Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Remove 'uio' argument from MAC Framework and MAC policy entry points for
extended attribute get/set; in the case of get an uninitialized user
buffer was passed before the EA was retrieved, making it of relatively
little use; the latter was simply unused by any policies.

Obtained from: TrustedBSD Project
Sponsored by: Google, Inc.

Delete a bunch of empty mergeinfo records caused by local copies.

The V* flags passed using an accmode_t to the access() and open()
access control checks in mac_bsdextended are not in the same
namespace as the MBI_ flags used in ugidfw policies, so add an
explicit conversion routine to get from one to the other.

Obtained from: TrustedBSD Project

Introduce accmode_t. This is required for NFSv4 ACLs - it will be neccessary
to add more V* constants, and the variables changed by this patch were often
being assigned to mode_t variables, which is 16 bit.

Approved by: rwatson (mentor)

Break mac_bsdextended.c out into multiple .c files, with the base access
control logic and policy registration remaining in that file, and access
control checks broken out into other files by class of check.

Obtained from: TrustedBSD Project

Copy mac_bsdextended.c to two object-specific files as a prototype for how
modularize MAC policy layout.

Obtained from: TrustedBSD Project

Fix a number of style issues in the MALLOC / FREE commit. I've tried to
be careful not to fix anything that was already broken; the NFSv4 code is
particularly bad in this respect.

Retire the MALLOC and FREE macros. They are an abomination unto style(9).

MFC after: 3 months

Remove the suser(9) interface from the kernel. It has been replaced from
years by the priv_check(9) interface and just very few places are left.
Note that compatibility stub with older FreeBSD version
(all above the 8 limit though) are left in order to reduce diffs against
old versions. It is responsibility of the maintainers for any module, if
they think it is the case, to axe out such cases.

This patch breaks KPI so __FreeBSD_version will be bumped into a later
commit.

This patch needs to be credited 50-50 with rwatson@ as he found time to
explain me how the priv_check() works in detail and to review patches.

Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
Reviewed by: rwatson

Remove VSVTX, VSGID and VSUID. This should be a no-op,
as VSVTX == S_ISVTX, VSGID == S_ISGID and VSUID == S_ISUID.

Approved by: rwatson (mentor)

Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread
was always curthread and totally unuseful.

Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>

Introduce two related changes to the TrustedBSD MAC Framework:

(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.

(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.

MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.

In mac_bsdextended's auditctl and acct policy access control checks,
return success if the passed vnode pointer is NULL (rather than
panicking). This can occur if either audit or accounting are
disabled while the policy is running.

Since the swapoff control has no real relevance to this policy,
which is concerned about intent to write rather than water under the
bridge, remove it.

PR: kern/126100
Reported by: Alan Amesbury <amesbury at umn dot edu>
MFC after: 3 days

Resort TrustedBSD MAC Framework policy entry point implementations and
declarations to match the object, operation sort order in the framework
itself.

Obtained from: TrustedBSD Project

Consistently name functions for mac_<policy> as <policy>_whatever rather
than mac_<policy>_whatever, as this shortens the names and makes the code
a bit easier to read.

When dealing with label structures, name variables 'mb', 'ml', 'mm rather
than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making
the code a little easier to read.

Obtained from: TrustedBSD Project

Merge first in a series of TrustedBSD MAC Framework KPI changes
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:

mac_<object>_<method/action>
mac_<object>_check_<method/action>

The previous naming scheme was inconsistent and mostly
reversed from the new scheme. Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier. Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods. Also simplify, slightly,
some entry point names.

All MAC policy modules will need to be recompiled, and modules
not updates as part of this commit will need to be modified to
conform to the new KPI.

Sponsored by: SPARTA (original patches against Mac OS X)
Obtained from: TrustedBSD Project, Apple Computer

Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry
point to mac_check_vnode_unlink(), reflecting UNIX naming conventions.

This is the first of several commits to synchronize the MAC Framework
in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X
Leopard.

Reveiwed by: csjp, Samy Bahra <sbahra at gwu dot edu>
Submitted by: Jacques Vidrine <nectar at apple dot com>
Obtained from: Apple Computer, Inc.
Sponsored by: SPARTA, SPAWAR
Approved by: re (bmah)

In preparation for 7.0 privilege cleanup, clean up style:

- Sort copyrights by date.
- Re-wrap, and in some cases, fix comments.
- Fix tabbing, white space, remove extra blank lines.
- Remove commented out debugging printfs.

Approved by: re (kensmith)

Include priv.h to pick up suser(9) definitions, missed in an earlier
commit.

Warnings spotted by: kris

Apply variable name normalization to MAC policies: adopt global conventions
for the naming of variables associated with specific data structures.

Obtained from: TrustedBSD Project

Allow MAC policy modules to control access to audit configuration system
calls. Add MAC Framework entry points and MAC policy entry points for
audit(), auditctl(), auditon(), setaudit(), aud setauid().

MAC Framework entry points are only added for audit system calls where
additional argument context may be useful for policy decision-making; other
audit system calls without arguments may be controlled via the priv(9)
entry points.

Update various policy modules to implement audit-related checks, and in
some cases, other missing system-related checks.

Obtained from: TrustedBSD Project
Sponsored by: SPARTA, Inc.

More unnecessary include reduction.

Move mapping of MBI_APPEND to MBI_WRITE from inside the rule loop in
mac_bsdextended_check() to before the loop, as it needs to happen only
once.

MFC after: 1 week

Continue 7-CURRENT MAC Framework rearrangement and cleanup:

Don't perform a nested include of _label.h in mac.h, as mac.h now
describes only the user API to MAC, and _label.h defines the in-kernel
representation of MAC labels.

Remove mac.h includes from policies and MAC framework components that do
not use userspace MAC API definitions.

Add _KERNEL inclusion checks to mac_internal.h and mac_policy.h, as these
are kernel-only include files

Obtained from: TrustedBSD Project

Move src/sys/sys/mac_policy.h, the kernel interface between the MAC
Framework and security modules, to src/sys/security/mac/mac_policy.h,
completing the removal of kernel-only MAC Framework include files from
src/sys/sys. Update the MAC Framework and MAC policy modules. Delete
the old mac_policy.h.

Third party policy modules will need similar updating.

Obtained from: TrustedBSD Project

Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges. These may
require some future tweaking.

Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
Alex Lyashkov <umka at sevcity dot net>,
Skip Ford <skip dot ford at verizon dot net>,
Antoine Brodin <antoine dot brodin at laposte dot net>

Add some new options to mac_bsdestended. We can now match on:

subject: ranges of uid, ranges of gid, jail id
objects: ranges of uid, ranges of gid, filesystem,
object is suid, object is sgid, object matches subject uid/gid
object type

We can also negate individual conditions. The ruleset language is
a superset of the previous language, so old rules should continue
to work.

These changes require a change to the API between libugidfw and the
mac_bsdextended module. Add a version number, so we can tell if
we're running mismatched versions.

Update man pages to reflect changes, add extra test cases to
test_ugidfw.c and add a shell script that checks that the the
module seems to do what we expect.

Suggestions from: rwatson, trhodes
Reviewed by: trhodes
MFC after: 2 months

Create a mac_bsdextended_check_vp function that takes a cred, a
vnode and a mode and checks if a given access mode is permitted.
This centralises the mac_bsdextended_enabled check and the GETATTR
calls and makes the implementation of the mac policy methods simple.

This should make it easier for us to match vnodes on more complex
attributes than just uid and gid in the future, but for now there
should be no functional change.

Approved/Reviewed by: rwatson, trhodes
MFC after: 1 month

Fix potential overrun of static stack allocated array which stores
the rules. If an array is N elements large, we can only access
elements 0..(N-1).

MFC after: 1 week
Found with: Coverity Prevent(tm)

If a "hole" opens up in the ruleset (i.e.: remove 5), do not return
unknown error. Instead, just return error.

Submitted by: avatar
Tested by: trhodes

Add locking support to mac_bsdextended:

- Introduce a global mutex, mac_bsdextended_mtx, to protect the rule
array and hold this mutex over use and modification of the rule array
and rules.
- Re-order and clean up sysctl_rule so that copyin/copyout/update happen
in the right order (suggested by: jhb done by rwatson).

Minor white space synchronization and line wrapping.

Bump copyright dates for NETA on these files.

Modify mac_bsdextended policy so that it defines its own vnode access
right bits rather than piggy-backing on the V* rights defined in
vnode.h. The mac_bsdextended bits are given the same values as the V*
bits to make the new kernel module binary compatible with the old
version of libugidfw that uses V* bits. This avoids leaking kernel
API/ABI to user management tools, and in particular should remove the
need for libugidfw to include vnode.h.

Requested by: phk

Remove the debugging tunable, it was not being used.
Enable first match by default.[1]

We should: rwatson [1]

Allow mac_bsdextended(4) to log failed attempts to syslog's AUTHPRIV
facility. This is disabled by default but may be turned on by using
the mac_bsdextended_logging sysctl.

Reviewed by: re (jhb)
Approved by: re (jhb)

Give the mac_bsdextended(4) policy the ability to match and apply on a first
rule only in place of all rules match. This is similar to how ipfw(8) works.

Provide a sysctl, mac_bsdextended_firstmatch_enabled, to enable this
feature.

Reviewed by: re (jhb)
Aprroved by: re (jhb)

Allow an effective uid of root to bypass mac_bsdextended rules; the MAC
Framework can restrict the root user, but this policy is not intended
to support that.

Stylish Swiss footwear provided for: trhodes

Update my personal copyrights and NETA copyrights in the kernel
to use the "year1-year3" format, as opposed to "year1, year2, year3".
This seems to make lawyers more happy, but also prevents the
lines from getting excessively long as the years start to add up.

Suggested by: imp

Implementations of mpo_check_vnode_deleteextattr() and
mpo_check_vnode_listextattr() for Biba, MLS, and BSD Extended.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Remove trailing whitespace.

Trim "trustedbsd_" from the front of the policy module "short names";
the vendor is only included in the long name currently, reducing
verbosity when modules are registered and unregistered.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Expand scope of the BSD extended "file system firewall" policy to
include a new entry point available for enforcement:

mac_bsdextended_check_system_swapon() - Apply extended access
control checks to the file target of swap.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Back out M_* changes, per decision of the TRB.

Approved by: trb

Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.

Map VAPPEND to VWRITE since the ugidfw rule syntax doesn't specifically
address the append access mode.

Reported by: "Daniel C. Sobral" <dcs@newsguy.com>
Obtained from: TrustedBSD Project
Sponosred by: DARPA, Network Associates Laboratories

MFC Candidate.

Update MAC modules for changes in arguments for exec MAC policy
entry points to include an explicit execlabel.

Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Update policy modules for changes in arguments associated with support
for label access on the interpreter, not just the shell script. No
policies currently present in the system rely on the new labels.

License and wording updates: NAI has authorized the removal of clause
three from their BSD-style license. Also, s/NAI Labs/Network Associates
Laboratories/.

Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure. Originally, we used a vector
for two reasons:

(1) We wanted to define the structure sparsely, which wasn't
supported by the C compiler for structures. For a policy
with five entry points, you don't want to have to stick in
a few hundred NULL function pointers.

(2) We thought it would improve ABI compatibility allowing modules
to work with kernels that had a superset of the entry points
defined in the module, even if the kernel had changed its
entry point set.

Both of these no longer apply:

(1) C99 gives us a way to sparsely define a static structure.

(2) The ABI problems existed anyway, due to enumeration numbers,
argument changes, and semantic mismatches. Since the going
rule for FreeBSD is that you really need your modules to
pretty closely match your kernel, it's not worth the
complexity.

This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions. One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Various minor type, prototype tweaks -- clean up cruft due to lack of
type checking on entry points (to be introduced shortly).

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

While 'mode_t' seemed like a good idea for the access mode argument for
MAC access() and open() checks, the argument actually has an int type
where it becomes available. Switch to using 'int' for the mode argument
throughout the MAC Framework and policy modules.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Merge implementation of mpo_check_vnode_link() for various appropriate
file-system aware MAC policies. Sync to MAC tree.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Pass active_cred and file_cred into the MAC framework explicitly
for mac_check_vnode_{poll,read,stat,write}(). Pass in fp->f_cred
when calling these checks with a struct file available. Otherwise,
pass NOCRED. All currently MAC policies use active_cred, but
could now offer the cached credential semantic used for the base
system security model.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

Introduce support for Mandatory Access Control and extensible
kernel access control.

Provide implementations of some sample operating system security
policy extensions. These are not yet hooked up to the build as
other infrastructure is still being committed. Most of these
work fairly well and are in daily use in our development and (limited)
production environments. Some are not yet in their final form,
and a number of the labeled policies waste a lot of kernel memory
and will be fixed over the next month or so to be more conservative.
They do give good examples of the flexibility of the MAC framework
for implementing a variety of security policies.

mac_biba: Implementation of fixed-label Biba integrity policy,
similar to those found in a number of commercial
trusted operating systems. All subjects and objects
are assigned integrity levels, and information flow
is controlled based on a read-up, write-down
policy. Currently, purely hierarchal.

mac_bsdextended: Implementation of a "file system firewall",
which allows the administrator to specify a series
of rules limiting access by users and groups to
objects owned by other users and groups. This
policy is unlabeled, relying on existing system
security labeling (file permissions/ownership,
process credentials).

mac_ifoff: Secure interface silencing. Special-purpose module
to limit inappropriate out-going network traffic
for silent monitoring scenarios. Prevents the
various network stacks from generating any output
despite an interface being live for reception.

mac_mls: Implementation of fixed-label Multi-Level Security
confidentiality policy, similar to those found in
a number of commercial trusted operating systems.
All subjects and objects are assigned confidentiality
levels, and information flow is controlled based on
a write-up, read-down policy. Currently, purely
hiearchal, although non-hierarchal support is in the
works.

mac_none: Policy module implementing all MAC policy entry
points with empty stubs. A good place to start if
you want all the prototypes types in for you, and
don't mind a bit of pruning. Can be loaded, but
has no access control impact. Useful also for
performance measurements.

mac_seeotheruids: Policy module implementing a security service
similar to security.bsd.seeotheruids, only a slightly
more detailed policy involving exceptions for members
of specific groups, etc. This policy is unlabeled,
relying on existing system security labeling
(process credentials).

mac_test: Policy module implementing basic sanity tests for
label handling. Attempts to ensure that labels are
not freed multiple times, etc, etc.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs