid, gid_t gid)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
+    struct shmfd *shmfd, struct label *shmlabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(active_cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_truncate(struct ucred *active_cred,
+    struct ucred *file_cred, struct shmfd *shmfd, struct label *shmlabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(active_cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+mls_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmlabel);
+
+	if (!mls_dominate_effective(obj, subj))
+		return (EACCES);
+    
+	return (0);
+}
+
+static void
+mls_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
+    struct label *shmlabel)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(cred->cr_label);
+	dest = SLOT(shmlabel);
+
+	mls_copy_effective(source, dest);
+}
+
 static int
 mls_proc_check_debug(struct ucred *cred, struct proc *p)
 {
@@ -3075,6 +3267,8 @@ static struct mac_policy_ops mls_ops =
 	.mpo_posixsem_check_getvalue = mls_posixsem_check_rdonly,
 	.mpo_posixsem_check_open = mls_posixsem_check_openunlink,
 	.mpo_posixsem_check_post = mls_posixsem_check_write,
+	.mpo_posixsem_check_setmode = mls_posixsem_check_setmode,
+	.mpo_posixsem_check_setowner = mls_posixsem_check_setowner,
 	.mpo_posixsem_check_stat = mls_posixsem_check_rdonly,
 	.mpo_posixsem_check_unlink = mls_posixsem_check_openunlink,
 	.mpo_posixsem_check_wait = mls_posixsem_check_write,
@@ -3082,6 +3276,17 @@ static struct mac_policy_ops mls_ops =
 	.mpo_posixsem_destroy_label = mls_destroy_label,
 	.mpo_posixsem_init_label = mls_init_label,
 
+	.mpo_posixshm_check_mmap = mls_posixshm_check_mmap,
+	.mpo_posixshm_check_open = mls_posixshm_check_open,
+	.mpo_posixshm_check_setmode = mls_posixshm_check_setmode,
+	.mpo_posixshm_check_setowner = mls_posixshm_check_setowner,
+	.mpo_posixshm_check_stat = mls_posixshm_check_stat,
+	.mpo_posixshm_check_truncate = mls_posixshm_check_truncate,
+	.mpo_posixshm_check_unlink = mls_posixshm_check_unlink,
+	.mpo_posixshm_create = mls_posixshm_create,
+	.mpo_posixshm_destroy_label = mls_destroy_label,
+	.mpo_posixshm_init_label = mls_init_label,
+
 	.mpo_proc_check_debug = mls_proc_check_debug,
 	.mpo_proc_check_sched = mls_proc_check_sched,
 	.mpo_proc_check_signal = mls_proc_check_signal,

sys/security/mac_stub/mac_stub.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -733,6 +733,13 @@ stub_posixsem_create(struct ucred *cred, struct ksem *ks,
 
 }
 
+static int
+stub_posixshm_check_create(struct ucred *cred, const char *path)
+{
+
+	return (0);
+}
+
 static int
 stub_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, int prot, int flags)
@@ -743,7 +750,7 @@ stub_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
 
 static int
 stub_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
-    struct label *shmlabel)
+    struct label *shmlabel, accmode_t accmode)
 {
 
 	return (0);
@@ -1772,6 +1779,7 @@ static struct mac_policy_ops stub_ops =
 	.mpo_posixsem_destroy_label = stub_destroy_label,
 	.mpo_posixsem_init_label = stub_init_label,
 
+	.mpo_posixshm_check_create = stub_posixshm_check_create,
 	.mpo_posixshm_check_mmap = stub_posixshm_check_mmap,
 	.mpo_posixshm_check_open = stub_posixshm_check_open,
 	.mpo_posixshm_check_setmode = stub_posixshm_check_setmode,

sys/security/mac_test/mac_test.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -1390,6 +1390,15 @@ test_posixsem_init_label(struct label *label)
 	COUNTER_INC(posixsem_init_label);
 }
 
+COUNTER_DECL(posixshm_check_create);
+static int
+test_posixshm_check_create(struct ucred *cred, const char *path)
+{
+
+	COUNTER_INC(posixshm_check_create);
+	return (0);
+}
+
 COUNTER_DECL(posixshm_check_mmap);
 static int
 test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
@@ -1405,7 +1414,7 @@ test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
 COUNTER_DECL(posixshm_check_open);
 static int
 test_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
-    struct label *shmfdlabel)
+    struct label *shmfdlabel, accmode_t accmode)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
@@ -3102,6 +3111,7 @@ static struct mac_policy_ops test_ops =
 	.mpo_posixsem_destroy_label = test_posixsem_destroy_label,
 	.mpo_posixsem_init_label = test_posixsem_init_label,
 
+	.mpo_posixshm_check_create = test_posixshm_check_create,
 	.mpo_posixshm_check_mmap = test_posixshm_check_mmap,
 	.mpo_posixshm_check_open = test_posixshm_check_open,
 	.mpo_posixshm_check_setmode = test_posixshm_check_setmode,