#
272461 |
|
02-Oct-2014 |
gjb |
Copy stable/10@r272459 to releng/10.1 as part of the 10.1-RELEASE process.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
254603 |
|
21-Aug-2013 |
kib |
Implement read(2)/write(2) and neccessary lseek(2) for posix shmfd. Add MAC framework entries for posix shm read and write.
Do not allow implicit extension of the underlying memory segment past the limit set by ftruncate(2) by either of the syscalls. Read and write returns short i/o, lseek(2) fails with EINVAL when resulting offset does not fit into the limit.
Discussed with: alc Tested by: pho Sponsored by: The FreeBSD Foundation
|
#
227309 |
|
07-Nov-2011 |
ed |
Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.
The SYSCTL_NODE macro defines a list that stores all child-elements of that node. If there's no SYSCTL_DECL macro anywhere else, there's no reason why it shouldn't be static.
|
#
225344 |
|
02-Sep-2011 |
rwatson |
Correct several issues in the integration of POSIX shared memory objects and the new setmode and setowner fileops in FreeBSD 9.0:
- Add new MAC Framework entry point mac_posixshm_check_create() to allow MAC policies to authorise shared memory use. Provide a stub policy and test policy templates.
- Add missing Biba and MLS implementations of mac_posixshm_check_setmode() and mac_posixshm_check_setowner().
- Add 'accmode' argument to mac_posixshm_check_open() -- unlike the mac_posixsem_check_open() entry point it was modeled on, the access mode is required as shared memory access can be read-only as well as writable; this isn't true of POSIX semaphores.
- Implement full range of POSIX shared memory entry points for Biba and MLS.
Sponsored by: Google Inc. Obtained from: TrustedBSD Project Approved by: re (kib)
|
#
224914 |
|
16-Aug-2011 |
kib |
Add the fo_chown and fo_chmod methods to struct fileops and use them to implement fchown(2) and fchmod(2) support for several file types that previously lacked it. Add MAC entries for chown/chmod done on posix shared memory and (old) in-kernel posix semaphores.
Based on the submission by: glebius Reviewed by: rwatson Approved by: re (bz)
|
#
193391 |
|
03-Jun-2009 |
rwatson |
Continue work to optimize performance of "options MAC" when no MAC policy modules are loaded by avoiding mbuf label lookups when policies aren't loaded, pushing further socket locking into MAC policy modules, and avoiding locking MAC ifnet locks when no policies are loaded:
- Check mac_policies_count before looking for mbuf MAC label m_tags in MAC Framework entry points. We will still pay label lookup costs if MAC policies are present but don't require labels (typically a single mbuf header field read, but perhaps further indirection if IPSEC or other m_tag consumers are in use).
- Further push socket locking for socket-related access control checks and events into MAC policies from the MAC Framework, so that sockets are only locked if a policy specifically requires a lock to protect a label. This resolves lock order issues during sonewconn() and also in local domain socket cross-connect where multiple socket locks could not be held at once for the purposes of propagatig MAC labels across multiple sockets. Eliminate mac_policy_count check in some entry points where it no longer avoids locking.
- Add mac_policy_count checking in some entry points relating to network interfaces that otherwise lock a global MAC ifnet lock used to protect ifnet labels.
Obtained from: TrustedBSD Project
|
#
189533 |
|
08-Mar-2009 |
rwatson |
Remove 'uio' argument from MAC Framework and MAC policy entry points for extended attribute get/set; in the case of get an uninitialized user buffer was passed before the EA was retrieved, making it of relatively little use; the latter was simply unused by any policies.
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
#
189529 |
|
08-Mar-2009 |
rwatson |
Improve the consistency of MAC Framework and MAC policy entry point naming by renaming certain "proc" entry points to "cred" entry points, reflecting their manipulation of credentials. For some entry points, the process was passed into the framework but not into policies; in these cases, stop passing in the process since we don't need it.
mac_proc_check_setaudit -> mac_cred_check_setaudit mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr mac_proc_check_setauid -> mac_cred_check_setauid mac_proc_check_setegid -> mac_cred_check_setegid mac_proc_check_seteuid -> mac_cred_check_seteuid mac_proc_check_setgid -> mac_cred_check_setgid mac_proc_check_setgroups -> mac_cred_ceck_setgroups mac_proc_check_setregid -> mac_cred_check_setregid mac_proc_check_setresgid -> mac_cred_check_setresgid mac_proc_check_setresuid -> mac_cred_check_setresuid mac_proc_check_setreuid -> mac_cred_check_setreuid mac_proc_check_setuid -> mac_cred_check_setuid
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
#
187016 |
|
10-Jan-2009 |
rwatson |
Rather than having MAC policies explicitly declare what object types they label, derive that information implicitly from the set of label initializers in their policy operations set. This avoids a possible class of programmer errors, while retaining the structure that allows us to avoid allocating labels for objects that don't need them. As before, we regenerate a global mask of labeled objects each time a policy is loaded or unloaded, stored in mac_labeled.
Discussed with: csjp Suggested by: Jacques Vidrine <nectar at apple.com> Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
#
187014 |
|
10-Jan-2009 |
rwatson |
Use MPC_OBJECT_IP6Q to indicate labeling of struct ip6q rather than MPC_OBJECT_IPQ; it was already defined, just not used.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
#
184413 |
|
28-Oct-2008 |
trasz |
Introduce accmode_t. This is required for NFSv4 ACLs - it will be neccessary to add more V* constants, and the variables changed by this patch were often being assigned to mode_t variables, which is 16 bit.
Approved by: rwatson (mentor)
|
#
184407 |
|
28-Oct-2008 |
rwatson |
Rename three MAC entry points from _proc_ to _cred_ to reflect the fact that they operate directly on credentials: mac_proc_create_swapper(), mac_proc_create_init(), and mac_proc_associate_nfsd(). Update policies.
Obtained from: TrustedBSD Project
|
#
184308 |
|
26-Oct-2008 |
rwatson |
Implement MAC policy support for IPv6 fragment reassembly queues, modeled on IPv4 fragment reassembly queue support.
Obtained from: TrustedBSD Project
|
#
183980 |
|
17-Oct-2008 |
bz |
Add a mac_inpcb_check_visible implementation to all MAC policies that handle mac_socket_check_visible.
Reviewed by: rwatson MFC after: 3 months (set timer; decide then)
|
#
182063 |
|
23-Aug-2008 |
rwatson |
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required.
MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
#
180059 |
|
27-Jun-2008 |
jhb |
Rework the lifetime management of the kernel implementation of POSIX semaphores. Specifically, semaphores are now represented as new file descriptor type that is set to close on exec. This removes the need for all of the manual process reference counting (and fork, exec, and exit event handlers) as the normal file descriptor operations handle all of that for us nicely. It is also suggested as one possible implementation in the spec and at least one other OS (OS X) uses this approach.
Some bugs that were fixed as a result include: - References to a named semaphore whose name is removed still work after the sem_unlink() operation. Prior to this patch, if a semaphore's name was removed, valid handles from sem_open() would get EINVAL errors from sem_getvalue(), sem_post(), etc. This fixes that. - Unnamed semaphores created with sem_init() were not cleaned up when a process exited or exec'd. They were only cleaned up if the process did an explicit sem_destroy(). This could result in a leak of semaphore objects that could never be cleaned up. - On the other hand, if another process guessed the id (kernel pointer to 'struct ksem' of an unnamed semaphore (created via sem_init)) and had write access to the semaphore based on UID/GID checks, then that other process could manipulate the semaphore via sem_destroy(), sem_post(), sem_wait(), etc. - As part of the permission check (UID/GID), the umask of the proces creating the semaphore was not honored. Thus if your umask denied group read/write access but the explicit mode in the sem_init() call allowed it, the semaphore would be readable/writable by other users in the same group, for example. This includes access via the previous bug. - If the module refused to unload because there were active semaphores, then it might have deregistered one or more of the semaphore system calls before it noticed that there was a problem. I'm not sure if this actually happened as the order that modules are discovered by the kernel linker depends on how the actual .ko file is linked. One can make the order deterministic by using a single module with a mod_event handler that explicitly registers syscalls (and deregisters during unload after any checks). This also fixes a race where even if the sem_module unloaded first it would have destroyed locks that the syscalls might be trying to access if they are still executing when they are unloaded.
XXX: By the way, deregistering system calls doesn't do any blocking to drain any threads from the calls. - Some minor fixes to errno values on error. For example, sem_init() isn't documented to return ENFILE or EMFILE if we run out of semaphores the way that sem_open() can. Instead, it should return ENOSPC in that case.
Other changes: - Kernel semaphores now use a hash table to manage the namespace of named semaphores nearly in a similar fashion to the POSIX shared memory object file descriptors. Kernel semaphores can now also have names longer than 14 chars (up to MAXPATHLEN) and can include subdirectories in their pathname. - The UID/GID permission checks for access to a named semaphore are now done via vaccess() rather than a home-rolled set of checks. - Now that kernel semaphores have an associated file object, the various MAC checks for POSIX semaphores accept both a file credential and an active credential. There is also a new posixsem_check_stat() since it is possible to fstat() a semaphore file descriptor. - A small set of regression tests (using the ksem API directly) is present in src/tools/regression/posixsem.
Reported by: kris (1) Tested by: kris Reviewed by: rwatson (lightly) MFC after: 1 month
|
#
180031 |
|
26-Jun-2008 |
jhb |
Add missing counter increments for posix shm checks.
|
#
179963 |
|
23-Jun-2008 |
jhb |
Remove the posixsem_check_destroy() MAC check. It is semantically identical to doing a MAC check for close(), but no other types of close() (including close(2) and ksem_close(2)) have MAC checks.
Discussed with: rwatson
|
#
179781 |
|
13-Jun-2008 |
rwatson |
The TrustedBSD MAC Framework named struct ipq instances 'ipq', which is the same as the global variable defined in ip_input.c. Instead, adopt the name 'q' as found in about 1/2 of uses in ip_input.c, preventing a collision on the name. This is non-harmful, but means that search and replace on the global works less well (as in the virtualization work), as well as indexing tools.
MFC after: 1 week Reported by: julian
|
#
175164 |
|
08-Jan-2008 |
jhb |
Add a new file descriptor type for IPC shared memory objects and use it to implement shm_open(2) and shm_unlink(2) in the kernel: - Each shared memory file descriptor is associated with a swap-backed vm object which provides the backing store. Each descriptor starts off with a size of zero, but the size can be altered via ftruncate(2). The shared memory file descriptors also support fstat(2). read(2), write(2), ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared memory file descriptors. - shm_open(2) and shm_unlink(2) are now implemented as system calls that manage shared memory file descriptors. The virtual namespace that maps pathnames to shared memory file descriptors is implemented as a hash table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash of the pathname. - As an extension, the constant 'SHM_ANON' may be specified in place of the path argument to shm_open(2). In this case, an unnamed shared memory file descriptor will be created similar to the IPC_PRIVATE key for shmget(2). Note that the shared memory object can still be shared among processes by sharing the file descriptor via fork(2) or sendmsg(2), but it is unnamed. This effectively serves to implement the getmemfd() idea bandied about the lists several times over the years. - The backing store for shared memory file descriptors are garbage collected when they are not referenced by any open file descriptors or the shm_open(2) virtual namespace.
Submitted by: dillon, peter (previous versions) Submitted by: rwatson (I based this on his version) Reviewed by: alc (suggested converting getmemfd() to shm_open())
|
#
174898 |
|
25-Dec-2007 |
rwatson |
Add a new 'why' argument to kdb_enter(), and a set of constants to use for that argument. This will allow DDB to detect the broad category of reason why the debugger has been entered, which it can use for the purposes of deciding which DDB script to run.
Assign approximate why values to all current consumers of the kdb_enter() interface.
|
#
173163 |
|
29-Oct-2007 |
rwatson |
Implement per-object type consistency checks for labels passed to 'internalize' operations rather than using a single common check.
Obtained from: TrustedBSD Project
|
#
173141 |
|
29-Oct-2007 |
rwatson |
Canonicalize names of local variables.
Add some missing label checks in mac_test.
Obtained from: TrustedBSD Project
|
#
173138 |
|
29-Oct-2007 |
rwatson |
Resort TrustedBSD MAC Framework policy entry point implementations and declarations to match the object, operation sort order in the framework itself.
Obtained from: TrustedBSD Project
|
#
173112 |
|
28-Oct-2007 |
rwatson |
Add missing mac_test labeling and sleep checks for the syncache.
Discussed with: csjp Obtained from: TrustedBSD Project
|
#
173108 |
|
28-Oct-2007 |
rwatson |
Garbage collect mac_mbuf_create_multicast_encap TrustedBSD MAC Framework entry point, which is no longer required now that we don't support old-style multicast tunnels. This removes the last mbuf object class entry point that isn't init/copy/destroy.
Obtained from: TrustedBSD Project
|
#
173102 |
|
28-Oct-2007 |
rwatson |
Continue to move from generic network entry points in the TrustedBSD MAC Framework by moving from mac_mbuf_create_netlayer() to more specific entry points for specific network services:
- mac_netinet_firewall_reply() to be used when replying to in-bound TCP segments in pf and ipfw (etc).
- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite a label in place, but in others we apply the label to a new mbuf.
Obtained from: TrustedBSD Project
|
#
173095 |
|
28-Oct-2007 |
rwatson |
Move towards more explicit support for various network protocol stacks in the TrustedBSD MAC Framework:
- Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send() for AARP packet labeling, rather than using a generic link layer entry point.
- Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send() for ND6 packet labeling, rather than using a generic link layer entry point.
- Add expliict entry point mac_netinet_arp_send() for ARP packet labeling, and mac_netinet_igmp_send() for IGMP packet labeling, rather than using a generic link layer entry point.
- Remove previous genering link layer entry point, mac_mbuf_create_linklayer() as it is no longer used.
- Add implementations of new entry points to various policies, largely by replicating the existing link layer entry point for them; remove old link layer entry point implementation.
- Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global to the MAC Framework rather than static to mac_net.c as it is now needed outside of mac_net.c.
Obtained from: TrustedBSD Project
|
#
173093 |
|
28-Oct-2007 |
rwatson |
Perform explicit label type checks for externalize entry points, rather than a generic initialized test.
Obtained from: TrustedBSD Project
|
#
173054 |
|
27-Oct-2007 |
rwatson |
Give each posixsem MAC Framework entry point its own counter and test case in the mac_test policy, rather than sharing a single function for all of the access control checks.
Obtained from: TrustedBSD Project
|
#
173018 |
|
26-Oct-2007 |
rwatson |
Rename 'mac_mbuf_create_from_firewall' to 'mac_netinet_firewall_send' as we move towards netinet as a pseudo-object for the MAC Framework.
Rename 'mac_create_mbuf_linklayer' to 'mac_mbuf_create_linklayer' to reflect general object-first ordering preference.
Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
172955 |
|
25-Oct-2007 |
rwatson |
Consistently name functions for mac_<policy> as <policy>_whatever rather than mac_<policy>_whatever, as this shortens the names and makes the code a bit easier to read.
When dealing with label structures, name variables 'mb', 'ml', 'mm rather than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making the code a little easier to read.
Obtained from: TrustedBSD Project
|
#
172953 |
|
25-Oct-2007 |
rwatson |
Further MAC Framework cleanup: normalize some local variable names and clean up some comments.
Obtained from: TrustedBSD Project
|
#
172930 |
|
24-Oct-2007 |
rwatson |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms:
mac_<object>_<method/action> mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names.
All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
172850 |
|
21-Oct-2007 |
rwatson |
Canonicalize naming of local variables for struct ksem and associated labels to 'ks' and 'kslabel' to reflect the convention in posix_sem.c.
MFC after: 3 days Obtained from: TrustedBSD Project
|
#
172107 |
|
09-Sep-2007 |
rwatson |
Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry point to mac_check_vnode_unlink(), reflecting UNIX naming conventions.
This is the first of several commits to synchronize the MAC Framework in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X Leopard.
Reveiwed by: csjp, Samy Bahra <sbahra at gwu dot edu> Submitted by: Jacques Vidrine <nectar at apple dot com> Obtained from: Apple Computer, Inc. Sponsored by: SPARTA, SPAWAR Approved by: re (bmah)
|
#
171047 |
|
26-Jun-2007 |
rwatson |
Add a new MAC framework and policy entry point, mpo_check_proc_setaudit_addr to be used when controlling use of setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a different argument type.
Reviewed by: csjp Approved by: re (kensmith)
|
#
168977 |
|
23-Apr-2007 |
rwatson |
Rename mac*devfsdirent*() to mac*devfs*() to synchronize with SEDarwin, where similar data structures exist to support devfs and the MAC Framework, but are named differently.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
|
#
168976 |
|
23-Apr-2007 |
rwatson |
Apply variable name normalization to MAC policies: adopt global conventions for the naming of variables associated with specific data structures.
Obtained from: TrustedBSD Project
|
#
168954 |
|
22-Apr-2007 |
rwatson |
In the MAC Framework implementation, file systems have two per-mountpoint labels: the mount label (label of the mountpoint) and the fs label (label of the file system). In practice, policies appear to only ever use one, and the distinction is not helpful.
Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and eliminate extra machinery required to maintain the additional label. Update policies to reflect removal of extra entry points and label.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
|
#
168951 |
|
22-Apr-2007 |
rwatson |
Remove MAC Framework access control check entry points made redundant with the introduction of priv(9) and MAC Framework entry points for privilege checking/granting. These entry points exactly aligned with privileges and provided no additional security context:
- mac_check_sysarch_ioperm() - mac_check_kld_unload() - mac_check_settime() - mac_check_system_nfsd()
Add mpo_priv_check() implementations to Biba and LOMAC policies, which, for each privilege, determine if they can be granted to processes considered unprivileged by those two policies. These mostly, but not entirely, align with the set of privileges granted in jails.
Obtained from: TrustedBSD Project
|
#
168947 |
|
22-Apr-2007 |
rwatson |
Further MAC test policy cleanup and enhancement:
- Redistribute counter declarations to where they are used, rather than at the file header, so it's more clear where we do (and don't) have counters.
- Add many more counters, one per policy entry point, so that many individual access controls and object life cycle events are tracked.
- Perform counter increments for label destruction explicitly in entry point functions rather than in LABEL_DESTROY().
- Use LABEL_INIT() instead of SLOT_SET() directly in label init functions to be symmetric with destruction.
- Align counter names more carefully with entry point names.
- More constant and variable name normalization.
Obtained from: TrustedBSD Project
|
#
168944 |
|
22-Apr-2007 |
rwatson |
Perform overdue clean up mac_test policy:
- Add a more detailed comment describing the mac_test policy.
- Add COUNTER_DECL() and COUNTER_INC() macros to declare and manage various test counters, reducing the verbosity of the test policy quite a bit.
- Add LABEL_CHECK() macro to abbreviate normal validation of labels. Unlike the previous check macros, this checks for a NULL label and doesn't test NULL labels. This means that optionally passed labels will now be handled automatically, although in the case of optional credentials, NULL-checks are still required.
- Add LABEL_DESTROY() macro to abbreviate the handling of label validation and tear-down.
- Add LABEL_NOTFREE() macro to abbreviate check for non-free labels.
- Normalize the names of counters, magic values.
- Remove unused policy "enabled" flag.
Obtained from: TrustedBSD Project
|
#
168933 |
|
21-Apr-2007 |
rwatson |
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid().
MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points.
Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
|
#
166905 |
|
23-Feb-2007 |
rwatson |
More unnecessary include reduction.
|
#
166899 |
|
23-Feb-2007 |
rwatson |
Remove empty entry point functions (init, destroy, syscall) from policies that don't need them.
|
#
166533 |
|
06-Feb-2007 |
rwatson |
Introduce accessor functions mac_label_get() and mac_label_set() to replace LABEL_TO_SLOT() macro used by policy modules to query and set label data in struct label. Instead of using a union, store an intptr_t, simplifying the API.
Update policies: in most cases this required only small tweaks to current wrapper macros. In two cases, a single wrapper macros had to be split into separate get and set macros.
Move struct label definition from _label.h to mac_internal.h and remove _label.h. With this change, policies may now treat struct label * as opaque, allowing us to change the layout of struct label without breaking the policy module ABI. For example, we could make the maximum number of policies with labels modifiable at boot-time rather than just at compile-time.
Obtained from: TrustedBSD Project
|
#
166531 |
|
06-Feb-2007 |
rwatson |
Continue 7-CURRENT MAC Framework rearrangement and cleanup:
Don't perform a nested include of _label.h in mac.h, as mac.h now describes only the user API to MAC, and _label.h defines the in-kernel representation of MAC labels.
Remove mac.h includes from policies and MAC framework components that do not use userspace MAC API definitions.
Add _KERNEL inclusion checks to mac_internal.h and mac_policy.h, as these are kernel-only include files
Obtained from: TrustedBSD Project
|
#
165469 |
|
22-Dec-2006 |
rwatson |
Move src/sys/sys/mac_policy.h, the kernel interface between the MAC Framework and security modules, to src/sys/security/mac/mac_policy.h, completing the removal of kernel-only MAC Framework include files from src/sys/sys. Update the MAC Framework and MAC policy modules. Delete the old mac_policy.h.
Third party policy modules will need similar updating.
Obtained from: TrustedBSD Project
|
#
164184 |
|
11-Nov-2006 |
trhodes |
Merge posix4/* into normal kernel hierarchy.
Reviewed by: glanced at by jhb Approved by: silence on -arch@ and -standards@
|
#
150340 |
|
19-Sep-2005 |
phk |
Add #include <sys/sx.h>, devfs is going to require this shortly.
|
#
150324 |
|
19-Sep-2005 |
rwatson |
Remove mac_create_root_mount() and mpo_create_root_mount(), which provided access to the root file system before the start of the init process. This was used briefly by SEBSD before it knew about preloading data in the loader, and using that method to gain access to data earlier results in fewer inconsistencies in the approach. Policy modules still have access to the root file system creation event through the mac_create_mount() entry point.
Removed now, and will be removed from RELENG_6, in order to gain third party policy dependencies on the entry point for the lifetime of the 6.x branch.
MFC after: 3 days Submitted by: Chris Vance <Christopher dot Vance at SPARTA dot com> Sponsored by: SPARTA
|
#
147982 |
|
14-Jul-2005 |
rwatson |
When devfs cloning takes place, provide access to the credential of the process that caused the clone event to take place for the device driver creating the device. This allows cloned device drivers to adapt the device node based on security aspects of the process, such as the uid, gid, and MAC label.
- Add a cred reference to struct cdev, so that when a device node is instantiated as a vnode, the cloning credential can be exposed to MAC.
- Add make_dev_cred(), a version of make_dev() that additionally accepts the credential to stick in the struct cdev. Implement it and make_dev() in terms of a back-end make_dev_credv().
- Add a new event handler, dev_clone_cred, which can be registered to receive the credential instead of dev_clone, if desired.
- Modify the MAC entry point mac_create_devfs_device() to accept an optional credential pointer (may be NULL), so that MAC policies can inspect and act on the label or other elements of the credential when initializing the skeleton device protections.
- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(), so that the pty clone credential is exposed to the MAC Framework.
While currently primarily focussed on MAC policies, this change is also a prerequisite for changes to allow ptys to be instantiated with the UID of the process looking up the pty. This requires further changes to the pty driver -- in particular, to immediately recycle pty nodes on last close so that the credential-related state can be recreated on next lookup.
Submitted by: Andrew Reisse <andrew.reisse@sparta.com> Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA MFC after: 1 week MFC note: Merge to 6.x, but not 5.x for ABI reasons
|
#
147785 |
|
05-Jul-2005 |
rwatson |
Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is redundant with respect to existing mbuf copy label routines. Expose a new mac_copy_mbuf() routine at the top end of the Framework and use that; use the existing mpo_copy_mbuf_label() routine on the bottom end.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, SPAWAR Approved by: re (scottl)
|
#
147091 |
|
07-Jun-2005 |
rwatson |
Gratuitous renaming of four System V Semaphore MAC Framework entry points to convert _sema() to _sem() for consistency purposes with respect to the other semaphore-related entry points:
mac_init_sysv_sema() -> mac_init_sysv_sem() mac_destroy_sysv_sem() -> mac_destroy_sysv_sem() mac_create_sysv_sema() -> mac_create_sysv_sem() mac_cleanup_sysv_sema() -> mac_cleanup_sysv_sem()
Congruent changes are made to the policy interface to support this.
Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA
|
#
145855 |
|
04-May-2005 |
rwatson |
Introduce MAC Framework and MAC Policy entry points to label and control access to POSIX Semaphores:
mac_init_posix_sem() Initialize label for POSIX semaphore mac_create_posix_sem() Create POSIX semaphore mac_destroy_posix_sem() Destroy POSIX semaphore mac_check_posix_sem_destroy() Check whether semaphore may be destroyed mac_check_posix_sem_getvalue() Check whether semaphore may be queried mac_check_possix_sem_open() Check whether semaphore may be opened mac_check_posix_sem_post() Check whether semaphore may be posted to mac_check_posix_sem_unlink() Check whether semaphore may be unlinked mac_check_posix_sem_wait() Check whether may wait on semaphore
Update Biba, MLS, Stub, and Test policies to implement these entry points. For information flow policies, most semaphore operations are effectively read/write.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Sponsored by: DARPA, McAfee, SPARTA Obtained from: TrustedBSD Project
|
#
145234 |
|
18-Apr-2005 |
rwatson |
Introduce p_canwait() and MAC Framework and MAC Policy entry points mac_check_proc_wait(), which control the ability to wait4() specific processes. This permits MAC policies to limit information flow from children that have changed label, although has to be handled carefully due to common programming expectations regarding the behavior of wait4(). The cr_seeotheruids() check in p_canwait() is #if 0'd for this reason.
The mac_stub and mac_test policies are updated to reflect these new entry points.
Sponsored by: SPAWAR, SPARTA Obtained from: TrustedBSD Project
|
#
145167 |
|
16-Apr-2005 |
rwatson |
Introduce three additional MAC Framework and MAC Policy entry points to control socket poll() (select()), fstat(), and accept() operations, required for some policies:
poll() mac_check_socket_poll() fstat() mac_check_socket_stat() accept() mac_check_socket_accept()
Update mac_stub and mac_test policies to be aware of these entry points. While here, add missing entry point implementations for:
mac_stub.c stub_check_socket_receive() mac_stub.c stub_check_socket_send() mac_test.c mac_test_check_socket_send() mac_test.c mac_test_check_socket_visible()
Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA
|
#
145147 |
|
16-Apr-2005 |
rwatson |
Introduce new MAC Framework and MAC Policy entry points to control the use of system calls to manipulate elements of the process credential, including:
setuid() mac_check_proc_setuid() seteuid() mac_check_proc_seteuid() setgid() mac_check_proc_setgid() setegid() mac_check_proc_setegid() setgroups() mac_check_proc_setgroups() setreuid() mac_check_proc_setreuid() setregid() mac_check_proc_setregid() setresuid() mac_check_proc_setresuid() setresgid() mac_check_rpoc_setresgid()
MAC checks are performed before other existing security checks; both current credential and intended modifications are passed as arguments to the entry points. The mac_test and mac_stub policies are updated.
Submitted by: Samy Al Bahra <samy@kerneled.org> Obtained from: TrustedBSD Project
|
#
145076 |
|
14-Apr-2005 |
csjp |
Move MAC check_vnode_mmap entry point out from being exclusive to MAP_SHARED so that the entry point gets executed un-conditionally. This may be useful for security policies which want to perform access control checks around run-time linking.
-add the mmap(2) flags argument to the check_vnode_mmap entry point so that we can make access control decisions based on the type of mapped object. -update any dependent API around this parameter addition such as function prototype modifications, entry point parameter additions and the inclusion of sys/mman.h header file. -Change the MLS, BIBA and LOMAC security policies so that subject domination routines are not executed unless the type of mapping is shared. This is done to maintain compatibility between the old vm_mmap_vnode(9) and these policies.
Reviewed by: rwatson MFC after: 1 month
|
#
141802 |
|
13-Feb-2005 |
rwatson |
Synchronize HEAD copyright/license with RELENG_5 copyright/license: McAfee instead of NETA.
|
#
140879 |
|
26-Jan-2005 |
rwatson |
Remove policy references to mpo_check_vnode_mprotect(), which is currently unimplemented.
Update copyrights.
Pointed out by: csjp
|
#
140635 |
|
22-Jan-2005 |
rwatson |
Update mac_test for MAC Framework policy entry points System V IPC objects (message queues, semaphores, shared memory), exercising and validating MAC labels on these objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Obtained from: TrustedBSD Project Sponsored by: DARPA, SPAWAR, McAfee Research
|
#
136812 |
|
23-Oct-2004 |
rwatson |
/%x/%s/ -- mismerged DEBUGGER() printf() format stirng from the TrustedBSD branch.
Submitted by: bde
|
#
136775 |
|
22-Oct-2004 |
rwatson |
Replace direct reference to kdb_enter() with a DEBUGGER() macro that will call printf() if KDB isn't compiled into the kernel.
Obtained from: TrustedBSD Project Sponsored by: SPAWAR
|
#
131934 |
|
10-Jul-2004 |
marcel |
Update for the KDB framework: o Call kdb_enter() instead of Debugger().
|
#
131025 |
|
24-Jun-2004 |
rwatson |
Introduce a temporary mutex, mac_ifnet_mtx, to lock MAC labels on network interfaces. This global mutex will protect all ifnet labels. Acquire the mutex across various MAC activities on interfaces, such as security checks, propagating interface labels to mbufs generated from the interface, retrieving and setting the interface label.
Introduce mpo_copy_ifnet_label MAC policy entry point to copy the value of an interface label from one label to another. Use this to avoid performing a label externalize while holding mac_ifnet_mtx; copy the label to a temporary ifnet label and then externalize that.
Implement mpo_copy_ifnet_label for various MAC policies that implement interface labeling using generic label copying routines.
Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
|
#
130585 |
|
16-Jun-2004 |
phk |
Do the dreaded s/dev_t/struct cdev */ Bump __FreeBSD_version accordingly.
|
#
128897 |
|
03-May-2004 |
rwatson |
Update copyright.
|
#
128896 |
|
03-May-2004 |
rwatson |
When performing label assertions on an mbuf header label in mac_test, test the label pointer for NULL before testing the label slot for permitted values. When loading mac_test dynamically with conditional mbuf labels, the label pointer may be NULL if the mbuf was instantiated while labels were not required on mbufs by any policy.
Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
|
#
126121 |
|
22-Feb-2004 |
pjd |
Reimplement sysctls handling by MAC framework. Now I believe it is done in the right way.
Removed some XXMAC cases, we now assume 'high' integrity level for all sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic.
Reviewed by: rwatson Approved by: rwatson, scottl (mentor) Tested with: LINT (compilation), mac_biba(4) (functionality)
|
#
126097 |
|
21-Feb-2004 |
rwatson |
Update my personal copyrights and NETA copyrights in the kernel to use the "year1-year3" format, as opposed to "year1, year2, year3". This seems to make lawyers more happy, but also prevents the lines from getting excessively long as the years start to add up.
Suggested by: imp
|
#
125293 |
|
01-Feb-2004 |
rwatson |
Coalesce pipe allocations and frees. Previously, the pipe code would allocate two 'struct pipe's from the pipe zone, and malloc a mutex.
- Create a new "struct pipepair" object holding the two 'struct pipe' instances, struct mutex, and struct label reference. Pipe structures now have a back-pointer to the pipe pair, and a 'pipe_present' flag to indicate whether the half has been closed.
- Perform mutex init/destroy in zone init/destroy, avoiding reallocating the mutex for each pipe. Perform most pipe structure setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe', update many policies. MAC labels are also handled outside of the UMA zone for now. Label-only policy modules don't have to be recompiled, but if a module is recompiled, its pipe entry points will need to be updated. If a module actually reached into the pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed half until a full-close takes place. However, VM mapped buffers are still released on half-close.
Some code refactoring is now possible to clean up some of the back references, etc; this patch attempts not to change the structure of most of the pipe implementation, only allocation/free code paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation and free in system call tests on UP and SMP in my micro-benchmarks. May or may not make a difference in macro-benchmarks, but doing less work is good.
Reviewed by: juli, tjr Testing help: dwhite, fenestro, scottl, et al
|
#
123607 |
|
17-Dec-2003 |
rwatson |
Switch TCP over to using the inpcb label when responding in timed wait, rather than the socket label. This avoids reaching up to the socket layer during connection close, which requires locking changes. To do this, introduce MAC Framework entry point mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond() instead of calling mac_create_mbuf_from_socket() or mac_create_mbuf_netlayer(). Introduce MAC Policy entry point mpo_create_mbuf_from_inpcb(), and implementations for various policies, which generally just copy label data from the inpcb to the mbuf. Assert the inpcb lock in the entry point since we require consistency for the inpcb label reference.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
123397 |
|
10-Dec-2003 |
rwatson |
interpvnodelabel can be NULL in mac_test_execve_transition(). This only turned up when running mac_test side by side with a transitioning policy such as SEBSD. Make the NULL testing match mac_test_execve_will_transition(), which already tested the vnode label pointer for NULL.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
123173 |
|
06-Dec-2003 |
rwatson |
Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(), and the mpo_create_cred() MAC policy entry point to mpo_copy_cred_label(). This is more consistent with similar entry points for creation and label copying, as mac_create_cred() was called from crdup() as opposed to during process creation. For a number of policies, this removes the requirement for special handling when copying credential labels, and improves consistency.
Approved by: re (scottl) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122875 |
|
17-Nov-2003 |
rwatson |
Introduce a MAC label reference in 'struct inpcb', which caches the MAC label referenced from 'struct socket' in the IPv4 and IPv6-based protocols. This permits MAC labels to be checked during network delivery operations without dereferencing inp->inp_socket to get to so->so_label, which will eventually avoid our having to grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the MAC Framework, along with the normal circus of entry points: initialization, creation from socket, destruction, as well as a delivery access control check.
For most policies, the inpcb label will simply be a cache of the socket label, so a new protocol switch method is introduced, pr_sosetlabel() to notify protocols that the socket layer label has been updated so that the cache can be updated while holding appropriate locks. Most protocols implement this using pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use the the worker function in_pcbsosetlabel(), which calls into the MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub policy, and test policy.
Reviewed by: sam, bms Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122820 |
|
16-Nov-2003 |
rwatson |
Implement sockets support for __mac_get_fd() and __mac_set_fd() system calls, and prefer these calls over getsockopt()/setsockopt() for ABI reasons. When addressing UNIX domain sockets, these calls retrieve and modify the socket label, not the label of the rendezvous vnode.
- Create mac_copy_socket_label() entry point based on mac_copy_pipe_label() entry point, intended to copy the socket label into temporary storage that doesn't require a socket lock to be held (currently Giant).
- Implement mac_copy_socket_label() for various policies.
- Expose socket label allocation, free, internalize, externalize entry points as non-static from mac_net.c.
- Use mac_socket_label_set() in __mac_set_fd().
MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and mac_get_peer() to retrieve and set various socket labels without directly invoking the getsockopt() interface.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122808 |
|
16-Nov-2003 |
rwatson |
Implement mpo_copy_{mbuf,pipe,vnode}_label() entry points for mac_stub and mac_test.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122718 |
|
14-Nov-2003 |
rwatson |
mac_relabel_cred() accepts two cred labels, not a cred label and a vnode label; update assertion.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122569 |
|
12-Nov-2003 |
jhb |
Remove extraneous & to fix compile.
|
#
122524 |
|
12-Nov-2003 |
rwatson |
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol.
Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
119301 |
|
22-Aug-2003 |
rwatson |
Correct typo introduced during manual merge: hook up the reflect_tcp test to the reflect_tcp entry point, rather than the reflect_icmp entry point.
Submitted by: naddy
|
#
119228 |
|
21-Aug-2003 |
rwatson |
Retrofit of mac_test regression and consistency test module for MAC Framework labels:
- Re-work the label state assertions to use a set of central ASSERT_type_LABEL() assertions.
- Test to make sure labels passed to externalize/internalize calls haven't been destroyed.
- For access control checks, assert the condition of all labels passed in.
- For life cycle events, assert the condition of all labels passed in.
- Add new entry point implementations for new MAC Framework entry points: mac_test_reflect_mbuf_icmp(), mac_test_reflect_mbuf_tcp(), mac_test_check_vnode_deleteextattr(), mac_test_check_vnode_listextattr().
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
117247 |
|
04-Jul-2003 |
rwatson |
Remove trailing whitespace.
|
#
116701 |
|
22-Jun-2003 |
rwatson |
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS.
Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case.
This has been running in the MAC development tree for about three weeks without problems.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
113534 |
|
15-Apr-2003 |
rwatson |
Modify mac_test policy to invoke WITNESS_WARN() when a potentially blocking allocation could occur as a result of a label initialization. This will simulate the behavior of allocated label policies such as MLS and Biba when running mac_test from the perspective of WITNESS lock and sleep warnings.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
113531 |
|
15-Apr-2003 |
rwatson |
Enable the MAC_ALWAYS_LABEL_MBUF flag for the Biba, LOMAC, MLS, and Test policies. Missed in earlier merge.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
112717 |
|
27-Mar-2003 |
rwatson |
Trim "trustedbsd_" from the front of the policy module "short names"; the vendor is only included in the long name currently, reducing verbosity when modules are registered and unregistered.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
112675 |
|
26-Mar-2003 |
rwatson |
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
112578 |
|
24-Mar-2003 |
rwatson |
Update the MAC regression test policy to include stubs and testing functionality for the following entry pints:
mac_test_init_proc_label() mac_test_destroy_proc_label()
For process labeling entry points, now also track the use of process labels and test assertions about their integrity and life cycle.
mac_test_thread_userret() mac_test_check_kenv_dump() mac_test_check_kenv_get() mac_test_check_kenv_set() mac_test_check_kenv_unset() mac_test_check_kld_load() mac_test_check_kld_stat() mac_test_check_kld_unload() mac_test_check_sysarch_ioperm() mac_test_check_system_acct() mac_test_check_system_reboot() mac_test_check_system_settime() mac_test_check_system_swapon() mac_test_check_system_swapoff() mac_test_check_system_sysctl()
For other entry points, just provide testing stubs.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
107731 |
|
10-Dec-2002 |
rwatson |
Default policies to on: if you load them or compile them into your kernel, you should expect them to do something, so now they do. This doesn't affect users who don't load or explicitly compile in the policies.
Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
107698 |
|
09-Dec-2002 |
rwatson |
Remove dm_root entry from struct devfs_mount. It's never set, and is unused. Replace it with a dm_mount back-pointer to the struct mount that the devfs_mount is associated with. Export that pointer to MAC Framework entry points, where all current policies don't use the pointer. This permits the SEBSD port of SELinux's FLASK/TE to compile out-of-the-box on 5.0-CURRENT with full file system labeling support.
Approved by: re (murray) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106788 |
|
12-Nov-2002 |
rwatson |
Garbage collect mac_create_devfs_vnode() -- it hasn't been used since we brought in the new cache and locking model for vnode labels. We now rely on mac_associate_devfs_vnode().
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106648 |
|
08-Nov-2002 |
rwatson |
Update MAC modules for changes in arguments for exec MAC policy entry points to include an explicit execlabel.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106469 |
|
05-Nov-2002 |
rwatson |
Update policy modules for changes in arguments associated with support for label access on the interpreter, not just the shell script. No policies currently present in the system rely on the new labels.
|
#
106393 |
|
03-Nov-2002 |
rwatson |
License and wording updates: NAI has authorized the removal of clause three from their BSD-style license. Also, s/NAI Labs/Network Associates Laboratories/.
|
#
106217 |
|
30-Oct-2002 |
rwatson |
Move to C99 sparse structure initialization for the mac_policy_ops structure definition, rather than using an operation vector we translate into the structure. Originally, we used a vector for two reasons:
(1) We wanted to define the structure sparsely, which wasn't supported by the C compiler for structures. For a policy with five entry points, you don't want to have to stick in a few hundred NULL function pointers.
(2) We thought it would improve ABI compatibility allowing modules to work with kernels that had a superset of the entry points defined in the module, even if the kernel had changed its entry point set.
Both of these no longer apply:
(1) C99 gives us a way to sparsely define a static structure.
(2) The ABI problems existed anyway, due to enumeration numbers, argument changes, and semantic mismatches. Since the going rule for FreeBSD is that you really need your modules to pretty closely match your kernel, it's not worth the complexity.
This submit eliminates the operation vector, dynamic allocation of the operation structure, copying of the vector to the structure, and redoes the vectors in each policy to direct structure definitions. One enourmous benefit of this change is that we now get decent type checking on policy entry point implementation arguments.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106214 |
|
30-Oct-2002 |
rwatson |
Various minor type, prototype tweaks -- clean up cruft due to lack of type checking on entry points (to be introduced shortly).
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106212 |
|
30-Oct-2002 |
rwatson |
While 'mode_t' seemed like a good idea for the access mode argument for MAC access() and open() checks, the argument actually has an int type where it becomes available. Switch to using 'int' for the mode argument throughout the MAC Framework and policy modules.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
105988 |
|
26-Oct-2002 |
rwatson |
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
105696 |
|
22-Oct-2002 |
rwatson |
Adapt MAC policies for the new user API changes; teach policies how to parse their own label elements (some cleanup to occur here in the future to use the newly added kernel strsep()). Policies now entirely encapsulate their notion of label in the policy module.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
104546 |
|
06-Oct-2002 |
rwatson |
Sync from MAC tree: break out the single mmap entry point into seperate entry points for each occasion:
mac_check_vnode_mmap() Check at initial mapping mac_check_vnode_mprotect() Check at mapping protection change mac_check_vnode_mmap_downgrade() Determine if a mapping downgrade should take place following subject relabel.
Implement mmap() and mprotect() entry points for labeled vnode policies. These entry points are currently not hooked up to the VM system in the base tree. These changes improve the consistency of the access control interface and offer more flexibility regarding limiting access to vnode mmaping.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
104541 |
|
05-Oct-2002 |
rwatson |
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
104535 |
|
05-Oct-2002 |
rwatson |
Implement mac_create_devfs_symlink() for policies that interact with vnode labels. Sync from MAC tree.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
104530 |
|
05-Oct-2002 |
rwatson |
Merge implementation of mpo_check_vnode_link() for various appropriate file-system aware MAC policies. Sync to MAC tree.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
104514 |
|
05-Oct-2002 |
rwatson |
Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy entry points to mpo_init_foo_label(label) and mpo_destroy_foo_label(label). This will permit the use of the same entry points for holding temporary type-specific label during internalization and externalization, as well as for caching purposes. - Because of this, break out mpo_{init,destroy}_socket() and mpo_{init,destroy}_mount() into seperate entry points for socket main/peer labels and mount main/fs labels. - Since the prototype for label initialization is the same across almost all entry points, implement these entry points using common implementations for Biba, MLS, and Test, reducing the number of almost identical looking functions.
This simplifies policy implementation, as well as preparing us for the merge of the new flexible userland API for managing labels on objects.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
102162 |
|
20-Aug-2002 |
rwatson |
Provide stub mpo_syscall() implementations for mac_none and mac_test.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
102129 |
|
19-Aug-2002 |
rwatson |
Pass active_cred and file_cred into the MAC framework explicitly for mac_check_vnode_{poll,read,stat,write}(). Pass in fp->f_cred when calling these checks with a struct file available. Otherwise, pass NOCRED. All currently MAC policies use active_cred, but could now offer the cached credential semantic used for the base system security model.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
102115 |
|
19-Aug-2002 |
rwatson |
Break out mac_check_pipe_op() into component check entry points: mac_check_pipe_poll(), mac_check_pipe_read(), mac_check_pipe_stat(), and mac_check_pipe_write(). This is improves consistency with other access control entry points and permits security modules to only control the object methods that they are interested in, avoiding switch statements.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
102112 |
|
19-Aug-2002 |
rwatson |
Break out mac_check_vnode_op() into three seperate checks: mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write(). This improves the consistency with other existing vnode checks, and allows policies to avoid implementing switch statements to determine what operations they do and do not want to authorize.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
101934 |
|
15-Aug-2002 |
rwatson |
Rename mac_check_socket_receive() to mac_check_socket_deliver() so that we can use the names _receive() and _send() for the receive() and send() checks. Rename related constants, policy implementations, etc.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
101099 |
|
31-Jul-2002 |
rwatson |
Introduce support for Mandatory Access Control and extensible kernel access control.
Provide implementations of some sample operating system security policy extensions. These are not yet hooked up to the build as other infrastructure is still being committed. Most of these work fairly well and are in daily use in our development and (limited) production environments. Some are not yet in their final form, and a number of the labeled policies waste a lot of kernel memory and will be fixed over the next month or so to be more conservative. They do give good examples of the flexibility of the MAC framework for implementing a variety of security policies.
mac_biba: Implementation of fixed-label Biba integrity policy, similar to those found in a number of commercial trusted operating systems. All subjects and objects are assigned integrity levels, and information flow is controlled based on a read-up, write-down policy. Currently, purely hierarchal.
mac_bsdextended: Implementation of a "file system firewall", which allows the administrator to specify a series of rules limiting access by users and groups to objects owned by other users and groups. This policy is unlabeled, relying on existing system security labeling (file permissions/ownership, process credentials).
mac_ifoff: Secure interface silencing. Special-purpose module to limit inappropriate out-going network traffic for silent monitoring scenarios. Prevents the various network stacks from generating any output despite an interface being live for reception.
mac_mls: Implementation of fixed-label Multi-Level Security confidentiality policy, similar to those found in a number of commercial trusted operating systems. All subjects and objects are assigned confidentiality levels, and information flow is controlled based on a write-up, read-down policy. Currently, purely hiearchal, although non-hierarchal support is in the works.
mac_none: Policy module implementing all MAC policy entry points with empty stubs. A good place to start if you want all the prototypes types in for you, and don't mind a bit of pruning. Can be loaded, but has no access control impact. Useful also for performance measurements.
mac_seeotheruids: Policy module implementing a security service similar to security.bsd.seeotheruids, only a slightly more detailed policy involving exceptions for members of specific groups, etc. This policy is unlabeled, relying on existing system security labeling (process credentials).
mac_test: Policy module implementing basic sanity tests for label handling. Attempts to ensure that labels are not freed multiple times, etc, etc.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|