xnu-2782.30.5.tar.gz

[apple/xnu.git] / bsd / kern / sysv_shm.c
diff --git a/bsd/kern/sysv_shm.c b/bsd/kern/sysv_shm.c

index 09f12c6d52d665a56ef61abd6c11645eec121f91..caed4c433c277da2bf3a9e2efe4b484e02215af2 100644 (file)
--- a/bsd/kern/sysv_shm.c
+++ b/bsd/kern/sysv_shm.c
@@ -1,23 +1,29 @@
  /*
  /*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 2000-2007 Apple Inc. All rights reserved.
   *
   *
- * @APPLE_LICENSE_HEADER_START@
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   * 
   * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
   * 
   * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
   * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
   * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
   * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
   * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
   * 
   * 
- * @APPLE_LICENSE_HEADER_END@
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
   */
  /*     $NetBSD: sysv_shm.c,v 1.23 1994/07/04 23:25:12 glass Exp $      */
  
   */
  /*     $NetBSD: sysv_shm.c,v 1.23 1994/07/04 23:25:12 glass Exp $      */
  
@@ -50,6 +56,13 @@
   * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   */
   * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   */
+/*
+ * NOTICE: This file was modified by McAfee Research in 2004 to introduce
+ * support for mandatory and extensible security protections.  This notice
+ * is included in support of clause 2.2 (b) of the Apple Public License,
+ * Version 2.0.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
+*/
  
  
  #include <sys/appleapiopts.h>
  
  
  #include <sys/appleapiopts.h>
@@ -66,8 +79,11 @@
  #include <sys/ipcs.h>
  #include <sys/sysent.h>
  #include <sys/sysproto.h>
  #include <sys/ipcs.h>
  #include <sys/sysent.h>
  #include <sys/sysproto.h>
+#if CONFIG_MACF
+#include <security/mac_framework.h>
+#endif
  
  
-#include <bsm/audit_kernel.h>
+#include <security/audit/audit.h>
  
  #include <mach/mach_types.h>
  #include <mach/vm_inherit.h>
  
  #include <mach/mach_types.h>
  #include <mach/vm_inherit.h>
@@ -76,15 +92,23 @@
  #include <mach/mach_vm.h>
  
  #include <vm/vm_map.h>
  #include <mach/mach_vm.h>
  
  #include <vm/vm_map.h>
-#include <vm/vm_shared_memory_server.h>
  #include <vm/vm_protos.h>
  
  #include <kern/locks.h>
  
  #include <vm/vm_protos.h>
  
  #include <kern/locks.h>
  
+/* Uncomment this line to see MAC debugging output. */
+/* #define MAC_DEBUG */
+#if CONFIG_MACF_DEBUG
+#define        MPRINTF(a)      printf a
+#else
+#define        MPRINTF(a)     
+#endif
+
+#if SYSV_SHM
  static void shminit(void *);
  #if 0
  SYSINIT(sysv_shm, SI_SUB_SYSV_SHM, SI_ORDER_FIRST, shminit, NULL)
  static void shminit(void *);
  #if 0
  SYSINIT(sysv_shm, SI_SUB_SYSV_SHM, SI_ORDER_FIRST, shminit, NULL)
-#endif 0
+#endif
  
  static lck_grp_t       *sysv_shm_subsys_lck_grp;
  static lck_grp_attr_t  *sysv_shm_subsys_lck_grp_attr;
  
  static lck_grp_t       *sysv_shm_subsys_lck_grp;
  static lck_grp_attr_t  *sysv_shm_subsys_lck_grp_attr;
@@ -97,8 +121,8 @@ static lck_mtx_t        sysv_shm_subsys_mutex;
  static int oshmctl(void *p, void *uap, void *retval);
  static int shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode, int * retval);
  static int shmget_existing(struct shmget_args *uap, int mode, int segnum, int  * retval);
  static int oshmctl(void *p, void *uap, void *retval);
  static int shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode, int * retval);
  static int shmget_existing(struct shmget_args *uap, int mode, int segnum, int  * retval);
-static void shmid_ds_64to32(struct user_shmid_ds *in, struct shmid_ds *out);
-static void shmid_ds_32to64(struct shmid_ds *in, struct user_shmid_ds *out);
+static void shmid_ds_64to32(struct user_shmid_ds *in, struct user32_shmid_ds *out);
+static void shmid_ds_32to64(struct user32_shmid_ds *in, struct user_shmid_ds *out);
  
  /* XXX casting to (sy_call_t *) is bogus, as usual. */
  static sy_call_t *shmcalls[] = {
  
  /* XXX casting to (sy_call_t *) is bogus, as usual. */
  static sy_call_t *shmcalls[] = {
@@ -113,11 +137,20 @@ static sy_call_t *shmcalls[] = {
  #define        SHMSEG_WANTED           0x1000
  
  static int shm_last_free, shm_nused, shm_committed;
  #define        SHMSEG_WANTED           0x1000
  
  static int shm_last_free, shm_nused, shm_committed;
-struct user_shmid_ds   *shmsegs;       /* 64 bit version */
+struct shmid_kernel    *shmsegs;       /* 64 bit version */
  static int shm_inited = 0;
  
  static int shm_inited = 0;
  
+/*
+ * Since anonymous memory chunks are limited to ANON_MAX_SIZE bytes,
+ * we have to keep a list of chunks when we want to handle a shared memory
+ * segment bigger than ANON_MAX_SIZE.
+ * Each chunk points to a VM named entry of up to ANON_MAX_SIZE bytes
+ * of anonymous memory.
+ */
  struct shm_handle {
  struct shm_handle {
-       void * shm_object;              /* vm_offset_t kva; */
+       void * shm_object;                      /* named entry for this chunk*/
+       memory_object_size_t shm_handle_size;   /* size of this chunk */
+       struct shm_handle *shm_handle_next;     /* next chunk */
  };
  
  struct shmmap_state {
  };
  
  struct shmmap_state {
@@ -125,18 +158,23 @@ struct shmmap_state {
         int shmid;                      /* segment id */
  };
  
         int shmid;                      /* segment id */
  };
  
-static void shm_deallocate_segment(struct user_shmid_ds *);
+static void shm_deallocate_segment(struct shmid_kernel *);
  static int shm_find_segment_by_key(key_t);
  static int shm_find_segment_by_key(key_t);
-static struct user_shmid_ds *shm_find_segment_by_shmid(int);
+static struct shmid_kernel *shm_find_segment_by_shmid(int);
  static int shm_delete_mapping(struct proc *, struct shmmap_state *, int);
  
  #ifdef __APPLE_API_PRIVATE
  static int shm_delete_mapping(struct proc *, struct shmmap_state *, int);
  
  #ifdef __APPLE_API_PRIVATE
+#define DEFAULT_SHMMAX (4 * 1024 * 1024)
+#define DEFAULT_SHMMIN 1
+#define DEFAULT_SHMMNI 32
+#define DEFAULT_SHMSEG 8
+#define DEFAULT_SHMALL 1024
  struct  shminfo shminfo = {
  struct  shminfo shminfo = {
-        -1,    /* SHMMAX 4096 *1024 */
-        -1,    /* SHMMIN = 1 */
-        -1,    /* SHMMNI = 1 */
-        -1,    /* SHMSEG = 8 */
-        -1     /* SHMALL = 1024 */
+        DEFAULT_SHMMAX,
+        DEFAULT_SHMMIN,
+        DEFAULT_SHMMNI,
+       DEFAULT_SHMSEG,
+       DEFAULT_SHMALL
  };
  #endif /* __APPLE_API_PRIVATE */
  
  };
  #endif /* __APPLE_API_PRIVATE */
  
@@ -157,17 +195,17 @@ sysv_shmtime(void)
   * NOTE: Source and target may *NOT* overlap! (target is smaller)
   */
  static void
   * NOTE: Source and target may *NOT* overlap! (target is smaller)
   */
  static void
-shmid_ds_64to32(struct user_shmid_ds *in, struct shmid_ds *out)
+shmid_ds_64to32(struct user_shmid_ds *in, struct user32_shmid_ds *out)
  {
         out->shm_perm = in->shm_perm;
  {
         out->shm_perm = in->shm_perm;
-       out->shm_segsz = (size_t)in->shm_segsz;
+       out->shm_segsz = in->shm_segsz;
         out->shm_lpid = in->shm_lpid;
         out->shm_cpid = in->shm_cpid;
         out->shm_nattch = in->shm_nattch;
         out->shm_atime = in->shm_atime;
         out->shm_dtime = in->shm_dtime;
         out->shm_ctime = in->shm_ctime;
         out->shm_lpid = in->shm_lpid;
         out->shm_cpid = in->shm_cpid;
         out->shm_nattch = in->shm_nattch;
         out->shm_atime = in->shm_atime;
         out->shm_dtime = in->shm_dtime;
         out->shm_ctime = in->shm_ctime;
-       out->shm_internal = CAST_DOWN(void *,in->shm_internal);
+       out->shm_internal = CAST_DOWN_EXPLICIT(int,in->shm_internal);
  }
  
  /*
  }
  
  /*
@@ -176,16 +214,16 @@ shmid_ds_64to32(struct user_shmid_ds *in, struct shmid_ds *out)
   * the beginning.
   */
  static void
   * the beginning.
   */
  static void
-shmid_ds_32to64(struct shmid_ds *in, struct user_shmid_ds *out)
+shmid_ds_32to64(struct user32_shmid_ds *in, struct user_shmid_ds *out)
  {
  {
-       out->shm_internal = CAST_USER_ADDR_T(in->shm_internal);
+       out->shm_internal = in->shm_internal;
         out->shm_ctime = in->shm_ctime;
         out->shm_dtime = in->shm_dtime;
         out->shm_atime = in->shm_atime;
         out->shm_nattch = in->shm_nattch;
         out->shm_cpid = in->shm_cpid;
         out->shm_lpid = in->shm_lpid;
         out->shm_ctime = in->shm_ctime;
         out->shm_dtime = in->shm_dtime;
         out->shm_atime = in->shm_atime;
         out->shm_nattch = in->shm_nattch;
         out->shm_cpid = in->shm_cpid;
         out->shm_lpid = in->shm_lpid;
-       out->shm_segsz = (user_size_t)in->shm_segsz;
+       out->shm_segsz = in->shm_segsz;
         out->shm_perm = in->shm_perm;
  }
  
         out->shm_perm = in->shm_perm;
  }
  
@@ -196,66 +234,73 @@ shm_find_segment_by_key(key_t key)
         int i;
  
         for (i = 0; i < shminfo.shmmni; i++)
         int i;
  
         for (i = 0; i < shminfo.shmmni; i++)
-               if ((shmsegs[i].shm_perm.mode & SHMSEG_ALLOCATED) &&
-                   shmsegs[i].shm_perm.key == key)
+               if ((shmsegs[i].u.shm_perm.mode & SHMSEG_ALLOCATED) &&
+                   shmsegs[i].u.shm_perm._key == key)
                         return i;
         return -1;
  }
  
                         return i;
         return -1;
  }
  
-static struct user_shmid_ds *
+static struct shmid_kernel *
  shm_find_segment_by_shmid(int shmid)
  {
         int segnum;
  shm_find_segment_by_shmid(int shmid)
  {
         int segnum;
-       struct user_shmid_ds *shmseg;
+       struct shmid_kernel *shmseg;
  
         segnum = IPCID_TO_IX(shmid);
         if (segnum < 0 || segnum >= shminfo.shmmni)
                 return NULL;
         shmseg = &shmsegs[segnum];
  
         segnum = IPCID_TO_IX(shmid);
         if (segnum < 0 || segnum >= shminfo.shmmni)
                 return NULL;
         shmseg = &shmsegs[segnum];
-       if ((shmseg->shm_perm.mode & (SHMSEG_ALLOCATED | SHMSEG_REMOVED))
+       if ((shmseg->u.shm_perm.mode & (SHMSEG_ALLOCATED | SHMSEG_REMOVED))
             != SHMSEG_ALLOCATED ||
             != SHMSEG_ALLOCATED ||
-           shmseg->shm_perm.seq != IPCID_TO_SEQ(shmid))
+           shmseg->u.shm_perm._seq != IPCID_TO_SEQ(shmid))
                 return NULL;
         return shmseg;
  }
  
  static void
                 return NULL;
         return shmseg;
  }
  
  static void
-shm_deallocate_segment(struct user_shmid_ds *shmseg)
+shm_deallocate_segment(struct shmid_kernel *shmseg)
  {
  {
-       struct shm_handle *shm_handle;
+       struct shm_handle *shm_handle, *shm_handle_next;
         mach_vm_size_t size;
  
         mach_vm_size_t size;
  
-       shm_handle = CAST_DOWN(void *,shmseg->shm_internal);    /* tunnel */
-       size = mach_vm_round_page(shmseg->shm_segsz);
-       mach_memory_entry_port_release(shm_handle->shm_object);
-       shm_handle->shm_object = NULL;
-       FREE((caddr_t)shm_handle, M_SHM);
-       shmseg->shm_internal = USER_ADDR_NULL;          /* tunnel */
+       for (shm_handle = CAST_DOWN(void *,shmseg->u.shm_internal); /* tunnel */
+            shm_handle != NULL;
+            shm_handle = shm_handle_next) {
+               shm_handle_next = shm_handle->shm_handle_next;
+               mach_memory_entry_port_release(shm_handle->shm_object);
+               FREE((caddr_t) shm_handle, M_SHM);
+       }
+       shmseg->u.shm_internal = USER_ADDR_NULL;                /* tunnel */
+       size = mach_vm_round_page(shmseg->u.shm_segsz);
         shm_committed -= btoc(size);
         shm_nused--;
         shm_committed -= btoc(size);
         shm_nused--;
-       shmseg->shm_perm.mode = SHMSEG_FREE;
+       shmseg->u.shm_perm.mode = SHMSEG_FREE;
+#if CONFIG_MACF
+       /* Reset the MAC label */
+       mac_sysvshm_label_recycle(shmseg);
+#endif
  }
  
  static int
  shm_delete_mapping(__unused struct proc *p, struct shmmap_state *shmmap_s,
         int deallocate)
  {
  }
  
  static int
  shm_delete_mapping(__unused struct proc *p, struct shmmap_state *shmmap_s,
         int deallocate)
  {
-       struct user_shmid_ds *shmseg;
+       struct shmid_kernel *shmseg;
         int segnum, result;
         mach_vm_size_t size;
  
         segnum = IPCID_TO_IX(shmmap_s->shmid);
         shmseg = &shmsegs[segnum];
         int segnum, result;
         mach_vm_size_t size;
  
         segnum = IPCID_TO_IX(shmmap_s->shmid);
         shmseg = &shmsegs[segnum];
-       size = mach_vm_round_page(shmseg->shm_segsz);   /* XXX done for us? */
+       size = mach_vm_round_page(shmseg->u.shm_segsz); /* XXX done for us? */
         if (deallocate) {
         result = mach_vm_deallocate(current_map(), shmmap_s->va, size);
         if (result != KERN_SUCCESS)
                 return EINVAL;
         }
         shmmap_s->shmid = -1;
         if (deallocate) {
         result = mach_vm_deallocate(current_map(), shmmap_s->va, size);
         if (result != KERN_SUCCESS)
                 return EINVAL;
         }
         shmmap_s->shmid = -1;
-       shmseg->shm_dtime = sysv_shmtime();
-       if ((--shmseg->shm_nattch <= 0) &&
-           (shmseg->shm_perm.mode & SHMSEG_REMOVED)) {
+       shmseg->u.shm_dtime = sysv_shmtime();
+       if ((--shmseg->u.shm_nattch <= 0) &&
+           (shmseg->u.shm_perm.mode & SHMSEG_REMOVED)) {
                 shm_deallocate_segment(shmseg);
                 shm_last_free = segnum;
         }
                 shm_deallocate_segment(shmseg);
                 shm_last_free = segnum;
         }
@@ -263,20 +308,21 @@ shm_delete_mapping(__unused struct proc *p, struct shmmap_state *shmmap_s,
  }
  
  int
  }
  
  int
-shmdt(struct proc *p, struct shmdt_args *uap, register_t *retval)
+shmdt(struct proc *p, struct shmdt_args *uap, int32_t *retval)
  {
  {
+#if CONFIG_MACF
+       struct shmid_kernel *shmsegptr;
+#endif
         struct shmmap_state *shmmap_s;
         int i;
         int shmdtret = 0;
  
         struct shmmap_state *shmmap_s;
         int i;
         int shmdtret = 0;
  
-       // LP64todo - fix this
-       AUDIT_ARG(svipc_addr, CAST_DOWN(void *,uap->shmaddr));
+       AUDIT_ARG(svipc_addr, uap->shmaddr);
  
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
  
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
-               shmdtret = EINVAL;
-               goto shmdt_out;
+               shminit(NULL);
         }
         shmmap_s = (struct shmmap_state *)p->vm_shm;
         if (shmmap_s == NULL) {
         }
         shmmap_s = (struct shmmap_state *)p->vm_shm;
         if (shmmap_s == NULL) {
@@ -292,6 +338,16 @@ shmdt(struct proc *p, struct shmdt_args *uap, register_t *retval)
                 shmdtret = EINVAL;
                 goto shmdt_out;
         }
                 shmdtret = EINVAL;
                 goto shmdt_out;
         }
+#if CONFIG_MACF
+       /*
+        * XXX: It might be useful to move this into the shm_delete_mapping
+        * function
+        */
+       shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)];
+       shmdtret = mac_sysvshm_check_shmdt(kauth_cred_get(), shmsegptr);
+       if (shmdtret)
+               goto shmdt_out;
+#endif
         i = shm_delete_mapping(p, shmmap_s, 1);
  
         if (i == 0)
         i = shm_delete_mapping(p, shmmap_s, 1);
  
         if (i == 0)
@@ -303,28 +359,30 @@ shmdt_out:
  }
  
  int
  }
  
  int
-shmat(struct proc *p, struct shmat_args *uap, register_t *retval)
+shmat(struct proc *p, struct shmat_args *uap, user_addr_t *retval)
  {
         int error, i, flags;
  {
         int error, i, flags;
-       struct user_shmid_ds    *shmseg;
+       struct shmid_kernel     *shmseg;
         struct shmmap_state     *shmmap_s = NULL;
         struct shm_handle       *shm_handle;
         mach_vm_address_t       attach_va;      /* attach address in/out */
         mach_vm_size_t          map_size;       /* size of map entry */
         struct shmmap_state     *shmmap_s = NULL;
         struct shm_handle       *shm_handle;
         mach_vm_address_t       attach_va;      /* attach address in/out */
         mach_vm_size_t          map_size;       /* size of map entry */
+       mach_vm_size_t          mapped_size;
         vm_prot_t               prot;
         size_t                  size;
         kern_return_t           rv;
         vm_prot_t               prot;
         size_t                  size;
         kern_return_t           rv;
-       int shmat_ret = 0;
+       int                     shmat_ret;
+       int                     vm_flags;
+
+       shmat_ret = 0;
  
         AUDIT_ARG(svipc_id, uap->shmid);
  
         AUDIT_ARG(svipc_id, uap->shmid);
-       // LP64todo - fix this
-       AUDIT_ARG(svipc_addr, CAST_DOWN(void *,uap->shmaddr));
+       AUDIT_ARG(svipc_addr, uap->shmaddr);
  
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
  
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
-               shmat_ret = EINVAL;
-               goto shmat_out;
+               shminit(NULL);
         }
  
         shmmap_s = (struct shmmap_state *)p->vm_shm;
         }
  
         shmmap_s = (struct shmmap_state *)p->vm_shm;
@@ -346,14 +404,21 @@ shmat(struct proc *p, struct shmat_args *uap, register_t *retval)
                 goto shmat_out;
         }
  
                 goto shmat_out;
         }
  
-       AUDIT_ARG(svipc_perm, &shmseg->shm_perm);
-       error = ipcperm(kauth_cred_get(), &shmseg->shm_perm,
+       AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
+       error = ipcperm(kauth_cred_get(), &shmseg->u.shm_perm,
             (uap->shmflg & SHM_RDONLY) ? IPC_R : IPC_R|IPC_W);
         if (error) {
                 shmat_ret = error;
                 goto shmat_out;
         }
  
             (uap->shmflg & SHM_RDONLY) ? IPC_R : IPC_R|IPC_W);
         if (error) {
                 shmat_ret = error;
                 goto shmat_out;
         }
  
+#if CONFIG_MACF
+       error = mac_sysvshm_check_shmat(kauth_cred_get(), shmseg, uap->shmflg);
+       if (error) {
+               shmat_ret = error;
+               goto shmat_out;
+       }
+#endif
         for (i = 0; i < shminfo.shmseg; i++) {
                 if (shmmap_s->shmid == -1)
                         break;
         for (i = 0; i < shminfo.shmseg; i++) {
                 if (shmmap_s->shmid == -1)
                         break;
@@ -364,7 +429,7 @@ shmat(struct proc *p, struct shmat_args *uap, register_t *retval)
                 goto shmat_out;
         }
  
                 goto shmat_out;
         }
  
-       map_size = mach_vm_round_page(shmseg->shm_segsz);
+       map_size = mach_vm_round_page(shmseg->u.shm_segsz);
         prot = VM_PROT_READ;
         if ((uap->shmflg & SHM_RDONLY) == 0)
                 prot |= VM_PROT_WRITE;
         prot = VM_PROT_READ;
         if ((uap->shmflg & SHM_RDONLY) == 0)
                 prot |= VM_PROT_WRITE;
@@ -380,45 +445,80 @@ shmat(struct proc *p, struct shmat_args *uap, register_t *retval)
                 goto shmat_out;
         }
  
                 goto shmat_out;
         }
  
-       shm_handle = CAST_DOWN(void *, shmseg->shm_internal);   /* tunnel */
+       if (flags & MAP_FIXED) {
+               vm_flags = VM_FLAGS_FIXED;
+       } else {
+               vm_flags = VM_FLAGS_ANYWHERE;
+       }
+
+       mapped_size = 0;
+
+       /* first reserve enough space... */
+       rv = mach_vm_map(current_map(),
+                        &attach_va,
+                        map_size,
+                        0,
+                        vm_flags,
+                        IPC_PORT_NULL,
+                        0,
+                        FALSE,
+                        VM_PROT_NONE,
+                        VM_PROT_NONE,
+                        VM_INHERIT_NONE);
+       if (rv != KERN_SUCCESS) {
+               goto out;
+       }
+
+       shmmap_s->va = attach_va;
  
  
-       rv = mach_vm_map(current_map(),                 /* process map */
-                       &attach_va,                     /* attach address */
-                       map_size,                       /* segment size */
-                       (mach_vm_offset_t)0,            /* alignment mask */
-               (flags & MAP_FIXED)? VM_FLAGS_FIXED: VM_FLAGS_ANYWHERE,
+       /* ... then map the shared memory over the reserved space */
+       for (shm_handle = CAST_DOWN(void *, shmseg->u.shm_internal);/* tunnel */
+            shm_handle != NULL;
+            shm_handle = shm_handle->shm_handle_next) {
+
+               rv = vm_map_enter_mem_object(
+                       current_map(),          /* process map */
+                       &attach_va,             /* attach address */
+                       shm_handle->shm_handle_size, /* segment size */
+                       (mach_vm_offset_t)0,    /* alignment mask */
+                       VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE,
                         shm_handle->shm_object,
                         (mach_vm_offset_t)0,
                         FALSE,
                         prot,
                         prot,
                         shm_handle->shm_object,
                         (mach_vm_offset_t)0,
                         FALSE,
                         prot,
                         prot,
-                       VM_INHERIT_DEFAULT);
-       if (rv != KERN_SUCCESS) 
+                       VM_INHERIT_SHARE);
+               if (rv != KERN_SUCCESS) 
                         goto out;
  
                         goto out;
  
-       rv = mach_vm_inherit(current_map(), attach_va, map_size, VM_INHERIT_SHARE);
-       if (rv != KERN_SUCCESS) {
-               (void)mach_vm_deallocate(current_map(), attach_va, map_size);
-               goto out;
+               mapped_size += shm_handle->shm_handle_size;
+               attach_va = attach_va + shm_handle->shm_handle_size;
         }
  
         }
  
-       shmmap_s->va = attach_va;
         shmmap_s->shmid = uap->shmid;
         shmmap_s->shmid = uap->shmid;
-       shmseg->shm_lpid = p->p_pid;
-       shmseg->shm_atime = sysv_shmtime();
-       shmseg->shm_nattch++;
-       *retval = attach_va;    /* XXX return -1 on error */
+       shmseg->u.shm_lpid = p->p_pid;
+       shmseg->u.shm_atime = sysv_shmtime();
+       shmseg->u.shm_nattch++;
+       *retval = shmmap_s->va; /* XXX return -1 on error */
         shmat_ret = 0;
         goto shmat_out;
  out:
         shmat_ret = 0;
         goto shmat_out;
  out:
+       if (mapped_size > 0) {
+               (void) mach_vm_deallocate(current_map(),
+                                         shmmap_s->va,
+                                         mapped_size);
+       }
         switch (rv) {
         case KERN_INVALID_ADDRESS:
         case KERN_NO_SPACE:
                 shmat_ret = ENOMEM;
         switch (rv) {
         case KERN_INVALID_ADDRESS:
         case KERN_NO_SPACE:
                 shmat_ret = ENOMEM;
+               break;
         case KERN_PROTECTION_FAILURE:
                 shmat_ret = EACCES;
         case KERN_PROTECTION_FAILURE:
                 shmat_ret = EACCES;
+               break;
         default:
                 shmat_ret = EINVAL;
         default:
                 shmat_ret = EINVAL;
+               break;
         }
  shmat_out:
         SYSV_SHM_SUBSYS_UNLOCK();
         }
  shmat_out:
         SYSV_SHM_SUBSYS_UNLOCK();
@@ -431,14 +531,21 @@ oshmctl(__unused void *p, __unused void *uap, __unused void *retval)
         return EINVAL;
  }
  
         return EINVAL;
  }
  
+/*
+ * Returns:    0                       Success
+ *             EINVAL
+ *     copyout:EFAULT
+ *     copyin:EFAULT
+ *     ipcperm:EPERM
+ *     ipcperm:EACCES
+ */
  int
  int
-shmctl(__unused struct proc *p, struct shmctl_args *uap, register_t *retval)
+shmctl(__unused struct proc *p, struct shmctl_args *uap, int32_t *retval)
  {
         int error;
         kauth_cred_t cred = kauth_cred_get();
         struct user_shmid_ds inbuf;
  {
         int error;
         kauth_cred_t cred = kauth_cred_get();
         struct user_shmid_ds inbuf;
-       struct user_shmid_ds *shmseg;
-       size_t shmid_ds_sz = sizeof(struct user_shmid_ds);
+       struct shmid_kernel *shmseg;
  
         int shmctl_ret = 0;
  
  
         int shmctl_ret = 0;
  
@@ -448,13 +555,9 @@ shmctl(__unused struct proc *p, struct shmctl_args *uap, register_t *retval)
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
-               shmctl_ret = EINVAL;
-               goto shmctl_out;
+               shminit(NULL);
         }
  
         }
  
-       if (!IS_64BIT_PROCESS(p))
-               shmid_ds_sz = sizeof(struct shmid_ds);
-
         shmseg = shm_find_segment_by_shmid(uap->shmid);
         if (shmseg == NULL) {
                 shmctl_ret = EINVAL;
         shmseg = shm_find_segment_by_shmid(uap->shmid);
         if (shmseg == NULL) {
                 shmctl_ret = EINVAL;
@@ -464,22 +567,39 @@ shmctl(__unused struct proc *p, struct shmctl_args *uap, register_t *retval)
         /* XXAUDIT: This is the perms BEFORE any change by this call. This 
          * may not be what is desired.
          */
         /* XXAUDIT: This is the perms BEFORE any change by this call. This 
          * may not be what is desired.
          */
-       AUDIT_ARG(svipc_perm, &shmseg->shm_perm);
+       AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
  
  
+#if CONFIG_MACF
+       error = mac_sysvshm_check_shmctl(cred, shmseg, uap->cmd);
+       if (error) {
+               shmctl_ret = error;
+               goto shmctl_out;
+       }
+#endif
         switch (uap->cmd) {
         case IPC_STAT:
         switch (uap->cmd) {
         case IPC_STAT:
-               error = ipcperm(cred, &shmseg->shm_perm, IPC_R);
+               error = ipcperm(cred, &shmseg->u.shm_perm, IPC_R);
                 if (error) {
                         shmctl_ret = error;
                         goto shmctl_out;
                 }
  
                 if (IS_64BIT_PROCESS(p)) {
                 if (error) {
                         shmctl_ret = error;
                         goto shmctl_out;
                 }
  
                 if (IS_64BIT_PROCESS(p)) {
-                       error = copyout(shmseg, uap->buf, sizeof(struct user_shmid_ds));
+                       struct user_shmid_ds shmid_ds;
+                       memcpy(&shmid_ds, &shmseg->u, sizeof(struct user_shmid_ds));
+                       
+                       /* Clear kernel reserved pointer before copying to user space */
+                       shmid_ds.shm_internal = USER_ADDR_NULL;
+                       
+                       error = copyout(&shmid_ds, uap->buf, sizeof(shmid_ds));
                 } else {
                 } else {
-                       struct shmid_ds shmid_ds32;
-                       shmid_ds_64to32(shmseg, &shmid_ds32);
-                       error = copyout(&shmid_ds32, uap->buf, sizeof(struct shmid_ds));
+                       struct user32_shmid_ds shmid_ds32;
+                       shmid_ds_64to32(&shmseg->u, &shmid_ds32);
+                       
+                       /* Clear kernel reserved pointer before copying to user space */
+                       shmid_ds32.shm_internal = (user32_addr_t)0;
+                       
+                       error = copyout(&shmid_ds32, uap->buf, sizeof(shmid_ds32));
                 }
                 if (error) {
                         shmctl_ret = error;
                 }
                 if (error) {
                         shmctl_ret = error;
@@ -487,7 +607,7 @@ shmctl(__unused struct proc *p, struct shmctl_args *uap, register_t *retval)
                 }
                 break;
         case IPC_SET:
                 }
                 break;
         case IPC_SET:
-               error = ipcperm(cred, &shmseg->shm_perm, IPC_M);
+               error = ipcperm(cred, &shmseg->u.shm_perm, IPC_M);
                 if (error) {
                         shmctl_ret = error;
                         goto shmctl_out;
                 if (error) {
                         shmctl_ret = error;
                         goto shmctl_out;
@@ -495,30 +615,31 @@ shmctl(__unused struct proc *p, struct shmctl_args *uap, register_t *retval)
                 if (IS_64BIT_PROCESS(p)) {
                         error = copyin(uap->buf, &inbuf, sizeof(struct user_shmid_ds));
                 } else {
                 if (IS_64BIT_PROCESS(p)) {
                         error = copyin(uap->buf, &inbuf, sizeof(struct user_shmid_ds));
                 } else {
-                       error = copyin(uap->buf, &inbuf, sizeof(struct shmid_ds));
+                       struct user32_shmid_ds shmid_ds32;
+                       error = copyin(uap->buf, &shmid_ds32, sizeof(shmid_ds32));
                         /* convert in place; ugly, but safe */
                         /* convert in place; ugly, but safe */
-                       shmid_ds_32to64((struct shmid_ds *)&inbuf, &inbuf);
+                       shmid_ds_32to64(&shmid_ds32, &inbuf);
                 }
                 if (error) {
                         shmctl_ret = error;
                         goto shmctl_out;
                 }
                 }
                 if (error) {
                         shmctl_ret = error;
                         goto shmctl_out;
                 }
-               shmseg->shm_perm.uid = inbuf.shm_perm.uid;
-               shmseg->shm_perm.gid = inbuf.shm_perm.gid;
-               shmseg->shm_perm.mode =
-                   (shmseg->shm_perm.mode & ~ACCESSPERMS) |
+               shmseg->u.shm_perm.uid = inbuf.shm_perm.uid;
+               shmseg->u.shm_perm.gid = inbuf.shm_perm.gid;
+               shmseg->u.shm_perm.mode =
+                   (shmseg->u.shm_perm.mode & ~ACCESSPERMS) |
                     (inbuf.shm_perm.mode & ACCESSPERMS);
                     (inbuf.shm_perm.mode & ACCESSPERMS);
-               shmseg->shm_ctime = sysv_shmtime();
+               shmseg->u.shm_ctime = sysv_shmtime();
                 break;
         case IPC_RMID:
                 break;
         case IPC_RMID:
-               error = ipcperm(cred, &shmseg->shm_perm, IPC_M);
+               error = ipcperm(cred, &shmseg->u.shm_perm, IPC_M);
                 if (error) {
                         shmctl_ret = error;
                         goto shmctl_out;
                 }
                 if (error) {
                         shmctl_ret = error;
                         goto shmctl_out;
                 }
-               shmseg->shm_perm.key = IPC_PRIVATE;
-               shmseg->shm_perm.mode |= SHMSEG_REMOVED;
-               if (shmseg->shm_nattch <= 0) {
+               shmseg->u.shm_perm._key = IPC_PRIVATE;
+               shmseg->u.shm_perm.mode |= SHMSEG_REMOVED;
+               if (shmseg->u.shm_nattch <= 0) {
                         shm_deallocate_segment(shmseg);
                         shm_last_free = IPCID_TO_IX(uap->shmid);
                 }
                         shm_deallocate_segment(shmseg);
                         shm_last_free = IPCID_TO_IX(uap->shmid);
                 }
@@ -541,30 +662,47 @@ shmctl_out:
  static int
  shmget_existing(struct shmget_args *uap, int mode, int segnum, int *retval)
  {
  static int
  shmget_existing(struct shmget_args *uap, int mode, int segnum, int *retval)
  {
-       struct user_shmid_ds *shmseg;
-       int error;
+       struct shmid_kernel *shmseg;
+       int error = 0;
  
         shmseg = &shmsegs[segnum];
  
         shmseg = &shmsegs[segnum];
-       if (shmseg->shm_perm.mode & SHMSEG_REMOVED) {
+       if (shmseg->u.shm_perm.mode & SHMSEG_REMOVED) {
                 /*
                  * This segment is in the process of being allocated.  Wait
                  * until it's done, and look the key up again (in case the
                  * allocation failed or it was freed).
                  */
                 /*
                  * This segment is in the process of being allocated.  Wait
                  * until it's done, and look the key up again (in case the
                  * allocation failed or it was freed).
                  */
-               shmseg->shm_perm.mode |= SHMSEG_WANTED;
+               shmseg->u.shm_perm.mode |= SHMSEG_WANTED;
                 error = tsleep((caddr_t)shmseg, PLOCK | PCATCH, "shmget", 0);
                 if (error)
                         return error;
                 return EAGAIN;
         }
                 error = tsleep((caddr_t)shmseg, PLOCK | PCATCH, "shmget", 0);
                 if (error)
                         return error;
                 return EAGAIN;
         }
-       error = ipcperm(kauth_cred_get(), &shmseg->shm_perm, mode);
-       if (error)
-               return error;
-       if (uap->size && uap->size > shmseg->shm_segsz)
+
+       /*
+        * The low 9 bits of shmflag are the mode bits being requested, which
+        * are the actual mode bits desired on the segment, and not in IPC_R
+        * form; therefore it would be incorrect to call ipcperm() to validate
+        * them; instead, we AND the existing mode with the requested mode, and
+        * verify that it matches the requested mode; otherwise, we fail with
+        * EACCES (access denied).
+        */
+       if ((shmseg->u.shm_perm.mode & mode) != mode)
+               return EACCES;
+
+#if CONFIG_MACF
+       error = mac_sysvshm_check_shmget(kauth_cred_get(), shmseg, uap->shmflg);
+       if (error) 
+               return (error);
+#endif
+
+       if (uap->size && uap->size > shmseg->u.shm_segsz)
                 return EINVAL;
                 return EINVAL;
+
         if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL))
                 return EEXIST;
         if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL))
                 return EEXIST;
-       *retval = IXSEQ_TO_IPCID(segnum, shmseg->shm_perm);
+
+       *retval = IXSEQ_TO_IPCID(segnum, shmseg->u.shm_perm);
         return 0;
  }
  
         return 0;
  }
  
@@ -572,25 +710,26 @@ static int
  shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode,
         int *retval)
  {
  shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode,
         int *retval)
  {
-       int i, segnum, shmid, size;
+       int i, segnum, shmid;
         kauth_cred_t cred = kauth_cred_get();
         kauth_cred_t cred = kauth_cred_get();
-       struct user_shmid_ds *shmseg;
+       struct shmid_kernel *shmseg;
         struct shm_handle *shm_handle;
         kern_return_t kret;
         struct shm_handle *shm_handle;
         kern_return_t kret;
-       vm_offset_t user_addr;
+       mach_vm_size_t total_size, size, alloc_size;
         void * mem_object;
         void * mem_object;
+       struct shm_handle *shm_handle_next, **shm_handle_next_p;
  
         if (uap->size < (user_size_t)shminfo.shmmin ||
             uap->size > (user_size_t)shminfo.shmmax)
                 return EINVAL;
         if (shm_nused >= shminfo.shmmni) /* any shmids left? */
                 return ENOSPC;
  
         if (uap->size < (user_size_t)shminfo.shmmin ||
             uap->size > (user_size_t)shminfo.shmmax)
                 return EINVAL;
         if (shm_nused >= shminfo.shmmni) /* any shmids left? */
                 return ENOSPC;
-       size = mach_vm_round_page(uap->size);
-       if (shm_committed + btoc(size) > shminfo.shmall)
+       total_size = mach_vm_round_page(uap->size);
+       if ((user_ssize_t)(shm_committed + btoc(total_size)) > shminfo.shmall)
                 return ENOMEM;
         if (shm_last_free < 0) {
                 for (i = 0; i < shminfo.shmmni; i++)
                 return ENOMEM;
         if (shm_last_free < 0) {
                 for (i = 0; i < shminfo.shmmni; i++)
-                       if (shmsegs[i].shm_perm.mode & SHMSEG_FREE)
+                       if (shmsegs[i].u.shm_perm.mode & SHMSEG_FREE)
                                 break;
                 if (i == shminfo.shmmni)
                         panic("shmseg free count inconsistent");
                                 break;
                 if (i == shminfo.shmmni)
                         panic("shmseg free count inconsistent");
@@ -600,60 +739,88 @@ shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode,
                 shm_last_free = -1;
         }
         shmseg = &shmsegs[segnum];
                 shm_last_free = -1;
         }
         shmseg = &shmsegs[segnum];
+
         /*
          * In case we sleep in malloc(), mark the segment present but deleted
          * so that noone else tries to create the same key.
         /*
          * In case we sleep in malloc(), mark the segment present but deleted
          * so that noone else tries to create the same key.
+        * XXX but we don't release the global lock !?
          */
          */
-       kret = vm_allocate(current_map(), &user_addr, size, VM_FLAGS_ANYWHERE);
-       if (kret != KERN_SUCCESS) 
-               goto out;
-
-       kret = mach_make_memory_entry (current_map(), &size, user_addr, 
-               VM_PROT_DEFAULT, (mem_entry_name_port_t *)&mem_object, 0);
-
-       if (kret != KERN_SUCCESS) 
-               goto out;
-
-       vm_deallocate(current_map(), user_addr, size);
-
-       shmseg->shm_perm.mode = SHMSEG_ALLOCATED | SHMSEG_REMOVED;
-       shmseg->shm_perm.key = uap->key;
-       shmseg->shm_perm.seq = (shmseg->shm_perm.seq + 1) & 0x7fff;
-       MALLOC(shm_handle, struct shm_handle *, sizeof(struct shm_handle), M_SHM, M_WAITOK);
-       if (shm_handle == NULL) {
-               kret = KERN_NO_SPACE;
-               mach_memory_entry_port_release(mem_object);
-               mem_object = NULL;
-               goto out;
+       shmseg->u.shm_perm.mode = SHMSEG_ALLOCATED | SHMSEG_REMOVED;
+       shmseg->u.shm_perm._key = uap->key;
+       shmseg->u.shm_perm._seq = (shmseg->u.shm_perm._seq + 1) & 0x7fff;
+
+       shm_handle_next_p = NULL;
+       for (alloc_size = 0;
+            alloc_size < total_size;
+            alloc_size += size) {
+               size = MIN(total_size - alloc_size, ANON_MAX_SIZE);
+               kret = mach_make_memory_entry_64(
+                       VM_MAP_NULL,
+                       (memory_object_size_t *) &size,
+                       (memory_object_offset_t) 0,
+                       MAP_MEM_NAMED_CREATE | VM_PROT_DEFAULT,
+                       (ipc_port_t *) &mem_object, 0);
+               if (kret != KERN_SUCCESS) 
+                       goto out;
+               
+               MALLOC(shm_handle, struct shm_handle *, sizeof(struct shm_handle), M_SHM, M_WAITOK);
+               if (shm_handle == NULL) {
+                       kret = KERN_NO_SPACE;
+                       mach_memory_entry_port_release(mem_object);
+                       mem_object = NULL;
+                       goto out;
+               }
+               shm_handle->shm_object = mem_object;
+               shm_handle->shm_handle_size = size;
+               shm_handle->shm_handle_next = NULL;
+               if (shm_handle_next_p == NULL) {
+                       shmseg->u.shm_internal = CAST_USER_ADDR_T(shm_handle);/* tunnel */
+               } else {
+                       *shm_handle_next_p = shm_handle;
+               }
+               shm_handle_next_p = &shm_handle->shm_handle_next;
         }
         }
-       shm_handle->shm_object = mem_object;
-       shmid = IXSEQ_TO_IPCID(segnum, shmseg->shm_perm);
  
  
-       shmseg->shm_internal = CAST_USER_ADDR_T(shm_handle);    /* tunnel */
-       shmseg->shm_perm.cuid = shmseg->shm_perm.uid = kauth_cred_getuid(cred);
-       shmseg->shm_perm.cgid = shmseg->shm_perm.gid = cred->cr_gid;
-       shmseg->shm_perm.mode = (shmseg->shm_perm.mode & SHMSEG_WANTED) |
+       shmid = IXSEQ_TO_IPCID(segnum, shmseg->u.shm_perm);
+
+       shmseg->u.shm_perm.cuid = shmseg->u.shm_perm.uid = kauth_cred_getuid(cred);
+       shmseg->u.shm_perm.cgid = shmseg->u.shm_perm.gid = kauth_cred_getgid(cred);
+       shmseg->u.shm_perm.mode = (shmseg->u.shm_perm.mode & SHMSEG_WANTED) |
             (mode & ACCESSPERMS) | SHMSEG_ALLOCATED;
             (mode & ACCESSPERMS) | SHMSEG_ALLOCATED;
-       shmseg->shm_segsz = uap->size;
-       shmseg->shm_cpid = p->p_pid;
-       shmseg->shm_lpid = shmseg->shm_nattch = 0;
-       shmseg->shm_atime = shmseg->shm_dtime = 0;
-       shmseg->shm_ctime = sysv_shmtime();
+       shmseg->u.shm_segsz = uap->size;
+       shmseg->u.shm_cpid = p->p_pid;
+       shmseg->u.shm_lpid = shmseg->u.shm_nattch = 0;
+       shmseg->u.shm_atime = shmseg->u.shm_dtime = 0;
+#if CONFIG_MACF
+       mac_sysvshm_label_associate(cred, shmseg);
+#endif
+       shmseg->u.shm_ctime = sysv_shmtime();
         shm_committed += btoc(size);
         shm_nused++;
         shm_committed += btoc(size);
         shm_nused++;
-       AUDIT_ARG(svipc_perm, &shmseg->shm_perm);
-       if (shmseg->shm_perm.mode & SHMSEG_WANTED) {
+       AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
+       if (shmseg->u.shm_perm.mode & SHMSEG_WANTED) {
                 /*
                  * Somebody else wanted this key while we were asleep.  Wake
                  * them up now.
                  */
                 /*
                  * Somebody else wanted this key while we were asleep.  Wake
                  * them up now.
                  */
-               shmseg->shm_perm.mode &= ~SHMSEG_WANTED;
+               shmseg->u.shm_perm.mode &= ~SHMSEG_WANTED;
                 wakeup((caddr_t)shmseg);
         }
         *retval = shmid;
         AUDIT_ARG(svipc_id, shmid);
         return 0;
  out: 
                 wakeup((caddr_t)shmseg);
         }
         *retval = shmid;
         AUDIT_ARG(svipc_id, shmid);
         return 0;
  out: 
+       if (kret != KERN_SUCCESS) {
+               for (shm_handle = CAST_DOWN(void *,shmseg->u.shm_internal); /* tunnel */
+                    shm_handle != NULL;
+                    shm_handle = shm_handle_next) {
+                       shm_handle_next = shm_handle->shm_handle_next;
+                       mach_memory_entry_port_release(shm_handle->shm_object);
+                       FREE((caddr_t) shm_handle, M_SHM);
+               }
+               shmseg->u.shm_internal = USER_ADDR_NULL; /* tunnel */
+       }
+
         switch (kret) {
         case KERN_INVALID_ADDRESS:
         case KERN_NO_SPACE:
         switch (kret) {
         case KERN_INVALID_ADDRESS:
         case KERN_NO_SPACE:
@@ -667,7 +834,7 @@ out:
  }
  
  int
  }
  
  int
-shmget(struct proc *p, struct shmget_args *uap, register_t *retval)
+shmget(struct proc *p, struct shmget_args *uap, int32_t *retval)
  {
         int segnum, mode, error;
         int shmget_ret = 0;
  {
         int segnum, mode, error;
         int shmget_ret = 0;
@@ -677,8 +844,7 @@ shmget(struct proc *p, struct shmget_args *uap, register_t *retval)
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
-               shmget_ret = EINVAL;
-               goto shmget_out;
+               shminit(NULL);
         }
  
         mode = uap->shmflg & ACCESSPERMS;
         }
  
         mode = uap->shmflg & ACCESSPERMS;
@@ -705,9 +871,29 @@ shmget_out:
  
  }
  
  
  }
  
-/* XXX actually varargs. */
+/*
+ * shmsys
+ *
+ * Entry point for all SHM calls: shmat, oshmctl, shmdt, shmget, shmctl
+ *
+ * Parameters: p       Process requesting the call
+ *             uap     User argument descriptor (see below)
+ *             retval  Return value of the selected shm call
+ *
+ * Indirect parameters:        uap->which      msg call to invoke (index in array of shm calls)
+ *                     uap->a2         User argument descriptor
+ * 
+ * Returns:    0       Success
+ *             !0      Not success
+ *
+ * Implicit returns: retval     Return value of the selected shm call
+ *
+ * DEPRECATED:  This interface should not be used to call the other SHM 
+ *             functions (shmat, oshmctl, shmdt, shmget, shmctl). The correct 
+ *             usage is to call the other SHM functions directly.
+ */
  int
  int
-shmsys(struct proc *p, struct shmsys_args *uap, register_t *retval)
+shmsys(struct proc *p, struct shmsys_args *uap, int32_t *retval)
  {
  
         /* The routine that we are dispatching already does this */
  {
  
         /* The routine that we are dispatching already does this */
@@ -731,8 +917,7 @@ shmfork(struct proc *p1, struct proc *p2)
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
-               shmfork_ret = 0;
-               goto shmfork_out;
+               shminit(NULL);
         }
                 
         size = shminfo.shmseg * sizeof(struct shmmap_state);
         }
                 
         size = shminfo.shmseg * sizeof(struct shmmap_state);
@@ -742,7 +927,7 @@ shmfork(struct proc *p1, struct proc *p2)
                 p2->vm_shm = (caddr_t)shmmap_s;
                 for (i = 0; i < shminfo.shmseg; i++, shmmap_s++)
                         if (shmmap_s->shmid != -1)
                 p2->vm_shm = (caddr_t)shmmap_s;
                 for (i = 0; i < shminfo.shmseg; i++, shmmap_s++)
                         if (shmmap_s->shmid != -1)
-                               shmsegs[IPCID_TO_IX(shmmap_s->shmid)].shm_nattch++;
+                               shmsegs[IPCID_TO_IX(shmmap_s->shmid)].u.shm_nattch++;
                 shmfork_ret = 0;
                 goto shmfork_out;
         }
                 shmfork_ret = 0;
                 goto shmfork_out;
         }
@@ -764,6 +949,10 @@ shmexit(struct proc *p)
         SYSV_SHM_SUBSYS_LOCK();
         for (i = 0; i < shminfo.shmseg; i++, shmmap_s++)
                 if (shmmap_s->shmid != -1)
         SYSV_SHM_SUBSYS_LOCK();
         for (i = 0; i < shminfo.shmseg; i++, shmmap_s++)
                 if (shmmap_s->shmid != -1)
+                       /*
+                        * XXX: Should the MAC framework enforce
+                        * check here as well.
+                        */
                         shm_delete_mapping(p, shmmap_s, 1);
         FREE((caddr_t)p->vm_shm, M_SHM);
         p->vm_shm = NULL;
                         shm_delete_mapping(p, shmmap_s, 1);
         FREE((caddr_t)p->vm_shm, M_SHM);
         p->vm_shm = NULL;
@@ -806,16 +995,19 @@ shminit(__unused void *dummy)
                  * dictates this filed be a size_t, which is 64 bits when
                  * running 64 bit binaries.
                  */
                  * dictates this filed be a size_t, which is 64 bits when
                  * running 64 bit binaries.
                  */
-               s = sizeof(struct user_shmid_ds) * shminfo.shmmni;
+               s = sizeof(struct shmid_kernel) * shminfo.shmmni;
  
  
-               MALLOC(shmsegs, struct user_shmid_ds *, s, M_SHM, M_WAITOK);
+               MALLOC(shmsegs, struct shmid_kernel *, s, M_SHM, M_WAITOK);
                 if (shmsegs == NULL) {
                         /* XXX fail safely: leave shared memory uninited */
                         return;
                 }
                 for (i = 0; i < shminfo.shmmni; i++) {
                 if (shmsegs == NULL) {
                         /* XXX fail safely: leave shared memory uninited */
                         return;
                 }
                 for (i = 0; i < shminfo.shmmni; i++) {
-                       shmsegs[i].shm_perm.mode = SHMSEG_FREE;
-                       shmsegs[i].shm_perm.seq = 0;
+                       shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
+                       shmsegs[i].u.shm_perm._seq = 0;
+#if CONFIG_MACF
+                       mac_sysvshm_label_init(&shmsegs[i]);
+#endif
                 }
                 shm_last_free = 0;
                 shm_nused = 0;
                 }
                 shm_last_free = 0;
                 shm_nused = 0;
@@ -844,35 +1036,32 @@ sysctl_shminfo(__unused struct sysctl_oid *oidp, void *arg1,
  {
         int error = 0;
         int sysctl_shminfo_ret = 0;
  {
         int error = 0;
         int sysctl_shminfo_ret = 0;
+       uint64_t        saved_shmmax;
  
         error = SYSCTL_OUT(req, arg1, sizeof(int64_t));
         if (error || req->newptr == USER_ADDR_NULL)
                 return(error);
  
         SYSV_SHM_SUBSYS_LOCK();
  
         error = SYSCTL_OUT(req, arg1, sizeof(int64_t));
         if (error || req->newptr == USER_ADDR_NULL)
                 return(error);
  
         SYSV_SHM_SUBSYS_LOCK();
-       /* Set the values only if shared memory is not initialised */
-       if (!shm_inited) {
-               if ((error = SYSCTL_IN(req, arg1, sizeof(int64_t))) 
-                   != 0) {
-                       sysctl_shminfo_ret = error;
-                       goto sysctl_shminfo_out;
-               }
  
  
-               if (arg1 == &shminfo.shmmax) {
-                       if (shminfo.shmmax & PAGE_MASK_64) {
-                               shminfo.shmmax = (int64_t)-1;
-                               sysctl_shminfo_ret = EINVAL;
-                               goto sysctl_shminfo_out;
-                       }
-               }
+       /* shmmni can not be changed after SysV SHM has been initialized */
+       if (shm_inited && arg1 == &shminfo.shmmni) {
+               sysctl_shminfo_ret = EPERM;
+               goto sysctl_shminfo_out;
+       }
+       saved_shmmax = shminfo.shmmax;
  
  
-               /* Initialize only when all values are set */
-               if ((shminfo.shmmax != (int64_t)-1) &&
-                       (shminfo.shmmin != (int64_t)-1) &&      
-                       (shminfo.shmmni != (int64_t)-1) &&
-                       (shminfo.shmseg != (int64_t)-1) &&
-                       (shminfo.shmall != (int64_t)-1)) {
-                               shminit(NULL);
+       if ((error = SYSCTL_IN(req, arg1, sizeof(int64_t))) != 0) {
+               sysctl_shminfo_ret = error;
+               goto sysctl_shminfo_out;
+       }
+
+       if (arg1 == &shminfo.shmmax) {
+               /* shmmax needs to be page-aligned */
+               if (shminfo.shmmax & PAGE_MASK_64) {
+                       shminfo.shmmax = saved_shmmax;
+                       sysctl_shminfo_ret = EINVAL;
+                       goto sysctl_shminfo_out;
                 }
         }
         sysctl_shminfo_ret = 0;
                 }
         }
         sysctl_shminfo_ret = 0;
@@ -888,27 +1077,25 @@ IPCS_shm_sysctl(__unused struct sysctl_oid *oidp, __unused void *arg1,
         int error;
         int cursor;
         union {
         int error;
         int cursor;
         union {
-               struct IPCS_command u32;
+               struct user32_IPCS_command u32;
                 struct user_IPCS_command u64;
         } ipcs;
                 struct user_IPCS_command u64;
         } ipcs;
-       struct shmid_ds shmid_ds32;     /* post conversion, 32 bit version */
+       struct user32_shmid_ds shmid_ds32;      /* post conversion, 32 bit version */
+       struct user_shmid_ds   shmid_ds;        /* 64 bit version */
         void *shmid_dsp;
         size_t ipcs_sz = sizeof(struct user_IPCS_command);
         size_t shmid_ds_sz = sizeof(struct user_shmid_ds);
         struct proc *p = current_proc();
  
         void *shmid_dsp;
         size_t ipcs_sz = sizeof(struct user_IPCS_command);
         size_t shmid_ds_sz = sizeof(struct user_shmid_ds);
         struct proc *p = current_proc();
  
-       int ipcs__shminfo_ret = 0;
-
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
         SYSV_SHM_SUBSYS_LOCK();
  
         if (!shm_inited) {
-               error = EINVAL;
-               goto ipcs_shm_sysctl_out;
+               shminit(NULL);
         }
  
         if (!IS_64BIT_PROCESS(p)) {
         }
  
         if (!IS_64BIT_PROCESS(p)) {
-               ipcs_sz = sizeof(struct IPCS_command);
-               shmid_ds_sz = sizeof(struct shmid_ds);
+               ipcs_sz = sizeof(struct user32_IPCS_command);
+               shmid_ds_sz = sizeof(struct user32_shmid_ds);
         }
  
         /* Copy in the command structure */
         }
  
         /* Copy in the command structure */
@@ -945,11 +1132,11 @@ IPCS_shm_sysctl(__unused struct sysctl_oid *oidp, __unused void *arg1,
                         break;
                 }
                 if (ipcs.u64.ipcs_datalen != (int)shmid_ds_sz) {
                         break;
                 }
                 if (ipcs.u64.ipcs_datalen != (int)shmid_ds_sz) {
-                       error = ENOMEM;
+                       error = EINVAL;
                         break;
                 }
                 for( ; cursor < shminfo.shmmni; cursor++) {
                         break;
                 }
                 for( ; cursor < shminfo.shmmni; cursor++) {
-                       if (shmsegs[cursor].shm_perm.mode & SHMSEG_ALLOCATED)
+                       if (shmsegs[cursor].u.shm_perm.mode & SHMSEG_ALLOCATED)
                                 break;
                         continue;
                 }
                                 break;
                         continue;
                 }
@@ -966,7 +1153,18 @@ IPCS_shm_sysctl(__unused struct sysctl_oid *oidp, __unused void *arg1,
                  */
                 if (!IS_64BIT_PROCESS(p)) {
                         shmid_ds_64to32(shmid_dsp, &shmid_ds32);
                  */
                 if (!IS_64BIT_PROCESS(p)) {
                         shmid_ds_64to32(shmid_dsp, &shmid_ds32);
+                       
+                       /* Clear kernel reserved pointer before copying to user space */
+                       shmid_ds32.shm_internal = (user32_addr_t)0;
+                       
                         shmid_dsp = &shmid_ds32;
                         shmid_dsp = &shmid_ds32;
+               } else {
+                       memcpy(&shmid_ds, shmid_dsp, sizeof(shmid_ds));
+
+                       /* Clear kernel reserved pointer before copying to user space */
+                       shmid_ds.shm_internal = USER_ADDR_NULL;
+                       
+                       shmid_dsp = &shmid_ds;
                 }
                 error = copyout(shmid_dsp, ipcs.u64.ipcs_data, ipcs.u64.ipcs_datalen);
                 if (!error) {
                 }
                 error = copyout(shmid_dsp, ipcs.u64.ipcs_data, ipcs.u64.ipcs_datalen);
                 if (!error) {
@@ -974,8 +1172,9 @@ IPCS_shm_sysctl(__unused struct sysctl_oid *oidp, __unused void *arg1,
                         ipcs.u64.ipcs_cursor = cursor + 1;
  
                 if (!IS_64BIT_PROCESS(p))       /* convert in place */
                         ipcs.u64.ipcs_cursor = cursor + 1;
  
                 if (!IS_64BIT_PROCESS(p))       /* convert in place */
-                       ipcs.u32.ipcs_data = CAST_DOWN(void *,ipcs.u64.ipcs_data);
-                       error = SYSCTL_OUT(req, &ipcs, ipcs_sz);
+                       ipcs.u32.ipcs_data = CAST_DOWN_EXPLICIT(user32_addr_t,ipcs.u64.ipcs_data);
+
+               error = SYSCTL_OUT(req, &ipcs, ipcs_sz);
                 }
                 break;
  
                 }
                 break;
  
@@ -988,26 +1187,29 @@ ipcs_shm_sysctl_out:
         return(error);
  }
  
         return(error);
  }
  
-SYSCTL_NODE(_kern, KERN_SYSV, sysv, CTLFLAG_RW, 0, "SYSV");
+SYSCTL_NODE(_kern, KERN_SYSV, sysv, CTLFLAG_RW | CTLFLAG_LOCKED | CTLFLAG_ANYBODY, 0, "SYSV");
  
  
-SYSCTL_PROC(_kern_sysv, KSYSV_SHMMAX, shmmax, CTLTYPE_QUAD | CTLFLAG_RW,
+SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmax, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
      &shminfo.shmmax, 0, &sysctl_shminfo ,"Q","shmmax");
  
      &shminfo.shmmax, 0, &sysctl_shminfo ,"Q","shmmax");
  
-SYSCTL_PROC(_kern_sysv, KSYSV_SHMMIN, shmmin, CTLTYPE_QUAD | CTLFLAG_RW,
+SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmin, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
      &shminfo.shmmin, 0, &sysctl_shminfo ,"Q","shmmin");
  
      &shminfo.shmmin, 0, &sysctl_shminfo ,"Q","shmmin");
  
-SYSCTL_PROC(_kern_sysv, KSYSV_SHMMNI, shmmni, CTLTYPE_QUAD | CTLFLAG_RW,
+SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmni, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
      &shminfo.shmmni, 0, &sysctl_shminfo ,"Q","shmmni");
  
      &shminfo.shmmni, 0, &sysctl_shminfo ,"Q","shmmni");
  
-SYSCTL_PROC(_kern_sysv, KSYSV_SHMSEG, shmseg, CTLTYPE_QUAD | CTLFLAG_RW,
+SYSCTL_PROC(_kern_sysv, OID_AUTO, shmseg, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
      &shminfo.shmseg, 0, &sysctl_shminfo ,"Q","shmseg");
  
      &shminfo.shmseg, 0, &sysctl_shminfo ,"Q","shmseg");
  
-SYSCTL_PROC(_kern_sysv, KSYSV_SHMALL, shmall, CTLTYPE_QUAD | CTLFLAG_RW,
+SYSCTL_PROC(_kern_sysv, OID_AUTO, shmall, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
      &shminfo.shmall, 0, &sysctl_shminfo ,"Q","shmall");
  
      &shminfo.shmall, 0, &sysctl_shminfo ,"Q","shmall");
  
-SYSCTL_NODE(_kern_sysv, OID_AUTO, ipcs, CTLFLAG_RW, 0, "SYSVIPCS");
+SYSCTL_NODE(_kern_sysv, OID_AUTO, ipcs, CTLFLAG_RW | CTLFLAG_LOCKED | CTLFLAG_ANYBODY, 0, "SYSVIPCS");
  
  
-SYSCTL_PROC(_kern_sysv_ipcs, OID_AUTO, shm, CTLFLAG_RW|CTLFLAG_ANYBODY,
+SYSCTL_PROC(_kern_sysv_ipcs, OID_AUTO, shm, CTLFLAG_RW | CTLFLAG_ANYBODY | CTLFLAG_LOCKED,
         0, 0, IPCS_shm_sysctl,
         "S,IPCS_shm_command",
         "ipcs shm command interface");
         0, 0, IPCS_shm_sysctl,
         "S,IPCS_shm_command",
         "ipcs shm command interface");
+#endif /* SYSV_SHM */
+
+/* DSEP Review Done pl-20051108-v02 @2743,@2908,@2913,@3009 */