#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
299187 |
|
06-May-2016 |
pfg |
sys/security: minor spelling fixes.
No functional change.
|
#
280130 |
|
15-Mar-2015 |
mjg |
cred: add proc_set_cred helper
The goal here is to provide one place altering process credentials.
This eases debugging and opens up posibilities to do additional work when such an action is performed.
|
#
275856 |
|
17-Dec-2014 |
gleb |
Adjust printf format specifiers for dev_t and ino_t in kernel.
ino_t and dev_t are about to become uint64_t.
Reviewed by: kib, mckusick
|
#
267992 |
|
28-Jun-2014 |
hselasky |
Pull in r267961 and r267973 again. Fix for issues reported will follow.
|
#
267985 |
|
27-Jun-2014 |
gjb |
Revert r267961, r267973:
These changes prevent sysctl(8) from returning proper output, such as:
1) no output from sysctl(8) 2) erroneously returning ENOMEM with tools like truss(1) or uname(1) truss: can not get etype: Cannot allocate memory
|
#
267961 |
|
27-Jun-2014 |
hselasky |
Extend the meaning of the CTLFLAG_TUN flag to automatically check if there is an environment variable which shall initialize the SYSCTL during early boot. This works for all SYSCTL types both statically and dynamically created ones, except for the SYSCTL NODE type and SYSCTLs which belong to VNETs. A new flag, CTLFLAG_NOFETCH, has been added to be used in the case a tunable sysctl has a custom initialisation function allowing the sysctl to still be marked as a tunable. The kernel SYSCTL API is mostly the same, with a few exceptions for some special operations like iterating childrens of a static/extern SYSCTL node. This operation should probably be made into a factored out common macro, hence some device drivers use this. The reason for changing the SYSCTL API was the need for a SYSCTL parent OID pointer and not only the SYSCTL parent OID list pointer in order to quickly generate the sysctl path. The motivation behind this patch is to avoid parameter loading cludges inside the OFED driver subsystem. Instead of adding special code to the OFED driver subsystem to post-load tunables into dynamically created sysctls, we generalize this in the kernel.
Other changes: - Corrected a possibly incorrect sysctl name from "hw.cbb.intr_mask" to "hw.pcic.intr_mask". - Removed redundant TUNABLE statements throughout the kernel. - Some minor code rewrites in connection to removing not needed TUNABLE statements. - Added a missing SYSCTL_DECL(). - Wrapped two very long lines. - Avoid malloc()/free() inside sysctl string handling, in case it is called to initialize a sysctl from a tunable, hence malloc()/free() is not ready when sysctls from the sysctl dataset are registered. - Bumped FreeBSD version to indicate SYSCTL API change.
MFC after: 2 weeks Sponsored by: Mellanox Technologies
|
#
263152 |
|
14-Mar-2014 |
glebius |
Remove AppleTalk support.
AppleTalk was a network transport protocol for Apple Macintosh devices in 80s and then 90s. Starting with Mac OS X in 2000 the AppleTalk was a legacy protocol and primary networking protocol is TCP/IP. The last Mac OS X release to support AppleTalk happened in 2009. The same year routing equipment vendors (namely Cisco) end their support.
Thus, AppleTalk won't be supported in FreeBSD 11.0-RELEASE.
|
#
263140 |
|
14-Mar-2014 |
glebius |
Remove IPX support.
IPX was a network transport protocol in Novell's NetWare network operating system from late 80s and then 90s. The NetWare itself switched to TCP/IP as default transport in 1998. Later, in this century the Novell Open Enterprise Server became successor of Novell NetWare. The last release that claimed to still support IPX was OES 2 in 2007. Routing equipment vendors (e.g. Cisco) discontinued support for IPX in 2011.
Thus, IPX won't be supported in FreeBSD 11.0-RELEASE.
|
#
231378 |
|
10-Feb-2012 |
ed |
Remove direct access to si_name.
Code should just use the devtoname() function to obtain the name of a character device. Also add const keywords to pieces of code that need it to build properly.
MFC after: 2 weeks
|
#
229272 |
|
02-Jan-2012 |
ed |
Use strchr() and strrchr().
It seems strchr() and strrchr() are used more often than index() and rindex(). Therefore, simply migrate all kernel code to use it.
For the XFS code, remove an empty line to make the code identical to the code in the Linux kernel.
|
#
227309 |
|
07-Nov-2011 |
ed |
Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.
The SYSCTL_NODE macro defines a list that stores all child-elements of that node. If there's no SYSCTL_DECL macro anywhere else, there's no reason why it shouldn't be static.
|
#
227293 |
|
07-Nov-2011 |
ed |
Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.
This means that their use is restricted to a single C file.
|
#
204581 |
|
02-Mar-2010 |
rwatson |
Update device-labeling logic for Biba, LOMAC, and MLS to recognize new-style pts devices when various policy ptys_equal flags are enabled.
Submitted by: Estella Mystagic <estella at mystagic.com> MFC after: 1 week
|
#
201438 |
|
03-Jan-2010 |
trasz |
Make mac_lomac(4) able to interpret NFSv4 access bits.
Reviewed by: rwatson
|
#
194766 |
|
23-Jun-2009 |
kib |
Implement global and per-uid accounting of the anonymous memory. Add rlimit RLIMIT_SWAP that limits the amount of swap that may be reserved for the uid.
The accounting information (charge) is associated with either map entry, or vm object backing the entry, assuming the object is the first one in the shadow chain and entry does not require COW. Charge is moved from entry to object on allocation of the object, e.g. during the mmap, assuming the object is allocated, or on the first page fault on the entry. It moves back to the entry on forks due to COW setup.
The per-entry granularity of accounting makes the charge process fair for processes that change uid during lifetime, and decrements charge for proper uid when region is unmapped.
The interface of vm_pager_allocate(9) is extended by adding struct ucred *, that is used to charge appropriate uid when allocation if performed by kernel, e.g. md(4).
Several syscalls, among them is fork(2), may now return ENOMEM when global or per-uid limits are enforced.
In collaboration with: pho Reviewed by: alc Approved by: re (kensmith)
|
#
194534 |
|
20-Jun-2009 |
ed |
Chase the removal of PRIV_TTY_PRISON in the mac(9) modules.
Reported by: kib Pointy hat to: me
|
#
193391 |
|
03-Jun-2009 |
rwatson |
Continue work to optimize performance of "options MAC" when no MAC policy modules are loaded by avoiding mbuf label lookups when policies aren't loaded, pushing further socket locking into MAC policy modules, and avoiding locking MAC ifnet locks when no policies are loaded:
- Check mac_policies_count before looking for mbuf MAC label m_tags in MAC Framework entry points. We will still pay label lookup costs if MAC policies are present but don't require labels (typically a single mbuf header field read, but perhaps further indirection if IPSEC or other m_tag consumers are in use).
- Further push socket locking for socket-related access control checks and events into MAC policies from the MAC Framework, so that sockets are only locked if a policy specifically requires a lock to protect a label. This resolves lock order issues during sonewconn() and also in local domain socket cross-connect where multiple socket locks could not be held at once for the purposes of propagatig MAC labels across multiple sockets. Eliminate mac_policy_count check in some entry points where it no longer avoids locking.
- Add mac_policy_count checking in some entry points relating to network interfaces that otherwise lock a global MAC ifnet lock used to protect ifnet labels.
Obtained from: TrustedBSD Project
|
#
189533 |
|
08-Mar-2009 |
rwatson |
Remove 'uio' argument from MAC Framework and MAC policy entry points for extended attribute get/set; in the case of get an uninitialized user buffer was passed before the EA was retrieved, making it of relatively little use; the latter was simply unused by any policies.
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
#
187016 |
|
10-Jan-2009 |
rwatson |
Rather than having MAC policies explicitly declare what object types they label, derive that information implicitly from the set of label initializers in their policy operations set. This avoids a possible class of programmer errors, while retaining the structure that allows us to avoid allocating labels for objects that don't need them. As before, we regenerate a global mask of labeled objects each time a policy is loaded or unloaded, stored in mac_labeled.
Discussed with: csjp Suggested by: Jacques Vidrine <nectar at apple.com> Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
#
187014 |
|
10-Jan-2009 |
rwatson |
Use MPC_OBJECT_IP6Q to indicate labeling of struct ip6q rather than MPC_OBJECT_IPQ; it was already defined, just not used.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
#
184413 |
|
28-Oct-2008 |
trasz |
Introduce accmode_t. This is required for NFSv4 ACLs - it will be neccessary to add more V* constants, and the variables changed by this patch were often being assigned to mode_t variables, which is 16 bit.
Approved by: rwatson (mentor)
|
#
184412 |
|
28-Oct-2008 |
rwatson |
Rename mac_cred_mmapped_drop_perms(), which revokes access to virtual memory mappings when the MAC label on a process changes, to mac_proc_vm_revoke(),
It now also acquires its own credential reference directly from the affected process rather than accepting one passed by the the caller, simplifying the API and consumer code.
Obtained from: TrustedBSD Project
|
#
184407 |
|
28-Oct-2008 |
rwatson |
Rename three MAC entry points from _proc_ to _cred_ to reflect the fact that they operate directly on credentials: mac_proc_create_swapper(), mac_proc_create_init(), and mac_proc_associate_nfsd(). Update policies.
Obtained from: TrustedBSD Project
|
#
184308 |
|
26-Oct-2008 |
rwatson |
Implement MAC policy support for IPv6 fragment reassembly queues, modeled on IPv4 fragment reassembly queue support.
Obtained from: TrustedBSD Project
|
#
184205 |
|
23-Oct-2008 |
des |
Retire the MALLOC and FREE macros. They are an abomination unto style(9).
MFC after: 3 months
|
#
183980 |
|
17-Oct-2008 |
bz |
Add a mac_inpcb_check_visible implementation to all MAC policies that handle mac_socket_check_visible.
Reviewed by: rwatson MFC after: 3 months (set timer; decide then)
|
#
182371 |
|
28-Aug-2008 |
attilio |
Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread was always curthread and totally unuseful.
Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
|
#
182063 |
|
23-Aug-2008 |
rwatson |
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required.
MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
#
181217 |
|
02-Aug-2008 |
rwatson |
Minor style tweaks.
|
#
179781 |
|
13-Jun-2008 |
rwatson |
The TrustedBSD MAC Framework named struct ipq instances 'ipq', which is the same as the global variable defined in ip_input.c. Instead, adopt the name 'q' as found in about 1/2 of uses in ip_input.c, preventing a collision on the name. This is non-harmful, but means that search and replace on the global works less well (as in the virtualization work), as well as indexing tools.
MFC after: 1 week Reported by: julian
|
#
173138 |
|
29-Oct-2007 |
rwatson |
Resort TrustedBSD MAC Framework policy entry point implementations and declarations to match the object, operation sort order in the framework itself.
Obtained from: TrustedBSD Project
|
#
173108 |
|
28-Oct-2007 |
rwatson |
Garbage collect mac_mbuf_create_multicast_encap TrustedBSD MAC Framework entry point, which is no longer required now that we don't support old-style multicast tunnels. This removes the last mbuf object class entry point that isn't init/copy/destroy.
Obtained from: TrustedBSD Project
|
#
173102 |
|
28-Oct-2007 |
rwatson |
Continue to move from generic network entry points in the TrustedBSD MAC Framework by moving from mac_mbuf_create_netlayer() to more specific entry points for specific network services:
- mac_netinet_firewall_reply() to be used when replying to in-bound TCP segments in pf and ipfw (etc).
- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite a label in place, but in others we apply the label to a new mbuf.
Obtained from: TrustedBSD Project
|
#
173095 |
|
28-Oct-2007 |
rwatson |
Move towards more explicit support for various network protocol stacks in the TrustedBSD MAC Framework:
- Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send() for AARP packet labeling, rather than using a generic link layer entry point.
- Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send() for ND6 packet labeling, rather than using a generic link layer entry point.
- Add expliict entry point mac_netinet_arp_send() for ARP packet labeling, and mac_netinet_igmp_send() for IGMP packet labeling, rather than using a generic link layer entry point.
- Remove previous genering link layer entry point, mac_mbuf_create_linklayer() as it is no longer used.
- Add implementations of new entry points to various policies, largely by replicating the existing link layer entry point for them; remove old link layer entry point implementation.
- Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global to the MAC Framework rather than static to mac_net.c as it is now needed outside of mac_net.c.
Obtained from: TrustedBSD Project
|
#
173018 |
|
26-Oct-2007 |
rwatson |
Rename 'mac_mbuf_create_from_firewall' to 'mac_netinet_firewall_send' as we move towards netinet as a pseudo-object for the MAC Framework.
Rename 'mac_create_mbuf_linklayer' to 'mac_mbuf_create_linklayer' to reflect general object-first ordering preference.
Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
172970 |
|
25-Oct-2007 |
rwatson |
Normalize TCP syncache-related MAC Framework entry points to match most other entry points in the form mac_<object>_method().
Discussed with: csjp Obtained from: TrustedBSD Project
|
#
172955 |
|
25-Oct-2007 |
rwatson |
Consistently name functions for mac_<policy> as <policy>_whatever rather than mac_<policy>_whatever, as this shortens the names and makes the code a bit easier to read.
When dealing with label structures, name variables 'mb', 'ml', 'mm rather than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making the code a little easier to read.
Obtained from: TrustedBSD Project
|
#
172953 |
|
25-Oct-2007 |
rwatson |
Further MAC Framework cleanup: normalize some local variable names and clean up some comments.
Obtained from: TrustedBSD Project
|
#
172930 |
|
24-Oct-2007 |
rwatson |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms:
mac_<object>_<method/action> mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names.
All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
172207 |
|
17-Sep-2007 |
jeff |
- Move all of the PS_ flags into either p_flag or td_flags. - p_sflag was mostly protected by PROC_LOCK rather than the PROC_SLOCK or previously the sched_lock. These bugs have existed for some time. - Allow swapout to try each thread in a process individually and then swapin the whole process if any of these fail. This allows us to move most scheduler related swap flags into td_flags. - Keep ki_sflag for backwards compat but change all in source tools to use the new and more correct location of P_INMEM.
Reported by: pho Reviewed by: attilio, kib Approved by: re (kensmith)
|
#
172107 |
|
09-Sep-2007 |
rwatson |
Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry point to mac_check_vnode_unlink(), reflecting UNIX naming conventions.
This is the first of several commits to synchronize the MAC Framework in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X Leopard.
Reveiwed by: csjp, Samy Bahra <sbahra at gwu dot edu> Submitted by: Jacques Vidrine <nectar at apple dot com> Obtained from: Apple Computer, Inc. Sponsored by: SPARTA, SPAWAR Approved by: re (bmah)
|
#
170307 |
|
04-Jun-2007 |
jeff |
Commit 14/14 of sched_lock decomposition. - Use thread_lock() rather than sched_lock for per-thread scheduling sychronization. - Use the per-process spinlock rather than the sched_lock for per-process scheduling synchronization.
Tested by: kris, current@ Tested on: i386, amd64, ULE, 4BSD, libthr, libkse, PREEMPTION, etc. Discussed with: kris, attilio, kmacy, jhb, julian, bde (small parts each)
|
#
168977 |
|
23-Apr-2007 |
rwatson |
Rename mac*devfsdirent*() to mac*devfs*() to synchronize with SEDarwin, where similar data structures exist to support devfs and the MAC Framework, but are named differently.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
|
#
168976 |
|
23-Apr-2007 |
rwatson |
Apply variable name normalization to MAC policies: adopt global conventions for the naming of variables associated with specific data structures.
Obtained from: TrustedBSD Project
|
#
168954 |
|
22-Apr-2007 |
rwatson |
In the MAC Framework implementation, file systems have two per-mountpoint labels: the mount label (label of the mountpoint) and the fs label (label of the file system). In practice, policies appear to only ever use one, and the distinction is not helpful.
Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and eliminate extra machinery required to maintain the additional label. Update policies to reflect removal of extra entry points and label.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
|
#
168951 |
|
22-Apr-2007 |
rwatson |
Remove MAC Framework access control check entry points made redundant with the introduction of priv(9) and MAC Framework entry points for privilege checking/granting. These entry points exactly aligned with privileges and provided no additional security context:
- mac_check_sysarch_ioperm() - mac_check_kld_unload() - mac_check_settime() - mac_check_system_nfsd()
Add mpo_priv_check() implementations to Biba and LOMAC policies, which, for each privilege, determine if they can be granted to processes considered unprivileged by those two policies. These mostly, but not entirely, align with the set of privileges granted in jails.
Obtained from: TrustedBSD Project
|
#
168933 |
|
21-Apr-2007 |
rwatson |
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid().
MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points.
Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
|
#
166533 |
|
06-Feb-2007 |
rwatson |
Introduce accessor functions mac_label_get() and mac_label_set() to replace LABEL_TO_SLOT() macro used by policy modules to query and set label data in struct label. Instead of using a union, store an intptr_t, simplifying the API.
Update policies: in most cases this required only small tweaks to current wrapper macros. In two cases, a single wrapper macros had to be split into separate get and set macros.
Move struct label definition from _label.h to mac_internal.h and remove _label.h. With this change, policies may now treat struct label * as opaque, allowing us to change the layout of struct label without breaking the policy module ABI. For example, we could make the maximum number of policies with labels modifiable at boot-time rather than just at compile-time.
Obtained from: TrustedBSD Project
|
#
165469 |
|
22-Dec-2006 |
rwatson |
Move src/sys/sys/mac_policy.h, the kernel interface between the MAC Framework and security modules, to src/sys/security/mac/mac_policy.h, completing the removal of kernel-only MAC Framework include files from src/sys/sys. Update the MAC Framework and MAC policy modules. Delete the old mac_policy.h.
Third party policy modules will need similar updating.
Obtained from: TrustedBSD Project
|
#
165150 |
|
13-Dec-2006 |
csjp |
Teach the MAC policies which utilize mbuf labeling the new syncache entry points. Properly initialize the mbuf label based on the label we copy from the PCB. This fixes an LOR between the PCB and syncache code.
|
#
164033 |
|
06-Nov-2006 |
rwatson |
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking.
Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
|
#
163606 |
|
22-Oct-2006 |
rwatson |
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitions, with all in-kernel interfaces moved to mac_framework.h, which is now included across most of the kernel instead.
This change is the first step in a larger cleanup and sweep of MAC Framework interfaces in the kernel, and will not be MFC'd.
Obtained from: TrustedBSD Project Sponsored by: SPARTA
|
#
162238 |
|
12-Sep-2006 |
csjp |
Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point exists to allow the mandatory access control policy to properly initialize mbufs generated by the firewall. An example where this might happen is keep alive packets, or ICMP error packets in response to other packets.
This takes care of kernel panics associated with un-initialize mbuf labels when the firewall generates packets.
[1] I modified this patch from it's original version, the initial patch introduced a number of entry points which were programmatically equivalent. So I introduced only one. Instead, we should leverage mac_create_mbuf_netlayer() which is used for similar situations, an example being icmp_error()
This will minimize the impact associated with the MFC
Submitted by: mlaier [1] MFC after: 1 week
This is a RELENG_6 candidate
|
#
151897 |
|
31-Oct-2005 |
rwatson |
Normalize a significant number of kernel malloc type names:
- Prefer '_' to ' ', as it results in more easily parsed results in memory monitoring tools such as vmstat.
- Remove punctuation that is incompatible with using memory type names as file names, such as '/' characters.
- Disambiguate some collisions by adding subsystem prefixes to some memory types.
- Generally prefer lower case to upper case.
- If the same type is defined in multiple architecture directories, attempt to use the same name in additional cases.
Not all instances were caught in this change, so more work is required to finish this conversion. Similar changes are required for UMA zone names.
|
#
150340 |
|
19-Sep-2005 |
phk |
Add #include <sys/sx.h>, devfs is going to require this shortly.
|
#
150324 |
|
19-Sep-2005 |
rwatson |
Remove mac_create_root_mount() and mpo_create_root_mount(), which provided access to the root file system before the start of the init process. This was used briefly by SEBSD before it knew about preloading data in the loader, and using that method to gain access to data earlier results in fewer inconsistencies in the approach. Policy modules still have access to the root file system creation event through the mac_create_mount() entry point.
Removed now, and will be removed from RELENG_6, in order to gain third party policy dependencies on the entry point for the lifetime of the 6.x branch.
MFC after: 3 days Submitted by: Chris Vance <Christopher dot Vance at SPARTA dot com> Sponsored by: SPARTA
|
#
147982 |
|
14-Jul-2005 |
rwatson |
When devfs cloning takes place, provide access to the credential of the process that caused the clone event to take place for the device driver creating the device. This allows cloned device drivers to adapt the device node based on security aspects of the process, such as the uid, gid, and MAC label.
- Add a cred reference to struct cdev, so that when a device node is instantiated as a vnode, the cloning credential can be exposed to MAC.
- Add make_dev_cred(), a version of make_dev() that additionally accepts the credential to stick in the struct cdev. Implement it and make_dev() in terms of a back-end make_dev_credv().
- Add a new event handler, dev_clone_cred, which can be registered to receive the credential instead of dev_clone, if desired.
- Modify the MAC entry point mac_create_devfs_device() to accept an optional credential pointer (may be NULL), so that MAC policies can inspect and act on the label or other elements of the credential when initializing the skeleton device protections.
- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(), so that the pty clone credential is exposed to the MAC Framework.
While currently primarily focussed on MAC policies, this change is also a prerequisite for changes to allow ptys to be instantiated with the UID of the process looking up the pty. This requires further changes to the pty driver -- in particular, to immediately recycle pty nodes on last close so that the credential-related state can be recreated on next lookup.
Submitted by: Andrew Reisse <andrew.reisse@sparta.com> Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA MFC after: 1 week MFC note: Merge to 6.x, but not 5.x for ABI reasons
|
#
147785 |
|
05-Jul-2005 |
rwatson |
Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is redundant with respect to existing mbuf copy label routines. Expose a new mac_copy_mbuf() routine at the top end of the Framework and use that; use the existing mpo_copy_mbuf_label() routine on the bottom end.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, SPAWAR Approved by: re (scottl)
|
#
145076 |
|
14-Apr-2005 |
csjp |
Move MAC check_vnode_mmap entry point out from being exclusive to MAP_SHARED so that the entry point gets executed un-conditionally. This may be useful for security policies which want to perform access control checks around run-time linking.
-add the mmap(2) flags argument to the check_vnode_mmap entry point so that we can make access control decisions based on the type of mapped object. -update any dependent API around this parameter addition such as function prototype modifications, entry point parameter additions and the inclusion of sys/mman.h header file. -Change the MLS, BIBA and LOMAC security policies so that subject domination routines are not executed unless the type of mapping is shared. This is done to maintain compatibility between the old vm_mmap_vnode(9) and these policies.
Reviewed by: rwatson MFC after: 1 month
|
#
140879 |
|
26-Jan-2005 |
rwatson |
Remove policy references to mpo_check_vnode_mprotect(), which is currently unimplemented.
Update copyrights.
Pointed out by: csjp
|
#
132781 |
|
28-Jul-2004 |
kan |
Introduce SLOT_SET macro and use it in place of casts as lvalues.
|
#
131025 |
|
24-Jun-2004 |
rwatson |
Introduce a temporary mutex, mac_ifnet_mtx, to lock MAC labels on network interfaces. This global mutex will protect all ifnet labels. Acquire the mutex across various MAC activities on interfaces, such as security checks, propagating interface labels to mbufs generated from the interface, retrieving and setting the interface label.
Introduce mpo_copy_ifnet_label MAC policy entry point to copy the value of an interface label from one label to another. Use this to avoid performing a label externalize while holding mac_ifnet_mtx; copy the label to a temporary ifnet label and then externalize that.
Implement mpo_copy_ifnet_label for various MAC policies that implement interface labeling using generic label copying routines.
Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
|
#
130585 |
|
16-Jun-2004 |
phk |
Do the dreaded s/dev_t/struct cdev */ Bump __FreeBSD_version accordingly.
|
#
126121 |
|
22-Feb-2004 |
pjd |
Reimplement sysctls handling by MAC framework. Now I believe it is done in the right way.
Removed some XXMAC cases, we now assume 'high' integrity level for all sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic.
Reviewed by: rwatson Approved by: rwatson, scottl (mentor) Tested with: LINT (compilation), mac_biba(4) (functionality)
|
#
126097 |
|
21-Feb-2004 |
rwatson |
Update my personal copyrights and NETA copyrights in the kernel to use the "year1-year3" format, as opposed to "year1, year2, year3". This seems to make lawyers more happy, but also prevents the lines from getting excessively long as the years start to add up.
Suggested by: imp
|
#
125293 |
|
01-Feb-2004 |
rwatson |
Coalesce pipe allocations and frees. Previously, the pipe code would allocate two 'struct pipe's from the pipe zone, and malloc a mutex.
- Create a new "struct pipepair" object holding the two 'struct pipe' instances, struct mutex, and struct label reference. Pipe structures now have a back-pointer to the pipe pair, and a 'pipe_present' flag to indicate whether the half has been closed.
- Perform mutex init/destroy in zone init/destroy, avoiding reallocating the mutex for each pipe. Perform most pipe structure setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe', update many policies. MAC labels are also handled outside of the UMA zone for now. Label-only policy modules don't have to be recompiled, but if a module is recompiled, its pipe entry points will need to be updated. If a module actually reached into the pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed half until a full-close takes place. However, VM mapped buffers are still released on half-close.
Some code refactoring is now possible to clean up some of the back references, etc; this patch attempts not to change the structure of most of the pipe implementation, only allocation/free code paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation and free in system call tests on UP and SMP in my micro-benchmarks. May or may not make a difference in macro-benchmarks, but doing less work is good.
Reviewed by: juli, tjr Testing help: dwhite, fenestro, scottl, et al
|
#
123607 |
|
17-Dec-2003 |
rwatson |
Switch TCP over to using the inpcb label when responding in timed wait, rather than the socket label. This avoids reaching up to the socket layer during connection close, which requires locking changes. To do this, introduce MAC Framework entry point mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond() instead of calling mac_create_mbuf_from_socket() or mac_create_mbuf_netlayer(). Introduce MAC Policy entry point mpo_create_mbuf_from_inpcb(), and implementations for various policies, which generally just copy label data from the inpcb to the mbuf. Assert the inpcb lock in the entry point since we require consistency for the inpcb label reference.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
123173 |
|
06-Dec-2003 |
rwatson |
Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(), and the mpo_create_cred() MAC policy entry point to mpo_copy_cred_label(). This is more consistent with similar entry points for creation and label copying, as mac_create_cred() was called from crdup() as opposed to during process creation. For a number of policies, this removes the requirement for special handling when copying credential labels, and improves consistency.
Approved by: re (scottl) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122875 |
|
17-Nov-2003 |
rwatson |
Introduce a MAC label reference in 'struct inpcb', which caches the MAC label referenced from 'struct socket' in the IPv4 and IPv6-based protocols. This permits MAC labels to be checked during network delivery operations without dereferencing inp->inp_socket to get to so->so_label, which will eventually avoid our having to grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the MAC Framework, along with the normal circus of entry points: initialization, creation from socket, destruction, as well as a delivery access control check.
For most policies, the inpcb label will simply be a cache of the socket label, so a new protocol switch method is introduced, pr_sosetlabel() to notify protocols that the socket layer label has been updated so that the cache can be updated while holding appropriate locks. Most protocols implement this using pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use the the worker function in_pcbsosetlabel(), which calls into the MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub policy, and test policy.
Reviewed by: sam, bms Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122824 |
|
16-Nov-2003 |
rwatson |
Don't implement mpo_destroy() for Biba, LOMAC, and MLS, as they aren't allowed to be unloaded.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122820 |
|
16-Nov-2003 |
rwatson |
Implement sockets support for __mac_get_fd() and __mac_set_fd() system calls, and prefer these calls over getsockopt()/setsockopt() for ABI reasons. When addressing UNIX domain sockets, these calls retrieve and modify the socket label, not the label of the rendezvous vnode.
- Create mac_copy_socket_label() entry point based on mac_copy_pipe_label() entry point, intended to copy the socket label into temporary storage that doesn't require a socket lock to be held (currently Giant).
- Implement mac_copy_socket_label() for various policies.
- Expose socket label allocation, free, internalize, externalize entry points as non-static from mac_net.c.
- Use mac_socket_label_set() in __mac_set_fd().
MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and mac_get_peer() to retrieve and set various socket labels without directly invoking the getsockopt() interface.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122524 |
|
12-Nov-2003 |
rwatson |
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol.
Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122270 |
|
07-Nov-2003 |
rwatson |
Replace a '-' with a ')'. Update copyright.
PR: 53195
|
#
121816 |
|
31-Oct-2003 |
brooks |
Replace the if_name and if_unit members of struct ifnet with new members if_xname, if_dname, and if_dunit. if_xname is the name of the interface and if_dname/unit are the driver name and instance.
This change paves the way for interface renaming and enhanced pseudo device creation and configuration symantics.
Approved By: re (in principle) Reviewed By: njl, imp Tested On: i386, amd64, sparc64 Obtained From: NetBSD (if_xname)
|
#
121304 |
|
21-Oct-2003 |
rwatson |
Line-break sync to the MAC development branch.
|
#
119242 |
|
21-Aug-2003 |
rwatson |
Correct logic for filling out a "new" label during a credential change in mac_lomac: if both flags are set on the new label, we may not need to always fill out the label (only if one flag is set, not both). Avoid stomping on a section of the label if we are in fact modifying both elements.
Because we know that both flags will be set, we don't need to test whether the range or single are set in later consistency checks of the range and single -- just test them.
By checking the range of the new vs. the range of the old label before testing the single against the new range, we implicitly test that the new single is in the old range. Document this with a comment.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
117247 |
|
04-Jul-2003 |
rwatson |
Remove trailing whitespace.
|
#
116701 |
|
22-Jun-2003 |
rwatson |
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS.
Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case.
This has been running in the MAC development tree for about three weeks without problems.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
115715 |
|
02-Jun-2003 |
rwatson |
Also implement mpo_copy_mbuf_label() for mac_lomac, or labels may not be properly propagated across some mbuf copy operations.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
115525 |
|
31-May-2003 |
phk |
Remove double return()
Found by: FlexeLint
|
#
113531 |
|
15-Apr-2003 |
rwatson |
Enable the MAC_ALWAYS_LABEL_MBUF flag for the Biba, LOMAC, MLS, and Test policies. Missed in earlier merge.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
112675 |
|
26-Mar-2003 |
rwatson |
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
111119 |
|
19-Feb-2003 |
imp |
Back out M_* changes, per decision of the TRB.
Approved by: trb
|
#
111032 |
|
17-Feb-2003 |
julian |
Move a bunch of flags from the KSE to the thread. I was in two minds as to where to put them in the first case.. I should have listenned to the other mind.
Submitted by: parts by davidxu@ Reviewed by: jeff@ mini@
|
#
109623 |
|
21-Jan-2003 |
alfred |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
#
108788 |
|
06-Jan-2003 |
mux |
Fix warnings on 64bits architectures.
Noticed by: alpha tinderbox
|
#
107731 |
|
10-Dec-2002 |
rwatson |
Default policies to on: if you load them or compile them into your kernel, you should expect them to do something, so now they do. This doesn't affect users who don't load or explicitly compile in the policies.
Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
107698 |
|
09-Dec-2002 |
rwatson |
Remove dm_root entry from struct devfs_mount. It's never set, and is unused. Replace it with a dm_mount back-pointer to the struct mount that the devfs_mount is associated with. Export that pointer to MAC Framework entry points, where all current policies don't use the pointer. This permits the SEBSD port of SELinux's FLASK/TE to compile out-of-the-box on 5.0-CURRENT with full file system labeling support.
Approved by: re (murray) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
107622 |
|
04-Dec-2002 |
rwatson |
Remove a const that generates a warning: the const isn't strictly wrong, since we don't want the variable changed, but since we assign it to variables that may also refer to other non-const strings, warnings were generated that could break LINT.
Approved by: re Spotted by: sam
|
#
107551 |
|
03-Dec-2002 |
rwatson |
License tweak: remove clause 3 per permission of NAI.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
107279 |
|
26-Nov-2002 |
rwatson |
Correct two warnings by staticizing a function and removing an unused function.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
107273 |
|
26-Nov-2002 |
rwatson |
Import an implementation of LOMAC (Low-Watermark Mandatory Access Control) as a MAC Framework policy module. Unlike the existing src/sys/security/lomac implementation, this one has its fingers out of the kernel lock order and doesn't make use of flags in existing kernel structures. This greatly reduces the quantity of replicated code with src/sys/kern, simplifies the implementation (3000 vs 8500 lines), and correctes a number of known stability problems with the existing LOMAC implementation, which will be removed. A bit more hooking up to do here.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|