diff options
Diffstat (limited to 'sys/security/mac/mac_process.c')
| -rw-r--r-- | sys/security/mac/mac_process.c | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 607113e4cf8d..43a52bf43382 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -2572,6 +2572,11 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); return (error); @@ -2582,6 +2587,11 @@ mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); return (error); @@ -2592,6 +2602,11 @@ mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); @@ -2603,6 +2618,11 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); return (error); @@ -2613,6 +2633,11 @@ mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); return (error); @@ -2623,6 +2648,11 @@ mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + + if (!mac_enforce_pipe) + return (0); + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); return (error); @@ -2889,6 +2919,8 @@ mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) { int error; + PIPE_LOCK_ASSERT(pipe, MA_OWNED); + error = mac_check_pipe_relabel(cred, pipe, label); if (error) return (error); @@ -3192,7 +3224,9 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) break; case DTYPE_PIPE: pipe = (struct pipe *)fp->f_data; + PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); + PIPE_UNLOCK(pipe); break; default: error = EINVAL; |