#
331722 |
|
29-Mar-2018 |
eadler |
Revert r330897:
This was intended to be a non-functional change. It wasn't. The commit message was thus wrong. In addition it broke arm, and merged crypto related code.
Revert with prejudice.
This revert skips files touched in r316370 since that commit was since MFCed. This revert also skips files that require $FreeBSD$ property changes.
Thank you to those who helped me get out of this mess including but not limited to gonzo, kevans, rgrimes.
Requested by: gjb (re)
|
#
330897 |
|
14-Mar-2018 |
eadler |
Partial merge of the SPDX changes
These changes are incomplete but are making it difficult to determine what other changes can/should be merged.
No objections from: pfg
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
166537 |
|
06-Feb-2007 |
rwatson |
Update comments in mac.h.
Obtained from: TrustedBSD Project
|
#
166531 |
|
06-Feb-2007 |
rwatson |
Continue 7-CURRENT MAC Framework rearrangement and cleanup:
Don't perform a nested include of _label.h in mac.h, as mac.h now describes only the user API to MAC, and _label.h defines the in-kernel representation of MAC labels.
Remove mac.h includes from policies and MAC framework components that do not use userspace MAC API definitions.
Add _KERNEL inclusion checks to mac_internal.h and mac_policy.h, as these are kernel-only include files
Obtained from: TrustedBSD Project
|
#
163606 |
|
22-Oct-2006 |
rwatson |
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitions, with all in-kernel interfaces moved to mac_framework.h, which is now included across most of the kernel instead.
This change is the first step in a larger cleanup and sweep of MAC Framework interfaces in the kernel, and will not be MFC'd.
Obtained from: TrustedBSD Project Sponsored by: SPARTA
|
#
162238 |
|
12-Sep-2006 |
csjp |
Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point exists to allow the mandatory access control policy to properly initialize mbufs generated by the firewall. An example where this might happen is keep alive packets, or ICMP error packets in response to other packets.
This takes care of kernel panics associated with un-initialize mbuf labels when the firewall generates packets.
[1] I modified this patch from it's original version, the initial patch introduced a number of entry points which were programmatically equivalent. So I introduced only one. Instead, we should leverage mac_create_mbuf_netlayer() which is used for similar situations, an example being icmp_error()
This will minimize the impact associated with the MFC
Submitted by: mlaier [1] MFC after: 1 week
This is a RELENG_6 candidate
|
#
157575 |
|
06-Apr-2006 |
csjp |
Introduce a new MAC entry point for label initialization of the NFS daemon's credential: mac_associate_nfsd_label()
This entry point can be utilized by various Mandatory Access Control policies so they can properly initialize the label of files which get created as a result of an NFS operation. This work will be useful for fixing kernel panics associated with accessing un-initialized or invalid vnode labels.
The implementation of these entry points will come shortly.
Obtained from: TrustedBSD Requested by: mdodd MFC after: 3 weeks
|
#
150805 |
|
02-Oct-2005 |
rwatson |
Complete removal of mac_create_root_mount/mpo_create_root_mount MAC interfaces.
Obtained from: TrustedBSD Project Submitted by: Chris Vance <Christopher dot Vance at SPARTA dot com> MFC after: 3 days
|
#
147982 |
|
14-Jul-2005 |
rwatson |
When devfs cloning takes place, provide access to the credential of the process that caused the clone event to take place for the device driver creating the device. This allows cloned device drivers to adapt the device node based on security aspects of the process, such as the uid, gid, and MAC label.
- Add a cred reference to struct cdev, so that when a device node is instantiated as a vnode, the cloning credential can be exposed to MAC.
- Add make_dev_cred(), a version of make_dev() that additionally accepts the credential to stick in the struct cdev. Implement it and make_dev() in terms of a back-end make_dev_credv().
- Add a new event handler, dev_clone_cred, which can be registered to receive the credential instead of dev_clone, if desired.
- Modify the MAC entry point mac_create_devfs_device() to accept an optional credential pointer (may be NULL), so that MAC policies can inspect and act on the label or other elements of the credential when initializing the skeleton device protections.
- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(), so that the pty clone credential is exposed to the MAC Framework.
While currently primarily focussed on MAC policies, this change is also a prerequisite for changes to allow ptys to be instantiated with the UID of the process looking up the pty. This requires further changes to the pty driver -- in particular, to immediately recycle pty nodes on last close so that the credential-related state can be recreated on next lookup.
Submitted by: Andrew Reisse <andrew.reisse@sparta.com> Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA MFC after: 1 week MFC note: Merge to 6.x, but not 5.x for ABI reasons
|
#
147785 |
|
05-Jul-2005 |
rwatson |
Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is redundant with respect to existing mbuf copy label routines. Expose a new mac_copy_mbuf() routine at the top end of the Framework and use that; use the existing mpo_copy_mbuf_label() routine on the bottom end.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, SPAWAR Approved by: re (scottl)
|
#
147784 |
|
05-Jul-2005 |
rwatson |
Add MAC Framework and MAC policy entry point mac_check_socket_create(), which is invoked from socket() and socketpair(), permitting MAC policy modules to control the creation of sockets by domain, type, and protocol.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, SPAWAR Approved by: re (scottl) Requested by: SCC
|
#
147091 |
|
07-Jun-2005 |
rwatson |
Gratuitous renaming of four System V Semaphore MAC Framework entry points to convert _sema() to _sem() for consistency purposes with respect to the other semaphore-related entry points:
mac_init_sysv_sema() -> mac_init_sysv_sem() mac_destroy_sysv_sem() -> mac_destroy_sysv_sem() mac_create_sysv_sema() -> mac_create_sysv_sem() mac_cleanup_sysv_sema() -> mac_cleanup_sysv_sem()
Congruent changes are made to the policy interface to support this.
Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA
|
#
145855 |
|
04-May-2005 |
rwatson |
Introduce MAC Framework and MAC Policy entry points to label and control access to POSIX Semaphores:
mac_init_posix_sem() Initialize label for POSIX semaphore mac_create_posix_sem() Create POSIX semaphore mac_destroy_posix_sem() Destroy POSIX semaphore mac_check_posix_sem_destroy() Check whether semaphore may be destroyed mac_check_posix_sem_getvalue() Check whether semaphore may be queried mac_check_possix_sem_open() Check whether semaphore may be opened mac_check_posix_sem_post() Check whether semaphore may be posted to mac_check_posix_sem_unlink() Check whether semaphore may be unlinked mac_check_posix_sem_wait() Check whether may wait on semaphore
Update Biba, MLS, Stub, and Test policies to implement these entry points. For information flow policies, most semaphore operations are effectively read/write.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Sponsored by: DARPA, McAfee, SPARTA Obtained from: TrustedBSD Project
|
#
145234 |
|
18-Apr-2005 |
rwatson |
Introduce p_canwait() and MAC Framework and MAC Policy entry points mac_check_proc_wait(), which control the ability to wait4() specific processes. This permits MAC policies to limit information flow from children that have changed label, although has to be handled carefully due to common programming expectations regarding the behavior of wait4(). The cr_seeotheruids() check in p_canwait() is #if 0'd for this reason.
The mac_stub and mac_test policies are updated to reflect these new entry points.
Sponsored by: SPAWAR, SPARTA Obtained from: TrustedBSD Project
|
#
145167 |
|
16-Apr-2005 |
rwatson |
Introduce three additional MAC Framework and MAC Policy entry points to control socket poll() (select()), fstat(), and accept() operations, required for some policies:
poll() mac_check_socket_poll() fstat() mac_check_socket_stat() accept() mac_check_socket_accept()
Update mac_stub and mac_test policies to be aware of these entry points. While here, add missing entry point implementations for:
mac_stub.c stub_check_socket_receive() mac_stub.c stub_check_socket_send() mac_test.c mac_test_check_socket_send() mac_test.c mac_test_check_socket_visible()
Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA
|
#
145147 |
|
16-Apr-2005 |
rwatson |
Introduce new MAC Framework and MAC Policy entry points to control the use of system calls to manipulate elements of the process credential, including:
setuid() mac_check_proc_setuid() seteuid() mac_check_proc_seteuid() setgid() mac_check_proc_setgid() setegid() mac_check_proc_setegid() setgroups() mac_check_proc_setgroups() setreuid() mac_check_proc_setreuid() setregid() mac_check_proc_setregid() setresuid() mac_check_proc_setresuid() setresgid() mac_check_rpoc_setresgid()
MAC checks are performed before other existing security checks; both current credential and intended modifications are passed as arguments to the entry points. The mac_test and mac_stub policies are updated.
Submitted by: Samy Al Bahra <samy@kerneled.org> Obtained from: TrustedBSD Project
|
#
145076 |
|
14-Apr-2005 |
csjp |
Move MAC check_vnode_mmap entry point out from being exclusive to MAP_SHARED so that the entry point gets executed un-conditionally. This may be useful for security policies which want to perform access control checks around run-time linking.
-add the mmap(2) flags argument to the check_vnode_mmap entry point so that we can make access control decisions based on the type of mapped object. -update any dependent API around this parameter addition such as function prototype modifications, entry point parameter additions and the inclusion of sys/mman.h header file. -Change the MLS, BIBA and LOMAC security policies so that subject domination routines are not executed unless the type of mapping is shared. This is done to maintain compatibility between the old vm_mmap_vnode(9) and these policies.
Reviewed by: rwatson MFC after: 1 month
|
#
137815 |
|
17-Nov-2004 |
rwatson |
Define new MAC framework and policy entry points for System V IPC objects and operations:
- System V IPC message, message queue, semaphore, and shared memory segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory segment access control entry points, including rights to attach, destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net> Obtained from: TrustedBSD Project Sponsored by: DARPA, SPAWAR, McAfee Research
|
#
130585 |
|
16-Jun-2004 |
phk |
Do the dreaded s/dev_t/struct cdev */ Bump __FreeBSD_version accordingly.
|
#
129096 |
|
10-May-2004 |
rwatson |
Improve consistency of include file guards in src/sys/sys by terminating them with '_', as well as beginning with '_'.
Observed by: bde
|
#
126121 |
|
22-Feb-2004 |
pjd |
Reimplement sysctls handling by MAC framework. Now I believe it is done in the right way.
Removed some XXMAC cases, we now assume 'high' integrity level for all sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic.
Reviewed by: rwatson Approved by: rwatson, scottl (mentor) Tested with: LINT (compilation), mac_biba(4) (functionality)
|
#
126097 |
|
21-Feb-2004 |
rwatson |
Update my personal copyrights and NETA copyrights in the kernel to use the "year1-year3" format, as opposed to "year1, year2, year3". This seems to make lawyers more happy, but also prevents the lines from getting excessively long as the years start to add up.
Suggested by: imp
|
#
125293 |
|
01-Feb-2004 |
rwatson |
Coalesce pipe allocations and frees. Previously, the pipe code would allocate two 'struct pipe's from the pipe zone, and malloc a mutex.
- Create a new "struct pipepair" object holding the two 'struct pipe' instances, struct mutex, and struct label reference. Pipe structures now have a back-pointer to the pipe pair, and a 'pipe_present' flag to indicate whether the half has been closed.
- Perform mutex init/destroy in zone init/destroy, avoiding reallocating the mutex for each pipe. Perform most pipe structure setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe', update many policies. MAC labels are also handled outside of the UMA zone for now. Label-only policy modules don't have to be recompiled, but if a module is recompiled, its pipe entry points will need to be updated. If a module actually reached into the pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed half until a full-close takes place. However, VM mapped buffers are still released on half-close.
Some code refactoring is now possible to clean up some of the back references, etc; this patch attempts not to change the structure of most of the pipe implementation, only allocation/free code paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation and free in system call tests on UP and SMP in my micro-benchmarks. May or may not make a difference in macro-benchmarks, but doing less work is good.
Reviewed by: juli, tjr Testing help: dwhite, fenestro, scottl, et al
|
#
123607 |
|
17-Dec-2003 |
rwatson |
Switch TCP over to using the inpcb label when responding in timed wait, rather than the socket label. This avoids reaching up to the socket layer during connection close, which requires locking changes. To do this, introduce MAC Framework entry point mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond() instead of calling mac_create_mbuf_from_socket() or mac_create_mbuf_netlayer(). Introduce MAC Policy entry point mpo_create_mbuf_from_inpcb(), and implementations for various policies, which generally just copy label data from the inpcb to the mbuf. Assert the inpcb lock in the entry point since we require consistency for the inpcb label reference.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
123173 |
|
06-Dec-2003 |
rwatson |
Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(), and the mpo_create_cred() MAC policy entry point to mpo_copy_cred_label(). This is more consistent with similar entry points for creation and label copying, as mac_create_cred() was called from crdup() as opposed to during process creation. For a number of policies, this removes the requirement for special handling when copying credential labels, and improves consistency.
Approved by: re (scottl) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122875 |
|
17-Nov-2003 |
rwatson |
Introduce a MAC label reference in 'struct inpcb', which caches the MAC label referenced from 'struct socket' in the IPv4 and IPv6-based protocols. This permits MAC labels to be checked during network delivery operations without dereferencing inp->inp_socket to get to so->so_label, which will eventually avoid our having to grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the MAC Framework, along with the normal circus of entry points: initialization, creation from socket, destruction, as well as a delivery access control check.
For most policies, the inpcb label will simply be a cache of the socket label, so a new protocol switch method is introduced, pr_sosetlabel() to notify protocols that the socket layer label has been updated so that the cache can be updated while holding appropriate locks. Most protocols implement this using pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use the the worker function in_pcbsosetlabel(), which calls into the MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub policy, and test policy.
Reviewed by: sam, bms Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122810 |
|
16-Nov-2003 |
rwatson |
Implement mac_get_peer(3) using getsockopt() with SOL_SOCKET and SO_PEERLABEL. This provides an interface to query the label of a socket peer without embedding implementation details of mac_t in the application. Previously, sizeof(*mac_t) had to be specified by an application when performing getsockopt().
Document mac_get_peer(3), and expand documentation of the other mac_get(3) functions. Note that it's possible to get EINVAL back from mac_get_fd(3) when pointing it at an inappropriate object.
NOTE: mac_get_fd() and mac_set_fd() support for sockets will follow shortly, so the documentation is slightly ahead of the code.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122807 |
|
16-Nov-2003 |
rwatson |
Reduce gratuitous redundancy and length in function names:
mac_setsockopt_label_set() -> mac_setsockopt_label() mac_getsockopt_label_get() -> mac_getsockopt_label() mac_getsockopt_peerlabel_get() -> mac_getsockopt_peerlabel()
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
122527 |
|
12-Nov-2003 |
rwatson |
GC prototype for mac_destroy_vnode_label(), missed in last commit.
|
#
122524 |
|
12-Nov-2003 |
rwatson |
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol.
Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
120657 |
|
02-Oct-2003 |
rwatson |
Use __BEGIN_DECLS and __END_DECLS around userland function prototypes so that mac.h may be more safely included in userland C++ applications.
PR: bin/56595 Submitted by: "KONDOU, Kazuhiro" <kazuhiro@alib.jp>
|
#
119546 |
|
29-Aug-2003 |
rwatson |
Remove extra tabs indenting MAC library calls; they were there to line up the function names in an earlier generation of the API when some of the functions returned structure pointers.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
119317 |
|
22-Aug-2003 |
rwatson |
Make the elements argument to mac_prepare() be const.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
119315 |
|
22-Aug-2003 |
rwatson |
Add prototype for new libc function mac_prepare_type().
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
119244 |
|
21-Aug-2003 |
rwatson |
Introduce two new MAC Framework and MAC policy entry points:
mac_reflect_mbuf_icmp() mac_reflect_mbuf_tcp()
These entry points permit MAC policies to do "update in place" changes to the labels on ICMP and TCP mbuf headers when an ICMP or TCP response is generated to a packet outside of the context of an existing socket. For example, in respond to a ping or a RST packet to a SYN on a closed port.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
119198 |
|
21-Aug-2003 |
rwatson |
Add mac_check_vnode_deleteextattr() and mac_check_vnode_listextattr(): explicit access control checks to delete and list extended attributes on a vnode, rather than implicitly combining with the setextattr and getextattr checks. This reflects EA API changes in the kernel made recently, including the move to explicit VOP's for both of these operations.
Obtained from: TrustedBSD PRoject Sponsored by: DARPA, Network Associates Laboratories
|
#
113681 |
|
18-Apr-2003 |
rwatson |
Update NAI copyright to 2003, missed in earlier commits and merges.
|
#
113487 |
|
14-Apr-2003 |
rwatson |
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this:
- Modify mbuf_to_label() to extract the tag, returning NULL if not found.
- Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf.
- Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag().
- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d.
- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions.
- Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!).
- Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now.
- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's.
- Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label.
- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously.
- When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now.
- No longer any weird handling of MAC labels in if_loop.c during header copies.
- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded.
In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified.
- mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems.
- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks.
- This makes allocation in mac_init_mbuf() conditional on the flag.
Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
112675 |
|
26-Mar-2003 |
rwatson |
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
112505 |
|
23-Mar-2003 |
rwatson |
Garbage collect FREEBSD_MAC_EXTATTR_NAME and FREEBSD_MAC_EXTATTR_NAMESPACE, which are no longer required now that we have UFS2 with extended attribute transactions.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
111939 |
|
06-Mar-2003 |
rwatson |
Instrument sysarch() MD privileged I/O access interfaces with a MAC check, mac_check_sysarch_ioperm(), permitting MAC security policy modules to control access to these interfaces. Currently, they protect access to IOPL on i386, and setting HAE on Alpha. Additional checks might be required on other platforms to prevent bypass of kernel security protections by unauthorized processes.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
111936 |
|
05-Mar-2003 |
rwatson |
Provide a mac_check_system_swapoff() entry point, which permits MAC modules to authorize disabling of swap against a particular vnode.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
107698 |
|
09-Dec-2002 |
rwatson |
Remove dm_root entry from struct devfs_mount. It's never set, and is unused. Replace it with a dm_mount back-pointer to the struct mount that the devfs_mount is associated with. Export that pointer to MAC Framework entry points, where all current policies don't use the pointer. This permits the SEBSD port of SELinux's FLASK/TE to compile out-of-the-box on 5.0-CURRENT with full file system labeling support.
Approved by: re (murray) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
107271 |
|
26-Nov-2002 |
rwatson |
Un-staticize mac_cred_mmapped_drop_perms() so that it may be used by policy modules making use of downgrades in the MAC AST event. This is required by the mac_lomac port of LOMAC to the MAC Framework.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
107105 |
|
20-Nov-2002 |
rwatson |
Introduce p_label, extensible security label storage for the MAC framework in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) can update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
107089 |
|
19-Nov-2002 |
rwatson |
Merge kld access control checks from the MAC tree: these access control checks permit policy modules to augment the system policy for permitting kld operations. This permits policies to limit access to kld operations based on credential (and other) properties, as well as to perform checks on the kld being loaded (integrity, etc).
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106788 |
|
12-Nov-2002 |
rwatson |
Garbage collect mac_create_devfs_vnode() -- it hasn't been used since we brought in the new cache and locking model for vnode labels. We now rely on mac_associate_devfs_vnode().
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106468 |
|
05-Nov-2002 |
rwatson |
Bring in two sets of changes:
(1) Permit userland applications to request a change of label atomic with an execve() via mac_execve(). This is required for the SEBSD port of SELinux/FLASK. Attempts to invoke this without MAC compiled in result in ENOSYS, as with all other MAC system calls. Complexity, if desired, is present in policy modules, rather than the framework.
(2) Permit policies to have access to both the label of the vnode being executed as well as the interpreter if it's a shell script or related UNIX nonsense. Because we can't hold both vnode locks at the same time, cache the interpreter label. SEBSD relies on this because it supports secure transitioning via shell script executables. Other policies might want to take both labels into account during an integrity or confidentiality decision at execve()-time.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106412 |
|
04-Nov-2002 |
rwatson |
Permit MAC policies to instrument the access control decisions for system accounting configuration and for nfsd server thread attach. Policies might use this to protect the integrity or confidentiality of accounting data, limit the ability to turn on or off accounting, as well as to prevent inappropriately labeled threads from becoming nfs server threads.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106392 |
|
03-Nov-2002 |
rwatson |
License clarification and wording changes: NAI has approved removal of clause three, and NAI Labs now goes by the name Network Associates Laboratories.
|
#
106369 |
|
03-Nov-2002 |
rwatson |
Introduce mac_check_system_settime(), a MAC check allowing policies to augment the system policy for changing the system time.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106308 |
|
01-Nov-2002 |
rwatson |
Add MAC checks for various kenv() operations: dump, get, set, unset, permitting MAC policies to limit access to the kernel environment.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106212 |
|
30-Oct-2002 |
rwatson |
While 'mode_t' seemed like a good idea for the access mode argument for MAC access() and open() checks, the argument actually has an int type where it becomes available. Switch to using 'int' for the mode argument throughout the MAC Framework and policy modules.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106093 |
|
28-Oct-2002 |
rwatson |
Remove all reference to 'struct oldmac', since it's no longer required with the new VFS/EA semantics in the MAC framework. Move the per-policy structures out to per-policy include files, removing all policy-specific defines and structures out of the base framework includes and implementation, making mac_biba and mac_mls entirely self-contained.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106025 |
|
27-Oct-2002 |
rwatson |
Implement mac_check_system_sysctl(), a MAC Framework entry point to permit MAC policies to augment the security protections on sysctl() operations. This is not really a wonderful entry point, as we only have access to the MIB of the target sysctl entry, rather than the more useful entry name, but this is sufficient for policies like Biba that wish to use their notions of privilege or integrity to prevent inappropriate sysctl modification. Affects MAC kernels only. Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c, we can't assert the SYSCTL subsystem lockin the MAC Framework.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106024 |
|
27-Oct-2002 |
rwatson |
Hook up mac_check_system_reboot(), a MAC Framework entry point that permits MAC modules to augment system security decisions regarding the reboot() system call, if MAC is compiled into the kernel.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
106023 |
|
27-Oct-2002 |
rwatson |
Merge from MAC tree: rename mac_check_vnode_swapon() to mac_check_system_swapon(), to reflect the fact that the primary object of this change is the running kernel as a whole, rather than just the vnode. We'll drop additional checks of this class into the same check namespace, including reboot(), sysctl(), et al.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
105988 |
|
26-Oct-2002 |
rwatson |
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
105729 |
|
22-Oct-2002 |
rwatson |
Remove the mac_te policy bits from 'struct oldmac' -- we're not going to merge mac_te, since the SEBSD port of SELinux/FLASK provides a much more mature Type Enforcement implementation. This changes the size of the on-disk 'struct oldmac' EA labels, which may require regeneration.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
105717 |
|
22-Oct-2002 |
rwatson |
Introduce MAC_CHECK_VNODE_SWAPON, which permits MAC policies to perform authorization checks during swapon() events; policies might choose to enforce protections based on the credential requesting the swap configuration, the target of the swap operation, or other factors such as internal policy state.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
105693 |
|
22-Oct-2002 |
rwatson |
Revised APIs for user process label management; the existing APIs relied on all label parsing occuring in userland, and knowledge of the loaded policies in the user libraries. This revision of the API pushes that parsing into the kernel, avoiding the need for shared library support of policies in userland, permitting statically linked binaries (such as ls, ps, and ifconfig) to use MAC labels. In these API revisions, high level parsing of the MAC label is done in the MAC Framework, and interpretation of label elements is delegated to the MAC policy modules. This permits modules to export zero or more label elements to user space if desired, and support them in the manner they want and with the semantics they want. This is believed to be the final revision of this interface: from the perspective of user applications, the API has actually not changed, although the ABI has.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
105643 |
|
21-Oct-2002 |
rwatson |
Add compartment support to Biba and MLS policies. The logic of the policies remains the same: subjects and objects are labeled for integrity or sensitivity, and a dominance operator determines whether or not subject/object accesses are permitted to limit inappropriate information flow. Compartments are a non-hierarchal component to the label, so add a bitfield to the label element for each, and a set check as part of the dominance operator. This permits the implementation of "need to know" elements of MLS.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
104571 |
|
06-Oct-2002 |
rwatson |
Integrate mac_check_socket_send() and mac_check_socket_receive() checks from the MAC tree: allow policies to perform access control for the ability of a process to send and receive data via a socket. At some point, we might also pass in additional address information if an explicit address is requested on send.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
104546 |
|
06-Oct-2002 |
rwatson |
Sync from MAC tree: break out the single mmap entry point into seperate entry points for each occasion:
mac_check_vnode_mmap() Check at initial mapping mac_check_vnode_mprotect() Check at mapping protection change mac_check_vnode_mmap_downgrade() Determine if a mapping downgrade should take place following subject relabel.
Implement mmap() and mprotect() entry points for labeled vnode policies. These entry points are currently not hooked up to the VM system in the base tree. These changes improve the consistency of the access control interface and offer more flexibility regarding limiting access to vnode mmaping.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
104541 |
|
05-Oct-2002 |
rwatson |
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
104533 |
|
05-Oct-2002 |
rwatson |
Integrate a devfs/MAC fix from the MAC tree: avoid a race condition during devfs VOP symlink creation by introducing a new entry point to determine the label of the devfs_dirent prior to allocation of a vnode for the symlink.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
104529 |
|
05-Oct-2002 |
rwatson |
Merge support for mac_check_vnode_link(), a MAC framework/policy entry point that instruments the creation of hard links. Policy implementations to follow.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
104338 |
|
02-Oct-2002 |
rwatson |
Add a new MAC entry point, mac_thread_userret(td), which permits policy modules to perform MAC-related events when a thread returns to user space. This is required for policies that have floating process labels, as it's not always possible to acquire the process lock at arbitrary points in the stack during system call processing; process labels might represent traditional authentication data, process history information, or other data.
LOMAC will use this entry point to perform the process label update prior to the thread returning to userspace, when plugged into the MAC framework.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
102129 |
|
19-Aug-2002 |
rwatson |
Pass active_cred and file_cred into the MAC framework explicitly for mac_check_vnode_{poll,read,stat,write}(). Pass in fp->f_cred when calling these checks with a struct file available. Otherwise, pass NOCRED. All currently MAC policies use active_cred, but could now offer the cached credential semantic used for the base system security model.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
102123 |
|
19-Aug-2002 |
rwatson |
Provide an implementation of mac_syscall() so that security modules can offer new services without reserving system call numbers, or augmented versions of existing services. User code requests a target policy by name, and specifies the policy-specific API plus target. This is required in particular for our port of SELinux/FLASK to the MAC framework since it offers additional security services.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
102115 |
|
19-Aug-2002 |
rwatson |
Break out mac_check_pipe_op() into component check entry points: mac_check_pipe_poll(), mac_check_pipe_read(), mac_check_pipe_stat(), and mac_check_pipe_write(). This is improves consistency with other access control entry points and permits security modules to only control the object methods that they are interested in, avoiding switch statements.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
102112 |
|
19-Aug-2002 |
rwatson |
Break out mac_check_vnode_op() into three seperate checks: mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write(). This improves the consistency with other existing vnode checks, and allows policies to avoid implementing switch statements to determine what operations they do and do not want to authorize.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
101934 |
|
15-Aug-2002 |
rwatson |
Rename mac_check_socket_receive() to mac_check_socket_deliver() so that we can use the names _receive() and _send() for the receive() and send() checks. Rename related constants, policy implementations, etc.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
101826 |
|
13-Aug-2002 |
rwatson |
Define 'struct label' in _label.h rather than mac.h, which will permit us to reduce namespace pollution by doing a nested include of _label.h rather than mac.h. mac.h contains lots of baggage, whereas _label.h contains much less. A follow-up sweep to change nested inclusion will follow. The problem regarding exporting 'struct label' to userland due to excessive exporting of kernel structures to userland still needs to be resolved.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs Suggested by: bde
|
#
100998 |
|
30-Jul-2002 |
rwatson |
Reduce the memory footprint of MAC in the base system by halving the number of policy slots to 4.
(Having run a quick errand, time to start on phase 2 of the MAC integration)
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
100978 |
|
30-Jul-2002 |
rwatson |
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem entry points (mac.h), and MAC policy entry points (mac_policy.h). These files define the interface between the kernel and the MAC framework, and between the MAC framework and each registered policy module. These APIs and ABIs may not be assumed to be stable until following FreeBSD 5.1-RELEASE.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|