272461 |
03-Oct-2014 |
gjb |
Copy stable/10@r272459 to releng/10.1 as part of the 10.1-RELEASE process.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
270045 |
16-Aug-2014 |
bz |
MFC r259885:
As constantly reported during kernel compilation, m_buflen is unsigned so can never be < 0. Remove the expression, which can never be true.
|
263960 |
31-Mar-2014 |
mjg |
MFC r263458: audit: plug FILEDESC_LOCK leak in audit_canon_path.
|
260817 |
17-Jan-2014 |
avg |
MFC r258622: dtrace sdt: remove the ugly sname parameter of SDT_PROBE_DEFINE
|
259917 |
26-Dec-2013 |
jhb |
MFC 259014: There is no sysctl with the MIB { CTL_KERN, KERN_MAXID }.
|
256281 |
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
255971 |
01-Oct-2013 |
markj |
Fix some typos that were causing probe argument types to show up as unknown.
Reviewed by: rwatson (mac provider) Approved by: re (glebius) MFC after: 1 week
|
255945 |
29-Sep-2013 |
kib |
Make the mac_policy_rm lock recursable, which allows reentrance into the mac framework. It is needed when priv_check_cred(9) is called from the mac callback, e.g. in the mac_portacl(4).
Reported by: az Reviewed by: rwatson Sponsored by: The FreeBSD Foundation MFC after: 1 week Approved by: re (gjb)
|
255359 |
07-Sep-2013 |
davide |
- Use make_dev_credf(MAKEDEV_REF) instead of the race-prone make_dev()+ dev_ref() in the clone handlers that still use it.
- Don't set SI_CHEAPCLONE flag, it's not used anywhere, not even in devfs (for anything real)
Reviewed by: kib
|
255240 |
05-Sep-2013 |
pjd |
Handle cases where capability rights are not provided.
Reported by: kib
|
255219 |
05-Sep-2013 |
pjd |
Change the cap_rights_t type from uint64_t to a structure that we can extend in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to represent one right, but we are running out of spare bits. Currently the new structure provides place for 114 rights (so 50 more than the previous cap_rights_t), but it is possible to grow the structure to hold at least 285 rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights { uint64_t cr_rights[CAP_RIGHTS_VERSION + 2]; };
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total number of elements in the array - 2. This means if those two bits are equal to 0, we have 2 array elements.
The top two bits in all remaining array elements should be 0. The next five bits in all array elements contain array index. Only one bit is used and bit position in this five-bits range defines array index. This means there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(), cap_rights_clear() and cap_rights_is_set() functions are provided by separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
	__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that there are no two rights belonging to different array elements provided together. For example this is illegal and will be detected, because CAP_LOOKUP belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belong to the same array element this way is correct, but is not advised. It should only be used for alias definitions.
This commit also breaks compatibility with some existing Capsicum system calls, but I see no other way to do that. This should be fine as Capsicum is still experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
|
254603 |
21-Aug-2013 |
kib |
Implement read(2)/write(2) and necessary lseek(2) for posix shmfd. Add MAC framework entries for posix shm read and write.
Do not allow implicit extension of the underlying memory segment past the limit set by ftruncate(2) by either of the syscalls. Read and write return short i/o, lseek(2) fails with EINVAL when the resulting offset does not fit into the limit.
Discussed with: alc Tested by: pho Sponsored by: The FreeBSD Foundation
|
253078 |
09-Jul-2013 |
avg |
audit_proc_coredump: check return value of audit_new
audit_new may return NULL if audit is disabled or suspended.
Sponsored by: HybridCluster MFC after: 7 days
|
251391 |
04-Jun-2013 |
alc |
Relax the vm object locking in mac_proc_vm_revoke_recurse(). A read lock suffices in one place.
Sponsored by: EMC / Isilon Storage Division
|
248084 |
09-Mar-2013 |
attilio |
Switch the vm_object mutex to be a rwlock. This will enable in the future further optimizations where the vm_object lock will be held in read mode most of the time the page cache resident pool of pages are accessed for reading purposes.
The change is mostly mechanical but a few notes are reported:
* The KPI changes as follows:
  - VM_OBJECT_LOCK() -> VM_OBJECT_WLOCK()
  - VM_OBJECT_TRYLOCK() -> VM_OBJECT_TRYWLOCK()
  - VM_OBJECT_UNLOCK() -> VM_OBJECT_WUNLOCK()
  - VM_OBJECT_LOCK_ASSERT(MA_OWNED) -> VM_OBJECT_ASSERT_WLOCKED() (in order to avoid visibility of implementation details)
  - The read-mode operations are added: VM_OBJECT_RLOCK(), VM_OBJECT_TRYRLOCK(), VM_OBJECT_RUNLOCK(), VM_OBJECT_ASSERT_RLOCKED(), VM_OBJECT_ASSERT_LOCKED()
* The vm/vm_pager.h namespace pollution avoidance (forcing requiring sys/mutex.h in consumers directly to cater its inlining functions using VM_OBJECT_LOCK()) imposes that all the vm/vm_pager.h consumers now must include also sys/rwlock.h.
* zfs requires a quite convoluted fix to include FreeBSD rwlocks into the compat layer because the name clash between FreeBSD and solaris versions must be avoided. For this purpose zfs redefines the vm_object locking functions directly, isolating the FreeBSD components in specific compat stubs.
The KPI is heavily broken by this commit. Third-party ports must be updated accordingly (I can think off-hand of VirtualBox, for example).
Sponsored by: EMC / Isilon storage division Reviewed by: jeff Reviewed by: pjd (ZFS specific review) Discussed with: alc Tested by: pho
|
247667 |
02-Mar-2013 |
pjd |
- Implement two new system calls:
int bindat(int fd, int s, const struct sockaddr *addr, socklen_t addrlen);
int connectat(int fd, int s, const struct sockaddr *name, socklen_t namelen);
which allow binding and connecting, respectively, to a UNIX domain socket with a path relative to the directory associated with the given file descriptor 'fd'.
- Add manual pages for the new syscalls.
- Make the new syscalls available for processes in capability mode sandbox.
- Add capability rights CAP_BINDAT and CAP_CONNECTAT that have to be present on the directory descriptor for the syscalls to work.
- Update audit(4) to support those two new syscalls and to handle path in sockaddr_un structure relative to the given directory descriptor.
- Update procstat(1) to recognize the new capability rights.
- Document the new capability rights in cap_rights_limit(2).
Sponsored by: The FreeBSD Foundation Discussed with: rwatson, jilles, kib, des
|
247602 |
02-Mar-2013 |
pjd |
Merge Capsicum overhaul:
- Capability is no longer a separate descriptor type. Now every descriptor has a set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of cap_new(2), which limits capability rights of the given descriptor without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce the allowed ioctls list with the new cap_ioctls_limit(2) syscall. The list of allowed ioctls can be retrieved with the cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce the fcntls that can be used with the new cap_fcntls_limit(2) syscall and retrieve them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was heavily modified.
- The audit subsystem, kdump and procstat tools were updated to recognize new syscalls.
- Capability rights were revised and even though I tried hard to provide backward API and ABI compatibility there are some incompatible changes that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convenient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
	(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
	CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
	(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
	CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
	CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation Reviewed by: Christoph Mallon <christoph.mallon@gmx.de> Many aspects discussed with: rwatson, benl, jonathan ABI compatibility discussed with: kib
|
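As an added illustration of the cap_rights_t encoding described in r255219 above and of the CAP_PREAD alias introduced by the r247602 overhaul (example code written for this page, not FreeBSD's sys/capsicum.h): the exact bit positions, the CAPRIGHT()/CAPIDXBIT()/CAPVER() macros and the bit values of CAP_READ and CAP_SEEK are assumptions, while CAP_LOOKUP, CAP_FCHMOD and CAP_PDKILL use the values quoted in the commit message. It shows how the one-hot index bits let the setter reject CAP_LOOKUP | CAP_PDKILL, and how a rights set is validated and compared element by element.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
/* Model of the cap_rights_t layout from r255219 (an assumption for this
 * example, not FreeBSD's sys/capsicum.h): bits 62-63 of element 0 hold the
 * element count minus 2, bits 57-61 of each element a one-hot index, 0-56 rights. */
#define CAP_RIGHTS_VERSION	0
typedef struct cap_rights { uint64_t cr_rights[CAP_RIGHTS_VERSION + 2]; } cap_rights_t;

#define CAPRIGHT(idx, bit)	((1ULL << (57 + (idx))) | (bit))
#define CAPVER(r)		((int)((r)->cr_rights[0] >> 62))
#define CAPARSIZE(r)		(CAPVER(r) + 2)
#define CAPIDXBIT(right)	((int)(((right) >> 57) & 0x1F))
/* CAP_LOOKUP, CAP_FCHMOD and CAP_PDKILL carry the values quoted in r255219;
 * the bit values of CAP_READ and CAP_SEEK are constructed samples. */
#define CAP_READ	CAPRIGHT(0, 0x0000000000000001ULL)
#define CAP_SEEK	CAPRIGHT(0, 0x0000000000000080ULL)
#define CAP_LOOKUP	CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD	CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_PDKILL	CAPRIGHT(1, 0x0000000000000800ULL)
#define CAP_FCHMODAT	(CAP_FCHMOD | CAP_LOOKUP)	/* same-element alias */
#define CAP_PREAD	(CAP_SEEK | CAP_READ)		/* alias from r247602 */

/* Element a right belongs to, or -1 when its index bits name no element or
 * more than one, which is exactly what CAP_LOOKUP | CAP_PDKILL yields. */
static int capidx(uint64_t right)
{
	int bits = CAPIDXBIT(right), idx = 0;
	if (bits == 0 || (bits & (bits - 1)) != 0)
		return (-1);
	while ((bits >>= 1) != 0)
		idx++;
	return (idx);
}

/* Empty set: version bits in element 0, index bit in every element. */
static void cap_rights_none(cap_rights_t *rights)
{
	for (int i = 0; i < CAP_RIGHTS_VERSION + 2; i++)
		rights->cr_rights[i] = CAPRIGHT(i, 0);
	rights->cr_rights[0] |= (uint64_t)CAP_RIGHTS_VERSION << 62;
}

/* Where the kernel asserts on a cross-element mix, this model returns false
 * and skips the offending argument.  The list is 0ULL-terminated. */
static bool __cap_rights_set(cap_rights_t *rights, ...)
{
	va_list ap; uint64_t right; int i;
	bool ok = true;
	va_start(ap, rights);
	while ((right = va_arg(ap, uint64_t)) != 0ULL) {
		if ((i = capidx(right)) < 0 || i >= CAPARSIZE(rights))
			ok = false;
		else
			rights->cr_rights[i] |= right;	/* index bit is already set */
	}
	va_end(ap);
	return (ok);
}

/* True only if every listed right is present in its own element. */
static bool __cap_rights_is_set(const cap_rights_t *rights, ...)
{
	va_list ap; uint64_t right; int i;
	bool all = true;
	va_start(ap, rights);
	while ((right = va_arg(ap, uint64_t)) != 0ULL) {
		if ((i = capidx(right)) < 0 || i >= CAPARSIZE(rights) ||
		    (rights->cr_rights[i] & right) != right)
			all = false;
	}
	va_end(ap);
	return (all);
}

/* The macros append the 0ULL terminator; pass at least one right. */
#define cap_rights_set(r, ...)		__cap_rights_set((r), __VA_ARGS__, 0ULL)
#define cap_rights_is_set(r, ...)	__cap_rights_is_set((r), __VA_ARGS__, 0ULL)
#define cap_rights_init(r, ...)	(cap_rights_none(r), cap_rights_set((r), __VA_ARGS__))

/* Layout check: known version, top bits clear past element 0, and the index
 * bit of every element matching its position. */
bool cap_rights_is_valid(const cap_rights_t *rights)
{
	if (CAPVER(rights) != CAP_RIGHTS_VERSION)
		return (false);
	for (int i = 0; i < CAPARSIZE(rights); i++)
		if ((i > 0 && (rights->cr_rights[i] >> 62) != 0) ||
		    capidx(rights->cr_rights[i]) != i)
			return (false);
	return (true);
}

/* Does 'big' hold every right of 'little'?  Compared element by element. */
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little)
{
	for (int i = 0; i < CAPARSIZE(big); i++)
		if ((big->cr_rights[i] & little->cr_rights[i]) != little->cr_rights[i])
			return (false);
	return (true);
}
```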
246911 |
17-Feb-2013 |
pjd |
Remove redundant check.
|
246691 |
11-Feb-2013 |
pjd |
Style.
|
246446 |
07-Feb-2013 |
pjd |
Add AUDIT_ARG_SOCKADDR() macro so we can start using the audit_arg_sockaddr() function, which is currently unused.
Sponsored by: The FreeBSD Foundation
|
245573 |
17-Jan-2013 |
csjp |
Implement the zonename token for jailed processes. If a process has an auditid/preselection masks specified, and is jailed, include the zonename (jailname) token as a part of the audit record.
Reviewed by: pjd MFC after: 2 weeks
|
244267 |
15-Dec-2012 |
rwatson |
Four .c files from OpenBSM are used, in modified form, by the kernel to implement the BSM audit trail format. Rename the kernel versions of the files to match the userspace filenames so that it's easier to work out what they correspond to, and therefore ensure they are kept in-sync.
Obtained from: TrustedBSD Project
|
243751 |
01-Dec-2012 |
rwatson |
Merge OpenBSM 1.2-alpha2 changes from contrib/openbsm to src/sys/{bsm,security/audit}. There are a few tweaks to help with the FreeBSD build environment that will be merged back to OpenBSM. No significant functional changes appear on the kernel side.
Obtained from: TrustedBSD Project Sponsored by: The FreeBSD Foundation (auditdistd)
|
243745 |
01-Dec-2012 |
pjd |
IFp4 @219811:
VFS is now fully MPSAFE, fix compilation.
|
243727 |
30-Nov-2012 |
pjd |
IFp4 @208452:
Audit handling for missing events:
- AUE_READLINKAT
- AUE_FACCESSAT
- AUE_MKDIRAT
- AUE_MKFIFOAT
- AUE_MKNODAT
- AUE_SYMLINKAT
Sponsored by: FreeBSD Foundation (auditdistd) MFC after: 2 weeks
|
243726 |
30-Nov-2012 |
pjd |
IFp4 @208451:
Fix path handling for *at() syscalls.
Before the change, the directory descriptor was totally ignored, so the relative path argument was appended to the current working directory path and not to the path provided by the descriptor, thus wrong paths were stored in audit logs.
Now that we use directory descriptor in vfs_lookup, move AUDIT_ARG_UPATH1() and AUDIT_ARG_UPATH2() calls to the place where we hold file descriptors table lock, so we are sure paths will be resolved according to the same directory in audit record and in actual operation.
Sponsored by: FreeBSD Foundation (auditdistd) Reviewed by: rwatson MFC after: 2 weeks
|
243723 |
30-Nov-2012 |
pjd |
IFp4 @208383:
Currently when we discover that trail file is greater than configured limit we send AUDIT_TRIGGER_ROTATE_KERNEL trigger to the auditd daemon once. If for some reason auditd didn't rotate trail file it will never be rotated.
Change it by sending the trigger when trail file size grows by the configured limit. For example if the limit is 1MB, we will send trigger on 1MB, 2MB, 3MB, etc.
This is also needed for the auditd change that will be committed soon where auditd may ignore the trigger - it might be ignored if the kernel requests the trail file to be rotated too quickly (more often than once a second) which would result in overwriting the previous trail file.
Sponsored by: FreeBSD Foundation (auditdistd) MFC after: 2 weeks
|
243722 |
30-Nov-2012 |
pjd |
IFp4 @208382:
Currently on each record write we call VFS_STATFS() to get available space on the file system as well as VOP_GETATTR() to get trail file size.
We can assume that trail file is only updated by the audit worker, so instead of asking for file size on every write, get file size on trail switch only (it should be zero, but it's not expensive) and use global variable audit_size protected by the audit worker lock to keep track of trail file's size.
This eliminates VOP_GETATTR() call for every write. VFS_STATFS() is satisfied from in-memory data (mount->mnt_stat), so shouldn't be expensive.
Sponsored by: FreeBSD Foundation (auditdistd) MFC after: 2 weeks
|
243720 |
30-Nov-2012 |
pjd |
IFp4 @208381:
For VOP_GETATTR() we just need vnode to be shared-locked.
Sponsored by: FreeBSD Foundation (auditdistd) MFC after: 2 weeks
|
241896 |
22-Oct-2012 |
kib |
Remove the support for using non-mpsafe filesystem modules.
In particular, do not lock Giant conditionally when calling into the filesystem module, remove the VFS_LOCK_GIANT() and related macros. Stop handling buffers belonging to non-mpsafe filesystems.
The VFS_VERSION is bumped to indicate the interface change which does not result in the interface signatures changes.
Conducted and reviewed by: attilio Tested by: pho
|
234957 |
03-May-2012 |
brueffer |
Check vplabel for NULL before dereferencing it. Fixes a panic when running atop with MAC_MLS enabled.
Submitted by: Richard Kojedzinszky <krichy@tvnetwork.hu> Reviewed by: rwatson MFC after: 1 week
|
234032 |
08-Apr-2012 |
rwatson |
When allocation of labels on files is implicitly disabled due to MAC policy configuration, avoid leaking resources following failed calls to get and set MAC labels by file descriptor.
Reported by: Mateusz Guzik <mjguzik at gmail.com> + clang scan-build MFC after: 3 days
|
233937 |
06-Apr-2012 |
melifaro |
- Improve BPF locking model.
Interface locks and descriptor locks are converted from mutex(9) to rwlock(9). This greatly improves performance: in the most common case we need to acquire 1 reader lock instead of 2 mutexes.
- Remove filter(descriptor) (reader) lock in bpf_mtap[2] This was suggested by glebius@. We protect filter by requesting interface writer lock on filter change.
- Cover struct bpf_if under BPF_INTERNAL define. This permits including bpf.h without including rwlock stuff. However, this is a temporary solution, struct bpf_if should be made opaque for any external caller.
Found by: Dmitrij Tejblum <tejblum@yandex-team.ru> Sponsored by: Yandex LLC
Reviewed by: glebius (previous version) Reviewed by: silence on -net@ Approved by: (mentor)
MFC after: 3 weeks
|
231378 |
10-Feb-2012 |
ed |
Remove direct access to si_name.
Code should just use the devtoname() function to obtain the name of a character device. Also add const keywords to pieces of code that need it to build properly.
MFC after: 2 weeks
|
229272 |
02-Jan-2012 |
ed |
Use strchr() and strrchr().
It seems strchr() and strrchr() are used more often than index() and rindex(). Therefore, simply migrate all kernel code to use it.
For the XFS code, remove an empty line to make the code identical to the code in the Linux kernel.
|
228448 |
12-Dec-2011 |
attilio |
Revert the approach for skipping lockstat_probe_func call when doing lock_success/lock_failure, introduced in r228424, by directly skipping in dtrace_probe.
This mainly helps in avoiding namespace pollution and thus lockstat.h dependency by systm.h.
As an added bonus, this also helps in MFC case. Reviewed by: avg MFC after: 3 months (or never) X-MFC: r228424
|
228433 |
12-Dec-2011 |
avg |
put sys/systm.h at its proper place or add it if missing
Reported by: lstewart, tinderbox Pointyhat to: avg, attilio MFC after: 1 week MFC with: r228430
|
227309 |
07-Nov-2011 |
ed |
Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.
The SYSCTL_NODE macro defines a list that stores all child-elements of that node. If there's no SYSCTL_DECL macro anywhere else, there's no reason why it shouldn't be static.
|
227293 |
07-Nov-2011 |
ed |
Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.
This means that their use is restricted to a single C file.
|
226500 |
18-Oct-2011 |
ed |
Get rid of D_PSEUDO.
It seems the D_PSEUDO flag was meant to allow make_dev() to return NULL. Nowadays we have a different interface for that; make_dev_p(). There's no need to keep it there.
While there, remove an unneeded D_NEEDMINOR from the gpio driver.
Discussed with: gonzo@ (gpio)
|
226143 |
08-Oct-2011 |
brueffer |
Remove two duplicated assignments.
CID: 9870 Found with: Coverity Prevent(tm) Confirmed by: rwatson MFC after: 1 week
|
225617 |
16-Sep-2011 |
kmacy |
In order to maximize the re-usability of kernel code in user space this patch modifies makesyscalls.sh to prefix all of the non-compatibility calls (e.g. not linux_, freebsd32_) with sys_ and updates the kernel entry points and all places in the code that use them. It also fixes an additional name space collision between the kernel function psignal and the libc function of the same name by renaming the kernel psignal kern_psignal(). By introducing this change now we will ease future MFCs that change syscalls.
Reviewed by: rwatson Approved by: re (bz)
|
225344 |
02-Sep-2011 |
rwatson |
Correct several issues in the integration of POSIX shared memory objects and the new setmode and setowner fileops in FreeBSD 9.0:
- Add new MAC Framework entry point mac_posixshm_check_create() to allow MAC policies to authorise shared memory use. Provide a stub policy and test policy templates.
- Add missing Biba and MLS implementations of mac_posixshm_check_setmode() and mac_posixshm_check_setowner().
- Add 'accmode' argument to mac_posixshm_check_open() -- unlike the mac_posixsem_check_open() entry point it was modeled on, the access mode is required as shared memory access can be read-only as well as writable; this isn't true of POSIX semaphores.
- Implement full range of POSIX shared memory entry points for Biba and MLS.
Sponsored by: Google Inc. Obtained from: TrustedBSD Project Approved by: re (kib)
|
225177 |
25-Aug-2011 |
attilio |
Fix a deficiency in the selinfo interface: If a selinfo object is recorded (via selrecord()) and then it is quickly destroyed, with the waiters missing the opportunity to awake, at the next iteration they will find the selinfo object destroyed, causing a PF#.
That happens because the selinfo interface has no way to drain the waiters before destroying the registered selinfo object. Also this race is quite rare to get in practice, because it would require a selrecord(), a poll request by another thread and a quick destruction of the selrecord()'ed selinfo object.
Fix this by adding the seldrain() routine which should be called before destroying the selinfo objects (in order to avoid such case), and fix the present cases where it might have already been called. Sometimes, the context is safe enough to prevent this type of race, like it happens in device drivers which install selinfo objects on poll callbacks. There, the destruction of the selinfo object happens at driver detach time, when all the filedescriptors should be already closed, thus there cannot be a race. For this case, the mfi(4) device driver can be set as an example, as it implements a fully correct logic for preventing this from happening.
Sponsored by: Sandvine Incorporated Reported by: rstone Tested by: pluknet Reviewed by: jhb, kib Approved by: re (bz) MFC after: 3 weeks
|
224914 |
16-Aug-2011 |
kib |
Add the fo_chown and fo_chmod methods to struct fileops and use them to implement fchown(2) and fchmod(2) support for several file types that previously lacked it. Add MAC entries for chown/chmod done on posix shared memory and (old) in-kernel posix semaphores.
Based on the submission by: glebius Reviewed by: rwatson Approved by: re (bz)
|
224778 |
11-Aug-2011 |
rwatson |
Second-to-last commit implementing Capsicum capabilities in the FreeBSD kernel for FreeBSD 9.0:
Add a new capability mask argument to fget(9) and friends, allowing system call code to declare what capabilities are required when an integer file descriptor is converted into an in-kernel struct file *. With options CAPABILITIES compiled into the kernel, this enforces capability protection; without, this change is effectively a no-op.
Some cases require special handling, such as mmap(2), which must preserve information about the maximum rights at the time of mapping in the memory map so that they can later be enforced in mprotect(2) -- this is done by narrowing the rights in the existing max_protection field used for similar purposes with file permissions.
In namei(9), we assert that the code is not reached from within capability mode, as we're not yet ready to enforce namespace capabilities there. This will follow in a later commit.
Update two capability names: CAP_EVENT and CAP_KEVENT become CAP_POST_KEVENT and CAP_POLL_KEVENT to more accurately indicate what they represent.
Approved by: re (bz) Submitted by: jonathan Sponsored by: Google Inc
|
224181 |
18-Jul-2011 |
jonathan |
Provide ability to audit cap_rights_t arguments.
We wish to be able to audit capability rights arguments; this code provides the necessary infrastructure.
This commit does not, of itself, turn on such auditing for any system call; that should follow shortly.
Approved by: mentor (rwatson), re (Capsicum blanket) Sponsored by: Google Inc
|
219258 |
04-Mar-2011 |
netchild |
- Add a FEATURE for capsicum (security_capabilities).
- Rename mac FEATURE to security_mac.
Discussed with: rwatson
|
219128 |
01-Mar-2011 |
rwatson |
Add ECAPMODE, "Not permitted in capability mode", a new kernel errno constant to indicate that a system call (or perhaps an operation requested via a system call) is not permitted for a capability mode process.
Submitted by: anderson Sponsored by: Google, Inc. Obtained from: Capsicum Project MFC after: 1 week
|
219028 |
25-Feb-2011 |
netchild |
Add some FEATURE macros for various features (AUDIT/CAM/IPC/KTR/MAC/NFS/NTP/ PMC/SYSV/...).
No FreeBSD version bump, the userland application to query the features will be committed last and can serve as an indication of the availability if needed.
Sponsored by: Google Summer of Code 2010 Submitted by: kibab Reviewed by: arch@ (parts by rwatson, trasz, jhb) X-MFC after: to be determined in last commit with code from this project
|
218345 |
05-Feb-2011 |
alc |
Unless "cnt" exceeds MAX_COMMIT_COUNT, nfsrv_commit() and nfsvno_fsync() are incorrectly calling vm_object_page_clean(). They are passing the length of the range rather than the ending offset of the range.
Perform the OFF_TO_IDX() conversion in vm_object_page_clean() rather than the callers.
Reviewed by: kib MFC after: 3 weeks
|
217325 |
12-Jan-2011 |
mdf |
sysctl(9) cleanup checkpoint: amd64 GENERIC builds cleanly.
Commit the security directory.
|
215034 |
09-Nov-2010 |
brucec |
Fix typos.
PR: bin/148894 Submitted by: olgeni
|
214249 |
23-Oct-2010 |
rwatson |
Add missing DTrace probe invocation to mac_vnode_check_open; the probe was declared, but never used.
MFC after: 3 days Sponsored by: Google, Inc.
|
212425 |
10-Sep-2010 |
mdf |
Replace sbuf_overflowed() with sbuf_error(), which returns any error code associated with overflow or with the drain function. While this function is not expected to be used often, it produces more information in the form of an errno that sbuf_overflowed() did.
|
211616 |
22-Aug-2010 |
rpaulo |
Add an extra comment to the SDT probes definition. This allows us to use '-' in probe names, matching the probe names in Solaris.[1]
Add userland SDT probes definitions to sys/sdt.h.
Sponsored by: The FreeBSD Foundation Discussed with: rwatson [1]
|
207615 |
04-May-2010 |
csjp |
Add a case to make sure that internal audit records get converted to BSM format for lpathconf(2) events.
MFC after: 2 weeks
|
204581 |
02-Mar-2010 |
rwatson |
Update device-labeling logic for Biba, LOMAC, and MLS to recognize new-style pts devices when various policy ptys_equal flags are enabled.
Submitted by: Estella Mystagic <estella at mystagic.com> MFC after: 1 week
|
203328 |
31-Jan-2010 |
csjp |
Make sure we convert audit records that were produced as the result of the closefrom(2) syscall.
|
202143 |
12-Jan-2010 |
brooks |
Replace the static NGROUPS=NGROUPS_MAX+1=1024 with a dynamic kern.ngroups+1. kern.ngroups can range from NGROUPS_MAX=1023 to INT_MAX-1. Given that the Windows group limit is 1024, this range should be sufficient for most applications.
MFC after: 1 month
|
201438 |
03-Jan-2010 |
trasz |
Make mac_lomac(4) able to interpret NFSv4 access bits.
Reviewed by: rwatson
|
196971 |
08-Sep-2009 |
phk |
Having thrown the cat out of the house, add a necessary include.
|
196970 |
08-Sep-2009 |
phk |
Revert previous commit and add myself to the list of people who should know better than to commit with a cat in the area.
|
196969 |
08-Sep-2009 |
phk |
Add necessary include.
|
196122 |
12-Aug-2009 |
rwatson |
Correctly audit real gids following changes to the audit record argument interface.
Approved by: re (kib)
|
195939 |
29-Jul-2009 |
rwatson |
Eliminate ARG_UPATH[12] arguments to AUDIT_ARG_UPATH() and instead provide specific macros, AUDIT_ARG_UPATH1() and AUDIT_ARG_UPATH2() to capture path information for audit records. This allows us to move the definitions of ARG_* out of the public audit header file, as they are an implementation detail of our current kernel-internal audit record, which may change.
Approved by: re (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
|
195926 |
28-Jul-2009 |
rwatson |
Rework vnode argument auditing to follow the same structure, in order to avoid exposing ARG_ macros/flag values outside of the audit code in order to name which one of two possible vnodes will be audited for a system call.
Approved by: re (kib) Obtained from: TrustedBSD Project MFC after: 1 month
|
195925 |
28-Jul-2009 |
rwatson |
Audit file descriptors passed to fooat(2) system calls, which are used instead of the root/current working directory as the starting point for lookups. Up to two such descriptors can be audited. Add audit record BSM encoding for fooat(2).
Note: due to an error in the OpenBSM 1.1p1 configuration file, a further change is required to that file in order to fix openat(2) auditing.
Approved by: re (kib) Reviewed by: rdivacky (fooat(2) portions) Obtained from: TrustedBSD Project MFC after: 1 month
|
195740 |
17-Jul-2009 |
rwatson |
Import OpenBSM 1.1p1 from vendor branch to 8-CURRENT, populating contrib/openbsm and a subset also imported into sys/security/audit. This patch release addresses several minor issues:
- Fixes to AUT_SOCKUNIX token parsing.
- IPv6 support for au_to_me(3).
- Improved robustness in the parsing of audit_control, especially long flags/naflags strings and whitespace in all fields.
- Add missing conversion of a number of FreeBSD/Mac OS X errnos to/from BSM error number space.
MFC after: 3 weeks Obtained from: TrustedBSD Project Sponsored by: Apple, Inc. Approved by: re (kib)
|
195291 |
02-Jul-2009 |
rwatson |
Create audit records for AUE_POSIX_OPENPT, currently w/o arguments.
Approved by: re (audit argument blanket)
|
195282 |
02-Jul-2009 |
rwatson |
Fix comment misthink.
Submitted by: b. f. <bf1783 at googlemail.com> Approved by: re (audit argument blanket) MFC after: 1 week
|
195280 |
02-Jul-2009 |
rwatson |
Clean up a number of aspects of token generation from audit arguments to system calls:
- Centralize generation of argument tokens for VM addresses in a macro, ADDR_TOKEN(), and properly encode 64-bit addresses in 64-bit arguments.
- Fix up argument numbers across a large number of syscalls so that they match the numeric argument into the system call.
- Don't audit the address argument to ioctl(2) or ptrace(2), but do keep generating tokens for mmap(2), minherit(2), since they relate to passing object access across execve(2).
Approved by: re (audit argument blanket) Obtained from: TrustedBSD Project MFC after: 1 week
|
195267 |
01-Jul-2009 |
rwatson |
For access(2) and eaccess(2), audit the requested access mode.
Approved by: re (audit argument blanket) MFC after: 3 days
|
195252 |
01-Jul-2009 |
rwatson |
Define missing audit argument macro AUDIT_ARG_SOCKET(), and capture the domain, type, and protocol arguments to socket(2) and socketpair(2).
Approved by: re (audit argument blanket) MFC after: 3 days
|
195247 |
01-Jul-2009 |
rwatson |
When auditing unmount(2), capture FSID arguments as regular text strings rather than as paths, which would lead to them being treated as relative pathnames and hence confusingly converted into absolute pathnames.
Capture flags to unmount(2) via an argument token.
Approved by: re (audit argument blanket) MFC after: 3 days
|
195242 |
01-Jul-2009 |
rwatson |
Audit the file descriptor number passed to lseek(2).
Approved by: re (kib) MFC after: 3 days
|
195235 |
01-Jul-2009 |
rwatson |
Audit the 'options' argument to wait4(2).
Approved by: re (kib) MFC after: 3 days
|
195177 |
29-Jun-2009 |
sson |
Dynamically allocate the gidset field in audit record.
This fixes a problem created by the recent change that allows a large number of groups per user. The gidset field in struct kaudit_record is now dynamically allocated to the size needed rather than statically (using NGROUPS).
Approved by: re@ (kensmith, rwatson), gnn (mentor)
|
195104 |
27-Jun-2009 |
rwatson |
Replace AUDIT_ARG() with variable argument macros with a set of more specific macros for each audit argument type. This makes it easier to follow call-graphs, especially for automated analysis tools (such as fxr).
In MFC, we should leave the existing AUDIT_ARG() macros as they may be used by third-party kernel modules.
Suggested by: brooks Approved by: re (kib) Obtained from: TrustedBSD Project MFC after: 1 week
|
194766 |
23-Jun-2009 |
kib |
Implement global and per-uid accounting of the anonymous memory. Add rlimit RLIMIT_SWAP that limits the amount of swap that may be reserved for the uid.
The accounting information (charge) is associated with either map entry, or vm object backing the entry, assuming the object is the first one in the shadow chain and entry does not require COW. Charge is moved from entry to object on allocation of the object, e.g. during the mmap, assuming the object is allocated, or on the first page fault on the entry. It moves back to the entry on forks due to COW setup.
The per-entry granularity of accounting makes the charge process fair for processes that change uid during lifetime, and decrements charge for proper uid when region is unmapped.
The interface of vm_pager_allocate(9) is extended by adding struct ucred *, that is used to charge appropriate uid when allocation is performed by kernel, e.g. md(4).
Several syscalls, among them is fork(2), may now return ENOMEM when global or per-uid limits are enforced.
In collaboration with: pho Reviewed by: alc Approved by: re (kensmith)
|
194534 |
20-Jun-2009 |
ed |
Chase the removal of PRIV_TTY_PRISON in the mac(9) modules.
Reported by: kib Pointy hat to: me
|
193951 |
10-Jun-2009 |
kib |
Adapt vfs kqfilter to the shared vnode lock used by zfs write vop. Use vnode interlock to protect the knote fields [1]. The locking assumes that shared vnode lock is held, thus we get exclusive access to knote either by exclusive vnode lock protection, or by shared vnode lock + vnode interlock.
Do not use kl_locked() method to assert either lock ownership or the fact that curthread does not own the lock. For shared locks, ownership is not recorded, e.g. VOP_ISLOCKED can return LK_SHARED for the shared lock not owned by curthread, causing false positives in kqueue subsystem assertions about knlist lock.
Remove kl_locked method from knlist lock vector, and add two separate assertion methods kl_assert_locked and kl_assert_unlocked, that are supposed to use proper asserts. Change knlist_init accordingly.
Add convenience function knlist_init_mtx to reduce number of arguments for typical knlist initialization.
Submitted by: jhb [1] Noted by: jhb [2] Reviewed by: jhb Tested by: rnoland
|
193511 |
05-Jun-2009 |
rwatson |
Move "options MAC" from opt_mac.h to opt_global.h, as it's now in GENERIC and used in a large number of files, but also because an increasing number of incorrect uses of MAC calls were sneaking in due to copy-and-paste of MAC-aware code without the associated opt_mac.h include.
Discussed with: pjd
|
193393 |
03-Jun-2009 |
rwatson |
Add one further check with mac_policy_count to an mbuf copying case (limited to netatalk) to avoid MAC label lookup on both mbufs if no policies are registered.
Obtained from: TrustedBSD Project
|
193391 |
03-Jun-2009 |
rwatson |
Continue work to optimize performance of "options MAC" when no MAC policy modules are loaded by avoiding mbuf label lookups when policies aren't loaded, pushing further socket locking into MAC policy modules, and avoiding locking MAC ifnet locks when no policies are loaded:
- Check mac_policies_count before looking for mbuf MAC label m_tags in MAC Framework entry points. We will still pay label lookup costs if MAC policies are present but don't require labels (typically a single mbuf header field read, but perhaps further indirection if IPSEC or other m_tag consumers are in use).
- Further push socket locking for socket-related access control checks and events into MAC policies from the MAC Framework, so that sockets are only locked if a policy specifically requires a lock to protect a label. This resolves lock order issues during sonewconn() and also in local domain socket cross-connect where multiple socket locks could not be held at once for the purposes of propagating MAC labels across multiple sockets. Eliminate mac_policy_count check in some entry points where it no longer avoids locking.
- Add mac_policy_count checking in some entry points relating to network interfaces that otherwise lock a global MAC ifnet lock used to protect ifnet labels.
Obtained from: TrustedBSD Project
|
193371 |
03-Jun-2009 |
rwatson |
By default, label all network interfaces as biba/equal on attach. This makes it easier for first-time users to configure and work with biba as remote access is still allowed. Effectively, this means that, by default, only local security properties, not distributed ones, are enforced.
Obtained from: TrustedBSD Project
|
193355 |
02-Jun-2009 |
rwatson |
Mark MAC Framework sx and rm locks as NOWITNESS to suppress warnings that might arise from WITNESS not understanding its locking protocol, which should be deadlock-free. Currently these warnings generally don't occur, but as object locking is pushed into policies for some object types, they would otherwise occur more often.
Obtained from: TrustedBSD Project
|
193332 |
02-Jun-2009 |
rwatson |
Add internal 'mac_policy_count' counter to the MAC Framework, which is a count of the number of registered policies.
Rather than unconditionally locking sockets before passing them into MAC, lock them in the MAC entry points only if mac_policy_count is non-zero.
This avoids locking overhead for a number of socket system calls when no policies are registered, eliminating measurable overhead for the MAC Framework for the socket subsystem when there are no active policies.
Possibly socket locks should be acquired by policies if they are required for socket labels, which would further avoid locking overhead when there are policies but they don't require labeling of sockets, or possibly don't even implement socket controls.
Obtained from: TrustedBSD Project
|
193030 |
29-May-2009 |
rwatson |
Make the rmlock(9) interface a bit more like the rwlock(9) interface:
- Add rm_init_flags() and accept extended options only for that variation.
- Add a flags space specifically for rm_init_flags(), rather than borrowing the lock_init() flag space.
- Define flag RM_RECURSE to use instead of LO_RECURSABLE.
- Define flag RM_NOWITNESS to allow an rmlock to be exempt from WITNESS checking; this wasn't possible previously as rm_init() always passed LO_WITNESS when initializing an rmlock's struct lock.
- Add RM_SYSINIT_FLAGS().
- Rename embedded mutex in rmlocks to make it more obvious what it is.
- Update consumers.
- Update man page.
|
192895 |
27-May-2009 |
jamie |
Add hierarchical jails. A jail may further virtualize its environment by creating a child jail, which is visible to that jail and to any parent jails. Child jails may be restricted more than their parents, but never less. Jail names reflect this hierarchy, being MIB-style dot-separated strings.
Every thread now points to a jail, the default being prison0, which contains information about the physical system. Prison0's root directory is the same as rootvnode; its hostname is the same as the global hostname, and its securelevel replaces the global securelevel. Note that the variable "securelevel" has actually gone away, which should not cause any problems for code that properly uses securelevel_gt() and securelevel_ge().
Some jail-related permissions that were kept in global variables and set via sysctls are now per-jail settings. The sysctls still exist for backward compatibility, used only by the now-deprecated jail(2) system call.
Approved by: bz (mentor)
|
192881 |
27-May-2009 |
rwatson |
Convert the MAC Framework from using rwlocks to rmlocks to stabilize framework registration for non-sleepable entry points.
Obtained from: TrustedBSD Project
|
191990 |
11-May-2009 |
attilio |
Remove the thread argument from the FSD (File-System Dependent) parts of the VFS. Now all the VFS_* functions and relating parts don't want the context as long as it always refers to curthread.
In some points, in particular when dealing with VOPs and functions living in the same namespace (eg. vflush) which still need to be converted, pass curthread explicitly in order to retain the old behaviour. Such loose ends will be fixed ASAP.
While here fix a bug: now, UFS_EXTATTR can be compiled alone without the UFS_EXTATTR_AUTOSTART option.
VFS KPI is heavily changed by this commit so third-party modules need to be recompiled. Bump __FreeBSD_version in order to signal such situation.
|
191731 |
01-May-2009 |
rwatson |
Rename MAC Framework-internal macros used to invoke policy entry points:
MAC_BOOLEAN -> MAC_POLICY_BOOLEAN
MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP
MAC_CHECK -> MAC_POLICY_CHECK
MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP
MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE
MAC_GRANT -> MAC_POLICY_GRANT
MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP
MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE
MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK
MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP
This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel.
Obtained from: TrustedBSD Project
|
191296 |
19-Apr-2009 |
rwatson |
Temporarily relax the constraints on argument size checking for A_GETCOND; login(1) isn't quite ready for them yet on 64-bit systems as it continues to use the conventions of the old version of the API.
Reported by: stas, Jakub Lach <jakub_lach at mailplus.pl>
|
191270 |
19-Apr-2009 |
rwatson |
Merge OpenBSM 1.1 changes to the FreeBSD 8.x kernel:
- Add and use mapping of fcntl(2) commands to new BSM constant space.
- Adopt (int) rather than (long) arguments to a number of auditon(2) commands, as has happened in Solaris, and add compatibility code to handle the old comments.
Note that BSM_PF_IEEE80211 is partially but not fully removed, as the userspace OpenBSM 1.1alpha5 code still depends on it. Once userspace is updated, I'll GCC the kernel constant.
MFC after: 2 weeks Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project Portions submitted by: sson
|
191147 |
16-Apr-2009 |
rwatson |
Merge new kernel files from OpenBSM 1.1: audit_fcntl.h and audit_bsm_fcntl.c contain utility routines to map local fcntl commands into BSM constants. Adaptation to the FreeBSD kernel environment will follow in a future commit.
Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project MFC after: 2 weeks
|
191143 |
16-Apr-2009 |
rwatson |
Remove D_NEEDGIANT from audit pipes. I'm actually not sure why this was here, but isn't needed.
MFC after: 2 weeks Sponsored by: Apple, Inc.
|
190524 |
29-Mar-2009 |
trasz |
Get rid of VSTAT and replace it with VSTAT_PERMS, which is somewhat better defined.
Approved by: rwatson (mentor)
|
189830 |
14-Mar-2009 |
pjd |
- Correct logic in if statement - we want to allocate temporary buffer when someone is passing new rules, not when he only wants to read them. Because of this bug, even if the given rules were incorrect, they ended up in rule_string.
- Add missing protection for rule_string when copying it.
Reviewed by: rwatson MFC after: 1 week
|
189797 |
14-Mar-2009 |
rwatson |
Rework MAC Framework synchronization in a number of ways in order to improve performance:
- Eliminate custom reference count and condition variable to monitor threads entering the framework, as this had both significant overhead and behaved badly in the face of contention.
- Replace reference count with two locks: an rwlock and an sx lock, which will be read-acquired by threads entering the framework depending on whether a give policy entry point is permitted to sleep or not.
- Replace previous mutex locking of the reference count for exclusive access with write acquiring of both the policy list sx and rw locks, which occurs only when policies are attached or detached.
- Do a lockless read of the dynamic policy list head before acquiring any locks in order to reduce overhead when no dynamic policies are loaded; this a race we can afford to lose.
- For every policy entry point invocation, decide whether sleeping is permitted, and if not, use a _NOSLEEP() variant of the composition macros, which will use the rwlock instead of the sxlock. In some cases, we decide which to use based on allocation flags passed to the MAC Framework entry point.
As with the move to rwlocks/rmlocks in pfil, this may trigger witness warnings, but these should (generally) be false positives as all acquisition of the locks is for read with two very narrow exceptions for policy load/unload, and those code blocks should never acquire other locks.
Sponsored by: Google, Inc. Obtained from: TrustedBSD Project Discussed with: csjp (idea, not specific patch)
|
189590 |
09-Mar-2009 |
csjp |
Mark the bsdextended rules sysctl as being mpsafe.
Discussed with: rwatson
|
189570 |
09-Mar-2009 |
rwatson |
Add a new thread-private flag, TDP_AUDITREC, to indicate whether or not there is an audit record hung off of td_ar on the current thread. Test this flag instead of td_ar when auditing syscall arguments or checking for an audit record to commit on syscall return. Under these circumstances, td_pflags is much more likely to be in the cache (especially if there is no auditing of the current system call), so this should help reduce cache misses in the system call return path.
MFC after: 1 week Reported by: kris Obtained from: TrustedBSD Project
|
189533 |
08-Mar-2009 |
rwatson |
Remove 'uio' argument from MAC Framework and MAC policy entry points for extended attribute get/set; in the case of get an uninitialized user buffer was passed before the EA was retrieved, making it of relatively little use; the latter was simply unused by any policies.
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
189532 |
08-Mar-2009 |
rwatson |
Rename 'ucred' argument to mac_socket_check_bind() to 'cred' to match other use of the same variable type.
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
189529 |
08-Mar-2009 |
rwatson |
Improve the consistency of MAC Framework and MAC policy entry point naming by renaming certain "proc" entry points to "cred" entry points, reflecting their manipulation of credentials. For some entry points, the process was passed into the framework but not into policies; in these cases, stop passing in the process since we don't need it.
mac_proc_check_setaudit -> mac_cred_check_setaudit
mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr
mac_proc_check_setauid -> mac_cred_check_setauid
mac_proc_check_setegid -> mac_cred_check_setegid
mac_proc_check_seteuid -> mac_cred_check_seteuid
mac_proc_check_setgid -> mac_cred_check_setgid
mac_proc_check_setgroups -> mac_cred_ceck_setgroups
mac_proc_check_setregid -> mac_cred_check_setregid
mac_proc_check_setresgid -> mac_cred_check_setresgid
mac_proc_check_setresuid -> mac_cred_check_setresuid
mac_proc_check_setreuid -> mac_cred_check_setreuid
mac_proc_check_setuid -> mac_cred_check_setuid
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
189503 |
08-Mar-2009 |
rwatson |
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation.
Successful access control checks will be reported by:
mac_framework:kernel:<entrypoint>:mac_check_ok
Failed access control checks will be reported by:
mac_framework:kernel:<entrypoint>:mac_check_err
Successful privilege grants will be reported by:
mac_framework:kernel:priv_grant:mac_grant_ok
Failed privilege grants will be reported by:
mac_framework:kernel:priv_grant:mac_grant_err
In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing.
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
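As an added example (not part of this commit or the FreeBSD tree), a D script that consumes the probes described above to tally denied MAC checks and privilege grants by entry point and errno; it assumes the provider:module:function:name layout stated in the message, with the entry point name available as probefunc and the errno in arg0.

```d
#pragma D option quiet

/*
 * Count failed MAC Framework access control checks, keyed by the
 * entry point that denied access (probefunc) and the errno it
 * returned (arg0). Assumes the probe layout from the commit message.
 */
mac_framework:kernel::mac_check_err
{
	@denied[probefunc, arg0] = count();
}

/*
 * Count failed privilege grants, keyed by the errno returned (arg0).
 */
mac_framework:kernel:priv_grant:mac_grant_err
{
	@privdenied[arg0] = count();
}

/* Print the aggregations when the script is stopped (Ctrl-C). */
END
{
	printf("MAC check denials by entry point and errno:\n");
	printa("  %-40s errno=%d  count=%@d\n", @denied);
	printf("Privilege grant denials by errno:\n");
	printa("  errno=%d  count=%@d\n", @privdenied);
}
```

Run it with dtrace -s on a kernel built with DTrace support while policies are loaded; an empty report means no check or grant was denied during the run.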
|
189311 |
03-Mar-2009 |
rwatson |
Reduce the verbosity of SDT trace points for DTrace by defining several wrapper macros that allow trace points and arguments to be declared using a single macro rather than several. This means a lot less repetition and vertical space for each trace point.
Use these macros when defining privilege and MAC Framework trace points.
Reviewed by: jb MFC after: 1 week
|
189279 |
02-Mar-2009 |
rwatson |
Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual merge).
OpenBSM history for imported revision below for reference.
MFC after: 1 month Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project
OpenBSM 1.1 beta 1
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes. For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added. It is configured in audit_control(5) with the expire-after parameter. If there is no expire-after parameter in audit_control(5), the default, then the audit trail files are not expired and removed. See audit_control(5) for more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit partitions, rotate automatically at 2mb, and set the default policy to cnt,argv rather than cnt so that execve(2) arguments are captured if AUE_EXECVE events are audited. These may provide more usable defaults for many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
|
189013 |
24-Feb-2009 |
kib |
Use vm_map_entry_t instead of explicit struct vm_map_entry *.
Reviewed by: alc
|
188315 |
08-Feb-2009 |
rwatson |
Set the lower bound on queue size for an audit pipe to 1 instead of 0, as an audit pipe with a queue length of 0 is less useful.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc. MFC after: 1 week
|
188313 |
08-Feb-2009 |
rwatson |
Change various routines that are responsible for transforming audit event IDs based on arguments to return au_event_t rather than int.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc. MFC after: 1 week
|
188312 |
08-Feb-2009 |
rwatson |
Audit AUE_MAC_EXECVE; currently just the standard AUE_EXECVE arguments and not the label.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc. MFC after: 1 week
|
188311 |
08-Feb-2009 |
rwatson |
Audit the flag argument to the nfssvc(2) system call.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
188122 |
04-Feb-2009 |
rwatson |
Eliminate the local variable 'ape' in audit_pipe_kqread(), as it's only used for an assertion that we don't really need anymore.
MFC after: 1 week Reported by: Christoph Mallon <christoph dot mallon at gmx dot de>
|
187667 |
24-Jan-2009 |
rwatson |
Use __FBSDID() for $FreeBSD$ version strings in .c files.
Obtained from: TrustedBSD Project MFC after: 3 days
|
187666 |
24-Jan-2009 |
rwatson |
Begin to add SDT tracing of the MAC Framework: add policy modevent, register, and unregister hooks that give access to the mac_policy_conf for the policy.
Obtained from: TrustedBSD Project MFC after: 3 days
|
187215 |
14-Jan-2009 |
rwatson |
Update copyright, P4 version number as audit_bsm_token.c reflects changes in bsm_token.c through #86 from OpenBSM.
MFC after: 1 month Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project
|
187214 |
14-Jan-2009 |
rwatson |
Merge OpenBSM alpha 5 from OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual merge). Hook up bsm_domain.c and bsm_socket_type.c to the libbsm build along with man pages, add audit_bsm_domain.c and audit_bsm_socket_type.c to the kernel environment.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
OpenBSM 1.1 alpha 5
- Stub libauditd(3) man page added.
- All BSM error number constants with BSM_ERRNO_.
- Interfaces to convert between local and BSM socket types and protocol families have been added: au_bsm_to_domain(3), au_bsm_to_socket_type(3), au_domain_to_bsm(3), and au_socket_type_to_bsm(3), along with definitions of constants in audit_domain.h and audit_socket_type.h. This improves interoperability by converting local constant spaces, which vary by OS, to and from Solaris constants (where available) or OpenBSM constants for protocol domains not present in Solaris (a fair number). These routines should be used when generating and interpreting extended socket tokens.
- Fix build warnings with full gcc warnings enabled on most supported platforms.
- Don't compile error strings into bsm_errno.c when building it in the kernel environment.
- When started by launchd, use the label com.apple.auditd rather than org.trustedbsd.auditd.
|
187016 |
10-Jan-2009 |
rwatson |
Rather than having MAC policies explicitly declare what object types they label, derive that information implicitly from the set of label initializers in their policy operations set. This avoids a possible class of programmer errors, while retaining the structure that allows us to avoid allocating labels for objects that don't need them. As before, we regenerate a global mask of labeled objects each time a policy is loaded or unloaded, stored in mac_labeled.
Discussed with: csjp Suggested by: Jacques Vidrine <nectar at apple.com> Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
187014 |
10-Jan-2009 |
rwatson |
Use MPC_OBJECT_IP6Q to indicate labeling of struct ip6q rather than MPC_OBJECT_IPQ; it was already defined, just not used.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
186825 |
06-Jan-2009 |
rwatson |
Do a lockless read of the audit pipe list before grabbing the audit pipe lock in order to avoid the lock acquire hit if the pipe list is very likely empty.
Obtained from: TrustedBSD Project MFC after: 3 weeks Sponsored by: Apple, Inc.
|
186822 |
06-Jan-2009 |
rwatson |
In AUDIT_SYSCALL_EXIT(), invoke audit_syscall_exit() only if an audit record is active on the current thread--historically we may always have wanted to enter the audit code if auditing was enabled, but now we just commit the audit record so don't need to enter if there isn't one.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
186662 |
31-Dec-2008 |
rwatson |
Fix white space botch: use carriage returns rather than tabs.
|
186650 |
31-Dec-2008 |
rwatson |
Commit two files missed in previous commit: hook up audit_bsm_errno.c and adapt for kernel build environment.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
186649 |
31-Dec-2008 |
rwatson |
Call au_errno_to_bsm() on the errno value passed into au_to_return32() to convert local FreeBSD error numbers into BSM error numbers.
Obtained from: TrustedBSD Project
|
186647 |
31-Dec-2008 |
rwatson |
Merge OpenBSM alpha 4 from OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual merge). Add libauditd build parts and add to auditd's linkage; force libbsm to build before libauditd.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the local error number passed to audit_submit(3) to a BSM error number, rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a more formal allocation scheme, and add some events allocated in Solaris that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors directly, rather than requiring applications to map to the local error space, which might not be able to entirely represent the BSM error number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for (re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file has been recovered from not being properly terminated. This event is stored in the new audit trail file and includes the path of recovered audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map between BSM error numbers (largely the Solaris definitions) and local errno(2) values for 32-bit and 64-bit return tokens. This is required as operating systems don't agree on some of the values of more recent error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the total size for the token. This buge.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
|
186397 |
22-Dec-2008 |
alc |
Make preparations for resurrecting shared/read locks on vm maps:
mac_proc_vm_revoke_recurse() requests a read lock on the vm map at the start but does not handle failure by vm_map_lock_upgrade() when it seeks to modify the vm map. At present, this works because all lock request on a vm map are implemented as exclusive locks. Thus, vm_map_lock_upgrade() is a no-op that always reports success. However, that is about to change, and proc_vm_revoke_recurse() will require substantial modifications to handle vm_map_lock_upgrade() failures. For the time being, I am changing mac_proc_vm_revoke_recurse() to request a write lock on the vm map at the start.
Approved by: rwatson MFC after: 3 months
|
185573 |
02-Dec-2008 |
rwatson |
Merge OpenBSM 1.1 alpha 2 from the OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).
- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8).
- Merge support for new tokens, fixes to existing token generation to audit_bsm_token.c.
- Synchronize bsm includes and definitions.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
--
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds required solely for user space, and system includes, which may also be required for use in the kernels of systems integrating OpenBSM. Submitted by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native include for system includes, rather than the versions bundled with OpenBSM. This is intended specifically for platforms that ship OpenBSM, have adapted versions of the system includes in a kernel source tree, and will use the OpenBSM build infrastructure with an unmodified OpenBSM distribution, allowing the customized system includes to be used with the OpenBSM build. Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information on the host generating the record.
- Add support for setting extended host information in the kernel, which is used for setting host information in extended header tokens. The audit_control file now supports a "host" parameter which can be used by auditd to set the information; if not present, the kernel parameters won't be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the event there is an error writing the subject token. This was submitted by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not being arguments so that const strings can be passed as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
|
185539 |
02-Dec-2008 |
peter |
Delete a bunch of empty mergeinfo records caused by local copies.
|
185484 |
30-Nov-2008 |
csjp |
Partially roll back a revision which changed the error code being returned by getaudit(2). Some applications such as su, id will interpret E2BIG as requiring the use of getaudit_addr(2) to pull extended audit state (ip6) from the kernel.
This change un-breaks the ABI when auditing has been activated on a system and the users are logged in via ip6.
This is a RELENG_7_1 candidate.
MFC after: 1 day Discussed with: rwatson
|
185435 |
29-Nov-2008 |
bz |
MFp4: Bring in updated jail support from bz_jail branch.
This enhances the current jail implementation to permit multiple addresses per jail. In addition to IPv4, IPv6 is supported as well. Due to updated checks it is even possible to have jails without an IP address at all, which basically gives one a chroot with restricted process view, no networking,..
SCTP support was updated and supports IPv6 in jails as well.
Cpuset support permits jails to be bound to specific processor sets after creation.
Jails can have an unrestricted (no duplicate protection, etc.) name in addition to the hostname. The jail name cannot be changed from within a jail and is considered to be used for management purposes or as audit-token in the future.
DDB 'show jails' command was added to aid debugging.
Proper compat support permits 32bit jail binaries to be used on 64bit systems to manage jails. Also backward compatibility was preserved where possible: for jail v1 syscalls, as well as with user space management utilities.
Both jail as well as prison version were updated for the new features. A gap was intentionally left as the intermediate versions had been used by various patches floating around the last years.
Bump __FreeBSD_version for the aforementioned and in kernel changes.
Special thanks to:
- Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches and Olivier Houchard (cognet) for initial single-IPv6 patches.
- Jeff Roberson (jeff) and Randall Stewart (rrs) for their help, ideas and review on cpuset and SCTP support.
- Robert Watson (rwatson) for lots and lots of help, discussions, suggestions and review of most of the patch at various stages.
- John Baldwin (jhb) for his help.
- Simon L. Nielsen (simon) as early adopter testing changes on cluster machines as well as all the testers and people who provided feedback the last months on freebsd-jail and other channels.
- My employer, CK Software GmbH, for the support so I could work on this.
Reviewed by: (see above) MFC after: 3 months (this is just so that I get the mail) X-MFC Before: 7.2-RELEASE if possible
|
185293 |
25-Nov-2008 |
rwatson |
Regularize /* FALLTHROUGH */ comments in the BSM event type switch, and add one that was missing.
MFC after: 3 weeks Coverity ID: 3960
|
184948 |
14-Nov-2008 |
rwatson |
When repeatedly accessing a thread credential, cache the credential pointer in a local thread. While this is unlikely to significantly improve performance given modern compiler behavior, it makes the code more readable and reduces diffs to the Mac OS X version of the same code (which stores things in creds in the same way, but where the cred for a thread is reached quite differently).
Discussed with: sson MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
|
184904 |
13-Nov-2008 |
rwatson |
The audit queue limit variables are size_t, so use size_t for the audit queue length variables as well, avoiding storing the limit in a larger type than the length.
Submitted by: sson Sponsored by: Apple Inc. MFC after: 1 week
|
184858 |
11-Nov-2008 |
rwatson |
Move audit-internal function definitions for getting and setting audit kinfo state to audit_private.h.
|
184857 |
11-Nov-2008 |
rwatson |
Minor style tweaks and change lock name string to use _'s and not spaces to improve parseability.
|
184856 |
11-Nov-2008 |
csjp |
Add support for extended header BSM tokens. Currently we use the regular header tokens. The extended header tokens contain an IP or IPv6 address which makes it possible to identify which host an audit record came from when audit records are centralized.
If the host information has not been specified, the system will default to the old style headers. Otherwise, audit records that are created as a result of system calls will contain host information.
This implementation has been designed to be consistent with the Solaris implementation. Host information is set/retrieved using the A_GETKAUDIT and A_SETKAUDIT auditon(2) commands. These commands require that a pointer to an auditinfo_addr_t object is passed. Currently only IP and IPv6 address families are supported.
The userspace bits associated with this change will follow in an openbsm import.
Reviewed by: rwatson, (sson, wsalamon (older version)) MFC after: 1 month
|
184825 |
10-Nov-2008 |
rwatson |
Wrap sx locking of the audit worker sleep lock in macros, update comments.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184661 |
04-Nov-2008 |
jhb |
Use shared vnode locks for auditing vnode arguments as auditing only does a VOP_GETATTR() which does not require an exclusive lock.
Reviewed by: csjp, rwatson
|
184660 |
04-Nov-2008 |
jhb |
Don't lock the vnode around calls to vn_fullpath().
Reviewed by: csjp, rwatson
|
184545 |
02-Nov-2008 |
rwatson |
Update introductory comment for audit pipes.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184544 |
02-Nov-2008 |
rwatson |
Remove stale comment about filtering in audit pipe ioctl routine: we do support filtering now, although we may want to make it more interesting in the future.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184540 |
01-Nov-2008 |
rwatson |
Add comment for per-pipe stats.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184536 |
01-Nov-2008 |
rwatson |
We only allow a partial read of the first record in an audit pipe record queue, so move the offset field from the per-record audit_pipe_entry structure to the audit_pipe structure.
Now that we support reading more than one record at a time, add a new summary field to audit_pipe, ap_qbyteslen, which tracks the total number of bytes present in a pipe, and return that (minus the current offset) via FIONREAD and kqueue's data variable for the pending byte count rather than the number of bytes remaining in only the first record.
Add a number of asserts to confirm that these counts and offsets follow the expected rules.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184534 |
01-Nov-2008 |
rwatson |
Allow a single read(2) system call on an audit pipe to retrieve data from more than one audit record at a time in order to improve efficiency.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184510 |
31-Oct-2008 |
rwatson |
Since there is no longer the opportunity for record truncation, just return 0 if the truncation counter is queried on an audit pipe.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184508 |
31-Oct-2008 |
rwatson |
Historically, /dev/auditpipe has allowed only whole records to be read via read(2), which meant that records longer than the buffer passed to read(2) were dropped. Instead take the approach of allowing partial reads to be continued across multiple system calls, more in the style of a streaming character device.
This means retaining a record on the per-pipe queue in a partially read state, so maintain a current offset into the record. Keep the record on the queue during a read, so add a new lock, ap_sx, to serialize removal of records from the queue by either read(2) or ioctl(2) requesting a pipe flush. Modify the kqueue handler to return bytes left in the current record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer sizes, to track much larger record sizes from /dev/auditpipe, such as very long command lines to execve(2).
MFC after: 2 months Sponsored by: Apple, Inc.
|
184489 |
30-Oct-2008 |
rwatson |
When we drop an audit record going to an audit pipe because the audit pipe has overflowed, drop the newest, rather than oldest, record. This makes overflow drop behavior consistent with memory allocation failure leading to drop, avoids touching the consumer end of the queue from a producer, and lowers the CPU overhead of dropping a record by dropping before memory allocation and copying.
Obtained from: Apple, Inc. MFC after: 2 months
|
184488 |
30-Oct-2008 |
rwatson |
Break out single audit_pipe_mtx into two types of locks: a global rwlock protecting the list of audit pipes, and a per-pipe mutex protecting the queue.
Likewise, replace the single global condition variable used to signal delivery of a record to one or more pipes, and add a per-pipe condition variable to avoid spurious wakeups when event subscriptions differ across multiple pipes.
This slightly increases the cost of delivering to audit pipes, but should reduce lock contention in the presence of multiple readers as only the per-pipe lock is required to read from a pipe, as well as avoiding overhead when different pipes are used in different ways.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184482 |
30-Oct-2008 |
rwatson |
Protect the event->class lookup database using an rwlock instead of a mutex, as it's rarely changed but frequently accessed read-only from multiple threads, so a potentially significant source of contention.
MFC after: 1 month Sponsored by: Apple, Inc.
|
184467 |
30-Oct-2008 |
rwatson |
The V* flags passed using an accmode_t to the access() and open() access control checks in mac_bsdextended are not in the same namespace as the MBI_ flags used in ugidfw policies, so add an explicit conversion routine to get from one to the other.
Obtained from: TrustedBSD Project
|
184426 |
28-Oct-2008 |
trasz |
Commit part of accmode_t changes that I missed in previous commit.
Approved by: rwatson (mentor)
|
184425 |
28-Oct-2008 |
rwatson |
Break out strictly credential-related portions of mac_process.c into a new file, mac_cred.c.
Obtained from: TrustedBSD Project
|
184413 |
28-Oct-2008 |
trasz |
Introduce accmode_t. This is required for NFSv4 ACLs - it will be necessary to add more V* constants, and the variables changed by this patch were often being assigned to mode_t variables, which is 16 bit.
Approved by: rwatson (mentor)
|
184412 |
28-Oct-2008 |
rwatson |
Rename mac_cred_mmapped_drop_perms(), which revokes access to virtual memory mappings when the MAC label on a process changes, to mac_proc_vm_revoke().
It now also acquires its own credential reference directly from the affected process rather than accepting one passed by the caller, simplifying the API and consumer code.
Obtained from: TrustedBSD Project
|
184407 |
28-Oct-2008 |
rwatson |
Rename three MAC entry points from _proc_ to _cred_ to reflect the fact that they operate directly on credentials: mac_proc_create_swapper(), mac_proc_create_init(), and mac_proc_associate_nfsd(). Update policies.
Obtained from: TrustedBSD Project
|
184402 |
28-Oct-2008 |
rwatson |
Extended comment on why we consider a partition relabel request of "0" to be a no-op request, and why this might have to change if we want to allow leaving a partition someday.
Obtained from: TrustedBSD Project MFC after: 3 days
|
184401 |
28-Oct-2008 |
rwatson |
Rename label_on_label() to partition_check(), which is far more suggestive as to its actual function.
Obtained from: TrustedBSD Project MFC after: 3 days
|
184400 |
28-Oct-2008 |
rwatson |
Improve alphabetical sort order of stub entry points.
|
184367 |
27-Oct-2008 |
rwatson |
When the mac_bsdextended policy is unloaded, free rule memory.
Obtained from: TrustedBSD Project MFC after: 3 days
|
184332 |
27-Oct-2008 |
rwatson |
Add TrustedBSD credit to new ugidfw_internal.h file.
|
184331 |
27-Oct-2008 |
rwatson |
Break mac_bsdextended.c out into multiple .c files, with the base access control logic and policy registration remaining in that file, and access control checks broken out into other files by class of check.
Obtained from: TrustedBSD Project
|
184330 |
27-Oct-2008 |
rwatson |
Copy mac_bsdextended.c to two object-specific files as a prototype for how to modularize MAC policy layout.
Obtained from: TrustedBSD Project
|
184308 |
26-Oct-2008 |
rwatson |
Implement MAC policy support for IPv6 fragment reassembly queues, modeled on IPv4 fragment reassembly queue support.
Obtained from: TrustedBSD Project
|
184307 |
26-Oct-2008 |
rwatson |
Add a MAC label, MAC Framework, and MAC policy entry points for IPv6 fragment reassembly queues.
This allows policies to label reassembly queues, perform access control checks when matching fragments to a queue, update a queue label when fragments are matched, and label the resulting reassembled datagram.
Obtained from: TrustedBSD Project
|
184214 |
23-Oct-2008 |
des |
Fix a number of style issues in the MALLOC / FREE commit. I've tried to be careful not to fix anything that was already broken; the NFSv4 code is particularly bad in this respect.
|
184205 |
23-Oct-2008 |
des |
Retire the MALLOC and FREE macros. They are an abomination unto style(9).
MFC after: 3 months
|
183980 |
17-Oct-2008 |
bz |
Add a mac_inpcb_check_visible implementation to all MAC policies that handle mac_socket_check_visible.
Reviewed by: rwatson MFC after: 3 months (set timer; decide then)
|
183973 |
17-Oct-2008 |
bz |
Add mac_inpcb_check_visible MAC Framework entry point, which is similar to mac_socket_check_visible but operates on the inpcb.
Reviewed by: rwatson MFC after: 3 months (set timer, decide then)
|
183970 |
17-Oct-2008 |
bz |
Use the label from the socket credential rather than the solabel which was not set by the mac_partition policy.
Spotted by: rwatson Reviewed by: rwatson MFC after: 3 days
|
183381 |
26-Sep-2008 |
ed |
Remove unit2minor() use from kernel code.
When I changed kern_conf.c three months ago I made device unit numbers equal to (unneeded) device minor numbers. We used to require bitshifting, because there were eight bits in the middle that were reserved for a device major number. Not very long after I turned dev2unit(), minor(), unit2minor() and minor2unit() into macros. The unit2minor() and minor2unit() macros were no-ops.
We'd better not remove these four macros from the kernel, because there is a lot of (external) code that may still depend on them. For now it's harmless to remove all invocations of unit2minor() and minor2unit().
Reviewed by: kib
|
183113 |
17-Sep-2008 |
attilio |
Remove the suser(9) interface from the kernel. It has been replaced for years by the priv_check(9) interface and just very few places are left. Note that compatibility stubs with older FreeBSD versions (all above the 8 limit though) are left in order to reduce diffs against old versions. It is the responsibility of the maintainers for any module, if they think it is the case, to axe out such cases.
This patch breaks KPI so __FreeBSD_version will be bumped into a later commit.
This patch needs to be credited 50-50 with rwatson@ as he found time to explain to me how the priv_check() works in detail and to review patches.
Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com> Reviewed by: rwatson
|
182905 |
10-Sep-2008 |
trasz |
Remove VSVTX, VSGID and VSUID. This should be a no-op, as VSVTX == S_ISVTX, VSGID == S_ISGID and VSUID == S_ISUID.
Approved by: rwatson (mentor)
|
182754 |
04-Sep-2008 |
des |
Unbreak the build.
Pointy hat to: kevlo
|
182750 |
04-Sep-2008 |
kevlo |
If the process id specified is invalid, the system call returns ESRCH.
|
182371 |
28-Aug-2008 |
attilio |
Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread was always curthread and totally useless.
Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
|
182158 |
25-Aug-2008 |
rwatson |
More fully audit fexecve(2) and its arguments.
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
182118 |
24-Aug-2008 |
rwatson |
Use ERANGE instead of EOVERFLOW selected in r182059; this seems more appropriate even if Solaris doesn't document it (E2BIG) or use it (EOVERFLOW).
Submitted by: nectar at apple dot com Sponsored by: Apple, Inc. MFC after: 3 days
|
182090 |
24-Aug-2008 |
csjp |
Use sbuf_putc instead of sbuf_cat. This makes more sense, since we are appending a single character to the buffer.
MFC after: 2 weeks
|
182063 |
23-Aug-2008 |
rwatson |
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required.
MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
182059 |
23-Aug-2008 |
rwatson |
When getaudit(2) is unable to fit the terminal IPv6 address into the space provided by its argument structure, return EOVERFLOW instead of E2BIG. The latter is documented in Solaris's man page, but the former is implemented. In either case, the caller should use getaudit_addr(2) to return the IPv6 address.
Submitted by: sson Obtained from: Apple, Inc. MFC after: 3 days
|
181604 |
11-Aug-2008 |
csjp |
Make sure we check the preselection masks present for all audit pipes. It is possible that the audit pipe(s) have different preselection configs than the global preselection mask.
Spotted by: Vincenzo Iozzo MFC after: 2 weeks
|
181463 |
09-Aug-2008 |
des |
Add sbuf_new_auto as a shortcut for the very common case of creating a completely dynamic sbuf.
Obtained from: Varnish MFC after: 2 weeks
|
181217 |
02-Aug-2008 |
rwatson |
Minor style tweaks.
|
181213 |
02-Aug-2008 |
rwatson |
Rename mac_partition_enabled to partition_enabled to synchronize with other policies that similarly now avoid the additional mac_ prefix on variables.
MFC after: soon
|
181069 |
31-Jul-2008 |
rwatson |
In mac_bsdextended's auditctl and acct policy access control checks, return success if the passed vnode pointer is NULL (rather than panicking). This can occur if either audit or accounting are disabled while the policy is running.
Since the swapoff control has no real relevance to this policy, which is concerned about intent to write rather than water under the bridge, remove it.
PR: kern/126100 Reported by: Alan Amesbury <amesbury at umn dot edu> MFC after: 3 days
|
181060 |
31-Jul-2008 |
csjp |
Currently, BSM audit pathname token generation for chrooted or jailed processes is not producing absolute pathname tokens. It is required that audited pathnames are generated relative to the global root mount point. This modification changes our implementation of audit_canon_path(9) and introduces a new function: vn_fullpath_global(9) which performs a vnode -> pathname translation relative to the global mount point based on the contents of the name cache. Much like vn_fullpath, vn_fullpath_global is a wrapper function which calls vn_fullpath1.
Further, the string parsing routines have been converted to use the sbuf(9) framework. This change also removes the conditional acquisition of Giant, since the vn_fullpath1 method will not dip into file system dependent code.
The vnode locking was modified to use vhold()/vdrop() instead of vref() and vrele(). This will modify the hold count instead of modifying the user count. This makes more sense since it's the kernel that requires the reference to the vnode. This also makes sure that the vnode does not get recycled while we hold the reference to it. [1]
Discussed with: rwatson Reviewed by: kib [1] MFC after: 2 weeks
|
181053 |
31-Jul-2008 |
rwatson |
Further synchronization of copyrights, licenses, white space, etc from Apple and from the OpenBSM vendor tree.
Obtained from: Apple Inc., TrustedBSD Project MFC after: 3 days
|
180735 |
23-Jul-2008 |
rwatson |
Minor white space tweak.
Obtained from: Apple Inc. MFC after: 3 days
|
180716 |
22-Jul-2008 |
rwatson |
If an AUE_SYSCTL_NONADMIN audit event is selected, generate a record with equivalent content to AUE_SYSCTL.
Obtained from: Apple Inc. MFC after: 3 days
|
180715 |
22-Jul-2008 |
rwatson |
Further minor style fixes to audit.
Obtained from: Apple Inc. MFC after: 3 days
|
180712 |
22-Jul-2008 |
rwatson |
Remove unneeded \ at the end of a macro.
Obtained from: Apple Inc. MFC after: 3 days
|
180711 |
22-Jul-2008 |
rwatson |
Further minor white space tweaks.
Obtained from: Apple Inc. MFC after: 3 days
|
180709 |
22-Jul-2008 |
rwatson |
Generally avoid <space><tab> as a white space anomaly.
Obtained from: Apple Inc. MFC after: 3 days
|
180708 |
22-Jul-2008 |
rwatson |
Use #define<tab> rather than #define<space>.
Obtained from: Apple Inc. MFC after: 3 days
|
180706 |
22-Jul-2008 |
rwatson |
Comment fix.
Obtained from: Apple Inc. MFC after: 3 days
|
180704 |
22-Jul-2008 |
rwatson |
Comment typo fix.
Obtained from: Apple Inc. MFC after: 3 days
|
180703 |
22-Jul-2008 |
rwatson |
Minor white space synchronization to Apple version of security audit.
Obtained from: Apple Inc. MFC after: 3 days
|
180701 |
22-Jul-2008 |
rwatson |
In preparation to sync Apple and FreeBSD versions of security audit, pick up the Apple Computer -> Apple change in their copyright and license templates.
Obtained from: Apple Inc. MFC after: 3 days
|
180699 |
22-Jul-2008 |
rwatson |
Use unsigned int when iterating over groupsets in audit_arg_groupset().
Obtained from: Apple Inc. MFC after: 3 days
|
180059 |
27-Jun-2008 |
jhb |
Rework the lifetime management of the kernel implementation of POSIX semaphores. Specifically, semaphores are now represented as a new file descriptor type that is set to close on exec. This removes the need for all of the manual process reference counting (and fork, exec, and exit event handlers) as the normal file descriptor operations handle all of that for us nicely. It is also suggested as one possible implementation in the spec and at least one other OS (OS X) uses this approach.
Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after the sem_unlink() operation. Prior to this patch, if a semaphore's name was removed, valid handles from sem_open() would get EINVAL errors from sem_getvalue(), sem_post(), etc. This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a process exited or exec'd. They were only cleaned up if the process did an explicit sem_destroy(). This could result in a leak of semaphore objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to 'struct ksem' of an unnamed semaphore (created via sem_init)) and had write access to the semaphore based on UID/GID checks, then that other process could manipulate the semaphore via sem_destroy(), sem_post(), sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the process creating the semaphore was not honored. Thus if your umask denied group read/write access but the explicit mode in the sem_init() call allowed it, the semaphore would be readable/writable by other users in the same group, for example. This includes access via the previous bug.
- If the module refused to unload because there were active semaphores, then it might have deregistered one or more of the semaphore system calls before it noticed that there was a problem. I'm not sure if this actually happened as the order that modules are discovered by the kernel linker depends on how the actual .ko file is linked. One can make the order deterministic by using a single module with a mod_event handler that explicitly registers syscalls (and deregisters during unload after any checks). This also fixes a race where even if the sem_module unloaded first it would have destroyed locks that the syscalls might be trying to access if they are still executing when they are unloaded.
  XXX: By the way, deregistering system calls doesn't do any blocking to drain any threads from the calls.
- Some minor fixes to errno values on error. For example, sem_init() isn't documented to return ENFILE or EMFILE if we run out of semaphores the way that sem_open() can. Instead, it should return ENOSPC in that case.
Other changes:
- Kernel semaphores now use a hash table to manage the namespace of named semaphores nearly in a similar fashion to the POSIX shared memory object file descriptors. Kernel semaphores can now also have names longer than 14 chars (up to MAXPATHLEN) and can include subdirectories in their pathname.
- The UID/GID permission checks for access to a named semaphore are now done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various MAC checks for POSIX semaphores accept both a file credential and an active credential. There is also a new posixsem_check_stat() since it is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present in src/tools/regression/posixsem.
Reported by: kris (1) Tested by: kris Reviewed by: rwatson (lightly) MFC after: 1 month
|
180031 |
26-Jun-2008 |
jhb |
Add missing counter increments for posix shm checks.
|
179963 |
23-Jun-2008 |
jhb |
Remove the posixsem_check_destroy() MAC check. It is semantically identical to doing a MAC check for close(), but no other types of close() (including close(2) and ksem_close(2)) have MAC checks.
Discussed with: rwatson
|
179781 |
13-Jun-2008 |
rwatson |
The TrustedBSD MAC Framework named struct ipq instances 'ipq', which is the same as the global variable defined in ip_input.c. Instead, adopt the name 'q' as found in about 1/2 of uses in ip_input.c, preventing a collision on the name. This is non-harmful, but means that search and replace on the global works less well (as in the virtualization work), as well as indexing tools.
MFC after: 1 week Reported by: julian
|
179726 |
11-Jun-2008 |
ed |
Don't enforce unique device minor number policy anymore.
Except for the case where we use the cloner library (clone_create() and friends), there is no reason to enforce a unique device minor number policy. There are various drivers in the source tree that allocate unr pools and such to provide minor numbers, without using them themselves.
Because we still need to support unique device minor numbers for the cloner library, introduce a new flag called D_NEEDMINOR. All cdevsw's that are used in combination with the cloner library should be marked with this flag to make the cloning work.
This means drivers can now freely use si_drv0 to store their own flags and state, making it effectively the same as si_drv1 and si_drv2. We still keep the minor() and dev2unit() routines around to make drivers happy.
The NTFS code also used the minor number in its hash table. We should not do this anymore. If the si_drv0 field would be changed, it would no longer end up in the same list.
Approved by: philip (mentor)
|
179715 |
10-Jun-2008 |
simon |
When the file-system containing the audit log file is running low on disk space a warning is printed. Make this warning a bit more informative.
Approved by: rwatson
|
179517 |
03-Jun-2008 |
rwatson |
Add an XXX comment regarding a bug I introduced when modifying the behavior of audit log vnode rotation: on shutdown, we may not properly drain all pending records, which could lead to lost records during system shutdown.
|
179359 |
27-May-2008 |
csjp |
Plug a memory leak which can occur when multiple MAC policies are loaded which label mbufs. This leak can occur if one policy successfully allocates label storage and subsequent allocations from other policies fail.
Spotted by: rwatson MFC after: 1 week
|
179178 |
21-May-2008 |
rwatson |
Don't use LK_DRAIN before calling VOP_FSYNC() in the two further panic cases for audit trail failure -- this doesn't contribute anything, and might arguably be wrong.
MFC after: 1 week Requested by: attilio
|
179176 |
21-May-2008 |
rwatson |
Don't use LK_DRAIN before calling VOP_FSYNC() in the panic case for audit trail failure -- this doesn't contribute anything, and might arguably be wrong.
MFC after: 1 week Requested by: attilio
|
178802 |
06-May-2008 |
rwatson |
When testing whether to enter the audit argument gathering code, rather than checking whether audit is enabled globally, instead check whether the current thread has an audit record. This avoids entering the audit code to collect argument data if auditing is enabled but the current system call is not of interest to audit.
MFC after: 1 week Sponsored by: Apple, Inc.
|
178617 |
27-Apr-2008 |
rwatson |
Fix include guard spelling.
MFC after: 3 days Submitted by: diego
|
178461 |
24-Apr-2008 |
rwatson |
Use logic or, not binary or, when deciding whether or not a system call exit requires entering the audit code. The result is much the same, but they mean different things.
MFC after: 3 days Submitted by: Diego Giagio <dgiagio at gmail dot com>
|
178322 |
19-Apr-2008 |
rwatson |
When auditing state from an IPv4 or IPv6 socket, use read locks on the inpcb rather than write locks.
MFC after: 3 months
|
178321 |
19-Apr-2008 |
rwatson |
When propagating a MAC label from an inpcb to an mbuf, allow read and write locks on the inpcb, not just write locks.
MFC after: 3 months
|
178285 |
17-Apr-2008 |
rwatson |
Convert pcbinfo and inpcb mutexes to rwlocks, and modify macros to explicitly select write locking for all use of the inpcb mutex. Update some pcbinfo lock assertions to assert locked rather than write-locked, although in practice almost all uses of the pcbinfo rwlock remain exclusive, and all instances of inpcb lock acquisition are exclusive.
This change should introduce (ideally) little functional change. However, it lays the groundwork for significantly increased parallelism in the TCP/IP code.
MFC after: 3 months Tested by: kris (superset of committed patch)
|
178186 |
13-Apr-2008 |
rwatson |
Use __FBSDID() for $FreeBSD$ IDs in the audit code.
MFC after: 3 days
|
178184 |
13-Apr-2008 |
rwatson |
Make naming of include guards for MAC Framework include files more consistent with other kernel include guards (don't start with _SYS).
MFC after: 3 days
|
177785 |
31-Mar-2008 |
kib |
Add the support for the AT_FDCWD and fd-relative name lookups to the namei(9).
Based on the submission by rdivacky, sponsored by Google Summer of Code 2007 Reviewed by: rwatson, rdivacky Tested by: pho
|
177253 |
16-Mar-2008 |
rwatson |
In keeping with style(9)'s recommendations on macros, use a ';' after each SYSINIT() macro invocation. This makes a number of lightweight C parsers much happier with the FreeBSD kernel source, including cflow's prcc and lxr.
MFC after: 1 month Discussed with: imp, rink
|
177033 |
10-Mar-2008 |
rwatson |
Remove XXX to remind me to check the free space calculation, which to my eyes appears right following a check.
MFC after: 3 days
|
176887 |
06-Mar-2008 |
csjp |
Change auditon(2) so that if somebody supplies an invalid command, it returns EINVAL. Right now we return 0 or success for invalid commands, which could be quite problematic in certain conditions.
MFC after: 1 week Discussed with: rwatson
|
176749 |
02-Mar-2008 |
rwatson |
Rather than copying out the full audit trigger record, which includes a queue entry field, just copy out the unsigned int that is the trigger message. In practice, auditd always requested sizeof(unsigned int), so the extra bytes were ignored, but copying them out was not the intent.
MFC after: 1 month
|
176690 |
01-Mar-2008 |
rwatson |
Add audit_prefixes to two more globally visible functions in the Audit implementation.
MFC after: 1 month
|
176686 |
01-Mar-2008 |
rwatson |
Rename globally exposed symbol send_trigger() to audit_send_trigger().
MFC after: 1 month
|
176627 |
27-Feb-2008 |
rwatson |
Replace somewhat awkward audit trail rotation scheme, which involved the global audit mutex and condition variables, with an sx lock which protects the trail vnode and credential while in use, and is acquired by the system call code when rotating the trail. Previously, a "message" would be sent to the kernel audit worker, which did the rotation, but the new code is simpler and (hopefully) less error-prone.
Obtained from: TrustedBSD Project MFC after: 1 month
|
176565 |
25-Feb-2008 |
rwatson |
Rename several audit functions in the global kernel symbol namespace to have audit_ on the front:
- canon_path -> audit_canon_path
- msgctl_to_event -> audit_msgctl_to_event
- semctl_to_event -> audit_semctl_to_event
MFC after: 1 month
|
175763 |
28-Jan-2008 |
csjp |
Make sure that the termid type is initialized to AU_IPv4 by default. This makes sure that process tokens credentials with un-initialized audit contexts are handled correctly. Currently, when invariants are enabled, this change fixes a panic by ensuring that we have a valid termid family. Also, this fixes token generation for process tokens making sure that userspace is always getting a valid token.
This is consistent with what Solaris does when an audit context is un-initialized.
Obtained from: TrustedBSD Project
MFC after: 1 week
|
175747 |
28-Jan-2008 |
rwatson |
Properly return the error from mls_subject_privileged() in the ifnet relabel check for MLS rather than returning 0 directly.
This problem didn't result in a vulnerability currently as the central implementation of ifnet relabeling also checks for UNIX privilege, and we currently don't guarantee containment for the root user in mac_mls, but we should be using the MLS definition of privilege as well as the UNIX definition in anticipation of supporting root containment at some point.
MFC after: 3 days
Submitted by: Zhouyi Zhou <zhouzhouyi at gmail dot com>
Sponsored by: Google SoC 2007
|
175456 |
18-Jan-2008 |
csjp |
Fix gratuitous whitespace bug
MFC after: 1 week
Obtained from: TrustedBSD Project
|
175455 |
18-Jan-2008 |
csjp |
Add a case for AUE_LISTEN. This removes the following console error message:
"BSM conversion requested for unknown event 43140"
It should be noted that we need to audit the fd argument for this system call.
Obtained from: TrustedBSD Project
MFC after: 1 week
|
175294 |
13-Jan-2008 |
attilio |
VOP_LOCK1() (and so VOP_LOCK()) and VOP_UNLOCK() are only used in conjunction with 'thread' argument passing which is always curthread. Remove the unuseful extra argument and pass explicitly curthread to lower layer functions, when necessary.
KPI results broken by this change, which should affect several ports, so version bumping and manpage update will be further committed.
Tested by: kris, pho, Diego Sardina <siarodx at gmail dot com>
|
175202 |
10-Jan-2008 |
attilio |
vn_lock() is currently only used with the 'curthread' passed as argument. Remove this argument and pass curthread directly to the underlying VOP_LOCK1() VFS method. This modification makes the code cleaner and in particular removes an annoying dependence, helping the next lockmgr() cleanup. KPI results, obviously, changed.
Manpage and FreeBSD_version will be updated through further commits.
As a side note, it would be valuable to say that the next commits will address a similar cleanup of VFS methods, in particular vop_lock1 and vop_unlock.
Tested by: Diego Sardina <siarodx at gmail dot com>, Andrea Di Pasquale <whyx dot it at gmail dot com>
|
175164 |
08-Jan-2008 |
jhb |
Add a new file descriptor type for IPC shared memory objects and use it to implement shm_open(2) and shm_unlink(2) in the kernel:
- Each shared memory file descriptor is associated with a swap-backed vm object which provides the backing store. Each descriptor starts off with a size of zero, but the size can be altered via ftruncate(2). The shared memory file descriptors also support fstat(2). read(2), write(2), ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared memory file descriptors.
- shm_open(2) and shm_unlink(2) are now implemented as system calls that manage shared memory file descriptors. The virtual namespace that maps pathnames to shared memory file descriptors is implemented as a hash table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash of the pathname.
- As an extension, the constant 'SHM_ANON' may be specified in place of the path argument to shm_open(2). In this case, an unnamed shared memory file descriptor will be created similar to the IPC_PRIVATE key for shmget(2). Note that the shared memory object can still be shared among processes by sharing the file descriptor via fork(2) or sendmsg(2), but it is unnamed. This effectively serves to implement the getmemfd() idea bandied about the lists several times over the years.
- The backing store for shared memory file descriptors is garbage collected when it is not referenced by any open file descriptors or the shm_open(2) virtual namespace.
Submitted by: dillon, peter (previous versions)
Submitted by: rwatson (I based this on his version)
Reviewed by: alc (suggested converting getmemfd() to shm_open())
|
174898 |
25-Dec-2007 |
rwatson |
Add a new 'why' argument to kdb_enter(), and a set of constants to use for that argument. This will allow DDB to detect the broad category of reason why the debugger has been entered, which it can use for the purposes of deciding which DDB script to run.
Assign approximate why values to all current consumers of the kdb_enter() interface.
|
174894 |
25-Dec-2007 |
wkoszek |
Change "audit_pipe_preselect" to "audit_pipe_presel" to make it print with proper alignment in ddb(4) and vmstat(8).
Reviewed by: rwatson@
|
174718 |
17-Dec-2007 |
rwatson |
Fix a MAC label leak for POSIX semaphores, in which per-policy labels would be properly disposed of, but the global label structure for the semaphore wouldn't be freed.
MFC after: 3 days
Reported by: tanyong <tanyong at ercist dot iscas dot ac dot cn>, zhouzhouyi
|
174267 |
04-Dec-2007 |
wkoszek |
Explicitly initialize 'ret' to 0. It lets one build tmpfs from the latest source tree with an older compiler--gcc3.
Approved by: cognet (mentor)
|
173163 |
30-Oct-2007 |
rwatson |
Implement per-object type consistency checks for labels passed to 'internalize' operations rather than using a single common check.
Obtained from: TrustedBSD Project
|
173142 |
29-Oct-2007 |
rwatson |
Replace use of AU_NULL with 0 when no audit classes are in use; this supports the removal of hard-coded audit class constants in OpenBSM 1.0. All audit classes are now dynamically configured via the audit_class database.
Obtained from: TrustedBSD Project
|
173141 |
29-Oct-2007 |
rwatson |
Canonicalize names of local variables.
Add some missing label checks in mac_test.
Obtained from: TrustedBSD Project
|
173138 |
29-Oct-2007 |
rwatson |
Resort TrustedBSD MAC Framework policy entry point implementations and declarations to match the object, operation sort order in the framework itself.
Obtained from: TrustedBSD Project
|
173112 |
28-Oct-2007 |
rwatson |
Add missing mac_test labeling and sleep checks for the syncache.
Discussed with: csjp
Obtained from: TrustedBSD Project
|
173108 |
28-Oct-2007 |
rwatson |
Garbage collect mac_mbuf_create_multicast_encap TrustedBSD MAC Framework entry point, which is no longer required now that we don't support old-style multicast tunnels. This removes the last mbuf object class entry point that isn't init/copy/destroy.
Obtained from: TrustedBSD Project
|
173102 |
28-Oct-2007 |
rwatson |
Continue to move from generic network entry points in the TrustedBSD MAC Framework by moving from mac_mbuf_create_netlayer() to more specific entry points for specific network services:
- mac_netinet_firewall_reply() to be used when replying to in-bound TCP segments in pf and ipfw (etc).
- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite a label in place, but in others we apply the label to a new mbuf.
Obtained from: TrustedBSD Project
|
173095 |
28-Oct-2007 |
rwatson |
Move towards more explicit support for various network protocol stacks in the TrustedBSD MAC Framework:
- Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send() for AARP packet labeling, rather than using a generic link layer entry point.
- Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send() for ND6 packet labeling, rather than using a generic link layer entry point.
- Add explicit entry point mac_netinet_arp_send() for ARP packet labeling, and mac_netinet_igmp_send() for IGMP packet labeling, rather than using a generic link layer entry point.
- Remove previous generic link layer entry point, mac_mbuf_create_linklayer() as it is no longer used.
- Add implementations of new entry points to various policies, largely by replicating the existing link layer entry point for them; remove old link layer entry point implementation.
- Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global to the MAC Framework rather than static to mac_net.c as it is now needed outside of mac_net.c.
Obtained from: TrustedBSD Project
|
173093 |
28-Oct-2007 |
rwatson |
Perform explicit label type checks for externalize entry points, rather than a generic initialized test.
Obtained from: TrustedBSD Project
|
173083 |
27-Oct-2007 |
csjp |
Make sure we are incrementing the read count for each audit pipe read.
MFC after: 1 week
|
173054 |
27-Oct-2007 |
rwatson |
Give each posixsem MAC Framework entry point its own counter and test case in the mac_test policy, rather than sharing a single function for all of the access control checks.
Obtained from: TrustedBSD Project
|
173042 |
26-Oct-2007 |
rwatson |
Update comment following MAC Framework entry point renaming and reorganization.
Obtained from: TrustedBSD Project
|
173018 |
26-Oct-2007 |
rwatson |
Rename 'mac_mbuf_create_from_firewall' to 'mac_netinet_firewall_send' as we move towards netinet as a pseudo-object for the MAC Framework.
Rename 'mac_create_mbuf_linklayer' to 'mac_mbuf_create_linklayer' to reflect general object-first ordering preference.
Sponsored by: SPARTA (original patches against Mac OS X)
Obtained from: TrustedBSD Project, Apple Computer
|
172995 |
26-Oct-2007 |
csjp |
Implement AUE_CORE, which adds process core dump support into the kernel. This change introduces audit_proc_coredump() which is called by coredump(9) to create an audit record for the coredump event. When a process dumps a core, it could be security relevant. It could be an indicator that a stack within the process has been overflowed with an incorrectly constructed malicious payload or a number of other events.
The record that is generated looks like this:
header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111
- We allocate a completely new record to make sure we aren't clobbering the audit data associated with the syscall that produced the core (assuming the core is being generated in response to SIGABRT and not an invalid memory access).
- Shuffle around expand_name() so we can use the coredump name at the very beginning of the coredump call. Make sure we free the storage referenced by "name" if we need to bail out early.
- Audit both successful and failed coredump creation efforts
Obtained from: TrustedBSD Project
Reviewed by: rwatson
MFC after: 1 month
|
172990 |
25-Oct-2007 |
rwatson |
Sort entry points in mac_framework.h and mac_policy.h alphabetically by primary object type, and then secondarily by method name. This sorts entry points relating to particular objects, such as pipes, sockets, and vnodes together.
Sponsored by: SPARTA (original patches against Mac OS X)
Obtained from: TrustedBSD Project, Apple Computer
|
172970 |
25-Oct-2007 |
rwatson |
Normalize TCP syncache-related MAC Framework entry points to match most other entry points in the form mac_<object>_method().
Discussed with: csjp
Obtained from: TrustedBSD Project
|
172957 |
25-Oct-2007 |
rwatson |
Rename mac_associate_nfsd_label() to mac_proc_associate_nfsd(), and move from mac_vfs.c to mac_process.c to join other functions that set up process labels for specific purposes. Unlike the two proc create calls, this call is intended to run after creation when a process registers as the NFS daemon, so remains an _associate_ call.
Obtained from: TrustedBSD Project
|
172955 |
25-Oct-2007 |
rwatson |
Consistently name functions for mac_<policy> as <policy>_whatever rather than mac_<policy>_whatever, as this shortens the names and makes the code a bit easier to read.
When dealing with label structures, name variables 'mb', 'ml', 'mm' rather than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making the code a little easier to read.
Obtained from: TrustedBSD Project
|
172953 |
25-Oct-2007 |
rwatson |
Further MAC Framework cleanup: normalize some local variable names and clean up some comments.
Obtained from: TrustedBSD Project
|
172930 |
24-Oct-2007 |
rwatson |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms:
mac_<object>_<method/action>
mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names.
All MAC policy modules will need to be recompiled, and modules not updated as part of this commit will need to be modified to conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X)
Obtained from: TrustedBSD Project, Apple Computer
|
172915 |
24-Oct-2007 |
csjp |
Use extended process token. The in kernel process audit state is stored in an extended subject token now. Make sure that we are using the extended data. This fixes the termID for process tokens.
Obtained from: TrustedBSD Project
Discussed with: rwatson
MFC after: 1 week
|
172905 |
23-Oct-2007 |
rwatson |
Bump MAC_VERSION to 4 and add an 8.x line in the version table. Version 4 will include significant synchronization to the Mac OS X Leopard version of the MAC Framework.
Obtained from: TrustedBSD Project
|
172850 |
21-Oct-2007 |
rwatson |
Canonicalize naming of local variables for struct ksem and associated labels to 'ks' and 'kslabel' to reflect the convention in posix_sem.c.
MFC after: 3 days
Obtained from: TrustedBSD Project
|
172836 |
20-Oct-2007 |
julian |
Rename the kthread_xxx (e.g. kthread_create()) calls to kproc_xxx as they actually make whole processes. This makes way for us to add REAL kthread_create() and friends that actually make threads. It turns out that most of these calls actually end up being moved back to the thread version when it's added, but we need to make this cosmetic change first.
I'd LOVE to do this rename in 7.0 so that we can eventually MFC the new kthread_xxx() calls.
|
172583 |
12-Oct-2007 |
csjp |
- Change the wakeup logic associated with having multiple sleepers on multiple different audit pipes. The old method used cv_signal() which would result in only one thread being woken up after we appended a record to its queue. This resulted in un-timely wake-ups when processing audit records real-time.
- Assign PSOCK priority to threads that have been sleeping on a read(2). This is the same priority threads are woken up with when they select(2) or poll(2). This yields fairness between various forms of sleep on the audit pipes.
Obtained from: TrustedBSD Project
Discussed with: rwatson
MFC after: 1 week
|
172207 |
17-Sep-2007 |
jeff |
- Move all of the PS_ flags into either p_flag or td_flags.
- p_sflag was mostly protected by PROC_LOCK rather than the PROC_SLOCK or previously the sched_lock. These bugs have existed for some time.
- Allow swapout to try each thread in a process individually and then swapin the whole process if any of these fail. This allows us to move most scheduler related swap flags into td_flags.
- Keep ki_sflag for backwards compat but change all in source tools to use the new and more correct location of P_INMEM.
Reported by: pho
Reviewed by: attilio, kib
Approved by: re (kensmith)
|
172107 |
10-Sep-2007 |
rwatson |
Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry point to mac_check_vnode_unlink(), reflecting UNIX naming conventions.
This is the first of several commits to synchronize the MAC Framework in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X Leopard.
Reviewed by: csjp, Samy Bahra <sbahra at gwu dot edu>
Submitted by: Jacques Vidrine <nectar at apple dot com>
Obtained from: Apple Computer, Inc.
Sponsored by: SPARTA, SPAWAR
Approved by: re (bmah)
|
171744 |
06-Aug-2007 |
rwatson |
Remove the now-unused NET_{LOCK,UNLOCK,ASSERT}_GIANT() macros, which previously conditionally acquired Giant based on debug.mpsafenet. As that has now been removed, they are no longer required. Removing them significantly simplifies error-handling in the socket layer, eliminating quite a bit of unwinding of locking in error cases.
While here clean up the now unneeded opt_net.h, which previously was used for the NET_WITH_GIANT kernel option. Clean up some related gotos for consistency.
Reviewed by: bz, csjp
Tested by: kris
Approved by: re (kensmith)
|
171555 |
23-Jul-2007 |
rwatson |
When checking labels during a vnode link operation in MLS, use the file vnode label for a check rather than the directory vnode label a second time.
MFC after: 3 days
Submitted by: Zhouyi ZHOU <zhouzhouyi at FreeBSD dot org>
Reviewed by: csjp
Sponsored by: Google Summer of Code 2007
Approved by: re (bmah)
|
171253 |
05-Jul-2007 |
rwatson |
In preparation for 7.0 privilege cleanup, clean up style:
- Sort copyrights by date.
- Re-wrap, and in some cases, fix comments.
- Fix tabbing, white space, remove extra blank lines.
- Remove commented out debugging printfs.
Approved by: re (kensmith)
|
171235 |
05-Jul-2007 |
peter |
Fix a bunch of warnings due to a missing forward declaration of a struct.
Approved by: re (rwatson)
|
171144 |
01-Jul-2007 |
rwatson |
Remove two boot printfs generated by Audit to announce its presence, and replace with software-testable sysctl node (security.audit) that can be used to detect kernel audit support.
Obtained from: TrustedBSD Project
Approved by: re (kensmith)
|
171066 |
27-Jun-2007 |
csjp |
- Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2)
- In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK, and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done for both setaudit and setaudit_addr.)
- Audit the arguments passed to setaudit_addr(2)
- AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the audit token is created with the correct type. This fixes the processing of the in_addr_ex token in userspace.
- Change the size of the token (as generated by the kernel) from 5*4 bytes to 4*4 bytes (the correct size of an ip6 address)
- Correct regression from ucred work which resulted in getaudit() not returning E2BIG if the subject had an ip6 termid
- Correct slight regression in getaudit(2) which resulted in the size of a pointer being passed instead of the size of the structure. (This resulted in invalid auditinfo data being returned via getaudit(2))
Reviewed by: rwatson
Approved by: re@ (kensmith)
Obtained from: TrustedBSD Project
MFC after: 1 month
|
171047 |
26-Jun-2007 |
rwatson |
Add a new MAC framework and policy entry point, mpo_check_proc_setaudit_addr to be used when controlling use of setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a different argument type.
Reviewed by: csjp
Approved by: re (kensmith)
|
170777 |
15-Jun-2007 |
rwatson |
In setaudit_addr(), drop the process lock in error cases.
Submitted by: Peter Holm <peter@holm.cc> (BugMaster)
|
170691 |
14-Jun-2007 |
rwatson |
Spell statistics more correctly in comments.
|
170689 |
13-Jun-2007 |
rwatson |
Include priv.h to pick up suser(9) definitions, missed in an earlier commit.
Warnings spotted by: kris
|
170687 |
13-Jun-2007 |
rwatson |
Close a very narrow race that might cause a trigger allocation to be leaked if a trigger is delivered as the trigger device is closed.
Obtained from: TrustedBSD Project
|
170587 |
12-Jun-2007 |
rwatson |
Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in some cases, move to priv_check() if it was an operation on a thread and no other flags were present.
Eliminate caller-side jail exception checking (also now-unused); jail privilege exception code now goes solely in kern_jail.c.
We can't yet eliminate suser() due to some cases in the KAME code where a privilege check is performed and then used in many different deferred paths. Do, however, move those prototypes to priv.h.
Reviewed by: csjp
Obtained from: TrustedBSD Project
|
170585 |
11-Jun-2007 |
rwatson |
Clean up, and sometimes remove, a number of audit-related implementation comments.
Obtained from: TrustedBSD Project
|
170407 |
07-Jun-2007 |
rwatson |
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS.
Reviewed by: csjp
Approved by: re (kensmith)
Obtained from: TrustedBSD Project
|
170307 |
05-Jun-2007 |
jeff |
Commit 14/14 of sched_lock decomposition.
- Use thread_lock() rather than sched_lock for per-thread scheduling synchronization.
- Use the per-process spinlock rather than the sched_lock for per-process scheduling synchronization.
Tested by: kris, current@
Tested on: i386, amd64, ULE, 4BSD, libthr, libkse, PREEMPTION, etc.
Discussed with: kris, attilio, kmacy, jhb, julian, bde (small parts each)
|
170196 |
01-Jun-2007 |
rwatson |
Clean up audit comments--formatting, spelling, etc.
|
170183 |
01-Jun-2007 |
kib |
Change the VOP_OPEN(), vn_open() vnode operation and d_fdopen() cdev operation argument from being file descriptor index into the pointer to struct file: part 2. Convert calls missed in the first big commit.
Noted by: rwatson
Pointy hat to: kib
|
170182 |
01-Jun-2007 |
rwatson |
Remove AUDIT_PRINTF() debugging statements and definition; clean up or remove associated comments.
Slip audit_file_rotate_wait assignment in audit_rotate_vnode() before the drop of the global audit mutex.
Obtained from: TrustedBSD Project
|
170132 |
30-May-2007 |
rwatson |
Remove unused !AUDIT audit_proc_*() prototypes: unlike in Mac OS X, we don't define or use these functions if AUDIT isn't configured.
Obtained from: TrustedBSD Project
|
170131 |
30-May-2007 |
rwatson |
Synchronize white space to congruent user-space code in OpenBSM.
Obtained from: TrustedBSD Project
|
170130 |
30-May-2007 |
rwatson |
Remove unused ar_subj_comm field from in-kernel audit record; we never export this via BSM, so don't pay space/time cost of maintaining it.
Obtained from: TrustedBSD Project
|
170127 |
30-May-2007 |
rwatson |
Consistent white space after .'s in comments.
|
169896 |
23-May-2007 |
rwatson |
No need to force __inline__ of currecord(), as the compiler will usefully inline it when needed already, and the symbol is also required outside of audit.c. This silences a new gcc warning on the topic of using __inline__ instead of __inline.
MFC after: 3 days
|
169831 |
21-May-2007 |
rwatson |
Shorten the name of the kernel audit worker thread from "audit_worker" to "audit".
MFC after: 3 days
|
169097 |
29-Apr-2007 |
rwatson |
Don't expose #ifdef NOTYET parts to userspace via audit_ioctl.h, just remove them, since the functionality they are associated with isn't there yet.
MFC after: 3 days
|
168977 |
23-Apr-2007 |
rwatson |
Rename mac*devfsdirent*() to mac*devfs*() to synchronize with SEDarwin, where similar data structures exist to support devfs and the MAC Framework, but are named differently.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA, Inc.
|
168976 |
23-Apr-2007 |
rwatson |
Apply variable name normalization to MAC policies: adopt global conventions for the naming of variables associated with specific data structures.
Obtained from: TrustedBSD Project
|
168955 |
22-Apr-2007 |
rwatson |
Normalize variable naming in the MAC Framework by adopting the normal variable name conventions for arguments passed into the framework -- for example, name network interfaces 'ifp', sockets 'so', mounts 'mp', mbufs 'm', processes 'p', etc, wherever possible. Previously there was significant variation in this regard.
Normalize copyright lists to ranges where sensible.
|
168954 |
22-Apr-2007 |
rwatson |
In the MAC Framework implementation, file systems have two per-mountpoint labels: the mount label (label of the mountpoint) and the fs label (label of the file system). In practice, policies appear to only ever use one, and the distinction is not helpful.
Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and eliminate extra machinery required to maintain the additional label. Update policies to reflect removal of extra entry points and label.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA, Inc.
|
168951 |
22-Apr-2007 |
rwatson |
Remove MAC Framework access control check entry points made redundant with the introduction of priv(9) and MAC Framework entry points for privilege checking/granting. These entry points exactly aligned with privileges and provided no additional security context:
- mac_check_sysarch_ioperm()
- mac_check_kld_unload()
- mac_check_settime()
- mac_check_system_nfsd()
Add mpo_priv_check() implementations to Biba and LOMAC policies, which, for each privilege, determine if they can be granted to processes considered unprivileged by those two policies. These mostly, but not entirely, align with the set of privileges granted in jails.
Obtained from: TrustedBSD Project
|
168947 |
22-Apr-2007 |
rwatson |
Further MAC test policy cleanup and enhancement:
- Redistribute counter declarations to where they are used, rather than at the file header, so it's more clear where we do (and don't) have counters.
- Add many more counters, one per policy entry point, so that many individual access controls and object life cycle events are tracked.
- Perform counter increments for label destruction explicitly in entry point functions rather than in LABEL_DESTROY().
- Use LABEL_INIT() instead of SLOT_SET() directly in label init functions to be symmetric with destruction.
- Align counter names more carefully with entry point names.
- More constant and variable name normalization.
Obtained from: TrustedBSD Project
|
168944 |
22-Apr-2007 |
rwatson |
Perform overdue clean up mac_test policy:
- Add a more detailed comment describing the mac_test policy.
- Add COUNTER_DECL() and COUNTER_INC() macros to declare and manage various test counters, reducing the verbosity of the test policy quite a bit.
- Add LABEL_CHECK() macro to abbreviate normal validation of labels. Unlike the previous check macros, this checks for a NULL label and doesn't test NULL labels. This means that optionally passed labels will now be handled automatically, although in the case of optional credentials, NULL-checks are still required.
- Add LABEL_DESTROY() macro to abbreviate the handling of label validation and tear-down.
- Add LABEL_NOTFREE() macro to abbreviate check for non-free labels.
- Normalize the names of counters, magic values.
- Remove unused policy "enabled" flag.
Obtained from: TrustedBSD Project
|
168933 |
21-Apr-2007 |
rwatson |
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), and setauid().
MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points.
Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA, Inc.
|
168814 |
17-Apr-2007 |
rwatson |
Remove $P4$ that snuck into CVS from Perforce.
|
168783 |
16-Apr-2007 |
rwatson |
Merge OpenBSM 1.0 alpha 14 changes to src/sys/security/audit:
- au_to_attr64(), au_to_process64(), au_to_subject64(), au_to_subject64_ex(), au_to_zonename(), au_to_header64_tm().
- Extended address token fixes.
Obtained from: TrustedBSD Project
|
168688 |
13-Apr-2007 |
csjp |
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allow processes like sshd to set extended or ip6 information for subject tokens.
The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 and IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from a struct auditinfo_addr to a struct auditinfo.
If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG.
- Change the internal audit record to store an extended terminal ID
- Introduce ARG_TERMID_ADDR
- Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token.
- Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in incorrect address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch
- Change A_GETPINFO to use the appropriate structures
- Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses
- Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr
- Fully implement set{get}audit_addr(2)
NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated.
MFC after: 1 month
Reviewed by: rwatson
Obtained from: TrustedBSD
|
168355 |
04-Apr-2007 |
rwatson |
Replace custom file descriptor array sleep lock constructed using a mutex and flags with an sxlock. This leads to a significant and measurable performance improvement as a result of access to shared locking for frequent lookup operations, reduced general overhead, and reduced overhead in the event of contention. All of these are important for threaded applications where simultaneous access to a shared file descriptor array occurs frequently. Kris has reported 2x-4x transaction rate improvements on 8-core MySQL benchmarks; smaller improvements can be expected for many workloads as a result of reduced overhead.
- Generally eliminate the distinction between "fast" and regular acquisition of the filedesc lock; the plan is that they will now all be fast. Change all locking instances to either shared or exclusive locks.
- Correct a bug (pointed out by kib) in fdfree() where previously msleep() was called without the mutex held; sx_sleep() is now always called with the sxlock held exclusively.
- Universally hold the struct file lock over changes to struct file, rather than the filedesc lock or no lock. Always update the f_ops field last. A further memory barrier is required here in the future (discussed with jhb).
- Improve locking and reference management in linux_at(), which fails to properly acquire vnode references before using vnode pointers. Annotate improper use of vn_fullpath(), which will be replaced at a future date.
In fcntl(), we conservatively acquire an exclusive lock, even though in some cases a shared lock may be sufficient, which should be revisited. The dropping of the filedesc lock in fdgrowtable() is no longer required as the sxlock can be held over the sleep operation; we should consider removing that (pointed out by attilio).
Tested by: kris
Discussed with: jhb, kris, attilio, jeff
|
167211 |
04-Mar-2007 |
rwatson |
Remove 'MPSAFE' annotations from the comments above most system calls: all system calls now enter without Giant held, and then in some cases, acquire Giant explicitly.
Remove a number of other MPSAFE annotations in the credential code and tweak one or two other adjacent comments.
|
166905 |
23-Feb-2007 |
rwatson |
More unnecessary include reduction.
|
166900 |
23-Feb-2007 |
rwatson |
Remove many unneeded includes, update copyright.
|
166899 |
23-Feb-2007 |
rwatson |
Remove empty entry point functions (init, destroy, syscall) from policies that don't need them.
|
166898 |
23-Feb-2007 |
rwatson |
mac_none sample policy has nothing to enforce, so remove sysctls. mac_stub acts as a template policy and holds sample sysctls.
|
166845 |
20-Feb-2007 |
rwatson |
Update auditing of socket information for the inpcb new world order: so_pcb will always be non-NULL, and lock the inpcb while non-atomically accessing address data.
|
166843 |
20-Feb-2007 |
rwatson |
Move mapping of MBI_APPEND to MBI_WRITE from inside the rule loop in mac_bsdextended_check() to before the loop, as it needs to happen only once.
MFC after: 1 week
|
166830 |
19-Feb-2007 |
rwatson |
Do allow bypass of mac_seeotheruids in jail in order to be consistent with other uses of PRIV_SEEOTHERUIDS. This will automatically be scoped to the jail by the jail policy.
|
166617 |
10-Feb-2007 |
rwatson |
In mac_biba_check_system_swapoff(), don't extract the object label since it isn't used in the access control decision. This became visible to Coverity with the change to a function call retrieving label values.
Coverity CID: 1723
|
166538 |
06-Feb-2007 |
rwatson |
Print intptr_t values by first casting to intmax_t and then printing with %jd, as intptr_t may not be int-sized.
Assistance from: jhb Spotted by: Mr Tinderbox
|
166533 |
06-Feb-2007 |
rwatson |
Introduce accessor functions mac_label_get() and mac_label_set() to replace LABEL_TO_SLOT() macro used by policy modules to query and set label data in struct label. Instead of using a union, store an intptr_t, simplifying the API.
Update policies: in most cases this required only small tweaks to current wrapper macros. In two cases, a single wrapper macro had to be split into separate get and set macros.
Move struct label definition from _label.h to mac_internal.h and remove _label.h. With this change, policies may now treat struct label * as opaque, allowing us to change the layout of struct label without breaking the policy module ABI. For example, we could make the maximum number of policies with labels modifiable at boot-time rather than just at compile-time.
Obtained from: TrustedBSD Project
|
166531 |
06-Feb-2007 |
rwatson |
Continue 7-CURRENT MAC Framework rearrangement and cleanup:
Don't perform a nested include of _label.h in mac.h, as mac.h now describes only the user API to MAC, and _label.h defines the in-kernel representation of MAC labels.
Remove mac.h includes from policies and MAC framework components that do not use userspace MAC API definitions.
Add _KERNEL inclusion checks to mac_internal.h and mac_policy.h, as these are kernel-only include files.
Obtained from: TrustedBSD Project
|
165845 |
06-Jan-2007 |
rwatson |
When returning early from audit_arg_file() due to so->so_pcb being NULL (due to an early reset or the like), remember to unlock the socket lock. This will not occur in 7-CURRENT, but could in theory occur in 6-STABLE.
MFC after: 1 week
|
165715 |
01-Jan-2007 |
csjp |
Teach the stub policy about some of the more recent entry points that have been introduced to the MAC framework:
mpo_associate_nfsd_label
mpo_create_mbuf_from_firewall
mpo_check_system_nfsd
mpo_check_vnode_mmap_downgrade
mpo_check_vnode_mprotect
mpo_init_syncache_label
mpo_destroy_syncache_label
mpo_init_syncache_from_inpcb
mpo_create_mbuf_from_syncache
MFC after: 2 weeks [1]
[1] The syncache related entry points will NOT be MFCed as the changes in the syncache subsystem are not present in RELENG_6 yet.
|
165714 |
01-Jan-2007 |
csjp |
Remove conditional return of 1. For the MAC_STATIC case at this point in the code, one being returned is invariant.
Discussed with: rwatson MFC after: 1 week
|
165708 |
31-Dec-2006 |
rwatson |
Only signal the CV indicating that the MAC Framework is available for exclusive access if there is at least one thread waiting for it to become available. This may significantly reduce overhead by reducing the number of unnecessary wakeups issued whenever the framework becomes idle.
Annotate that we still signal the CV more than necessary and should fix this.
Obtained from: TrustedBSD Project Reviewed by: csjp Tested by: csjp
|
165646 |
29-Dec-2006 |
rwatson |
Slightly resort functions in file so that no forward function prototypes are required.
Obtained from: TrustedBSD Project
|
165645 |
29-Dec-2006 |
rwatson |
Re-add include of opt_mac.h in mac_framework.c, which was improperly removed from this file. It is required to pick up the definition of MAC_STATIC.
|
165625 |
29-Dec-2006 |
rwatson |
Remove two XXX comments that no longer apply.
Obtained from: TrustedBSD Project
|
165624 |
29-Dec-2006 |
rwatson |
Use p_cansee() to check that a target process for an audit state manipulation is visible to the subject process. Remove XXX comments suggesting this.
Convert one XXX on a difference from Darwin into a note: it's not a bug, it's a feature.
Obtained from: TrustedBSD Project
|
165621 |
29-Dec-2006 |
rwatson |
Add a witness sleep warning to canon_path(), which invokes vput() and hence may perform an unbounded sleep. Remove an XXX comment suggesting that one be added.
Obtained from: TrustedBSD Project
|
165607 |
28-Dec-2006 |
rwatson |
Add missing include guards to mac_internal.h, update include guards in mac_policy.h following move to new location in src/sys/security/mac.
Obtained from: TrustedBSD Project
|
165604 |
28-Dec-2006 |
rwatson |
Update a number of comments:
- Replace XXX with Note: in several cases where observations are made about future functionality rather than problems or bugs.
- Remove an XXX comment about byte order and au_to_ip() -- IP headers must be submitted in network byte order. Add a comment to this effect.
- Mention that we don't implement select/poll for /dev/audit.
Obtained from: TrustedBSD Project
|
165601 |
28-Dec-2006 |
rwatson |
Remove XXX comments about EA transaction support and provide a more general and detailed comment on the topic of EA transactions and kernel warnings.
Obtained from: TrustedBSD Project
|
165600 |
28-Dec-2006 |
rwatson |
Remove an inaccurate comment I added regarding storage for mbuf tag labels: they are in fact stored in the tag directly.
Obtained from: TrustedBSD Project
|
165599 |
28-Dec-2006 |
rwatson |
In mac_inpcb_sosetlabel(), assert the socket lock rather than commenting that we should assert the socket lock.
Obtained from: TrustedBSD Project
|
165595 |
28-Dec-2006 |
rwatson |
Centralize definition of MAC_VERSION in mac_policy.h, as it defines the kernel<->policy ABI version. Add a comment to the definition describing it and listing known versions. Modify MAC_POLICY_SET() to reference the current kernel version by name rather than by number.
Staticize mac_late, which is used only in mac_framework.c.
Obtained from: TrustedBSD Project
|
165593 |
28-Dec-2006 |
rwatson |
Move mac_init_label() and mac_destroy_label() from mac_framework.c to mac_label.c, and use these instead of replicated code in the label zone constructor and destructor.
Obtained from: TrustedBSD Project
|
165591 |
28-Dec-2006 |
rwatson |
Trim unneeded includes.
|
165590 |
28-Dec-2006 |
rwatson |
Break contents of kern_mac.c out into two files following a repo-copy:
mac_framework.c Contains basic MAC Framework functions, policy registration, sysinits, etc.
mac_syscalls.c Contains implementations of various MAC system calls, including ENOSYS stubs when compiling without options MAC.
Obtained from: TrustedBSD Project
|
165586 |
28-Dec-2006 |
rwatson |
Update MAC Framework general comments, referencing various interfaces it consumes and implements, as well as the location of the framework and policy modules.
Refactor MAC Framework versioning a bit so that the current ABI version can be exported via a read-only sysctl.
Further update comments relating to locking/synchronization.
Update copyright to take into account these and other recent changes.
Obtained from: TrustedBSD Project
|
165505 |
23-Dec-2006 |
rwatson |
Re-wrap comments following de-indentation.
|
165469 |
22-Dec-2006 |
rwatson |
Move src/sys/sys/mac_policy.h, the kernel interface between the MAC Framework and security modules, to src/sys/security/mac/mac_policy.h, completing the removal of kernel-only MAC Framework include files from src/sys/sys. Update the MAC Framework and MAC policy modules. Delete the old mac_policy.h.
Third party policy modules will need similar updating.
Obtained from: TrustedBSD Project
|
165434 |
21-Dec-2006 |
rwatson |
Minor style fixes.
|
165433 |
21-Dec-2006 |
rwatson |
Remove mac_enforce_subsystem debugging sysctls. Enforcement on subsystems will be a property of policy modules, which may require access control check entry points to be invoked even when not actively enforcing (i.e., to track information flow without providing protection).
Obtained from: TrustedBSD Project Suggested by: Christopher dot Vance at sparta dot com
|
165429 |
20-Dec-2006 |
rwatson |
Comment LABEL_TO_SLOT() macro, including observing that we'd like to improve this policy API to avoid encoding struct label binary layout in policy modules.
Obtained from: TrustedBSD Project
|
165428 |
20-Dec-2006 |
rwatson |
Trim trailing white space, clean up comment line wrapping and formatting.
Document mac_associate_nfsd_label().
Obtained from: TrustedBSD Project
|
165427 |
20-Dec-2006 |
rwatson |
Trim trailing white space.
|
165426 |
20-Dec-2006 |
rwatson |
Document socket labeling model.
Clean up comment white space and wrapping.
Obtained from: TrustedBSD Project
|
165425 |
20-Dec-2006 |
rwatson |
Clean up comment white space and line wrapping.
|
165424 |
20-Dec-2006 |
rwatson |
Additional comments regarding the interaction between the kernel privilege model and the MAC Framework.
Obtained from: TrustedBSD Project
|
165423 |
20-Dec-2006 |
rwatson |
Document that we could allocate the mbuf label as part of the tag rather than from the slab, but don't.
Document mac_mbuf_to_label(), mac_copy_mbuf_tag().
Clean up white space/wrapping for other comments.
Obtained from: TrustedBSD Project
|
165422 |
20-Dec-2006 |
rwatson |
Staticize and comment zone_label.
Obtained from: TrustedBSD Project
|
165421 |
20-Dec-2006 |
rwatson |
Clean up comments, trailing white space.
Provide a comment describing MAC_EXTERNALIZE().
Obtained from: TrustedBSD Project
|
165420 |
20-Dec-2006 |
rwatson |
Re-wrap comment at 77 character columns.
|
165414 |
20-Dec-2006 |
rwatson |
Comment and white space cleanup.
Expand comments on System V IPC labeling methods, which could use improved consistency with respect to other object types.
Obtained from: TrustedBSD Project
|
165412 |
20-Dec-2006 |
rwatson |
Externalize local stack copy of the ifnet label, rather than the copy on the ifnet itself. The stack copy has been made while holding the mutex protecting ifnet labels, so copying from the ifnet copy could result in an inconsistent version being copied out.
Reported by: Todd.Miller@sparta.com Obtained from: TrustedBSD Project MFC after: 3 weeks
|
165411 |
20-Dec-2006 |
rwatson |
Expand commenting on label slots, justification for the MAC Framework locking model, interactions between locking and policy init/destroy methods.
Rewrap some comments to 77 character line wrap.
Obtained from: TrustedBSD Project
|
165150 |
13-Dec-2006 |
csjp |
Teach the MAC policies which utilize mbuf labeling the new syncache entry points. Properly initialize the mbuf label based on the label we copy from the PCB. This fixes an LOR between the PCB and syncache code.
|
165149 |
13-Dec-2006 |
csjp |
Fix LOR between the syncache and inpcb locks when MAC is present in the kernel. This LOR snuck in with some of the recent syncache changes. To fix this, the inpcb handling was changed:
- Hang a MAC label off the syncache object.
- When the syncache entry is initially created, the PCB lock is held because we extract information from it while initializing the syncache entry. While we do this, copy the MAC label associated with the PCB and use it for the syncache entry.
- When the packet is transmitted, copy the label from the syncache entry to the mbuf so it can be processed by security policies which analyze mbuf labels.
This change required that the MAC framework be extended to support the label copy operations from the PCB to the syncache entry, and then from the syncache entry to the mbuf.
These functions really should be referencing the syncache structure instead of the label. However, due to some of the complexities associated with exposing this syncache structure we operate directly on its label pointer. This should be OK since we aren't making any access control decisions within this code directly; we are merely allocating and copying label storage so we can properly initialize mbuf labels for any packets the syncache code might create.
This also has a nice side effect of caching. Prior to this change, the PCB would be looked up/locked for each packet transmitted. Now the label is cached at the time the syncache entry is initialized.
Submitted by: andre [1] Discussed with: rwatson
[1] andre submitted the tcp_syncache.c changes
|
164184 |
11-Nov-2006 |
trhodes |
Merge posix4/* into normal kernel hierarchy.
Reviewed by: glanced at by jhb Approved by: silence on -arch@ and -standards@
|
164034 |
06-Nov-2006 |
rwatson |
Add stub entry point implementations of mpo_priv_check and mpo_priv_grant to the mac_stub policy.
Obtained from: TrustedBSD Project
|
164033 |
06-Nov-2006 |
rwatson |
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking.
Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
|
164032 |
06-Nov-2006 |
rwatson |
Add a new priv(9) kernel interface for checking the availability of privilege for threads and credentials. Unlike the existing suser(9) interface, priv(9) exposes a named privilege identifier to the privilege checking code, allowing more complex policies regarding the granting of privilege to be expressed. Two interfaces are provided, replacing the existing suser(9) interface:
suser(td) -> priv_check(td, priv)
suser_cred(cred, flags) -> priv_check_cred(cred, priv, flags)
A comprehensive list of currently available kernel privileges may be found in priv.h. New privileges are easily added as required, but the comments on adding privileges found in priv.h and priv(9) should be read before doing so.
The new privilege interface exposed sufficient information to the privilege checking routine that it will now be possible for jail to determine whether a particular privilege is granted in the check routine, rather than relying on hints from the calling context via the SUSER_ALLOWJAIL flag. For now, the flag is maintained, but a new jail check function, prison_priv_check(), is exposed from kern_jail.c and used by the privilege check routine to determine if the privilege is permitted in jail. As a result, a centralized list of privileges permitted in jail is now present in kern_jail.c.
The MAC Framework is now also able to instrument privilege checks, both to deny privileges otherwise granted (mac_priv_check()), and to grant privileges otherwise denied (mac_priv_grant()), permitting MAC Policy modules to implement privilege models, as well as control a much broader range of system behavior in order to constrain processes running with root privilege.
The suser() and suser_cred() functions remain implemented, now in terms of priv_check() and the PRIV_ROOT privilege, for use during the transition and possibly continuing use by third party kernel modules that have not been updated. The PRIV_DRIVER privilege exists to allow device drivers to check privilege without adopting a more specific privilege identifier.
This change does not modify the actual security policy, rather, it modifies the interface for privilege checks so changes to the security policy become more feasible.
Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
|
164011 |
06-Nov-2006 |
csjp |
Change the type of ar_arg_sockaddr from struct sockaddr to struct sockaddr_storage. This structure is defined in RFC 2553 and is a more semantically correct structure for holding IP and IP6 sockaddr information. struct sockaddr is not big enough to hold all the required information for IP6, resulting in truncated addresses et al when auditing IP6 sockaddr information.
We also need to assume that the sa->sa_len has been validated before the call to audit_arg_sockaddr() is made, otherwise it could result in a buffer overflow. This is being done to accommodate auditing of network related arguments (like connect, bind et al) that will be added soon.
Discussed with: rwatson Obtained from: TrustedBSD Project MFC after: 2 weeks
|
163788 |
30-Oct-2006 |
rwatson |
Forward declare struct cdev, since arguments of this type are used in function prototypes.
Obtained from: TrustedBSD Project
|
163686 |
25-Oct-2006 |
rwatson |
Remove extra _MAC_ from #ifdef guard.
|
163606 |
22-Oct-2006 |
rwatson |
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitions, with all in-kernel interfaces moved to mac_framework.h, which is now included across most of the kernel instead.
This change is the first step in a larger cleanup and sweep of MAC Framework interfaces in the kernel, and will not be MFC'd.
Obtained from: TrustedBSD Project Sponsored by: SPARTA
|
163208 |
10-Oct-2006 |
rwatson |
Do allow jailed superuser to override the port ACL.
MFC after: 3 days Submitted by: Michal Mertl <mime at traveller dot cz>
|
163207 |
10-Oct-2006 |
csjp |
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel.
Looking forward, this problem will be remedied by allowing non-privileged users to maintain their own audit streams, but the details on exactly how this will be implemented need to be worked out.
This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails.
This is a RELENG_6 candidate.
Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
|
162990 |
03-Oct-2006 |
rwatson |
Add BSM conversion switch entries for a number of system calls, many administrative, to prevent console warnings and enable basic event auditing (generally without arguments).
MFC after: 3 days Obtained from: TrustedBSD Project
|
162950 |
02-Oct-2006 |
rwatson |
Trim some no longer XXX comments. Remove some commented out debugging printfs.
MFC after: 3 days Obtained from: TrustedBSD Project
|
162944 |
02-Oct-2006 |
rwatson |
Audit path argument when changing audit trails.
Call NDFREE(), which while not currently strictly necessary, isn't a bad idea.
MFC after: 3 days Obtained from: TrustedBSD Project
|
162599 |
24-Sep-2006 |
rwatson |
Rework the way errors are handled with respect to how audit records are written to the audit trail file:
- audit_record_write() now returns void, and all file system specific error handling occurs inside this function. This pushes error handling complexity out of the record demux routine that hands off to both the trail and audit pipes, and makes trail behavior more consistent with pipes as a record destination.
- Rate limit kernel printfs associated with running low on space. Rate limit audit triggers for low space. Rate limit printfs for fail stop events. Rate limit audit worker write error printfs.
- Document in detail the types of limits and space checks we perform, and combine common cases.
This improves the audit subsystem's tolerance to low space conditions by avoiding toasting the console with printfs or waking up the audit daemon continuously.
MFC after: 3 days Obtained from: TrustedBSD Project
|
162508 |
21-Sep-2006 |
rwatson |
Merge OpenBSM 1.0 alpha 11 changes into src/sys/bsm and src/sys/security; primarily, add new event identifiers and update trigger names.
Obtained from: TrustedBSD Project
|
162467 |
20-Sep-2006 |
rwatson |
Remove MAC_DEBUG label counters, which were used to debug leaks and other problems while labels were first being added to various kernel objects. They have outlived their usefulness.
MFC after: 1 month Suggested by: Christopher dot Vance at SPARTA dot com Obtained from: TrustedBSD Project
|
162466 |
20-Sep-2006 |
rwatson |
Rather than allocating all buffer memory for the completed BSM record when allocating the record in the first place, allocate the final buffer when closing the BSM record. At that point, more size information is available, so a sufficiently large buffer can be allocated.
This allows the kernel to generate audit records in excess of MAXAUDITDATA bytes, but is consistent with Solaris's behavior. This only comes up when auditing command line arguments, in which case we presume the administrator really does want the data as they have specified the policy flag to gather them.
Obtained from: TrustedBSD Project MFC after: 3 days
|
162465 |
20-Sep-2006 |
rwatson |
Add missing white space in au_to_exec_{args,env}().
MFC after: 3 days
|
162419 |
18-Sep-2006 |
csjp |
Make sure that lutimes(2) gets processed and converted into a BSM record.
Submitted by: rwatson MFC after: 1 day
|
162383 |
17-Sep-2006 |
rwatson |
Declare security and security.bsd sysctl hierarchies in sysctl.h along with other commonly used sysctl name spaces, rather than declaring them all over the place.
MFC after: 1 month Sponsored by: nCircle Network Security, Inc.
|
162380 |
17-Sep-2006 |
csjp |
Correct a slight regression which was introduced with the implementation of audit pipes. If the kernel record was not selected for the trail or the pipe, any user supplied record attached to it would be tossed away, resulting in otherwise selected events being lost.
- Introduce two new masks: AR_PRESELECT_USER_TRAIL and AR_PRESELECT_USER_PIPE. Currently we have AR_PRESELECT_TRAIL and AR_PRESELECT_PIPE, which tell the audit worker that we are interested in the kernel record; with the additional masks we can determine if either the pipe or trail is interested in seeing the kernel or user record.
- In audit(2), we unconditionally set the AR_PRESELECT_USER_TRAIL and AR_PRESELECT_USER_PIPE masks under the assumption that userspace has done the preselection [1].
Currently, there is work being done that allows the kernel to parse and preselect user supplied records, so in the future preselection could occur in either layer. But there are still a few details to work out here.
[1] At some point we need to teach au_preselect(3) about the interests of all the individual audit pipes.
This is a RELENG_6 candidate.
Reviewed by: rwatson Obtained from: TrustedBSD Project MFC after: 1 week
|
162372 |
17-Sep-2006 |
rwatson |
Add AUE_SYSARCH to the list of audit events during BSM conversion to prevent a console warning. Eventually, we will capture more arguments for sysarch.
Obtained from: TrustedBSD Project MFC after: 3 days
|
162238 |
12-Sep-2006 |
csjp |
Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point exists to allow the mandatory access control policy to properly initialize mbufs generated by the firewall. An example where this might happen is keep alive packets, or ICMP error packets in response to other packets.
This takes care of kernel panics associated with un-initialized mbuf labels when the firewall generates packets.
[1] I modified this patch from its original version; the initial patch introduced a number of entry points which were programmatically equivalent, so I introduced only one. Instead, we should leverage mac_create_mbuf_netlayer(), which is used for similar situations, an example being icmp_error().
This will minimize the impact associated with the MFC
Submitted by: mlaier [1] MFC after: 1 week
This is a RELENG_6 candidate.
|
162183 |
09-Sep-2006 |
rwatson |
Add struct msg to the forwarded declared data structures in mac_policy.h.
Obtained from: TrustedBSD Project
|
162177 |
09-Sep-2006 |
rwatson |
Add a BSM conversion switch case for AUE_GETCWD, so that a console warning isn't generated when __getcwd() is invoked.
MFC after: 3 days Obtained from: TrustedBSD Project
|
162176 |
09-Sep-2006 |
rwatson |
Small style cleanup.
MFC after: 3 days
|
161970 |
04-Sep-2006 |
rwatson |
White space cleanup, no functional change.
|
161813 |
01-Sep-2006 |
wsalamon |
Audit the argv and env vectors passed in on exec: Add the argument auditing functions for argv and env. Add kernel-specific versions of the tokenizer functions for the arg and env represented as a char array. Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to enable/disable argv/env auditing. Call the argument auditing from the exec system calls.
Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
|
161649 |
26-Aug-2006 |
csjp |
Fix panic associated with file creation via RPC/NFS when the MLS policy is loaded. This problem stems from the fact that the policy is not properly initializing the mac label associated with the NFS daemon.
Obtained from: TrustedBSD Project Discussed with: rwatson
|
161646 |
26-Aug-2006 |
rwatson |
Allow the user process to query the kernel's notion of a maximum audit record size at run-time, which can be used by the user process to size the user space buffer it reads into from the audit pipe.
Perforce change: 105098 Obtained from: TrustedBSD Project
|
161635 |
26-Aug-2006 |
rwatson |
Update kernel OpenBSM parts, especially src/sys/bsm, for the OpenBSM 1.0 alpha 9 import. See the OpenBSM import commit message for a detailed summary of changes.
Obtained from: TrustedBSD Project
|
161601 |
25-Aug-2006 |
rwatson |
Remove $P4$ from this file; other than temporarily P4-local work in progress, the kernel audit code in CVS is considered authoritative. This will ease $P4$-related merging issues during the CVS loopback.
Obtained from: TrustedBSD Project
|
161582 |
24-Aug-2006 |
rwatson |
Add kqueue support to audit pipe pseudo-devices.
Obtained from: TrustedBSD Project
|
161026 |
06-Aug-2006 |
rwatson |
Make mpo_associate_nfsd_label() return void, not int, to match mac_associate_nfsd_label().
Head nod: csjp
|
160425 |
17-Jul-2006 |
phk |
Remove the NDEVFSINO and NDEVFSOVERFLOW options which no longer exist in DEVFS.
Remove the opt_devfs.h file now that it is empty.
|
160243 |
10-Jul-2006 |
csjp |
Implement the mpo_associate_nfsd_label entry point for the BIBA security policy; we will initialize the label to biba/low for files that have been created through an NFS RPC. This is a safe default given the default nature of our NFS implementation; there is not a whole lot of data integrity there by default. This also fixes kernel panics associated with file creation over NFS while creating files on filesystems which have multilabel enabled with BIBA enabled.
MFC after: 2 weeks Discussed with: rwatson
|
160136 |
06-Jul-2006 |
wsalamon |
Audit the remaining parameters to the extattr system calls. Generate the audit records for those calls.
Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
|
160086 |
03-Jul-2006 |
rwatson |
Correct a number of problems that were previously commented on:
- Correct audit_arg_socketaddr() argument name from so to sa.
- Assert arguments are non-NULL to many argument capture functions rather than testing them. This may trip some bugs.
- Assert the process lock is held when auditing process information.
- Test currecord in several more places.
- Test validity of more arguments with kasserts, such as flag values when auditing vnode information.
Perforce change: 98825 Obtained from: TrustedBSD Project
|
159686 |
17-Jun-2006 |
wsalamon |
Make the size of the subject32_ex and process32_ex tokens depend on whether we have an IPv6 address. Write the term ID as 4 or 16 bytes depending on address type. This change matches the recent OpenBSM change, and what Solaris does.
Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
|
159415 |
08-Jun-2006 |
rwatson |
Lock process when copying fields from process structure so as to get a consistent snapshot, as well as get consistent values (i.e., that p_comm is properly nul-terminated).
Perforce CID: 98824 Obtained from: TrustedBSD Project
|
159414 |
08-Jun-2006 |
rwatson |
Prefer C to C++ comments per style(9).
Perforce CID: 98826 Obtained from: TrustedBSD Project
|
159332 |
06-Jun-2006 |
rwatson |
Extract pointer value for mnt_stat from vp after the NULL check, not before.
Coverity ID: 134394 Found with: Coverity Prevent (tm)
|
159318 |
05-Jun-2006 |
rwatson |
Remove use of Giant around vn_open() in audit trail setup.
Submitted by: jhb, wsalamon Obtained from: TrustedBSD Project
|
159278 |
05-Jun-2006 |
rwatson |
When generating BSM tokens for mkfifo(), include mode argument.
Submitted by: wsalamon Obtained from: TrustedBSD Project
|
159277 |
05-Jun-2006 |
rwatson |
When generating the process token, need to check whether the process was successfully audited. Otherwise, generate the PID token. This change covers the pid < 0 cases, and pid lookup failure cases.
Submitted by: wsalamon Obtained from: TrustedBSD Project
|
159275 |
05-Jun-2006 |
rwatson |
Consistently use audit_free() to free records, rather than directly invoking uma_zfree().
Perforce change: 96652 Obtained from: TrustedBSD Project
|
159269 |
05-Jun-2006 |
rwatson |
Introduce support for per-audit pipe preselection independent from the global audit trail configuration. This allows applications consuming audit trails to specify parameters for which audit records are of interest, including selecting records not required by the global trail. Allowing application interest specification without changing the global configuration allows intrusion detection systems to run without interfering with global auditing or each other (if multiple are present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have been selected by the global trail or by the audit pipe subsystem, set during record commit, so that this information is available after BSM conversion when delivering the BSM to the trail and audit pipes in the audit worker thread asynchronously. Preselection by either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created when the system call is entering: consult both the global trail and pipes.
- au_preselect() now accepts the class in order to avoid repeatedly looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether they want to track the global trail, or program their own preselection parameters: they may specify their own flags and naflags masks, similar to the global masks of the same name, as well as a set of per-auid masks. They also set a per-pipe mode specifying whether they track the global trail, or use their own -- the door is left open for future additional modes. A new ioctl is defined to allow a user process to flush the current audit pipe queue, which can be used after reprogramming pre-selection to make sure that only records of interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields necessary to support preselection. By default, audit pipes track the global trail, so "praudit /dev/auditpipe" will track the global audit trail even though praudit doesn't program the audit pipe selection model.
- Comment about the complexities of potentially adding partial read support to audit pipes.
By using a set of ioctls, applications can select which records are of interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
|
159266 |
05-Jun-2006 |
rwatson |
Shorten audit record zone name.
Perforce change: 93598 Obtained from: TrustedBSD Project
|
159265 |
05-Jun-2006 |
rwatson |
No longer unconditionally drain the audit record queue if there is not an active audit trail: instead, continue to iterate through each record in case an audit pipe is interested.
Obtained from: TrustedBSD Project
|
159264 |
05-Jun-2006 |
rwatson |
Pull BSM conversion logic out of audit_record_write(), as well as knowledge of user vs. kernel audit records into audit_worker_process_record(). This largely confines vnode knowledge to audit_record_write(), but avoids that logic knowing about BSM as opposed to byte streams. This will allow us to improve our ability to support real-time audit stream processing by audit pipe consumers while auditing is disabled, but this support is not yet complete.
Obtained from: TrustedBSD Project
|
159263 |
05-Jun-2006 |
rwatson |
Assert audit mtx in audit_worker_drain().
Break out logic to call audit_record_write() and handle error conditions into audit_worker_process_record(). This will be the future home of some logic now present in audit_record_write() also.
Obtained from: TrustedBSD Project
|
159262 |
05-Jun-2006 |
rwatson |
Use struct kaudit_queue instead of a hand-crafted queue type for audit records in the audit_worker thread.
Obtained from: TrustedBSD Project
|
159261 |
05-Jun-2006 |
rwatson |
Rename audit_cv to audit_worker_cv, as it wakes up the audit worker.
Rename audit_commit_cv to audit_watermark_cv, since it is there to wake up threads waiting on hitting the low watermark. Describe properly in comment.
Obtained from: TrustedBSD Project
|
159259 |
05-Jun-2006 |
rwatson |
Merge OpenBSM 1.0 alpha 6 changes for BSM token creation to src/sys/security/audit:
- Clarify and clean up AUR_ types to match Solaris.
- Clean up use of host vs. network byte order for IP addresses.
- Remove combined user/kernel implementations of some token creation calls, such as au_to_file(), header calls, etc.
Obtained from: TrustedBSD Project
|
159143 |
01-Jun-2006 |
csjp |
Check to see if the rootdir is the same as the current working directory. If it is, and the pathname was relative, do not separate the components with a '/' character.
Obtained from: TrustedBSD Project
|
158043 |
26-Apr-2006 |
rwatson |
Reconstitute struct mac_policy_ops by breaking out individual function pointer prototypes from it into their own typedefs. No functional or ABI change. This allows policies to declare their own function prototypes based on a common definition from mac_policy.h rather than duplicating these definitions.
Obtained from: SEDarwin, SPARTA MFC after: 1 month
|
157986 |
23-Apr-2006 |
dwmalone |
Add some new options to mac_bsdestended. We can now match on:
subject: ranges of uid, ranges of gid, jail id
objects: ranges of uid, ranges of gid, filesystem, object is suid, object is sgid, object matches subject uid/gid, object type
We can also negate individual conditions. The ruleset language is a superset of the previous language, so old rules should continue to work.
These changes require a change to the API between libugidfw and the mac_bsdextended module. Add a version number, so we can tell if we're running mismatched versions.
Update man pages to reflect changes, add extra test cases to test_ugidfw.c and add a shell script that checks that the module seems to do what we expect.
Suggestions from: rwatson, trhodes Reviewed by: trhodes MFC after: 2 months
|
157575 |
06-Apr-2006 |
csjp |
Introduce a new MAC entry point for label initialization of the NFS daemon's credential: mac_associate_nfsd_label()
This entry point can be utilized by various Mandatory Access Control policies so they can properly initialize the label of files which get created as a result of an NFS operation. This work will be useful for fixing kernel panics associated with accessing un-initialized or invalid vnode labels.
The implementation of these entry points will come shortly.
Obtained from: TrustedBSD Requested by: mdodd MFC after: 3 weeks
|
156893 |
19-Mar-2006 |
tegge |
Don't call vn_finished_write() if vn_start_write() failed.
|
156889 |
19-Mar-2006 |
rwatson |
Merge Perforce change 93581 from TrustedBSD audit3 branch:
Mega-style patch.
Obtained from: TrustedBSD Project
|
156888 |
19-Mar-2006 |
rwatson |
Merge Perforce changes 93512, 93514, 93515 from TrustedBSD audit3 branch:
Integrate audit.c to audit_worker.c, so as to migrate the worker thread implementation to its own .c file.
Populate audit_worker.c using parts now removed from audit.c:
- Move audit rotation global variables.
- Move audit_record_write(), audit_worker_rotate(), audit_worker_drain(), audit_worker(), audit_rotate_vnode().
- Create audit_worker_init() from relevant parts of audit_init(), which now calls this routine.
- Recreate audit_free(), which wraps uma_zfree() so that audit_record_zone can be static to audit.c.
- Unstaticize various types and variables relating to the audit record queue so that audit_worker can get to them. We may want to wrap these in accessor methods at some point.
- Move AUDIT_PRINTF() to audit_private.h.
Addition of audit_worker.c to kernel configuration, missed in earlier submit.
Obtained from: TrustedBSD Project
|
156884 |
19-Mar-2006 |
rwatson |
Merge Perforce change 93570 from TrustedBSD audit3 branch:
Add audit pipe ioctls to query minimum and maximum audit queue lengths.
Obtained from: TrustedBSD Project
|
156883 |
19-Mar-2006 |
rwatson |
Merge Perforce change 93567 from TrustedBSD audit3 branch:
Bump default queue limit for audit pipes from 32 to 128, since 32 is pretty small.
Obtained from: TrustedBSD Project
|
156882 |
19-Mar-2006 |
rwatson |
Merge Perforce change 93568 from TrustedBSD audit3 branch:
Normalize nested include guards.
Obtained from: TrustedBSD Project
|
156880 |
19-Mar-2006 |
rwatson |
Merge Perforce change 93506 from TrustedBSD audit3 branch:
Add ioctls to audit pipes in order to allow querying of the current record queue state, setting of the queue limit, and querying of pipe statistics.
Obtained from: TrustedBSD Project
|
156846 |
18-Mar-2006 |
rwatson |
Merge perforce 93507:
Correct comment: this print is now from audit_record_write(), not audit_worker().
Obtained from: TrustedBSD Project
|
156845 |
18-Mar-2006 |
rwatson |
Merge perforce change 93199:
Change send_trigger() prototype to return an int, so that user space callers can tell if the message was successfully placed in the trigger queue. This isn't quite the same as it being successfully received, but is close enough that we can generate a more useful warning message in audit(8).
Obtained from: TrustedBSD Project
|
156300 |
04-Mar-2006 |
dwmalone |
Create a mac_bsdextended_check_vp function that takes a cred, a vnode and a mode and checks if a given access mode is permitted. This centralises the mac_bsdextended_enabled check and the GETATTR calls and makes the implementation of the mac policy methods simple.
This should make it easier for us to match vnodes on more complex attributes than just uid and gid in the future, but for now there should be no functional change.
Approved/Reviewed by: rwatson, trhodes MFC after: 1 month
|
156292 |
04-Mar-2006 |
rwatson |
Count drops when the first of two pipe mallocs fails.
Obtained from: TrustedBSD Project
|
156291 |
04-Mar-2006 |
rwatson |
Update src/sys/security/audit for OpenBSM 1.0 alpha 5:
- Include audit_internal.h to get definition of internal audit record structures, as it's no longer in audit.h. Forward declare au_record in audit_private.h as not all audit_private.h consumers care about it.
- Remove __APPLE__ compatibility bits that are subsumed by configure for user space.
- Don't expose in6_addr internals (non-portable, but also cleaner looking).
- Avoid nested include of audit.h in audit_private.h.
Obtained from: TrustedBSD Project
|
156225 |
02-Mar-2006 |
tegge |
Eliminate a deadlock when creating snapshots. Blocking vn_start_write() must be called without any vnode locks held. Remove calls to vn_start_write() and vn_finished_write() in vnode_pager_putpages() and add these calls before the vnode lock is obtained to most of the callers that don't already have them.
|
155559 |
11-Feb-2006 |
rwatson |
Add stub AUE_EACCESS entry.
Obtained from: TrustedBSD Project
|
155558 |
11-Feb-2006 |
rwatson |
Initialize user process audit ID to AU_DEFAUDITID so that init and its pre-authentication children are covered by naflags.
Obtained from: TrustedBSD Project
|
155448 |
07-Feb-2006 |
rwatson |
Acquire vnode lock around call to VOP_GETATTR() in audit_record_write(). In the future, we may want to acquire the lock early in the function and hold it across calls to vn_rdwr(), etc, to avoid multiple acquires.
Spotted by: kris (bugmagnet) Obtained from: TrustedBSD Project
|
155428 |
07-Feb-2006 |
rwatson |
Fix queue drop logic when the queue overflows: decrement queue length.
Obtained from: TrustedBSD Project
|
155408 |
06-Feb-2006 |
rwatson |
Add support for audit pipe special devices, which allow user space applications to insert a "tee" in the live audit event stream. Records are inserted into a per-clone queue so that user processes can pull discrete records out of the queue. Unlike delivery to disk, audit pipes are "lossy", dropping records in low memory conditions or when the process falls behind real-time events. This mechanism is appropriate for use by live monitoring systems, host-based intrusion detection, etc, and avoids applications having to dig through active on-disk trails that are owned by the audit daemon.
Obtained from: TrustedBSD Project
|
155406 |
06-Feb-2006 |
rwatson |
Manage audit record memory with the slab allocator, turning initialization routines into a ctor, tear-down to a dtor, cleaning up, etc. This will allow audit records to be allocated from per-cpu caches.
On recent FreeBSD, dropping the audit_mtx around freeing to UMA is no longer required (at one point it was possible to acquire Giant on that path), so a mutex-free thread-local drain is no longer required.
Obtained from: TrustedBSD Project
|
155353 |
05-Feb-2006 |
rwatson |
When GC'ing a thread, assert that it has no active audit record. This should not happen, but with this assert, brueffer and I would not have spent 45 minutes trying to figure out why he wasn't seeing audit records with the audit version in CVS.
Obtained from: TrustedBSD Project
|
155271 |
04-Feb-2006 |
rwatson |
Cast pointers to (uintptr_t) before down-casting to (int). This avoids an incompatible conversion from a 64-bit pointer to a 32-bit integer on 64-bit platforms. We will investigate whether Solaris uses a 64-bit token here, or a new record here, in order to avoid truncating user pointers that are 64-bit. However, in the mean time, truncation is fine as these are rarely/never used fields in audit records.
Obtained from: TrustedBSD Project
|
155270 |
03-Feb-2006 |
rwatson |
Fix INVARIANTS build on amd64; (unsigned unsigned long) != u_int64_t.
Submitted by: mlaier
|
155258 |
03-Feb-2006 |
rwatson |
Remove user.h include in audit.h, it is unneeded, and also can cause build problems for other components that include audit.h.
|
155195 |
02-Feb-2006 |
rwatson |
Add new fields to process-related data structures:
- td_ar to struct thread, which holds the in-progress audit record during a system call.
- p_au to struct proc, which holds per-process audit state, such as the audit identifier, audit terminal, and process audit masks.
In the earlier implementation, td_ar was added to the zero'd section of struct thread. In order to facilitate merging to RELENG_6, it has been moved to the end of the data structure, requiring explicit initialization in the thread constructor.
Much help from: wsalamon Obtained from: TrustedBSD Project
|
155192 |
01-Feb-2006 |
rwatson |
Import kernel audit framework:
- Management of audit state on processes.
- Audit system calls to configure process and system audit state.
- Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk.
- Audit event argument.
- Internal audit data structure -> BSM audit trail conversion library.
- Audit event pre-selection.
- Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events.
Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
|
154386 |
15-Jan-2006 |
csjp |
Fix potential overrun of static stack allocated array which stores the rules. If an array is N elements large, we can only access elements 0..(N-1).
MFC after: 1 week Found with: Coverity Prevent(tm)
|
153927 |
31-Dec-2005 |
csjp |
Introduce a new sysctl variable:
security.mac.biba.interfaces_equal
If non-zero, all network interfaces will be created with the label:
biba/equal(equal-equal)
This is useful where programs which initialize network interfaces do not have any labeling support. This includes dhclient and ppp. A long term solution is to add labeling support into dhclient(8) and ppp(8), and remove this variable.
It should be noted that this behavior is different from setting the:
security.mac.biba.trust_all_interfaces
sysctl variable, as this will create interfaces with a biba/high label. Lower integrity processes are not able to write to the interface in this event. The security.mac.biba.interfaces_equal will override trust_all_interfaces.
The security.mac.biba.interfaces_equal variable will be set to zero or disabled by default.
MFC after: 2 weeks
|
151897 |
31-Oct-2005 |
rwatson |
Normalize a significant number of kernel malloc type names:
- Prefer '_' to ' ', as it results in more easily parsed results in memory monitoring tools such as vmstat.
- Remove punctuation that is incompatible with using memory type names as file names, such as '/' characters.
- Disambiguate some collisions by adding subsystem prefixes to some memory types.
- Generally prefer lower case to upper case.
- If the same type is defined in multiple architecture directories, attempt to use the same name in additional cases.
Not all instances were caught in this change, so more work is required to finish this conversion. Similar changes are required for UMA zone names.
|
151115 |
09-Oct-2005 |
csjp |
Lock object while we iterate through its backing objects.
Discussed with: alc
|
150923 |
04-Oct-2005 |
csjp |
Use the correct object's backing_object_offset while calculating offsets. While we are here, add a note that we need to lock the object before walking the backing object list.
Pointed out by: alc Discussed with: rwatson
|
150914 |
04-Oct-2005 |
csjp |
Standard Giant push down operations for the Mandatory Access Control (MAC) framework. This makes Giant protection around MAC operations which interact with VFS conditional, based on the MPSAFE status of the file system.
Affected the following syscalls:
o __mac_get_fd
o __mac_get_file
o __mac_get_link
o __mac_set_fd
o __mac_set_file
o __mac_set_link
- Drop Giant altogether in __mac_set_proc because the mac_cred_mmapped_drop_perms_recurse routine no longer requires it.
- Move conditional Giant acquisitions to after label allocation routines.
- Move the conditional release of Giant to before label de-allocation routines.
Discussed with: rwatson
|
150913 |
04-Oct-2005 |
csjp |
Conditionally pick up Giant in mac_cred_mmapped_drop_perms_recurse so we can drop it altogether in __mac_set_proc.
Reviewed by: alc Discussed with: rwatson
|
150805 |
02-Oct-2005 |
rwatson |
Complete removal of mac_create_root_mount/mpo_create_root_mount MAC interfaces.
Obtained from: TrustedBSD Project Submitted by: Chris Vance <Christopher dot Vance at SPARTA dot com> MFC after: 3 days
|
150764 |
30-Sep-2005 |
trhodes |
Allow the root user to be aware of other credentials by virtue of privilege.
Submitted by: rwatson
|
150340 |
19-Sep-2005 |
phk |
Add #include <sys/sx.h>, devfs is going to require this shortly.
|
150324 |
19-Sep-2005 |
rwatson |
Remove mac_create_root_mount() and mpo_create_root_mount(), which provided access to the root file system before the start of the init process. This was used briefly by SEBSD before it knew about preloading data in the loader, and using that method to gain access to data earlier results in fewer inconsistencies in the approach. Policy modules still have access to the root file system creation event through the mac_create_mount() entry point.
Removed now, and will be removed from RELENG_6, in order to gain third party policy dependencies on the entry point for the lifetime of the 6.x branch.
MFC after: 3 days Submitted by: Chris Vance <Christopher dot Vance at SPARTA dot com> Sponsored by: SPARTA
|
148858 |
08-Aug-2005 |
rwatson |
Insert a series of place-holder function pointers in mac_policy.h for entry points that will be inserted over the life-time of the 6.x branch, including for:
- New struct file labeling (void * already added to struct file), events, access control checks.
- Additional struct mount access control checks, internalization/externalization.
- mac_check_cap()
- System call enter/exit check and event.
- Socket and vnode ioctl entry points.
MFC after: 3 days
|
148482 |
28-Jul-2005 |
trhodes |
If a "hole" opens up in the ruleset (i.e.: remove 5), do not return unknown error. Instead, just return error.
Submitted by: avatar Tested by: trhodes
|
148259 |
21-Jul-2005 |
rwatson |
Remove duplicate initialization of mpo_create_stub pointer.
PR: 83779 Submitted by: Wojciech A. Koszek <dunstan at freebsd dot czest dot pl> MFC after: 3 days
|
147983 |
14-Jul-2005 |
rwatson |
Bump the module versions of the MAC Framework and MAC policy modules from 2 (6.x) to 3 (7.x) to allow for future changes in the MAC policy module ABI in 7.x.
Obtained from: TrustedBSD Project
|
147982 |
14-Jul-2005 |
rwatson |
When devfs cloning takes place, provide access to the credential of the process that caused the clone event to take place for the device driver creating the device. This allows cloned device drivers to adapt the device node based on security aspects of the process, such as the uid, gid, and MAC label.
- Add a cred reference to struct cdev, so that when a device node is instantiated as a vnode, the cloning credential can be exposed to MAC.
- Add make_dev_cred(), a version of make_dev() that additionally accepts the credential to stick in the struct cdev. Implement it and make_dev() in terms of a back-end make_dev_credv().
- Add a new event handler, dev_clone_cred, which can be registered to receive the credential instead of dev_clone, if desired.
- Modify the MAC entry point mac_create_devfs_device() to accept an optional credential pointer (may be NULL), so that MAC policies can inspect and act on the label or other elements of the credential when initializing the skeleton device protections.
- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(), so that the pty clone credential is exposed to the MAC Framework.
While currently primarily focussed on MAC policies, this change is also a prerequisite for changes to allow ptys to be instantiated with the UID of the process looking up the pty. This requires further changes to the pty driver -- in particular, to immediately recycle pty nodes on last close so that the credential-related state can be recreated on next lookup.
Submitted by: Andrew Reisse <andrew.reisse@sparta.com> Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA MFC after: 1 week MFC note: Merge to 6.x, but not 5.x for ABI reasons
|
147785 |
05-Jul-2005 |
rwatson |
Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is redundant with respect to existing mbuf copy label routines. Expose a new mac_copy_mbuf() routine at the top end of the Framework and use that; use the existing mpo_copy_mbuf_label() routine on the bottom end.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, SPAWAR Approved by: re (scottl)
|
147784 |
05-Jul-2005 |
rwatson |
Add MAC Framework and MAC policy entry point mac_check_socket_create(), which is invoked from socket() and socketpair(), permitting MAC policy modules to control the creation of sockets by domain, type, and protocol.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, SPAWAR Approved by: re (scottl) Requested by: SCC
|
147222 |
10-Jun-2005 |
csjp |
Correct grammar error in comment
MFC after: 3 days
|
147091 |
07-Jun-2005 |
rwatson |
Gratuitous renaming of four System V Semaphore MAC Framework entry points to convert _sema() to _sem() for consistency purposes with respect to the other semaphore-related entry points:
mac_init_sysv_sema() -> mac_init_sysv_sem()
mac_destroy_sysv_sem() -> mac_destroy_sysv_sem()
mac_create_sysv_sema() -> mac_create_sysv_sem()
mac_cleanup_sysv_sema() -> mac_cleanup_sysv_sem()
Congruent changes are made to the policy interface to support this.
Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA
|
145855 |
04-May-2005 |
rwatson |
Introduce MAC Framework and MAC Policy entry points to label and control access to POSIX Semaphores:
mac_init_posix_sem() Initialize label for POSIX semaphore
mac_create_posix_sem() Create POSIX semaphore
mac_destroy_posix_sem() Destroy POSIX semaphore
mac_check_posix_sem_destroy() Check whether semaphore may be destroyed
mac_check_posix_sem_getvalue() Check whether semaphore may be queried
mac_check_posix_sem_open() Check whether semaphore may be opened
mac_check_posix_sem_post() Check whether semaphore may be posted to
mac_check_posix_sem_unlink() Check whether semaphore may be unlinked
mac_check_posix_sem_wait() Check whether may wait on semaphore
Update Biba, MLS, Stub, and Test policies to implement these entry points. For information flow policies, most semaphore operations are effectively read/write.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Sponsored by: DARPA, McAfee, SPARTA Obtained from: TrustedBSD Project
|
145414 |
22-Apr-2005 |
trhodes |
Get the directory structure correct in a comment.
Submitted by: Samy Al Bahra
|
145412 |
22-Apr-2005 |
trhodes |
Add locking support to mac_bsdextended:
- Introduce a global mutex, mac_bsdextended_mtx, to protect the rule array and hold this mutex over use and modification of the rule array and rules.
- Re-order and clean up sysctl_rule so that copyin/copyout/update happen in the right order (suggested by: jhb done by rwatson).
|
145234 |
18-Apr-2005 |
rwatson |
Introduce p_canwait() and MAC Framework and MAC Policy entry points mac_check_proc_wait(), which control the ability to wait4() specific processes. This permits MAC policies to limit information flow from children that have changed label, although has to be handled carefully due to common programming expectations regarding the behavior of wait4(). The cr_seeotheruids() check in p_canwait() is #if 0'd for this reason.
The mac_stub and mac_test policies are updated to reflect these new entry points.
Sponsored by: SPAWAR, SPARTA Obtained from: TrustedBSD Project
|
145167 |
16-Apr-2005 |
rwatson |
Introduce three additional MAC Framework and MAC Policy entry points to control socket poll() (select()), fstat(), and accept() operations, required for some policies:
poll() mac_check_socket_poll()
fstat() mac_check_socket_stat()
accept() mac_check_socket_accept()
Update mac_stub and mac_test policies to be aware of these entry points. While here, add missing entry point implementations for:
mac_stub.c stub_check_socket_receive()
mac_stub.c stub_check_socket_send()
mac_test.c mac_test_check_socket_send()
mac_test.c mac_test_check_socket_visible()
Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA
|
145160 |
16-Apr-2005 |
rwatson |
In mac_get_fd(), remove unconditional acquisition of Giant around copying of the socket label to thread-local storage, and replace it with conditional acquisition based on debug.mpsafenet. Acquire the socket lock around the copy operation.
In mac_set_fd(), replace the unconditional acquisition of Giant with the conditional acquisition of Giant based on debug.mpsafenet. The socket lock is acquired in mac_socket_label_set() so doesn't have to be acquired here.
Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA
|
145147 |
16-Apr-2005 |
rwatson |
Introduce new MAC Framework and MAC Policy entry points to control the use of system calls to manipulate elements of the process credential, including:
setuid() mac_check_proc_setuid()
seteuid() mac_check_proc_seteuid()
setgid() mac_check_proc_setgid()
setegid() mac_check_proc_setegid()
setgroups() mac_check_proc_setgroups()
setreuid() mac_check_proc_setreuid()
setregid() mac_check_proc_setregid()
setresuid() mac_check_proc_setresuid()
setresgid() mac_check_proc_setresgid()
MAC checks are performed before other existing security checks; both current credential and intended modifications are passed as arguments to the entry points. The mac_test and mac_stub policies are updated.
Submitted by: Samy Al Bahra <samy@kerneled.org> Obtained from: TrustedBSD Project
|
145076 |
14-Apr-2005 |
csjp |
Move MAC check_vnode_mmap entry point out from being exclusive to MAP_SHARED so that the entry point gets executed un-conditionally. This may be useful for security policies which want to perform access control checks around run-time linking.
- Add the mmap(2) flags argument to the check_vnode_mmap entry point so that we can make access control decisions based on the type of mapped object.
- Update any dependent API around this parameter addition such as function prototype modifications, entry point parameter additions and the inclusion of sys/mman.h header file.
- Change the MLS, BIBA and LOMAC security policies so that subject domination routines are not executed unless the type of mapping is shared. This is done to maintain compatibility between the old vm_mmap_vnode(9) and these policies.
Reviewed by: rwatson MFC after: 1 month
|
142383 |
24-Feb-2005 |
rwatson |
Remove an accidental clearing of the new label pointer on a system V message queue, which was introduced during the merge process.
Submitted by: Andrew Reisse <areisse at nailabs dot com>
|
141802 |
13-Feb-2005 |
rwatson |
Synchronize HEAD copyright/license with RELENG_5 copyright/license: McAfee instead of NETA.
|
141050 |
30-Jan-2005 |
rwatson |
Update copyright for NETA->McAfee.
|
140879 |
26-Jan-2005 |
rwatson |
Remove policy references to mpo_check_vnode_mprotect(), which is currently unimplemented.
Update copyrights.
Pointed out by: csjp
|
140661 |
23-Jan-2005 |
rwatson |
Remove an obsoleted comment about struct versions.
MFC after: 3 days Pointed out by: trhodes
|
140635 |
22-Jan-2005 |
rwatson |
Update mac_test for MAC Framework policy entry points System V IPC objects (message queues, semaphores, shared memory), exercising and validating MAC labels on these objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Obtained from: TrustedBSD Project Sponsored by: DARPA, SPAWAR, McAfee Research
|
140632 |
22-Jan-2005 |
rwatson |
Update mac_stub for MAC Framework policy entry points System V IPC objects (message queues, semaphores, shared memory).
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Obtained from: TrustedBSD Project Sponsored by: DARPA, SPAWAR, McAfee Research
|
140629 |
22-Jan-2005 |
rwatson |
Implement MLS confidentiality protection for System V IPC objects (message queues, semaphores, shared memory).
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Obtained from: TrustedBSD Project Sponsored by: DARPA, SPAWAR, McAfee Research
|
140628 |
22-Jan-2005 |
rwatson |
Implement Biba integrity protection for System V IPC objects (message queues, semaphores, shared memory).
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Obtained from: TrustedBSD Project Sponsored by: DARPA, SPAWAR, McAfee Research
|
139614 |
03-Jan-2005 |
rwatson |
Exempt the superuser from mac_seeotheruids checks.
Submitted by: bkoenig at cs dot tu-berlin dot de PR: 72238 MFC after: 2 weeks
|
138556 |
08-Dec-2004 |
rwatson |
Add a new sysctl/tunable to mac_portacl:
security.mac.portacl.autoport_exempt
This sysctl exempts binding to port '0' as long as IP_PORTRANGELOW hasn't been set on the socket. This is quite useful as it allows applications to use automatic binding without adding overly broad rules for the binding of port 0. This sysctl defaults to enabled.
This is a slight variation on the patch submitted by the contributor.
MFC after: 2 weeks Submitted by: Michal Mertl <mime at traveller dot cz>
|
138477 |
06-Dec-2004 |
rwatson |
Switch from using an sx lock to a mutex for the mac_portacl rule chain: the sx lock was used previously because we might sleep allocating additional memory by using auto-extending sbufs. However, we no longer do this, instead retaining the user-submitted rule string, so mutexes can be used instead. Annotate the reason for not using the sbuf-related rule-to-string code with a comment.
Switch to using TAILQ_CONCAT() instead of manual list copying, as it's O(1), reducing the rule replacement step under the mutex from O(2N) to O(2).
Remove now unneeded vnode-related includes.
MFC after: 2 weeks
|
137817 |
17-Nov-2004 |
rwatson |
Implement MAC entry points relating to System V IPC, calling into the MAC policies to perform object life cycle operations and access control checks.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Obtained from: TrustedBSD Project Sponsored by: DARPA, SPAWAR, McAfee Research
|
137815 |
17-Nov-2004 |
rwatson |
Define new MAC framework and policy entry points for System V IPC objects and operations:
- System V IPC message, message queue, semaphore, and shared memory segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, semaphore, and shared memory segment access control entry points, including rights to attach, destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Obtained from: TrustedBSD Project Sponsored by: DARPA, SPAWAR, McAfee Research
|
137454 |
09-Nov-2004 |
rwatson |
Bump MAC Framework version to 2 in preparation for the upcoming API/ABI changes associated with adding System V IPC support. This will prevent old modules from being used with the new kernel, and new modules from being used with the old kernel.
|
137072 |
30-Oct-2004 |
rwatson |
Disable use of synchronization early in the boot by the MAC Framework; for modules linked into the kernel or loaded very early, panics will result otherwise, as the CV code it calls will panic due to its use of a mutex before it is initialized.
|
136812 |
23-Oct-2004 |
rwatson |
/%x/%s/ -- mismerged DEBUGGER() printf() format string from the TrustedBSD branch.
Submitted by: bde
|
136776 |
22-Oct-2004 |
rwatson |
Expand comments on various sections of the MAC Framework Policy API, as well as document the properties of the mac_policy_conf structure. Warn about the ABI risks in changing the structure without careful consideration.
Obtained from: TrustedBSD Project Sponsored by: SPAWAR
|
136775 |
22-Oct-2004 |
rwatson |
Replace direct reference to kdb_enter() with a DEBUGGER() macro that will call printf() if KDB isn't compiled into the kernel.
Obtained from: TrustedBSD Project Sponsored by: SPAWAR
|
136774 |
22-Oct-2004 |
rwatson |
Minor white space synchronization and line wrapping.
|
136773 |
22-Oct-2004 |
rwatson |
In the MAC label zone destructor, assert that the label is only destroyed in an initialized state.
|
136772 |
22-Oct-2004 |
rwatson |
Remove extern declaration of mac_enforce_sysv, as it's not present in the CVS version of the MAC Framework.
|
136742 |
21-Oct-2004 |
rwatson |
Bump copyright dates for NETA on these files.
|
136739 |
21-Oct-2004 |
rwatson |
Modify mac_bsdextended policy so that it defines its own vnode access right bits rather than piggy-backing on the V* rights defined in vnode.h. The mac_bsdextended bits are given the same values as the V* bits to make the new kernel module binary compatible with the old version of libugidfw that uses V* bits. This avoids leaking kernel API/ABI to user management tools, and in particular should remove the need for libugidfw to include vnode.h.
Requested by: phk
|
135039 |
10-Sep-2004 |
trhodes |
Remove the debugging tunable, it was not being used. Enable first match by default.[1]
We should: rwatson [1]
|
134132 |
21-Aug-2004 |
trhodes |
Allow mac_bsdextended(4) to log failed attempts to syslog's AUTHPRIV facility. This is disabled by default but may be turned on by using the mac_bsdextended_logging sysctl.
Reviewed by: re (jhb) Approved by: re (jhb)
|
134131 |
21-Aug-2004 |
trhodes |
Give the mac_bsdextended(4) policy the ability to match and apply on a first rule only in place of all rules match. This is similar to how ipfw(8) works.
Provide a sysctl, mac_bsdextended_firstmatch_enabled, to enable this feature.
Reviewed by: re (jhb) Approved by: re (jhb)
|
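The two evaluation modes described for mac_bsdextended(4) above, as an added example rather than the policy's own source. It models rules as (subject uid, object owner uid, permitted mode bits) only, assumes a request is allowed when no rule applies, and includes the root effective-uid bypass that a later entry on this page (r132563) describes; the type and function names (struct rule, bsdext_check, ANY_UID, MODE_*) are constructed for the example.

```c
/*
 * Added example, not the mac_bsdextended(4) source: a simplified model of
 * "all rules match" versus "first match" rule evaluation, as selected by the
 * mac_bsdextended_firstmatch_enabled sysctl. Rule fields, mode bits and
 * function names are constructed; real ugidfw rules carry more criteria.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define MODE_R 0x4u
#define MODE_W 0x2u
#define MODE_X 0x1u

#define ANY_UID ((unsigned)-1)   /* wildcard for either uid field */

struct rule {
    unsigned subject_uid;   /* effective uid of the subject, or ANY_UID */
    unsigned object_uid;    /* owner uid of the object, or ANY_UID */
    unsigned mode;          /* access bits this rule permits */
};

/* A rule is applicable when both uid criteria match (wildcards allowed). */
static bool rule_applies(const struct rule *r, unsigned subj, unsigned obj)
{
    return (r->subject_uid == ANY_UID || r->subject_uid == subj) &&
           (r->object_uid == ANY_UID || r->object_uid == obj);
}

/*
 * Evaluate a request for the access bits in "want".
 *   firstmatch == false: every applicable rule must permit the access;
 *                        the first applicable rule that does not denies.
 *   firstmatch == true:  the first applicable rule decides on its own and
 *                        later rules are never consulted (ipfw-style).
 * Modelling assumption: with no applicable rule the access is allowed.
 * Returns 0 to allow or EACCES to deny.
 */
int bsdext_check(const struct rule *rules, size_t nrules, bool firstmatch,
                 unsigned subj_euid, unsigned obj_uid, unsigned want)
{
    /* r132563 behaviour: an effective uid of root bypasses this policy. */
    if (subj_euid == 0)
        return 0;

    for (size_t i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];

        if (!rule_applies(r, subj_euid, obj_uid))
            continue;
        if ((r->mode & want) != want)
            return EACCES;      /* applicable rule lacks a requested bit */
        if (firstmatch)
            return 0;           /* first applicable rule decided: allow */
    }
    return 0;
}

/*
 * Constructed rule set: uid 1000 may read and write its own files, but a
 * later catch-all rule only permits reading. The two modes disagree on a
 * write by uid 1000 to its own file.
 */
static const struct rule demo_rules[] = {
    { 1000,    1000,    MODE_R | MODE_W },
    { ANY_UID, ANY_UID, MODE_R },
};
#define NDEMO (sizeof(demo_rules) / sizeof(demo_rules[0]))

int demo_write_allmatch(void)
{
    return bsdext_check(demo_rules, NDEMO, false, 1000, 1000, MODE_W);
}

int demo_write_firstmatch(void)
{
    return bsdext_check(demo_rules, NDEMO, true, 1000, 1000, MODE_W);
}
```

In all-match mode the catch-all read-only rule still applies to uid 1000 and vetoes the write; in first-match mode the more specific rule listed first decides and the write is allowed, which is why rule order carries the whole meaning of a first-match rule set.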
132987 |
02-Aug-2004 |
green |
* Add a "how" argument to uma_zone constructors and initialization functions so that they know whether the allocation is supposed to be able to sleep or not.
* Allow uma_zone constructors and initialization functions to return either success or error. Almost all of the ones in the tree currently return success unconditionally, but mbuf is a notable exception: the packet zone constructor wants to be able to fail if it cannot suballocate an mbuf cluster, and the mbuf allocators want to be able to fail in general in a MAC kernel if the MAC mbuf initializer fails. This fixes the panics people are seeing when they run out of memory for mbuf clusters.
* Allow debug.nosleepwithlocks on WITNESS to be disabled, without changing the default.
Both bmilekic and jeff have reviewed the changes made to make failable zone allocations work.
|
132781 |
28-Jul-2004 |
kan |
Introduce SLOT_SET macro and use it in place of casts as lvalues.
|
132563 |
23-Jul-2004 |
rwatson |
Allow an effective uid of root to bypass mac_bsdextended rules; the MAC Framework can restrict the root user, but this policy is not intended to support that.
Stylish Swiss footwear provided for: trhodes
|
132232 |
16-Jul-2004 |
rwatson |
Rename Biba and MLS _single label elements to _effective, which more accurately represents the intention of the 'single' label element in Biba and MLS labels. It also approximates the use of 'effective' in traditional UNIX credentials, and avoids confusion with 'singlelabel' in the context of file systems.
Inspired by: trhodes
|
132199 |
15-Jul-2004 |
phk |
Do a pass over all modules in the kernel and make them return EOPNOTSUPP for unknown events.
A number of modules return EINVAL in this instance, and I have left those alone for now and instead taught MOD_QUIESCE to accept this as "didn't do anything".
|
131934 |
10-Jul-2004 |
marcel |
Update for the KDB framework: o Call kdb_enter() instead of Debugger().
|
131025 |
24-Jun-2004 |
rwatson |
Introduce a temporary mutex, mac_ifnet_mtx, to lock MAC labels on network interfaces. This global mutex will protect all ifnet labels. Acquire the mutex across various MAC activities on interfaces, such as security checks, propagating interface labels to mbufs generated from the interface, retrieving and setting the interface label.
Introduce mpo_copy_ifnet_label MAC policy entry point to copy the value of an interface label from one label to another. Use this to avoid performing a label externalize while holding mac_ifnet_mtx; copy the label to a temporary ifnet label and then externalize that.
Implement mpo_copy_ifnet_label for various MAC policies that implement interface labeling using generic label copying routines.
Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
|
130585 |
16-Jun-2004 |
phk |
Do the dreaded s/dev_t/struct cdev */ Bump __FreeBSD_version accordingly.
|
130398 |
13-Jun-2004 |
rwatson |
Socket MAC labels so_label and so_peerlabel are now protected by SOCK_LOCK(so):
- Hold socket lock over calls to MAC entry points reading or manipulating socket labels.
- Assert socket lock in MAC entry point implementations.
- When externalizing the socket label, first make a thread-local copy while holding the socket lock, then release the socket lock to externalize to userspace.
|
129880 |
30-May-2004 |
phk |
add missing #include <sys/module.h>
|
129268 |
15-May-2004 |
cperciva |
Remove dead code. (This loop counted the number of rules, but the count was never used.)
Reported by: pjd Approved by: rwatson
|
129096 |
10-May-2004 |
rwatson |
Improve consistency of include file guards in src/sys/sys by terminating them with '_', as well as beginning with '_'.
Observed by: bde
|
128902 |
03-May-2004 |
rwatson |
If the mbuf pointer passed to mac_mbuf_to_label() is NULL, or the tag lookup for the label tag fails, return NULL rather than something close to NULL. This scenario occurs if mbuf header labeling is optional and a policy requiring labeling is loaded, resulting in some mbufs having labels and others not. Previously, 0x14 would be returned because the NULL from m_tag_find() was not treated specially.
Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
|
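The failure mode in the entry above (a missing tag turning into a small non-NULL pointer such as 0x14) and the fix, as an added example that is not FreeBSD code. The structures here (struct m_tag, struct mac_tag, struct mbuf, PACKET_TAG_MACLABEL) and the function names (tag_find, mbuf_label_lookup, mbuf_label_slot) are constructed stand-ins for the kernel's mbuf tag machinery.

```c
/*
 * Added example, not FreeBSD code: a minimal model of the r128902 fix.
 * All types, constants and function names are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>

struct label {
    uint32_t slots[4];
};

/* Generic tag header; tags form a singly linked chain off the mbuf. */
struct m_tag {
    struct m_tag *next;
    uint16_t      type;
};

/* A tag carrying a MAC label. The header comes first, so the label member
 * lives at a non-zero offset from the start of the tag. */
struct mac_tag {
    struct m_tag tag;
    struct label label;
};

struct mbuf {
    struct m_tag *tags;
};

#define PACKET_TAG_MACLABEL 0x2a

/* Walk the tag chain; NULL when no tag of that type is attached. */
static struct m_tag *tag_find(const struct mbuf *m, uint16_t type)
{
    for (struct m_tag *t = m->tags; t != NULL; t = t->next)
        if (t->type == type)
            return t;
    return NULL;
}

/*
 * What a naive "return &tag->label" yields when tag_find() returned NULL:
 * the member address is computed relative to NULL, so the caller receives
 * this small non-zero offset instead of NULL (0x14 for the real layout in
 * the commit message), passes a NULL test, and then dereferences it.
 */
size_t label_offset_from_null_tag(void)
{
    return offsetof(struct mac_tag, label);
}

/*
 * Fixed lookup: a NULL mbuf and a missing tag both mean "no label", so
 * return NULL and let callers test the result before dereferencing.
 */
struct label *mbuf_label_lookup(struct mbuf *m)
{
    struct m_tag *t;

    if (m == NULL)
        return NULL;
    t = tag_find(m, PACKET_TAG_MACLABEL);
    if (t == NULL)
        return NULL;    /* previously: &((struct mac_tag *)NULL)->label */
    return &((struct mac_tag *)t)->label;
}

/*
 * A consumer in the style of a policy entry point: reads one slot of the
 * mbuf label when present and reports -1 for an unlabeled mbuf. Labels are
 * optional per the commit message, so the unlabeled path must be tolerated.
 */
int mbuf_label_slot(struct mbuf *m, int slot)
{
    struct label *l = mbuf_label_lookup(m);

    if (l == NULL)
        return -1;
    return (int)l->slots[slot];
}

/* Constructed fixture: one mbuf whose chain holds an unrelated tag followed
 * by a label tag, one mbuf with no tags at all, and a NULL mbuf. */
int demo(void)
{
    static struct m_tag other = { NULL, 0x01 };
    static struct mac_tag mt;
    struct mbuf labeled, unlabeled = { NULL };

    mt.tag.next = NULL;
    mt.tag.type = PACKET_TAG_MACLABEL;
    mt.label.slots[0] = 7;
    other.next = &mt.tag;
    labeled.tags = &other;

    if (mbuf_label_slot(&labeled, 0) != 7)
        return 1;
    if (mbuf_label_slot(&unlabeled, 0) != -1)
        return 2;
    if (mbuf_label_slot(NULL, 0) != -1)
        return 3;
    return 0;
}
```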
128901 |
03-May-2004 |
rwatson |
Add /* !MAC */ to final #endif.
|
128897 |
03-May-2004 |
rwatson |
Update copyright.
|
128896 |
03-May-2004 |
rwatson |
When performing label assertions on an mbuf header label in mac_test, test the label pointer for NULL before testing the label slot for permitted values. When loading mac_test dynamically with conditional mbuf labels, the label pointer may be NULL if the mbuf was instantiated while labels were not required on mbufs by any policy.
Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
|
128886 |
03-May-2004 |
rwatson |
Bump copyright date for NETA to 2004.
|
128885 |
03-May-2004 |
rwatson |
Add MAC_STATIC, a kernel option that disables internal MAC Framework synchronization protecting against dynamic load and unload of MAC policies, and instead simply blocks load and unload. In a static configuration, this allows you to avoid the synchronization costs associated with introducing dynamicism.
Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
|
126406 |
29-Feb-2004 |
rwatson |
Define BPFD_LOCK_ASSERT() to assert the BPF descriptor lock.
Assert the BPF descriptor lock in the MAC calls referencing live BPF descriptors.
Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
|
126296 |
26-Feb-2004 |
rwatson |
Forward declare struct proc, struct sockaddr, and struct thread, which are employed in entry points later in the same include file.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Air Force Research Laboratory, McAfee Research
|
126292 |
26-Feb-2004 |
rwatson |
Forward declare struct bpf_d, struct ifnet, struct image_params, and struct vattr in mac_policy.h. This permits policies not implementing entry points using these types to compile without including include files with these types.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Air Force Research Laboratory
|
126262 |
26-Feb-2004 |
rwatson |
Move inet and inet6 related MAC Framework entry points from mac_net.c to a new mac_inet.c. This code is now conditionally compiled based on inet support being compiled into the kernel.
Move socket related MAC Framework entry points from mac_net.c to a new mac_socket.c.
To do this, some additional _enforce MIB variables are now non-static. In addition, mbuf_to_label() is now mac_mbuf_to_label() and non-static.
Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
|
126121 |
22-Feb-2004 |
pjd |
Reimplement sysctls handling by MAC framework. Now I believe it is done in the right way.
Removed some XXMAC cases, we now assume 'high' integrity level for all sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic.
Reviewed by: rwatson Approved by: rwatson, scottl (mentor) Tested with: LINT (compilation), mac_biba(4) (functionality)
|
126097 |
22-Feb-2004 |
rwatson |
Update my personal copyrights and NETA copyrights in the kernel to use the "year1-year3" format, as opposed to "year1, year2, year3". This seems to make lawyers more happy, but also prevents the lines from getting excessively long as the years start to add up.
Suggested by: imp
|
125310 |
01-Feb-2004 |
rwatson |
Commit file missed in last pass: MAC api uses 'struct pipepair', not 'struct pipe' now.
|
125293 |
01-Feb-2004 |
rwatson |
Coalesce pipe allocations and frees. Previously, the pipe code would allocate two 'struct pipe's from the pipe zone, and malloc a mutex.
- Create a new "struct pipepair" object holding the two 'struct pipe' instances, struct mutex, and struct label reference. Pipe structures now have a back-pointer to the pipe pair, and a 'pipe_present' flag to indicate whether the half has been closed.
- Perform mutex init/destroy in zone init/destroy, avoiding reallocating the mutex for each pipe. Perform most pipe structure setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe', update many policies. MAC labels are also handled outside of the UMA zone for now. Label-only policy modules don't have to be recompiled, but if a module is recompiled, its pipe entry points will need to be updated. If a module actually reached into the pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed half until a full-close takes place. However, VM mapped buffers are still released on half-close.
Some code refactoring is now possible to clean up some of the back references, etc; this patch attempts not to change the structure of most of the pipe implementation, only allocation/free code paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation and free in system call tests on UP and SMP in my micro-benchmarks. May or may not make a difference in macro-benchmarks, but doing less work is good.
Reviewed by: juli, tjr Testing help: dwhite, fenestro, scottl, et al
|
124756 |
20-Jan-2004 |
rwatson |
Pay attention to mac_portacl_enabled.
Submitted by: simon
|
123607 |
17-Dec-2003 |
rwatson |
Switch TCP over to using the inpcb label when responding in timed wait, rather than the socket label. This avoids reaching up to the socket layer during connection close, which requires locking changes. To do this, introduce MAC Framework entry point mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond() instead of calling mac_create_mbuf_from_socket() or mac_create_mbuf_netlayer(). Introduce MAC Policy entry point mpo_create_mbuf_from_inpcb(), and implementations for various policies, which generally just copy label data from the inpcb to the mbuf. Assert the inpcb lock in the entry point since we require consistency for the inpcb label reference.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
123397 |
10-Dec-2003 |
rwatson |
interpvnodelabel can be NULL in mac_test_execve_transition(). This only turned up when running mac_test side by side with a transitioning policy such as SEBSD. Make the NULL testing match mac_test_execve_will_transition(), which already tested the vnode label pointer for NULL.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
123173 |
06-Dec-2003 |
rwatson |
Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(), and the mpo_create_cred() MAC policy entry point to mpo_copy_cred_label(). This is more consistent with similar entry points for creation and label copying, as mac_create_cred() was called from crdup() as opposed to during process creation. For a number of policies, this removes the requirement for special handling when copying credential labels, and improves consistency.
Approved by: re (scottl) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122879 |
18-Nov-2003 |
rwatson |
Use UMA zone allocator for Biba and MLS labels rather than MALLOC(9).
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122875 |
18-Nov-2003 |
rwatson |
Introduce a MAC label reference in 'struct inpcb', which caches the MAC label referenced from 'struct socket' in the IPv4 and IPv6-based protocols. This permits MAC labels to be checked during network delivery operations without dereferencing inp->inp_socket to get to so->so_label, which will eventually avoid our having to grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the MAC Framework, along with the normal circus of entry points: initialization, creation from socket, destruction, as well as a delivery access control check.
For most policies, the inpcb label will simply be a cache of the socket label, so a new protocol switch method is introduced, pr_sosetlabel() to notify protocols that the socket layer label has been updated so that the cache can be updated while holding appropriate locks. Most protocols implement this using pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use the worker function in_pcbsosetlabel(), which calls into the MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub policy, and test policy.
Reviewed by: sam, bms Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122824 |
17-Nov-2003 |
rwatson |
Don't implement mpo_destroy() for Biba, LOMAC, and MLS, as they aren't allowed to be unloaded.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122820 |
16-Nov-2003 |
rwatson |
Implement sockets support for __mac_get_fd() and __mac_set_fd() system calls, and prefer these calls over getsockopt()/setsockopt() for ABI reasons. When addressing UNIX domain sockets, these calls retrieve and modify the socket label, not the label of the rendezvous vnode.
- Create mac_copy_socket_label() entry point based on mac_copy_pipe_label() entry point, intended to copy the socket label into temporary storage that doesn't require a socket lock to be held (currently Giant).
- Implement mac_copy_socket_label() for various policies.
- Expose socket label allocation, free, internalize, externalize entry points as non-static from mac_net.c.
- Use mac_socket_label_set() in __mac_set_fd().
MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and mac_get_peer() to retrieve and set various socket labels without directly invoking the getsockopt() interface.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122810 |
16-Nov-2003 |
rwatson |
Implement mac_get_peer(3) using getsockopt() with SOL_SOCKET and SO_PEERLABEL. This provides an interface to query the label of a socket peer without embedding implementation details of mac_t in the application. Previously, sizeof(*mac_t) had to be specified by an application when performing getsockopt().
Document mac_get_peer(3), and expand documentation of the other mac_get(3) functions. Note that it's possible to get EINVAL back from mac_get_fd(3) when pointing it at an inappropriate object.
NOTE: mac_get_fd() and mac_set_fd() support for sockets will follow shortly, so the documentation is slightly ahead of the code.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122809 |
16-Nov-2003 |
rwatson |
Abstract the label checking and setting logic from mac_setsockopt_label() into mac_socket_label_set(); make it non-static so that it can be invoked from kern_mac.c for mac_set_fd().
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122808 |
16-Nov-2003 |
rwatson |
Implement mpo_copy_{mbuf,pipe,vnode}_label() entry points for mac_stub and mac_test.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122807 |
16-Nov-2003 |
rwatson |
Reduce gratuitous redundancy and length in function names:
mac_setsockopt_label_set() -> mac_setsockopt_label()
mac_getsockopt_label_get() -> mac_getsockopt_label()
mac_getsockopt_peerlabel_get() -> mac_getsockopt_peerlabel()
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122774 |
16-Nov-2003 |
rwatson |
Whitespace fix.
|
122718 |
15-Nov-2003 |
rwatson |
mac_relabel_cred() accepts two cred labels, not a cred label and a vnode label; update assertion.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122705 |
14-Nov-2003 |
bde |
Reduced prerequisites by only using MALLOC_DECLARE() if it is defined. This fixes a dependency of mac_label.c on namespace pollution in <vm/uma.h>.
Similarly for SYSCTL_DECL() although I had no problems with it. This probably makes some includes of <sys/sysctl.h> bogus.
|
122584 |
12-Nov-2003 |
rwatson |
Mark __mac_get_pid() as MPSAFE in the comment, as it runs without Giant and is also MPSAFE.
Push Giant further down into __mac_get_fd() and __mac_set_fd(), grabbing it only for constrained regions dealing with VFS, and dropping it entirely for operations related to labeling of pipes.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122569 |
12-Nov-2003 |
jhb |
Remove extraneous & to fix compile.
|
122563 |
12-Nov-2003 |
rwatson |
Remove extraneous fullpath variable, which broke lint build. This extra argument to the devfs MAC policy entry points was accidentally merged from the MAC branch during my earlier commit to these policies, and is not scheduled to be merged just yet.
|
122527 |
12-Nov-2003 |
rwatson |
GC prototype for mac_destroy_vnode_label(), missed in last commit.
|
122524 |
12-Nov-2003 |
rwatson |
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) due to memory conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol.
Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122454 |
11-Nov-2003 |
rwatson |
Whitespace sync to MAC branch, expand comment at the head of the file.
|
122270 |
08-Nov-2003 |
rwatson |
Replace a '-' with a ')'. Update copyright.
PR: 53195
|
122260 |
07-Nov-2003 |
rwatson |
When allocation of a socket peer label fails, scrub what was successfully initialized in the label as a socket peer label, not a socket label. For current policy modules, this didn't make a difference, but if a policy module had label data in the peer label that was to be GC'd in a different way than the normal socket label, it might have been a problem.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
122202 |
07-Nov-2003 |
rwatson |
Trim trailing whitespace.
|
122159 |
06-Nov-2003 |
rwatson |
Remove the flags argument from mac_externalize_*_label(), as it's not passed into policies or used internally to the MAC Framework.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121816 |
31-Oct-2003 |
brooks |
Replace the if_name and if_unit members of struct ifnet with new members if_xname, if_dname, and if_dunit. if_xname is the name of the interface and if_dname/unit are the driver name and instance.
This change paves the way for interface renaming and enhanced pseudo device creation and configuration semantics.
Approved By: re (in principle) Reviewed By: njl, imp Tested On: i386, amd64, sparc64 Obtained From: NetBSD (if_xname)
|
121507 |
25-Oct-2003 |
rwatson |
Make MAC_EXTERNALIZE() and MAC_INTERNALIZE() simply take the object type, rather than "object_label" as the first argument. This reduces complexity a little for the consumer, and also makes it easier for us to rename the underlying entry points in struct mac_policy_obj.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121490 |
25-Oct-2003 |
rwatson |
Sort type declarations together. Remove an excess carriage return.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121374 |
22-Oct-2003 |
rwatson |
Finish break-out of kern_mac.c into parts:
Include src/sys/security/mac/mac_internal.h in kern_mac.c.
Remove redundant defines from the include: SYSCTL_DECL(), debug macros, composition macros.
Unstaticize various bits now exposed to the remainder of the kernel: mac_init_label(), mac_destroy_label().
Remove all the functions now implemented in mac_process/mac_vfs/mac_net/ mac_pipe. Also remove debug counters, sysctls exporting debug counters, enforcement flags, sysctls exporting enforcement flags.
Leave module declaration, sysctl nodes, mactemp malloc type, system calls.
This should conclude MAC/LINT/NOTES breakage from the break-out process, but I'm running builds now to make sure I caught everything.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121372 |
22-Oct-2003 |
rwatson |
Variable cleanup following break-out of kern_mac.c into sys/security/mac:
Unstaticize mac_late. Remove ea_warn_once, now in mac_vfs.c. Unstaticize mac_policy_list, mac_static_policy_list, use struct mac_policy_list_head instead of LIST_HEAD() directly. Unstaticize and un-inline MAC policy locking functions so they can be referenced from mac_*.c.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121371 |
22-Oct-2003 |
rwatson |
Rename error_select() to mac_error_select(), and unstaticize so it can be used from src/sys/security/mac/mac_*.c.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121367 |
22-Oct-2003 |
rwatson |
Remove non-VFS related code from mac_vfs.c. Leave:
Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used.
Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails.
Enforce_fs toggle to enforce file system access control.
Debugging counters for file system objects: mounts, vnodes, devfs_dirents.
Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects.
Life cycle operations for devfs entries.
Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode.
Generic single-level label implementation for use by all file systems when in singlelabel mode.
Exec-time transition based on file label entry points.
Vnode operation access control checks (many).
Mount operation access control checks (few).
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121362 |
22-Oct-2003 |
rwatson |
Remove non-system bits from mac_system.c. Leave:
Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl().
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121361 |
22-Oct-2003 |
rwatson |
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles. Credential, process label counters. VM revocation sysctls/tunables. Credential label management, internalization/externalization/relabel code. Process label management. Proc0, proc1 creation, cred creation. Thread userret. mac_execve_enter(), _exit(), transition at exec-time. VM revocation on process label change. Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121359 |
22-Oct-2003 |
rwatson |
Remove non-pipe code from mac_pipe.c. Leave:
Pipe enforcement flag. Pipe object debugging counters. MALLOC type for MAC label storage. Pipe MAC label management routines, externalize/internalization/change routines. Pipe MAC access control checks.
Un-staticize functions called from mac_set_fd() when operating on a pipe. Abstraction improvements in this space seem likely.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121357 |
22-Oct-2003 |
rwatson |
Remove non-network related contents from mac_net.c. Leave:
Network and socket enforcement toggles. Counters for network objects (mbufs, ifnets, bpfdescs, sockets, and ipqs). Label management routines for network objects. Life cycle events for network objects. Label internalization/externalization/relabel for ifnets, sockets, including ioctl implementations for sockets, ifnets. Access control checks relating to network objects.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121352 |
22-Oct-2003 |
rwatson |
The following shared types/constants/interfaces/... are required in mac_internal.h:
Sysctl tree declarations.
Policy list structure definition.
Policy list variables (static, dynamic).
mac_late flag.
Enforcement flags for process, vm, which have checks in multiple files.
mac_labelmbufs variable to drive conditional mbuf labeling.
M_MACTEMP malloc type.
Debugging counter macros.
MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation.
Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes.
MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
121304 |
21-Oct-2003 |
rwatson |
Line-break sync to the MAC development branch.
|
120657 |
02-Oct-2003 |
rwatson |
Use __BEGIN_DECLS and __END_DECLS around userland function prototypes so that mac.h may be more safely included in userland C++ applications.
PR: bin/56595 Submitted by: "KONDOU, Kazuhiro" <kazuhiro@alib.jp>
|
120582 |
29-Sep-2003 |
rwatson |
If the struct mac copied into the kernel has a negative length, return EINVAL rather than failing the following malloc due to the value being too large.
|
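The length check from the entry above, as an added example that is not FreeBSD code: a caller-controlled signed length is rejected before it reaches an allocator, instead of letting the negative value wrap to a huge size_t inside malloc(). The descriptor type (struct umac with a signed m_buflen), the bound MAC_MAX_LABEL_BUF_LEN and the functions mac_validate_buflen and mac_copyin_string are constructed stand-ins for the kernel's struct mac handling.

```c
/*
 * Added example, not FreeBSD code: models the r120582 check. The struct,
 * bound and function names are constructed and are not the kernel's own.
 */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* User-supplied descriptor: a length the caller controls, and a pointer. */
struct umac {
    ssize_t     m_buflen;   /* signed here, as the 2003 check assumes */
    const char *m_string;
};

#define MAC_MAX_LABEL_BUF_LEN 65536   /* constructed bound for this example */

/*
 * Why "< 0" matters: converting a negative ssize_t to size_t for malloc()
 * wraps to a huge value. Returns the size malloc() would have been asked for.
 */
size_t length_as_seen_by_malloc(ssize_t len)
{
    return (size_t)len;
}

/*
 * Validate the caller-controlled length before it reaches an allocator.
 * Reject negatives explicitly with EINVAL rather than letting the wrapped
 * size fail inside malloc(); also reject lengths above the fixed bound.
 */
int mac_validate_buflen(ssize_t len)
{
    if (len < 0)
        return EINVAL;
    if (len > MAC_MAX_LABEL_BUF_LEN)
        return EINVAL;
    return 0;
}

/*
 * Copy the label string from the descriptor into a freshly allocated,
 * NUL-terminated buffer of m_buflen bytes. On success *out is set and 0 is
 * returned; otherwise an errno value is returned and *out stays NULL.
 * Reading is bounded by m_buflen, and a string with no NUL inside that
 * bound is rejected with ENAMETOOLONG, mirroring copyinstr().
 */
int mac_copyin_string(const struct umac *um, char **out)
{
    int         error;
    const char *nul;
    char       *buf;

    *out = NULL;
    error = mac_validate_buflen(um->m_buflen);
    if (error != 0)
        return error;
    if (um->m_buflen == 0)
        return EINVAL;      /* no room for even the terminating NUL */

    /* Bounded scan: never read past the declared buffer size. */
    nul = memchr(um->m_string, '\0', (size_t)um->m_buflen);
    if (nul == NULL)
        return ENAMETOOLONG;

    buf = malloc((size_t)um->m_buflen);
    if (buf == NULL)
        return ENOMEM;
    memcpy(buf, um->m_string, (size_t)(nul - um->m_string) + 1);
    *out = buf;
    return 0;
}
```

The check happens before the allocation and before any read through the user pointer, so a hostile length can neither drive the allocator nor extend the copy; a later entry in this log (r259885, see the head of the page) notes that m_buflen became unsigned, which removes the negative case but still leaves the upper bound to enforce.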
119546 |
29-Aug-2003 |
rwatson |
Remove extra tabs indenting MAC library calls; they were there to line up the function names in an earlier generation of the API when some of the functions returned structure pointers.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119494 |
26-Aug-2003 |
rwatson |
Fix a mac_policy_list reference to be a mac_static_policy_list reference: this fixes mac_syscall() for static policies when using optimized locking.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119317 |
22-Aug-2003 |
rwatson |
Make the elements argument to mac_prepare() be const.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119315 |
22-Aug-2003 |
rwatson |
Add prototype for new libc function mac_prepare_type().
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119301 |
22-Aug-2003 |
rwatson |
Correct typo introduced during manual merge: hook up the reflect_tcp test to the reflect_tcp entry point, rather than the reflect_icmp entry point.
Submitted by: naddy
|
119244 |
21-Aug-2003 |
rwatson |
Introduce two new MAC Framework and MAC policy entry points:
mac_reflect_mbuf_icmp()
mac_reflect_mbuf_tcp()
These entry points permit MAC policies to do "update in place" changes to the labels on ICMP and TCP mbuf headers when an ICMP or TCP response is generated to a packet outside of the context of an existing socket. For example, in response to a ping or a RST packet to a SYN on a closed port.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119242 |
21-Aug-2003 |
rwatson |
Correct logic for filling out a "new" label during a credential change in mac_lomac: if both flags are set on the new label, we may not need to always fill out the label (only if one flag is set, not both). Avoid stomping on a section of the label if we are in fact modifying both elements.
Because we know that both flags will be set, we don't need to test whether the range or single are set in later consistency checks of the range and single -- just test them.
By checking the range of the new vs. the range of the old label before testing the single against the new range, we implicitly test that the new single is in the old range. Document this with a comment.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119228 |
21-Aug-2003 |
rwatson |
Retrofit of mac_test regression and consistency test module for MAC Framework labels:
- Re-work the label state assertions to use a set of central ASSERT_type_LABEL() assertions.
- Test to make sure labels passed to externalize/internalize calls haven't been destroyed.
- For access control checks, assert the condition of all labels passed in.
- For life cycle events, assert the condition of all labels passed in.
- Add new entry point implementations for new MAC Framework entry points: mac_test_reflect_mbuf_icmp(), mac_test_reflect_mbuf_tcp(), mac_test_check_vnode_deleteextattr(), mac_test_check_vnode_listextattr().
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119223 |
21-Aug-2003 |
rwatson |
Add stub entries for new MAC framework entry points:
mpo_reflect_mbuf_icmp()
mpo_reflect_mbuf_tcp()
mpo_check_vnode_deleteextattr()
mpo_check_vnode_listextattr()
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119211 |
21-Aug-2003 |
rwatson |
Generally rename things to represent the fact that this is now the mac_stub policy and no longer mac_none (as found in the repocopy). Add comment to this effect.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119210 |
21-Aug-2003 |
rwatson |
mac_none is now the null policy, not a stub policy, so remove the stubs. Add a pointer to mac_stub, which is now the stub policy.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119202 |
21-Aug-2003 |
rwatson |
Implementations of mpo_check_vnode_deleteextattr() and mpo_check_vnode_listextattr() for Biba, MLS, and BSD Extended.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119198 |
21-Aug-2003 |
rwatson |
Add mac_check_vnode_deleteextattr() and mac_check_vnode_listextattr(): explicit access control checks to delete and list extended attributes on a vnode, rather than implicitly combining with the setextattr and getextattr checks. This reflects EA API changes in the kernel made recently, including the move to explicit VOP's for both of these operations.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
119184 |
20-Aug-2003 |
rwatson |
Remove about 40 lines of #ifdef/#endif by using new macros MAC_DEBUG_COUNTER_INC() and MAC_DEBUG_COUNTER_DEC() to maintain debugging counter values rather than #ifdef'ing the atomic operations to MAC_DEBUG.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
118308 |
01-Aug-2003 |
rwatson |
Attempt to simplify #ifdef logic for MAC_ALWAYS_LABEL_MBUF.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
118274 |
31-Jul-2003 |
rwatson |
Improve consistency with the Biba policy -- rename mac_mls_subject_equal_ok() to mac_mls_subject_privileged(), which more consistently reflects the fact that this is really about our notion of privilege in the MLS policy.
Since we don't use suser() for privilege in MLS, remove the suser check from the ifnet relabel ioctl, and replace it with an MLS privilege check.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
118270 |
31-Jul-2003 |
rwatson |
Remove a suser() check in the mac_biba policy: the MAC Framework itself already checks suser on a network interface relabel, so don't dup it here. Rely solely on the Biba definition of privilege, which is already tested.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories Submitted by: Andrew Reisse <areisse@nailabs.com>
|
117247 |
05-Jul-2003 |
rwatson |
Remove trailing whitespace.
|
116701 |
23-Jun-2003 |
rwatson |
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS.
Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case.
This has been running in the MAC development tree for about three weeks without problems.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
116689 |
22-Jun-2003 |
rwatson |
Forward declare a boatload of structures referenced in the MAC policy definition structure; this permits policies to reduce their number of gratuitous includes required for entry points they don't implement. This also facilitates building the MAC Framework on Darwin.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
116678 |
22-Jun-2003 |
phk |
Add a f_vnode field to struct file.
Several of the subtypes have an associated vnode which is used for stuff like the f*() functions.
By giving the vnode a separate field, a number of checks for the specific subtype can be replaced simply with a check for f_vnode != NULL, and we can later free f_data up to subtype specific use.
At this point in time, f_data still points to the vnode, so any code I might have overlooked will still work.
|
116182 |
11-Jun-2003 |
obrien |
Use __FBSDID().
|
115715 |
02-Jun-2003 |
rwatson |
Also implement mpo_copy_mbuf_label() for mac_lomac, or labels may not be properly propagated across some mbuf copy operations.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
115707 |
02-Jun-2003 |
rwatson |
Use mac_biba_label_copy() and mac_mls_label_copy() to implement the mpo_copy_mbuf_label() entry point for Biba and MLS, respectively. Otherwise, labels in m_tags may not be properly propagated across some classes of mbuf operations. This problem caused these policies to fail-stop the system with a panic.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
115525 |
31-May-2003 |
phk |
Remove double return()
Found by: FlexeLint
|
115497 |
31-May-2003 |
rwatson |
Rewrite Biba and MLS label externalization code to use sbufs instead of C strings internally; C strings require a lot of return value checking that (a) takes a lot of space, and (b) is difficult to get right. Prior to the advent of compartment support, modeling APIs for helper functions on snprintf worked fine; with the additional complexity, the sbuf_printf() API makes a lot more sense.
While doing this, break out the printing of sequential compartment lists into a helper function, mac_{biba,mls}_compartment_to_string(). This permits the main body of mac_{biba,mls}_element_to_string() to be concerned only with identifying sequential ranges rather than rendering.
At a less disruptive moment, we'll push the move from snprintf()-like interface to sbuf()-like interface up into the MAC Framework layer.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
115414 |
30-May-2003 |
rwatson |
Make sure all character pointers are properly initialized; this was mismerged from the MAC tree, and didn't get picked up because warnings are not normally fatal in per-module builds, only when they are linked into a kernel (such as LINT).
Reported by: des and the technicolor tinderbox Approved by: re (scottl)
|
115395 |
29-May-2003 |
rwatson |
Use strsep() in preference to manual string parsing for Biba and MLS label internalization. Use sensible variable names. Include comments. Doesn't fix any known bugs, but may fix unknown ones.
Approved by: re (scottl)
|
114846 |
08-May-2003 |
rwatson |
Rename MAC_MAX_POLICIES to MAC_MAX_SLOTS, since the variables and constants in question refer to the number of label slots, not the maximum number of policies that may be loaded. This should reduce confusion regarding an element in the MAC sysctl MIB, as well as make it more clear what the effect of changing the compile-time constants is.
Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
114806 |
07-May-2003 |
rwatson |
Clean up locking for the MAC Framework:
(1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some.
(2) Rename variables to _mtx, _cv, _count, simplifying the naming.
(3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped.
(4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time.
(5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer substantial performance benefits.
(6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility.
These changes have been running for a few weeks on MAC development branch systems.
Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
113955 |
24-Apr-2003 |
alc |
- Acquire the vm_object's lock when performing vm_object_page_clean().
- Add a parameter to vm_pageout_flush() that tells vm_pageout_flush() whether its caller has locked the vm_object. (This is a temporary measure to bootstrap vm_object locking.)
|
113687 |
18-Apr-2003 |
rwatson |
Rather than check for M_PKTHDR and conditionally perform access control, simply assert that M_PKTHDR is set using M_ASSERTPKTHDR().
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
113681 |
18-Apr-2003 |
rwatson |
Update NAI copyright to 2003, missed in earlier commits and merges.
|
113534 |
15-Apr-2003 |
rwatson |
Modify mac_test policy to invoke WITNESS_WARN() when a potentially blocking allocation could occur as a result of a label initialization. This will simulate the behavior of allocated label policies such as MLS and Biba when running mac_test from the perspective of WITNESS lock and sleep warnings.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
113531 |
15-Apr-2003 |
rwatson |
Enable the MAC_ALWAYS_LABEL_MBUF flag for the Biba, LOMAC, MLS, and Test policies. Missed in earlier merge.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
113526 |
15-Apr-2003 |
rwatson |
mac_init_mbuf_tag() accepts malloc flags, not mbuf allocator flags, so don't try and convert the argument flags to malloc flags, or we risk implicitly requesting blocking and generating witness warnings.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
113487 |
14-Apr-2003 |
rwatson |
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this:
- Modify mbuf_to_label() to extract the tag, returning NULL if not found.
- Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf.
- Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag().
- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d.
- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions.
- Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!).
- Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now.
- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's.
- Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label.
- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously.
- When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now.
- No longer any weird handling of MAC labels in if_loop.c during header copies.
- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded.
In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified.
- mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems.
- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks.
- This makes allocation in mac_init_mbuf() conditional on the flag.
Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
113482 |
14-Apr-2003 |
rwatson |
Abstract access to the mbuf header label behind a new function, mbuf_to_label(). This permits the vast majority of entry point code to be unaware that labels are stored in m->m_pkthdr.label, such that we can experiment storage of labels elsewhere (such as in m_tags).
Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
113255 |
08-Apr-2003 |
des |
Introduce an M_ASSERTPKTHDR() macro which performs the very common task of asserting that an mbuf has a packet header. Use it instead of hand-rolled versions wherever applicable.
Submitted by: Hiten Pandya <hiten@unixdaemons.com>
|
112717 |
27-Mar-2003 |
rwatson |
Trim "trustedbsd_" from the front of the policy module "short names"; the vendor is only included in the long name currently, reducing verbosity when modules are registered and unregistered.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
112675 |
26-Mar-2003 |
rwatson |
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
112578 |
25-Mar-2003 |
rwatson |
Update the MAC regression test policy to include stubs and testing functionality for the following entry points:
mac_test_init_proc_label()
mac_test_destroy_proc_label()
For process labeling entry points, now also track the use of process labels and test assertions about their integrity and life cycle.
mac_test_thread_userret()
mac_test_check_kenv_dump()
mac_test_check_kenv_get()
mac_test_check_kenv_set()
mac_test_check_kenv_unset()
mac_test_check_kld_load()
mac_test_check_kld_stat()
mac_test_check_kld_unload()
mac_test_check_sysarch_ioperm()
mac_test_check_system_acct()
mac_test_check_system_reboot()
mac_test_check_system_settime()
mac_test_check_system_swapon()
mac_test_check_system_swapoff()
mac_test_check_system_sysctl()
For other entry points, just provide testing stubs.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
112577 |
25-Mar-2003 |
rwatson |
Update MAC "none" stub policy to include stubs for the following entry points:
mac_none_thread_userret()
mac_none_check_kenv_dump()
mac_none_check_kenv_get()
mac_none_check_kenv_set()
mac_none_check_kenv_unset()
mac_none_check_kld_load()
mac_none_check_kld_stat()
mac_none_check_kld_unload()
mac_none_check_sysarch_ioperm()
mac_none_check_system_acct()
mac_none_check_system_settime()
mac_none_check_system_swapoff()
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
112576 |
25-Mar-2003 |
rwatson |
Expand scope of the MLS policy to include a new entry point available for enforcement:
mac_mls_check_system_swapon() - Require that the subject and the swapfile target vnode labels dominate one another. An additional check is probably needed here to require that the swapfile target has a label of mls/high to prevent information leakage through swapfiles.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
112575 |
25-Mar-2003 |
rwatson |
Expand scope of the BSD extended "file system firewall" policy to include a new entry point available for enforcement:
mac_bsdextended_check_system_swapon() - Apply extended access control checks to the file target of swap.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
112574 |
25-Mar-2003 |
rwatson |
Expand scope of the Biba policy to include some of the new entry points available for enforcement:
mac_biba_check_sysarch_ioperm() - Require Biba privilege to make use of privileged machine-dependent interfaces, protecting against bypass of the policy via various mechanisms.
mac_biba_check_system_swapoff() - Require Biba privilege to disable swapping against a vnode target.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
112505 |
23-Mar-2003 |
rwatson |
Garbage collect FREEBSD_MAC_EXTATTR_NAME and FREEBSD_MAC_EXTATTR_NAMESPACE, which are no longer required now that we have UFS2 with extended attribute transactions.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
112367 |
18-Mar-2003 |
phk |
Including <sys/stdint.h> is (almost?) universally only to be able to use %j in printfs, so put a nested include in <sys/systm.h> where the printf prototype lives and save everybody else the trouble.
|
112128 |
12-Mar-2003 |
kan |
Do not depend on namespace pollution, explicitly include sys/sx.h
|
111939 |
06-Mar-2003 |
rwatson |
Instrument sysarch() MD privileged I/O access interfaces with a MAC check, mac_check_sysarch_ioperm(), permitting MAC security policy modules to control access to these interfaces. Currently, they protect access to IOPL on i386, and setting HAE on Alpha. Additional checks might be required on other platforms to prevent bypass of kernel security protections by unauthorized processes.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
111936 |
05-Mar-2003 |
rwatson |
Provide a mac_check_system_swapoff() entry point, which permits MAC modules to authorize disabling of swap against a particular vnode.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
111883 |
04-Mar-2003 |
jhb |
Replace calls to WITNESS_SLEEP() and witness_list() with equivalent calls to WITNESS_WARN().
|
111771 |
02-Mar-2003 |
rwatson |
A cute yet small MAC policy that provides a simple ACL mechanism to permit users and groups to bind ports for TCP or UDP, and is intended to be combined with the recently committed support for net.inet.ip.portrange.reservedhigh. The policy is twiddled using sysctl(8). To use this module, you will need to compile in MAC support, and probably set reservedhigh to 0, then twiddle security.mac.portacl.rules to set things as desired. This policy module only restricts ports explicitly bound using bind(), not implicitly bound ports where the port number is selected by the IP stack. It appears to work properly in my local configuration, but needs more broad testing.
A sample policy might be:
# sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"
This permits uid 425 to bind TCP sockets to ports 79 and 80. Currently no distinction is made for incoming vs. outgoing ports with TCP, although that would probably be easy to add.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
111119 |
19-Feb-2003 |
imp |
Back out M_* changes, per decision of the TRB.
Approved by: trb
|
111032 |
17-Feb-2003 |
julian |
Move a bunch of flags from the KSE to the thread. I was in two minds as to where to put them in the first case.. I should have listened to the other mind.
Submitted by: parts by davidxu@ Reviewed by: jeff@ mini@
|
110354 |
04-Feb-2003 |
rwatson |
Implement mpo_check_kld_load() and mpo_check_kld_unload() for the Biba MAC policy. To load a KLD, require that the subject hold Biba privilege, and the kernel module be marked as high integrity. To unload a KLD, require that the subject hold Biba privilege.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
110351 |
04-Feb-2003 |
rwatson |
Place more stringent checks on process credential relabeling for the Biba and MLS policies: as we support both an effective (single) element and range (available) elements, require that the single be in the range if both the single and range are defined in the update. Remove comments suggesting that such a check might be a good idea.
Don't introduce a similar check for network interfaces; due to different interpretations of the single and range elements, it's not clear that it's useful to do so.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
110350 |
04-Feb-2003 |
rwatson |
Rename the variable 'grade' to 'type' in interface parsing and labeling for Biba.
Rename the variable 'level' to 'type' in interface parsing and labeling for MLS.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
109623 |
21-Jan-2003 |
alfred |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
109153 |
13-Jan-2003 |
dillon |
Bow to the whining masses and change a union back into void *. Retain removal of unnecessary casts and throw in some minor cleanups to see if anyone complains, just for the hell of it.
|
109123 |
12-Jan-2003 |
dillon |
Change struct file f_data to un_data, a union of the correct struct pointer types, and remove a huge number of casts from code using it.
Change struct xfile xf_data to xun_data (ABI is still compatible).
If we need to add a #define for f_data and xf_data we can, but I don't think it will be necessary. There are no operational changes in this commit.
|
108788 |
06-Jan-2003 |
mux |
Fix warnings on 64bits architectures.
Noticed by: alpha tinderbox
|
108376 |
28-Dec-2002 |
rwatson |
Map VAPPEND to VWRITE since the ugidfw rule syntax doesn't specifically address the append access mode.
Reported by: "Daniel C. Sobral" <dcs@newsguy.com> Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
MFC Candidate.
|
107849 |
14-Dec-2002 |
alfred |
SCARGS removal take II.
|
107839 |
13-Dec-2002 |
alfred |
Backout removal SCARGS, the code freeze is only "selectively" over.
|
107838 |
13-Dec-2002 |
alfred |
Remove SCARGS.
Reviewed by: md5
|
107731 |
10-Dec-2002 |
rwatson |
Default policies to on: if you load them or compile them into your kernel, you should expect them to do something, so now they do. This doesn't affect users who don't load or explicitly compile in the policies.
Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
107698 |
09-Dec-2002 |
rwatson |
Remove dm_root entry from struct devfs_mount. It's never set, and is unused. Replace it with a dm_mount back-pointer to the struct mount that the devfs_mount is associated with. Export that pointer to MAC Framework entry points, where all current policies don't use the pointer. This permits the SEBSD port of SELinux's FLASK/TE to compile out-of-the-box on 5.0-CURRENT with full file system labeling support.
Approved by: re (murray) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
107622 |
04-Dec-2002 |
rwatson |
Remove a const that generates a warning: the const isn't strictly wrong, since we don't want the variable changed, but since we assign it to variables that may also refer to other non-const strings, warnings were generated that could break LINT.
Approved by: re Spotted by: sam
|
107551 |
03-Dec-2002 |
rwatson |
License tweak: remove clause 3 per permission of NAI.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
107548 |
03-Dec-2002 |
rwatson |
Unhook the old LOMAC module, now replaced with mac_lomac.
Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
107279 |
26-Nov-2002 |
rwatson |
Correct two warnings by staticizing a function and removing an unused function.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
107273 |
26-Nov-2002 |
rwatson |
Import an implementation of LOMAC (Low-Watermark Mandatory Access Control) as a MAC Framework policy module. Unlike the existing src/sys/security/lomac implementation, this one has its fingers out of the kernel lock order and doesn't make use of flags in existing kernel structures. This greatly reduces the quantity of replicated code with src/sys/kern, simplifies the implementation (3000 vs 8500 lines), and corrects a number of known stability problems with the existing LOMAC implementation, which will be removed. A bit more hooking up to do here.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
107271 |
26-Nov-2002 |
rwatson |
Un-staticize mac_cred_mmapped_drop_perms() so that it may be used by policy modules making use of downgrades in the MAC AST event. This is required by the mac_lomac port of LOMAC to the MAC Framework.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
107105 |
20-Nov-2002 |
rwatson |
Introduce p_label, extensible security label storage for the MAC framework in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) to update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
107089 |
19-Nov-2002 |
rwatson |
Merge kld access control checks from the MAC tree: these access control checks permit policy modules to augment the system policy for permitting kld operations. This permits policies to limit access to kld operations based on credential (and other) properties, as well as to perform checks on the kld being loaded (integrity, etc).
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106856 |
13-Nov-2002 |
rwatson |
Introduce a condition variable to avoid returning EBUSY when the MAC policy list is busy during a load or unload attempt. We assert no locks held during the cv wait, meaning we should be fairly deadlock-safe. Because of the cv model and busy count, it's possible for a cv waiter waiting for exclusive access to the policy list to be starved by active and long-lived access control/labeling events. For now, we accept that as a necessary tradeoff.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106788 |
12-Nov-2002 |
rwatson |
Garbage collect mac_create_devfs_vnode() -- it hasn't been used since we brought in the new cache and locking model for vnode labels. We now rely on mac_associate_devfs_vnode().
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106779 |
11-Nov-2002 |
rwatson |
Garbage collect definition of M_MACOPVEC -- we no longer perform a dynamic mapping of an operation vector into an operation structure, rather, we rely on C99 sparse structure initialization.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106648 |
08-Nov-2002 |
rwatson |
Update MAC modules for changes in arguments for exec MAC policy entry points to include an explicit execlabel.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106647 |
08-Nov-2002 |
rwatson |
Add an explicit execlabel argument to exec-related MAC policy entry points, rather than relying on policies to grub around in the image activator instance structure.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106469 |
05-Nov-2002 |
rwatson |
Update policy modules for changes in arguments associated with support for label access on the interpreter, not just the shell script. No policies currently present in the system rely on the new labels.
|
106468 |
05-Nov-2002 |
rwatson |
Bring in two sets of changes:
(1) Permit userland applications to request a change of label atomic with an execve() via mac_execve(). This is required for the SEBSD port of SELinux/FLASK. Attempts to invoke this without MAC compiled in result in ENOSYS, as with all other MAC system calls. Complexity, if desired, is present in policy modules, rather than the framework.
(2) Permit policies to have access to both the label of the vnode being executed as well as the interpreter if it's a shell script or related UNIX nonsense. Because we can't hold both vnode locks at the same time, cache the interpreter label. SEBSD relies on this because it supports secure transitioning via shell script executables. Other policies might want to take both labels into account during an integrity or confidentiality decision at execve()-time.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106462 |
05-Nov-2002 |
rwatson |
Since neither the Biba policy nor the MLS policy make use of transitioning, remove their transition entry points.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106460 |
05-Nov-2002 |
rwatson |
Assert that appropriate vnodes are locked in mac_execve_will_transition(). Allow transitioning to be twiddled off using the process and fs enforcement flags, although at some point this should probably be its own flag.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106418 |
04-Nov-2002 |
rwatson |
Implement mpo_check_system_acct() and mpo_check_system_settime() for Biba: require Biba privilege to configure either, and require that accounting files be high integrity. Note that this does allow implicit information flow from low to high integrity, but it also protects the integrity of accounting data.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106416 |
04-Nov-2002 |
rwatson |
Correct use of mac_biba_subject_privileged() in swapon() code.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106412 |
04-Nov-2002 |
rwatson |
Permit MAC policies to instrument the access control decisions for system accounting configuration and for nfsd server thread attach. Policies might use this to protect the integrity or confidentiality of accounting data, limit the ability to turn on or off accounting, as well as to prevent inappropriately labeled threads from becoming nfs server threads.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106410 |
04-Nov-2002 |
rwatson |
Remove mac_cache_fslabel_in_vnode sysctl -- with the new VFS/MAC construction, labels are always cached.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106393 |
04-Nov-2002 |
rwatson |
License and wording updates: NAI has authorized the removal of clause three from their BSD-style license. Also, s/NAI Labs/Network Associates Laboratories/.
|
106392 |
04-Nov-2002 |
rwatson |
License clarification and wording changes: NAI has approved removal of clause three, and NAI Labs now goes by the name Network Associates Laboratories.
|
106369 |
03-Nov-2002 |
rwatson |
Introduce mac_check_system_settime(), a MAC check allowing policies to augment the system policy for changing the system time.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106367 |
03-Nov-2002 |
rwatson |
Change privilege model for mac_partition such that BSD superuser can change the partition once a partition has been set. This is required for correct operation of sendmail between partitions.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106354 |
02-Nov-2002 |
mux |
Fix some warnings on 64 bit architectures. The vn_extattr_get() function takes an int * parameter, not a size_t * parameter.
Arguably, it should rather take a size_t *, but that would require changing the uio_resid field of struct uio to be a size_t instead of an int, which I don't want to do that close to 5.0-RELEASE.
Reviewed by: rwatson
|
106308 |
01-Nov-2002 |
rwatson |
Add MAC checks for various kenv() operations: dump, get, set, unset, permitting MAC policies to limit access to the kernel environment.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106217 |
30-Oct-2002 |
rwatson |
Move to C99 sparse structure initialization for the mac_policy_ops structure definition, rather than using an operation vector we translate into the structure. Originally, we used a vector for two reasons:
(1) We wanted to define the structure sparsely, which wasn't supported by the C compiler for structures. For a policy with five entry points, you don't want to have to stick in a few hundred NULL function pointers.
(2) We thought it would improve ABI compatibility allowing modules to work with kernels that had a superset of the entry points defined in the module, even if the kernel had changed its entry point set.
Both of these no longer apply:
(1) C99 gives us a way to sparsely define a static structure.
(2) The ABI problems existed anyway, due to enumeration numbers, argument changes, and semantic mismatches. Since the going rule for FreeBSD is that you really need your modules to pretty closely match your kernel, it's not worth the complexity.
This submit eliminates the operation vector, dynamic allocation of the operation structure, copying of the vector to the structure, and redoes the vectors in each policy to direct structure definitions. One enormous benefit of this change is that we now get decent type checking on policy entry point implementation arguments.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
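As an added illustration of the change described in this commit (example code, not FreeBSD's own), the following miniature framework declares an operations structure with one fully typed function pointer per entry point; each policy fills in only the entry points it implements with C99 designated initializers and leaves the rest NULL, and the framework skips NULL slots when composing a decision across the loaded policies. Because every slot carries a full prototype, assigning a function with the wrong argument list is diagnosed by the compiler, which is the type checking the commit refers to. All names here (demo_ops, demo_policy, the "owner" and "partition" policies, the access-mode bits) are invented for the example, and error composition is simplified to "first non-zero error wins".

```c
/* Added example, not FreeBSD code: sparse C99 initialization of a
 * typed policy-ops structure, and NULL-skipping dispatch over policies. */
#include <errno.h>
#include <stddef.h>

struct demo_cred  { int uid; int partition; };
struct demo_vnode { int owner_uid; };

#define DEMO_READ  0x1   /* constructed access-mode bits */
#define DEMO_WRITE 0x2

/* Framework side: one typed slot per entry point. */
struct demo_ops {
	int  (*check_vnode_open)(struct demo_cred *, struct demo_vnode *, int acc_mode);
	int  (*check_system_reboot)(struct demo_cred *, int howto);
	int  (*check_system_settime)(struct demo_cred *);
};

struct demo_policy {
	const char *name;
	const struct demo_ops *ops;
};

/* Policy "owner": two entry points, everything else left NULL. */
static int
owner_check_vnode_open(struct demo_cred *cred, struct demo_vnode *vp, int acc_mode)
{
	if ((acc_mode & DEMO_WRITE) && cred->uid != vp->owner_uid)
		return (EACCES);
	return (0);
}

static int
owner_check_system_reboot(struct demo_cred *cred, int howto)
{
	(void)howto;
	return (cred->uid == 0 ? 0 : EPERM);
}

static const struct demo_ops owner_ops = {
	.check_vnode_open    = owner_check_vnode_open,
	.check_system_reboot = owner_check_system_reboot,
	/* .check_system_settime is implicitly NULL */
};

/* Policy "partition": a single entry point; reboot only from partition 0. */
static int
partition_check_system_reboot(struct demo_cred *cred, int howto)
{
	(void)howto;
	return (cred->partition == 0 ? 0 : EPERM);
}

static const struct demo_ops partition_ops = {
	.check_system_reboot = partition_check_system_reboot,
};

static const struct demo_policy policies[] = {
	{ "owner",     &owner_ops },
	{ "partition", &partition_ops },
};
#define NPOLICIES (sizeof(policies) / sizeof(policies[0]))

/* Walk every loaded policy, skipping NULL slots; keep the first non-zero
 * error (a simplification of real error composition). */
#define DEMO_CHECK(result, member, ...)					\
	do {								\
		size_t _i;						\
		(result) = 0;						\
		for (_i = 0; _i < NPOLICIES; _i++) {			\
			int _err;					\
			if (policies[_i].ops->member == NULL)		\
				continue;				\
			_err = policies[_i].ops->member(__VA_ARGS__);	\
			if (_err != 0 && (result) == 0)			\
				(result) = _err;			\
		}							\
	} while (0)

int
demo_check_vnode_open(struct demo_cred *cred, struct demo_vnode *vp, int acc_mode)
{
	int error;
	DEMO_CHECK(error, check_vnode_open, cred, vp, acc_mode);
	return (error);
}

int
demo_check_system_reboot(struct demo_cred *cred, int howto)
{
	int error;
	DEMO_CHECK(error, check_system_reboot, cred, howto);
	return (error);
}

/* No loaded policy implements settime, so the framework permits it. */
int
demo_check_system_settime(struct demo_cred *cred)
{
	int error;
	DEMO_CHECK(error, check_system_settime, cred);
	return (error);
}
```

Each demo_check_* function returns 0 when every loaded policy that implements the slot allows the operation, or the first errno value a policy returned. Adding a third policy is a matter of appending an initializer to `policies`; a policy that implements five entry points never has to spell out the others.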
|
106214 |
30-Oct-2002 |
rwatson |
Various minor type, prototype tweaks -- clean up cruft due to lack of type checking on entry points (to be introduced shortly).
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106212 |
30-Oct-2002 |
rwatson |
While 'mode_t' seemed like a good idea for the access mode argument for MAC access() and open() checks, the argument actually has an int type where it becomes available. Switch to using 'int' for the mode argument throughout the MAC Framework and policy modules.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106174 |
30-Oct-2002 |
rwatson |
Try again to fix the KASSERT.
|
106173 |
30-Oct-2002 |
rwatson |
Fix a KASSERT bug that showed up only in the LINT build, not the module build, so I missed it in the merge.
Pointed out by: sam
|
106162 |
29-Oct-2002 |
rwatson |
Hook up no-op stubs for reboot, swapon, sysctl entry points.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106161 |
29-Oct-2002 |
rwatson |
Implement Biba policy entry points for mac_check_system_swapon() and mac_check_system_sysctl(), providing additional integrity protections relating to swap target device selection and system management via sysctl(). Require Biba privilege for both; also require that the target of swap operations be a high integrity object, since swap data is high integrity.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106160 |
29-Oct-2002 |
rwatson |
Require Biba privilege to relabel a network interface.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106094 |
28-Oct-2002 |
rwatson |
Correct a typo in a previously commented include entry that was made visible in the recent commit.
|
106093 |
28-Oct-2002 |
rwatson |
Remove all reference to 'struct oldmac', since it's no longer required with the new VFS/EA semantics in the MAC framework. Move the per-policy structures out to per-policy include files, removing all policy-specific defines and structures out of the base framework includes and implementation, making mac_biba and mac_mls entirely self-contained.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106091 |
28-Oct-2002 |
rwatson |
Add a return type for mac_biba_high_single(), apparently lost in an earlier merge. It's a 'static int'.
|
106090 |
28-Oct-2002 |
rwatson |
Rename mac_biba_subject_equal_ok() to mac_biba_subject_privileged() to evolve the notion of Biba privilege a bit.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106089 |
28-Oct-2002 |
rwatson |
Zero the trusted_interface buffer before starting parsing. Print a warning if a requested interface name is longer than IFNAMSIZ.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106088 |
28-Oct-2002 |
rwatson |
An inappropriate ASSERT slipped in during the recent merge of the reboot checking; remove.
|
106045 |
27-Oct-2002 |
rwatson |
Centrally manage enforcement of {reboot,swapon,sysctl} using the mac_enforce_system toggle, rather than several separate toggles.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106025 |
27-Oct-2002 |
rwatson |
Implement mac_check_system_sysctl(), a MAC Framework entry point to permit MAC policies to augment the security protections on sysctl() operations. This is not really a wonderful entry point, as we only have access to the MIB of the target sysctl entry, rather than the more useful entry name, but this is sufficient for policies like Biba that wish to use their notions of privilege or integrity to prevent inappropriate sysctl modification. Affects MAC kernels only. Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c, we can't assert the SYSCTL subsystem lock in the MAC Framework.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106024 |
27-Oct-2002 |
rwatson |
Hook up mac_check_system_reboot(), a MAC Framework entry point that permits MAC modules to augment system security decisions regarding the reboot() system call, if MAC is compiled into the kernel.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
106023 |
27-Oct-2002 |
rwatson |
Merge from MAC tree: rename mac_check_vnode_swapon() to mac_check_system_swapon(), to reflect the fact that the primary object of this change is the running kernel as a whole, rather than just the vnode. We'll drop additional checks of this class into the same check namespace, including reboot(), sysctl(), et al.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105988 |
26-Oct-2002 |
rwatson |
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects semantics for shared vnode locks, which were not previously present in the system. This changes the cache coherency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105959 |
25-Oct-2002 |
rwatson |
Comment describing the semantics of mac_late. Trim trailing whitespace.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105828 |
23-Oct-2002 |
rwatson |
Provide a simple sample labeled access control policy, mac_partition. This policy can be loaded dynamically, and assigns each process a partition number, as well as permitting processes to operate outside the partition. Processes contained in a partition can only "see" processes inside the same partition, so it's a little like jail. The partition of a user can be set using the label mechanisms in login.conf. This sample policy is a good starting point for developers wanting to learn about how to produce labeled policies, as it labels only one kernel object, the process credential.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105736 |
22-Oct-2002 |
rwatson |
Style fix: space between 'switch' and '('.
|
105734 |
22-Oct-2002 |
rwatson |
s/mls/biba/ in a copy+paste error for a printf.
|
105729 |
22-Oct-2002 |
rwatson |
Remove the mac_te policy bits from 'struct oldmac' -- we're not going to merge mac_te, since the SEBSD port of SELinux/FLASK provides a much more mature Type Enforcement implementation. This changes the size of the on-disk 'struct oldmac' EA labels, which may require regeneration.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105722 |
22-Oct-2002 |
rwatson |
Don't enforce MAC Biba policy for socket visibility if Biba is not explicitly enabled.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105717 |
22-Oct-2002 |
rwatson |
Introduce MAC_CHECK_VNODE_SWAPON, which permits MAC policies to perform authorization checks during swapon() events; policies might choose to enforce protections based on the credential requesting the swap configuration, the target of the swap operation, or other factors such as internal policy state.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105716 |
22-Oct-2002 |
rwatson |
Missed in previous merge: export sizeof(struct oldmac) rather than sizeof(struct mac).
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105696 |
22-Oct-2002 |
rwatson |
Adapt MAC policies for the new user API changes; teach policies how to parse their own label elements (some cleanup to occur here in the future to use the newly added kernel strsep()). Policies now entirely encapsulate their notion of label in the policy module.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105694 |
22-Oct-2002 |
rwatson |
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105693 |
22-Oct-2002 |
rwatson |
Revised APIs for user process label management; the existing APIs relied on all label parsing occurring in userland, and knowledge of the loaded policies in the user libraries. This revision of the API pushes that parsing into the kernel, avoiding the need for shared library support of policies in userland, permitting statically linked binaries (such as ls, ps, and ifconfig) to use MAC labels. In these API revisions, high level parsing of the MAC label is done in the MAC Framework, and interpretation of label elements is delegated to the MAC policy modules. This permits modules to export zero or more label elements to user space if desired, and support them in the manner they want and with the semantics they want. This is believed to be the final revision of this interface: from the perspective of user applications, the API has actually not changed, although the ABI has.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105664 |
21-Oct-2002 |
rwatson |
mac_none is a stub policy without any functional implementation. Various cleanups, no functional changes:
- Fix a type in an entry point stub, socket checks accept sockets, not vnodes.
- Trailing whitespace
- Entry point sort order
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105656 |
21-Oct-2002 |
rwatson |
Introduce mac_biba_copy() and mac_mls_copy(), which conditionally copy elements of one Biba or MLS label to another based on the flags on the source label element. Use this instead of mac_{biba,mls}_{single,range}() to simplify the existing code, as well as support partial label updates (we don't update if none is requested).
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105643 |
21-Oct-2002 |
rwatson |
Add compartment support to Biba and MLS policies. The logic of the policies remains the same: subjects and objects are labeled for integrity or sensitivity, and a dominance operator determines whether or not subject/object accesses are permitted to limit inappropriate information flow. Compartments are a non-hierarchical component to the label, so add a bitfield to the label element for each, and a set check as part of the dominance operator. This permits the implementation of "need to know" elements of MLS.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
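As an added example of the label model this commit describes (illustrative code, not FreeBSD's mac_biba or mac_mls), each label element below carries a hierarchical grade plus a non-hierarchical compartment set stored as a bitmask, and the dominance operator is "grade at least as high AND compartment superset". MLS (sensitivity) reads require the subject to dominate the object and writes the reverse; Biba (integrity) flips both directions. The credential range and privilege helpers follow the later commits on this page that use a subject range of (low-high) to connote Biba privilege. The grade bound, the sample compartments and all function names are invented for the example.

```c
/* Added example, not FreeBSD code: Biba/MLS label elements with a
 * compartment bitmask, dominance, and the resulting read/write rules. */
#include <stdbool.h>
#include <stdint.h>

#define GRADE_MAX      65535u          /* constructed "high" grade */
#define COMP_CRYPTO    (1ULL << 0)     /* constructed compartments */
#define COMP_NUCLEAR   (1ULL << 1)
#define COMP_PERSONNEL (1ULL << 2)

struct label_elem {
	unsigned grade;        /* hierarchical integrity or sensitivity level */
	uint64_t compartments; /* one bit per compartment ("need to know") */
};

struct label_elem
mk_elem(unsigned grade, uint64_t compartments)
{
	struct label_elem e = { grade, compartments };
	return (e);
}

/* a dominates b iff a's grade is at least b's and a holds every
 * compartment that b holds (set check on the bitmask). */
bool
elem_dominate(struct label_elem a, struct label_elem b)
{
	if (a.grade < b.grade)
		return (false);
	return ((b.compartments & ~a.compartments) == 0);
}

/* MLS (sensitivity): no read up, no write down. */
bool mls_may_read(struct label_elem subj, struct label_elem obj)  { return (elem_dominate(subj, obj)); }
bool mls_may_write(struct label_elem subj, struct label_elem obj) { return (elem_dominate(obj, subj)); }

/* Biba (integrity): no read down, no write up. */
bool biba_may_read(struct label_elem subj, struct label_elem obj)  { return (elem_dominate(obj, subj)); }
bool biba_may_write(struct label_elem subj, struct label_elem obj) { return (elem_dominate(subj, obj)); }

/* A process credential carries a single label plus the range it may move in. */
struct cred_label {
	struct label_elem single, rangelow, rangehigh;
};

/* Biba privilege in the sense used on this page: the range spans low..high,
 * i.e. rangelow is the least element and rangehigh the greatest. */
bool
biba_subject_privileged(struct cred_label c)
{
	struct label_elem low = mk_elem(0, 0);
	struct label_elem high = mk_elem(GRADE_MAX, ~0ULL);
	return (elem_dominate(low, c.rangelow) && elem_dominate(c.rangehigh, high));
}

/* A relabel of the single label is allowed only if the target stays
 * inside the credential's range. */
bool
cred_relabel_in_range(struct cred_label c, struct label_elem target)
{
	return (elem_dominate(target, c.rangelow) && elem_dominate(c.rangehigh, target));
}
```

Two labels whose compartment sets are not nested are incomparable under dominance, so neither direction of access is granted by either policy; that is the "need to know" restriction the compartments add on top of the hierarchical grade.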
|
105640 |
21-Oct-2002 |
rwatson |
More in the way of minor consistency improvements: trim 'mac_mls_' from another variable to line this up with mac_biba.c
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105638 |
21-Oct-2002 |
rwatson |
Demote sockets to single-label objects rather than maintaining a range on them, leaving process credentials as the only kernel objects with label ranges in the Biba and MLS policies. We weren't using the range in any access control decisions, so this lets us garbage collect effectively unused code.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105637 |
21-Oct-2002 |
rwatson |
Synchronize variable spelling with the MAC tree: we shortened some of the names.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105636 |
21-Oct-2002 |
rwatson |
White space nit that crept in during merge.
|
105635 |
21-Oct-2002 |
rwatson |
Since the Biba and MLS access checks are identical to the open checks, collapse the two cases more cleanly: rather than wrapping an access check around open, simply provide the open implementation for the access vector entry. No functional change.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105634 |
21-Oct-2002 |
rwatson |
Cleanup of relabel authorization checks -- almost identical logic, we just break out some of the tests better. Minor change in that we now better support incremental update of labels.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105606 |
21-Oct-2002 |
rwatson |
Add a twiddle to create PTY's with a biba/equal or mls/equal label instead of the default biba/high, mls/low, making it easier to use ptys with these policies. This isn't the final solution, but does help.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105598 |
21-Oct-2002 |
brooks |
Use if_printf(ifp, "blah") instead of printf("%s%d: blah", ifp->if_name, ifp->if_xname).
|
105497 |
20-Oct-2002 |
rwatson |
If MAC_MAX_POLICIES isn't defined, don't try to define it, just let the compile fail. MAC_MAX_POLICIES should always be defined, or we have bigger problems at hand.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105474 |
19-Oct-2002 |
rwatson |
Make sure to clear the 'registered' flag for MAC policies when they unregister. Under some obscure (perhaps demented) circumstances, this can result in a panic if a policy is unregistered, and then someone foolishly unregisters it again.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
105077 |
14-Oct-2002 |
mckusick |
Regularize the vop_stdlock'ing protocol across all the filesystems that use it. Specifically, vop_stdlock uses the lock pointed to by vp->v_vnlock. By default, getnewvnode sets up vp->v_vnlock to reference vp->v_lock. Filesystems that wish to use the default do not need to allocate a lock at the front of their node structure (as some still did) or do a lockinit. They can simply start using vn_lock/VOP_UNLOCK. Filesystems that wish to manage their own locks, but still use the vop_stdlock functions (such as nullfs) can simply replace vp->v_vnlock with a pointer to the lock that they wish to have used for the vnode. Such filesystems are responsible for setting the vp->v_vnlock back to the default in their vop_reclaim routine (e.g., vp->v_vnlock = &vp->v_lock).
In theory, this set of changes cleans up the existing filesystem lock interface and should have no function change to the existing locking scheme.
Sponsored by: DARPA & NAI Labs.
|
104571 |
06-Oct-2002 |
rwatson |
Integrate mac_check_socket_send() and mac_check_socket_receive() checks from the MAC tree: allow policies to perform access control for the ability of a process to send and receive data via a socket. At some point, we might also pass in additional address information if an explicit address is requested on send.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104569 |
06-Oct-2002 |
rwatson |
Trim accidentally introduced trailing whitespace.
|
104546 |
06-Oct-2002 |
rwatson |
Sync from MAC tree: break out the single mmap entry point into separate entry points for each occasion:
mac_check_vnode_mmap()              Check at initial mapping
mac_check_vnode_mprotect()          Check at mapping protection change
mac_check_vnode_mmap_downgrade()    Determine if a mapping downgrade should take place following subject relabel.
Implement mmap() and mprotect() entry points for labeled vnode policies. These entry points are currently not hooked up to the VM system in the base tree. These changes improve the consistency of the access control interface and offer more flexibility regarding limiting access to vnode mmaping.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104541 |
05-Oct-2002 |
rwatson |
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104535 |
05-Oct-2002 |
rwatson |
Implement mac_create_devfs_symlink() for policies that interact with vnode labels. Sync from MAC tree.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104533 |
05-Oct-2002 |
rwatson |
Integrate a devfs/MAC fix from the MAC tree: avoid a race condition during devfs VOP symlink creation by introducing a new entry point to determine the label of the devfs_dirent prior to allocation of a vnode for the symlink.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104530 |
05-Oct-2002 |
rwatson |
Merge implementation of mpo_check_vnode_link() for various appropriate file-system aware MAC policies. Sync to MAC tree.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104529 |
05-Oct-2002 |
rwatson |
Merge support for mac_check_vnode_link(), a MAC framework/policy entry point that instruments the creation of hard links. Policy implementations to follow.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104528 |
05-Oct-2002 |
rwatson |
While the MAC API has supported the ability to handle M_NOWAIT passed to mbuf label initialization, that functionality was never merged to the main tree. Go ahead and merge that functionality now. Note that this requires policy modules to accept the case where the label element may be destroyed even if init has not succeeded on it (in the event that policy failed the init). This will shortly also apply to sockets.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104527 |
05-Oct-2002 |
rwatson |
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104524 |
05-Oct-2002 |
rwatson |
Sync to MAC tree: use 'flag' instead of 'how' for mac_init_mbuf(); remove a slightly less than useful comment.
|
104522 |
05-Oct-2002 |
rwatson |
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104521 |
05-Oct-2002 |
rwatson |
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104520 |
05-Oct-2002 |
rwatson |
Synch from TrustedBSD MAC tree:
- If a policy isn't registered when a policy module unloads, silently succeed.
- Hold the policy list lock across more of the validity tests to avoid races.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104518 |
05-Oct-2002 |
rwatson |
Cosmetic line wrap synchronization.
|
104517 |
05-Oct-2002 |
rwatson |
Push the debugging object label counters into security.mac.debug.counters rather than directly under security.mac.debug.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104514 |
05-Oct-2002 |
rwatson |
Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy entry points to mpo_init_foo_label(label) and mpo_destroy_foo_label(label). This will permit the use of the same entry points for holding temporary type-specific label during internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and mpo_{init,destroy}_mount() into separate entry points for socket main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost all entry points, implement these entry points using common implementations for Biba, MLS, and Test, reducing the number of almost identical looking functions.
This simplifies policy implementation, as well as preparing us for the merge of the new flexible userland API for managing labels on objects.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104338 |
02-Oct-2002 |
rwatson |
Add a new MAC entry point, mac_thread_userret(td), which permits policy modules to perform MAC-related events when a thread returns to user space. This is required for policies that have floating process labels, as it's not always possible to acquire the process lock at arbitrary points in the stack during system call processing; process labels might represent traditional authentication data, process history information, or other data.
LOMAC will use this entry point to perform the process label update prior to the thread returning to userspace, when plugged into the MAC framework.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104300 |
01-Oct-2002 |
phk |
Remember to include "opt_devfs.h" so we get any relevant changes to NDEVFSINO before we include devfs.h.
Spotted by: FlexeLint
|
104269 |
01-Oct-2002 |
rwatson |
Improve locking of pipe mutexes in the context of MAC:
(1) Where previously the pipe mutex was selectively grabbed during pipe_ioctl(), now always grab it and then release it if not needed. This protects the call to mac_check_pipe_ioctl() to make sure the label remains consistent. (Note: it looks like sigio locking may be incorrect for fgetown() since we call it not-by-reference and sigio locking assumes call by reference).
(2) In pipe_stat(), lock the pipe if MAC is compiled in so that the call to mac_check_pipe_stat() gets a locked pipe to protect label consistency. We still release the lock before returning actual stat() data, risking inconsistency, but apparently our pipe locking model accepts that risk.
(3) In various pipe MAC authorization checks, assert that the pipe lock is held.
(4) Grab the lock when performing a pipe relabel operation, and assert it a little deeper in the stack.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
104268 |
01-Oct-2002 |
rwatson |
Push 'security.mac.debug_label_fallback' behind options MAC_DEBUG.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
104236 |
30-Sep-2002 |
rwatson |
Add tunables for the existing sysctl twiddles for pipe and vm enforcement so they can be disabled prior to kernel start.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
103942 |
25-Sep-2002 |
jeff |
- Use vrefcnt() instead of v_usecount.
|
103761 |
21-Sep-2002 |
rwatson |
Remove another missed trailing space.
|
103759 |
21-Sep-2002 |
rwatson |
Trim trailing whitespace from the ends of lines.
|
103758 |
21-Sep-2002 |
rwatson |
Continue cleanup and sync of mac_biba and mac_mls policies to the TrustedBSD MAC Perforce tree. Remove unused functions mac_biba_equal_range and mac_mls_equal_range, which determined if the ranges in two range-enabled labels were equal.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
103754 |
21-Sep-2002 |
rwatson |
Remove mac_biba_high_single() check for interface renaming: we now use the notion that a subject range of (low-high) connotes Biba privilege rather than a single of high.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
103750 |
21-Sep-2002 |
rwatson |
As INVARIANTS isn't supported for code that loads only as a kernel module and is not linked into the base system, two KASSERT's rotted. Fix them by fixing variable names. It would be really nice if opt_global.h was used when building modules as part of a buildkernel.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
103570 |
18-Sep-2002 |
rwatson |
Remove un-needed stack variable 'ops'.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
103514 |
18-Sep-2002 |
rwatson |
Add a toggle to disable VM enforcement.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
103513 |
18-Sep-2002 |
rwatson |
At the cost of seeming a little gauche, make use of more traditional alphabetization for mac_enforce_pipe sysctl.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
103314 |
14-Sep-2002 |
njl |
Remove all use of vnode->v_tag, replacing with appropriate substitutes. v_tag is now const char * and should only be used for debugging.
Additionally:
1. All users of VT_NTS now check vfsconf->vf_type VFCF_NETWORK
2. The user of VT_PROCFS now checks for the new flag VV_PROCDEP, which is propagated by pseudofs to all child vnodes if the fs sets PFS_PROCDEP.
Suggested by: phk Reviewed by: bde, rwatson (earlier version)
|
103183 |
10-Sep-2002 |
bde |
Include <sys/malloc.h> instead of depending on namespace pollution 2 layers deep in <sys/proc.h> or <sys/vnode.h>.
|
103136 |
09-Sep-2002 |
rwatson |
Add security.mac.mmap_revocation, a flag indicating whether we should revoke access to memory maps on a process label change.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
103135 |
09-Sep-2002 |
rwatson |
Minor code sync to MAC tree: push Giant locking up from mac_cred_mmapped_drop_perms() to the caller.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
102980 |
05-Sep-2002 |
rwatson |
Re-insert TUNABLE() export of MAC Biba and MAC MLS module 'enabled' sysctls. Apparently lost during some or another merge.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
102949 |
05-Sep-2002 |
bde |
Include <sys/malloc.h> instead of depending on namespace pollution 2 layers deep in <sys/proc.h> or <sys/vnode.h>.
Removed unused includes.
Fixed some printf format errors (1 fatal on i386's; 1 fatal on alphas; 1 not fatal on any supported machine).
|
102163 |
20-Aug-2002 |
rwatson |
Prefer NULL to 0 when passing a NULL pointer.
|
102162 |
20-Aug-2002 |
rwatson |
Provide stub mpo_syscall() implementations for mac_none and mac_test.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
102136 |
19-Aug-2002 |
rwatson |
Close a race in process label changing opened due to dropping the proc locking when revoking access to mmaps. Instead, perform this later once we've changed the process label (hold onto a reference to the new cred so that we don't lose it when we release the process lock if another thread changes the credential).
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
102129 |
19-Aug-2002 |
rwatson |
Pass active_cred and file_cred into the MAC framework explicitly for mac_check_vnode_{poll,read,stat,write}(). Pass in fp->f_cred when calling these checks with a struct file available. Otherwise, pass NOCRED. All currently MAC policies use active_cred, but could now offer the cached credential semantic used for the base system security model.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
102123 |
19-Aug-2002 |
rwatson |
Provide an implementation of mac_syscall() so that security modules can offer new services without reserving system call numbers, or augmented versions of existing services. User code requests a target policy by name, and specifies the policy-specific API plus target. This is required in particular for our port of SELinux/FLASK to the MAC framework since it offers additional security services.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
102115 |
19-Aug-2002 |
rwatson |
Break out mac_check_pipe_op() into component check entry points: mac_check_pipe_poll(), mac_check_pipe_read(), mac_check_pipe_stat(), and mac_check_pipe_write(). This improves consistency with other access control entry points and permits security modules to only control the object methods that they are interested in, avoiding switch statements.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
102112 |
19-Aug-2002 |
rwatson |
Break out mac_check_vnode_op() into three separate checks: mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write(). This improves the consistency with other existing vnode checks, and allows policies to avoid implementing switch statements to determine what operations they do and do not want to authorize.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
102103 |
19-Aug-2002 |
rwatson |
Assert process locks in process-related access control checks.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
102102 |
19-Aug-2002 |
rwatson |
Add a missing vnode assertion for the exec() check.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
102088 |
19-Aug-2002 |
phk |
Keep a copy of the credential used to mount filesystems around so we can check and use it later on.
Change the pieces of code which relied on mount->mnt_stat.f_owner to check which user mounted the filesystem.
This became needed as the EA code needs to be able to allocate blocks for "system" EA users like ACLs.
There seems to be some half-baked (probably only quarter- actually) notion that the superuser for a given filesystem is the user who mounted it, but this has far from been carried through. It is unclear if it should be.
Sponsored by: DARPA & NAI Labs.
|
101988 |
16-Aug-2002 |
rwatson |
Wrap maintenance of various nmac{objectname} counters in MAC_DEBUG so we can avoid the cost of a large number of atomic operations if we're not interested in the object count statistics.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
101934 |
15-Aug-2002 |
rwatson |
Rename mac_check_socket_receive() to mac_check_socket_deliver() so that we can use the names _receive() and _send() for the receive() and send() checks. Rename related constants, policy implementations, etc.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
101933 |
15-Aug-2002 |
rwatson |
Rename mac_check_socket_receive() to mac_check_socket_deliver() so that we can use the names _receive() and _send() for the receive() and send() checks. Rename related constants, policy implementations, etc.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
101892 |
15-Aug-2002 |
rwatson |
Sync to trustedbsd_mac tree: default to sigsegv rather than copy-on-write during a label change resulting in an mmap removal. This is "fail stop" behavior, which is preferred, although it offers slightly less transparency.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
101826 |
13-Aug-2002 |
rwatson |
Define 'struct label' in _label.h rather than mac.h, which will permit us to reduce namespace pollution by doing a nested include of _label.h rather than mac.h. mac.h contains lots of baggage, whereas _label.h contains much less. A follow-up sweep to change nested inclusion will follow. The problem regarding exporting 'struct label' to userland due to excessive exporting of kernel structures to userland still needs to be resolved.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs Suggested by: bde
|
101712 |
12-Aug-2002 |
rwatson |
Declare a module service "kernel_mac_support" when MAC support is enabled and the kernel provides the MAC registration and entry point service. Declare a dependency on that module service for any MAC module registered using mac_policy.h. For now, hard code the version as 1, but once we've come up with a versioning policy, we'll move to a #define of some sort. In the meantime, this will prevent loading a MAC module when 'options MAC' isn't present, which (due to a bug in the kernel linker) can result if the MAC module is preloaded via loader.conf.
This particular evil recommended by: peter Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
101308 |
04-Aug-2002 |
jeff |
- Replace v_flag with v_iflag and v_vflag
- v_vflag is protected by the vnode lock and is used when synchronization with VOP calls is needed.
- v_iflag is protected by interlock and is used for dealing with vnode management issues. These flags include X/O LOCK, FREE, DOOMED, etc.
- All accesses to v_iflag and v_vflag have either been locked or marked with mp_fixme's.
- Many ASSERT_VOP_LOCKED calls have been added where the locking was not clear.
- Many functions in vfs_subr.c were restructured to provide for stronger locking.
Idea stolen from: BSD/OS
|
101238 |
02-Aug-2002 |
rwatson |
Improve ordering of MAC entry points in mac_policy_op structure.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
101173 |
01-Aug-2002 |
rwatson |
Include file cleanup; mac.h and malloc.h at one point had ordering relationship requirements, and no longer do.
Reminded by: bde
|
101169 |
01-Aug-2002 |
rwatson |
Change macop_t to const, use macop_t in MAC policy entry point definition structure. This prevents a boatload of warnings in the MAC modules, so we can hook them up to the build.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
101099 |
31-Jul-2002 |
rwatson |
Introduce support for Mandatory Access Control and extensible kernel access control.
Provide implementations of some sample operating system security policy extensions. These are not yet hooked up to the build as other infrastructure is still being committed. Most of these work fairly well and are in daily use in our development and (limited) production environments. Some are not yet in their final form, and a number of the labeled policies waste a lot of kernel memory and will be fixed over the next month or so to be more conservative. They do give good examples of the flexibility of the MAC framework for implementing a variety of security policies.
mac_biba: Implementation of fixed-label Biba integrity policy, similar to those found in a number of commercial trusted operating systems. All subjects and objects are assigned integrity levels, and information flow is controlled based on a read-up, write-down policy. Currently, purely hierarchical.
mac_bsdextended: Implementation of a "file system firewall", which allows the administrator to specify a series of rules limiting access by users and groups to objects owned by other users and groups. This policy is unlabeled, relying on existing system security labeling (file permissions/ownership, process credentials).
mac_ifoff: Secure interface silencing. Special-purpose module to limit inappropriate out-going network traffic for silent monitoring scenarios. Prevents the various network stacks from generating any output despite an interface being live for reception.
mac_mls: Implementation of fixed-label Multi-Level Security confidentiality policy, similar to those found in a number of commercial trusted operating systems. All subjects and objects are assigned confidentiality levels, and information flow is controlled based on a write-up, read-down policy. Currently, purely hierarchical, although non-hierarchical support is in the works.
mac_none: Policy module implementing all MAC policy entry points with empty stubs. A good place to start if you want all the prototypes typed in for you, and don't mind a bit of pruning. Can be loaded, but has no access control impact. Useful also for performance measurements.
mac_seeotheruids: Policy module implementing a security service similar to security.bsd.seeotheruids, only a slightly more detailed policy involving exceptions for members of specific groups, etc. This policy is unlabeled, relying on existing system security labeling (process credentials).
mac_test: Policy module implementing basic sanity tests for label handling. Attempts to ensure that labels are not freed multiple times, etc, etc.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
100998 |
31-Jul-2002 |
rwatson |
Reduce the memory footprint of MAC in the base system by halving the number of policy slots to 4.
(Having run a quick errand, time to start on phase 2 of the MAC integration)
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
100979 |
30-Jul-2002 |
rwatson |
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the operating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
100978 |
30-Jul-2002 |
rwatson |
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the operating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem entry points (mac.h), and MAC policy entry points (mac_policy.h). These files define the interface between the kernel and the MAC framework, and between the MAC framework and each registered policy module. These APIs and ABIs may not be assumed to be stable until following FreeBSD 5.1-RELEASE.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
100894 |
30-Jul-2002 |
rwatson |
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernels from the main tree. Not much in this file yet.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
97716 |
01-Jun-2002 |
alfred |
Get rid of warnings, there's no need to do preprocessor concatenation of things with commas and equal signs.
|
97658 |
31-May-2002 |
tanimura |
Back out my last commit of locking down a socket, it conflicts with hsu's work.
Requested by: hsu
|
97556 |
30-May-2002 |
alfred |
Check for defined(__i386__) instead of just defined(i386) since the compiler will be updated to only define(__i386__) for ANSI cleanliness.
|
96972 |
20-May-2002 |
tanimura |
Lock down a socket, milestone 1.
o Add a mutex (sb_mtx) to struct sockbuf. This protects the data in a socket buffer. The mutex in the receive buffer also protects the data in struct socket.
o Determine the lock strategy for each member in struct socket.
o Lock down the following members:
- so_count
- so_options
- so_linger
- so_state
o Remove *_locked() socket APIs. Make the following socket APIs touching the members above now require a locked socket:
- sodisconnect()
- soisconnected()
- soisconnecting()
- soisdisconnected()
- soisdisconnecting()
- sofree()
- soref()
- sorele()
- sorwakeup()
- sotryfree()
- sowakeup()
- sowwakeup()
Reviewed by: alfred
|
96886 |
19-May-2002 |
jhb |
Change p_can{debug,see,sched,signal}()'s first argument to be a thread pointer instead of a proc pointer and require the process pointed to by the second argument to be locked. We now use the thread ucred reference for the credential checks in p_can*() as a result. p_canfoo() should now no longer need Giant.
|
96755 |
16-May-2002 |
trhodes |
More s/file system/filesystem/g
|
94460 |
11-Apr-2002 |
jhb |
Use the proc lock to protect p_ucred while we read a few items from it.
|
93593 |
01-Apr-2002 |
jhb |
Change the suser() API to take advantage of td_ucred as well as do a general cleanup of the API. The entire API now consists of two functions similar to the pre-KSE API. The suser() function takes a thread pointer as its only argument. The td_ucred member of this thread must be valid so the only valid thread pointers are curthread and a few kernel threads such as thread0. The suser_cred() function takes a pointer to a struct ucred as its first argument and an integer flag as its second argument. The flag is currently only used for the PRISON_ROOT flag.
Discussed on: smp@
|
92245 |
13-Mar-2002 |
rwatson |
DBA update: pick the right DBA for various LOMAC copyrights.
|
91406 |
27-Feb-2002 |
jhb |
Simple p_ucred -> td_ucred changes to start using the per-thread ucred reference.
|
91354 |
27-Feb-2002 |
dd |
Introduce a version field to `struct xucred' in place of one of the spares (the size of the field was changed from u_short to u_int to reflect what it really ends up being). Accordingly, change users of xucred to set and check this field as appropriate. In the kernel, this is being done inside the new cru2x() routine which takes a `struct ucred' and fills out a `struct xucred' according to the former. This also has the pleasant side effect of removing some duplicate code.
Reviewed by: rwatson
|
90448 |
10-Feb-2002 |
rwatson |
Part I: Update extended attribute API and ABI:
o Modify the system call syntax for extattr_{get,set}_{fd,file}() so as not to use the scatter gather API (which appeared not to be used by any consumers, and be less portable), rather, accepts 'data' and 'nbytes' in the style of other simple read/write interfaces. This changes the API and ABI.
o Modify system call semantics so that extattr_get_{fd,file}() return a size_t. When performing a read, the number of bytes read will be returned, unless the data pointer is NULL, in which case the number of bytes of data are returned. This changes the API only.
o Modify the VOP_GETEXTATTR() vnode operation to accept a *size_t argument so as to return the size, if desirable. If set to NULL, the size will not be returned.
o Update various filesystems (pseudofs, ufs) to DTRT.
These changes should make extended attributes more useful and more portable. More commits to rebuild the system call files, as well as update userland utilities to follow.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
90365 |
07-Feb-2002 |
mjacob |
Replace a few more lines of code orphaned by MFREE going away.
MFC after: 1 day
|
90361 |
07-Feb-2002 |
julian |
Pre-KSE/M3 commit. This is a low-functionality change that changes the kernel to access the main thread of a process via the linked list of threads rather than assuming that it is embedded in the process. It IS still embedded there but remove all the code that assumes that in preparation for the next commit which will actually move it out.
Reviewed by: peter@freebsd.org, gallatin@cs.duke.edu, benno rice,
|
88500 |
26-Dec-2001 |
green |
s/sonewconn3/sonewconn/ forgotten by the modifier.
|
87251 |
03-Dec-2001 |
green |
Split out NAI Labs license and BSD license to prevent the accidental violation of either.
|
87074 |
28-Nov-2001 |
green |
Return a POSIX-compliant error for write(2) failure.
|
86630 |
19-Nov-2001 |
green |
This commit was generated by cvs2svn to compensate for changes in r86629, which included commits to RCS files with non-trunk default branches.
|