#
267654 |
|
19-Jun-2014 |
gjb |
Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
225736 |
|
22-Sep-2011 |
kensmith |
Copy head to stable/9 as part of 9.0-RELEASE release cycle.
Approved by: re (implicit)
|
#
191731 |
|
01-May-2009 |
rwatson |
Rename MAC Framework-internal macros used to invoke policy entry points:
MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP
This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel.
Obtained from: TrustedBSD Project
|
#
189797 |
|
14-Mar-2009 |
rwatson |
Rework MAC Framework synchronization in a number of ways in order to improve performance:
- Eliminate custom reference count and condition variable to monitor threads entering the framework, as this had both significant overhead and behaved badly in the face of contention.
- Replace reference count with two locks: an rwlock and an sx lock, which will be read-acquired by threads entering the framework depending on whether a give policy entry point is permitted to sleep or not.
- Replace previous mutex locking of the reference count for exclusive access with write acquiring of both the policy list sx and rw locks, which occurs only when policies are attached or detached.
- Do a lockless read of the dynamic policy list head before acquiring any locks in order to reduce overhead when no dynamic policies are loaded; this a race we can afford to lose.
- For every policy entry point invocation, decide whether sleeping is permitted, and if not, use a _NOSLEEP() variant of the composition macros, which will use the rwlock instead of the sxlock. In some cases, we decide which to use based on allocation flags passed to the MAC Framework entry point.
As with the move to rwlocks/rmlocks in pfil, this may trigger witness warnings, but these should (generally) be false positives as all acquisition of the locks is for read with two very narrow exceptions for policy load/unload, and those code blocks should never acquire other locks.
Sponsored by: Google, Inc. Obtained from: TrustedBSD Project Discussed with: csjp (idea, not specific patch)
|
#
189529 |
|
08-Mar-2009 |
rwatson |
Improve the consistency of MAC Framework and MAC policy entry point naming by renaming certain "proc" entry points to "cred" entry points, reflecting their manipulation of credentials. For some entry points, the process was passed into the framework but not into policies; in these cases, stop passing in the process since we don't need it.
mac_proc_check_setaudit -> mac_cred_check_setaudit mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr mac_proc_check_setauid -> mac_cred_check_setauid mac_proc_check_setegid -> mac_cred_check_setegid mac_proc_check_seteuid -> mac_cred_check_seteuid mac_proc_check_setgid -> mac_cred_check_setgid mac_proc_check_setgroups -> mac_cred_ceck_setgroups mac_proc_check_setregid -> mac_cred_check_setregid mac_proc_check_setresgid -> mac_cred_check_setresgid mac_proc_check_setresuid -> mac_cred_check_setresuid mac_proc_check_setreuid -> mac_cred_check_setreuid mac_proc_check_setuid -> mac_cred_check_setuid
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
#
189503 |
|
07-Mar-2009 |
rwatson |
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation.
Successful access control checks will be reported by:
mac_framework:kernel:<entrypoint>:mac_check_ok
Failed access control checks will be reported by:
mac_framework:kernel:<entrypoint>:mac_check_err
Successful privilege grants will be reported by:
mac_framework:kernel:priv_grant:mac_grant_ok
Failed privilege grants will be reported by:
mac_framework:kernel:priv_grant:mac_grant_err
In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing.
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
#
187667 |
|
24-Jan-2009 |
rwatson |
Use __FBSDID() for $FreeBSD$ version strings in .c files.
Obtained from: TrustedBSD Project MFC after: 3 days
|
#
172930 |
|
24-Oct-2007 |
rwatson |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms:
mac_<object>_<method/action> mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names.
All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
171047 |
|
26-Jun-2007 |
rwatson |
Add a new MAC framework and policy entry point, mpo_check_proc_setaudit_addr to be used when controlling use of setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a different argument type.
Reviewed by: csjp Approved by: re (kensmith)
|
#
168933 |
|
21-Apr-2007 |
rwatson |
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid().
MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points.
Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
|