History log of /freebsd-10.1-release/lib/libugidfw/ugidfw.c
Revision Date Author Comments
# 272461 02-Oct-2014 gjb

Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

# 256281 10-Oct-2013 gjb

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation


# 216953 04-Jan-2011 emaste

Quiet clang warnings by using string literal format strings.


# 201321 30-Dec-2009 ed

Remove an unused variable.


# 157986 23-Apr-2006 dwmalone

Add some new options to mac_bsdextended. We can now match on:

    subject: ranges of uid, ranges of gid, jail id
    objects: ranges of uid, ranges of gid, filesystem,
        object is suid, object is sgid, object matches subject uid/gid,
        object type

We can also negate individual conditions. The ruleset language is
a superset of the previous language, so old rules should continue
to work.

These changes require a change to the API between libugidfw and the
mac_bsdextended module. Add a version number, so we can tell if
we're running mismatched versions.

Update man pages to reflect changes, add extra test cases to
test_ugidfw.c and add a shell script that checks that the
module seems to do what we expect.

Suggestions from: rwatson, trhodes
Reviewed by: trhodes
MFC after: 2 months


# 145432 23-Apr-2005 trhodes

Fix two typos in comments.


# 145140 16-Apr-2005 rwatson

When parsing the second {uid,gid} in an identity phrase for ugidfw,
check the password or group database before attempting to parse as an
integer, as is done for the first {uid,gid} in an identity phrase.

Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA


# 144210 28-Mar-2005 pjd

Properly return rule number.

Submitted by: Wojciech A. Koszek
PR: bin/79292
MFC after: 1 week


# 136740 21-Oct-2004 rwatson

Modify libugidfw(3) to use MBI_* permission flags from mac_bsdextended.h
instead of using the V* permission flags from vnode.h. Remove include
of vnode.h.

Requested by: phk


# 126835 11-Mar-2004 bde

Fixed misspellings of 0 as NULL.


# 126217 25-Feb-2004 rwatson

Add bsde_add_rule(), which is similar to bsde_set_rule() except that
the caller does not specify the rule number -- instead, the kernel
module is probed for the next available rule, which is then used.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, McAfee Research


# 106573 07-Nov-2002 rwatson

License and blurb update authorized by Network Associates.


# 104038 27-Sep-2002 rwatson

Use size_t instead of int for len variables passed in/out of sysctl.

Pointed out by: jake


# 101885 14-Aug-2002 rwatson

Use "ugidfw.h" rather than <ugidfw.h> so that mkdep can find it.

Suggested by: mike


# 101206 02-Aug-2002 rwatson

Introduce support for Mandatory Access Control and extensible
kernel access control.

Provide a library to manage user file system firewall-like rules
supported by the mac_bsdextended.ko security model. The kernel
module exports the current rule set using sysctl, and this
library provides a front end that includes support for retrieving
and setting rules, as well as printing and parsing them.

Note: as with other userland components, this is a WIP. However,
when used in combination with the soon-to-be-committed ugidfw,
it can actually be quite useful in multi-user environments to
allow the administrator to limit inter-user file operations without
resorting to heavier weight labeled security policies.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs