#
685dc743 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c pattern Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
#
54366c0b |
|
25-Nov-2013 |
Attilio Rao <attilio@FreeBSD.org> |
- For kernel compiled only with KDTRACE_HOOKS and not any lock debugging option, unbreak the lock tracing release semantic by embedding calls to LOCKSTAT_PROFILE_RELEASE_LOCK() direclty in the inlined version of the releasing functions for mutex, rwlock and sxlock. Failing to do so skips the lockstat_probe_func invokation for unlocking. - As part of the LOCKSTAT support is inlined in mutex operation, for kernel compiled without lock debugging options, potentially every consumer must be compiled including opt_kdtrace.h. Fix this by moving KDTRACE_HOOKS into opt_global.h and remove the dependency by opt_kdtrace.h for all files, as now only KDTRACE_FRAMES is linked there and it is only used as a compile-time stub [0]. [0] immediately shows some new bug as DTRACE-derived support for debug in sfxge is broken and it was never really tested. As it was not including correctly opt_kdtrace.h before it was never enabled so it was kept broken for a while. Fix this by using a protection stub, leaving sfxge driver authors the responsibility for fixing it appropriately [1]. Sponsored by: EMC / Isilon storage division Discussed with: rstone [0] Reported by: rstone [1] Discussed with: philip
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
fa765671 |
|
01-May-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
|
#
40202729 |
|
14-Mar-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Rework MAC Framework synchronization in a number of ways in order to improve performance: - Eliminate custom reference count and condition variable to monitor threads entering the framework, as this had both significant overhead and behaved badly in the face of contention. - Replace reference count with two locks: an rwlock and an sx lock, which will be read-acquired by threads entering the framework depending on whether a give policy entry point is permitted to sleep or not. - Replace previous mutex locking of the reference count for exclusive access with write acquiring of both the policy list sx and rw locks, which occurs only when policies are attached or detached. - Do a lockless read of the dynamic policy list head before acquiring any locks in order to reduce overhead when no dynamic policies are loaded; this a race we can afford to lose. - For every policy entry point invocation, decide whether sleeping is permitted, and if not, use a _NOSLEEP() variant of the composition macros, which will use the rwlock instead of the sxlock. In some cases, we decide which to use based on allocation flags passed to the MAC Framework entry point. As with the move to rwlocks/rmlocks in pfil, this may trigger witness warnings, but these should (generally) be false positives as all acquisition of the locks is for read with two very narrow exceptions for policy load/unload, and those code blocks should never acquire other locks. Sponsored by: Google, Inc. Obtained from: TrustedBSD Project Discussed with: csjp (idea, not specific patch)
|
#
2087a58c |
|
07-Mar-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
30d239bc |
|
24-Oct-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
26ae2b86 |
|
22-Apr-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Normalize variable naming in the MAC Framework by adopting the normal variable name conventions for arguments passed into the framework -- for example, name network interfaces 'ifp', sockets 'so', mounts 'mp', mbufs 'm', processes 'p', etc, wherever possible. Previously there was significant variation in this regard. Normalize copyright lists to ranges where sensible.
|
#
c14d15ae |
|
22-Apr-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Remove MAC Framework access control check entry points made redundant with the introduction of priv(9) and MAC Framework entry points for privilege checking/granting. These entry points exactly aligned with privileges and provided no additional security context: - mac_check_sysarch_ioperm() - mac_check_kld_unload() - mac_check_settime() - mac_check_system_nfsd() Add mpo_priv_check() implementations to Biba and LOMAC policies, which, for each privilege, determine if they can be granted to processes considered unprivileged by those two policies. These mostly, but not entirely, align with the set of privileges granted in jails. Obtained from: TrustedBSD Project
|
#
c96ae196 |
|
06-Feb-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Continue 7-CURRENT MAC Framework rearrangement and cleanup: Don't perform a nested include of _label.h in mac.h, as mac.h now describes only the user API to MAC, and _label.h defines the in-kernel representation of MAC labels. Remove mac.h includes from policies and MAC framework components that do not use userspace MAC API definitions. Add _KERNEL inclusion checks to mac_internal.h and mac_policy.h, as these are kernel-only include files Obtained from: TrustedBSD Project
|
#
0efd6615 |
|
22-Dec-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Move src/sys/sys/mac_policy.h, the kernel interface between the MAC Framework and security modules, to src/sys/security/mac/mac_policy.h, completing the removal of kernel-only MAC Framework include files from src/sys/sys. Update the MAC Framework and MAC policy modules. Delete the old mac_policy.h. Third party policy modules will need similar updating. Obtained from: TrustedBSD Project
|
#
e66fe0e1 |
|
21-Dec-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Remove mac_enforce_subsystem debugging sysctls. Enforcement on subsystems will be a property of policy modules, which may require access control check entry points to be invoked even when not actively enforcing (i.e., to track information flow without providing protection). Obtained from: TrustedBSD Project Suggested by: Christopher dot Vance at sparta dot com
|
#
acd3428b |
|
06-Nov-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
|
#
aed55708 |
|
22-Oct-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitions, with all in-kernel interfaces moved to mac_framework.h, which is now included across most of the kernel instead. This change is the first step in a larger cleanup and sweep of MAC Framework interfaces in the kernel, and will not be MFC'd. Obtained from: TrustedBSD Project Sponsored by: SPARTA
|
#
578994bb |
|
09-Jun-2005 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Correct grammar error in comment MFC after: 3 days
|
#
5dba30f1 |
|
30-May-2004 |
Poul-Henning Kamp <phk@FreeBSD.org> |
add missing #include <sys/module.h>
|
#
63dba32b |
|
21-Feb-2004 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Reimplement sysctls handling by MAC framework. Now I believe it is done in the right way. Removed some XXMAC cases, we now assume 'high' integrity level for all sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic. Reviewed by: rwatson Approved by: rwatson, scottl (mentor) Tested with: LINT (compilation), mac_biba(4) (functionality)
|
#
eca8a663 |
|
11-Nov-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
6bd11732 |
|
22-Oct-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
cc7b13bf |
|
29-Sep-2003 |
Robert Watson <rwatson@FreeBSD.org> |
If the struct mac copied into the kernel has a negative length, return EINVAL rather than failing the following malloc due to the value being too large.
|
#
a6a65b05 |
|
26-Aug-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Fix a mac_policy_list reference to be a mac_static_policy_list reference: this fixes mac_syscall() for static policies when using optimized locking. Obtained from: TrustedBSD Project Sponosred by: DARPA, Network Associates Laboratories
|
#
eb8c7f99 |
|
21-Aug-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce two new MAC Framework and MAC policy entry points: mac_reflect_mbuf_icmp() mac_reflect_mbuf_tcp() These entry points permit MAC policies to do "update in place" changes to the labels on ICMP and TCP mbuf headers when an ICMP or TCP response is generated to a packet outside of the context of an existing socket. For example, in respond to a ping or a RST packet to a SYN on a closed port. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
c096756c |
|
21-Aug-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Add mac_check_vnode_deleteextattr() and mac_check_vnode_listextattr(): explicit access control checks to delete and list extended attributes on a vnode, rather than implicitly combining with the setextattr and getextattr checks. This reflects EA API changes in the kernel made recently, including the move to explicit VOP's for both of these operations. Obtained from: TrustedBSD PRoject Sponsored by: DARPA, Network Associates Laboratories
|
#
8d8d5ea8 |
|
20-Aug-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Remove about 40 lines of #ifdef/#endif by using new macros MAC_DEBUG_COUNTER_INC() and MAC_DEBUG_COUNTER_DEC() to maintain debugging counter values rather than #ifdef'ing the atomic operations to MAC_DEBUG. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
19c3e120 |
|
01-Aug-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Attempt to simplify #ifdef logic for MAC_ALWAYS_LABEL_MBUF. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
f51e5803 |
|
22-Jun-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
3b6d9652 |
|
22-Jun-2003 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Add a f_vnode field to struct file. Several of the subtypes have an associated vnode which is used for stuff like the f*() functions. By giving the vnode a speparate field, a number of checks for the specific subtype can be replaced simply with a check for f_vnode != NULL, and we can later free f_data up to subtype specific use. At this point in time, f_data still points to the vnode, so any code I might have overlooked will still work.
|
#
677b542e |
|
10-Jun-2003 |
David E. O'Brien <obrien@FreeBSD.org> |
Use __FBSDID().
|
#
b2aef571 |
|
08-May-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Rename MAC_MAX_POLICIES to MAC_MAX_SLOTS, since the variables and constants in question refer to the number of label slots, not the maximum number of policies that may be loaded. This should reduce confusion regarding an element in the MAC sysctl MIB, as well as make it more clear what the affect of changing the compile-time constants is. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
41a17fe3 |
|
07-May-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
b6e48e03 |
|
23-Apr-2003 |
Alan Cox <alc@FreeBSD.org> |
- Acquire the vm_object's lock when performing vm_object_page_clean(). - Add a parameter to vm_pageout_flush() that tells vm_pageout_flush() whether its caller has locked the vm_object. (This is a temporary measure to bootstrap vm_object locking.)
|
#
2d3db0b8 |
|
18-Apr-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Update NAI copyright to 2003, missed in earlier commits and merges.
|
#
6d1a6a9a |
|
15-Apr-2003 |
Robert Watson <rwatson@FreeBSD.org> |
mac_init_mbuf_tag() accepts malloc flags, not mbuf allocator flags, so don't try and convert the argument flags to malloc flags, or we risk implicitly requesting blocking and generating witness warnings. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
225bff6f |
|
14-Apr-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
10eeb10c |
|
14-Apr-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Abstract access to the mbuf header label behind a new function, mbuf_to_label(). This permits the vast majority of entry point code to be unaware that labels are stored in m->m_pkthdr.label, such that we can experiment storage of labels elsewhere (such as in m_tags). Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
fe584538 |
|
08-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Introduce an M_ASSERTPKTHDR() macro which performs the very common task of asserting that an mbuf has a packet header. Use it instead of hand- rolled versions wherever applicable. Submitted by: Hiten Pandya <hiten@unixdaemons.com>
|
#
5e7ce478 |
|
26-Mar-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
92835789 |
|
05-Mar-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Instrument sysarch() MD privileged I/O access interfaces with a MAC check, mac_check_sysarch_ioperm(), permitting MAC security policy modules to control access to these interfaces. Currently, they protect access to IOPL on i386, and setting HAE on Alpha. Additional checks might be required on other platforms to prevent bypass of kernel security protections by unauthorized processes. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
1b2c2ab2 |
|
05-Mar-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Provide a mac_check_system_swapoff() entry point, which permits MAC modules to authorize disabling of swap against a particular vnode. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
26306795 |
|
04-Mar-2003 |
John Baldwin <jhb@FreeBSD.org> |
Replace calls to WITNESS_SLEEP() and witness_list() with equivalent calls to WITNESS_WARN().
|
#
a163d034 |
|
18-Feb-2003 |
Warner Losh <imp@FreeBSD.org> |
Back out M_* changes, per decision of the TRB. Approved by: trb
|
#
44956c98 |
|
21-Jan-2003 |
Alfred Perlstein <alfred@FreeBSD.org> |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
#
48e3128b |
|
12-Jan-2003 |
Matthew Dillon <dillon@FreeBSD.org> |
Bow to the whining masses and change a union back into void *. Retain removal of unnecessary casts and throw in some minor cleanups to see if anyone complains, just for the hell of it.
|
#
cd72f218 |
|
11-Jan-2003 |
Matthew Dillon <dillon@FreeBSD.org> |
Change struct file f_data to un_data, a union of the correct struct pointer types, and remove a huge number of casts from code using it. Change struct xfile xf_data to xun_data (ABI is still compatible). If we need to add a #define for f_data and xf_data we can, but I don't think it will be necessary. There are no operational changes in this commit.
|
#
d1e405c5 |
|
13-Dec-2002 |
Alfred Perlstein <alfred@FreeBSD.org> |
SCARGS removal take II.
|
#
bc9e75d7 |
|
13-Dec-2002 |
Alfred Perlstein <alfred@FreeBSD.org> |
Backout removal SCARGS, the code freeze is only "selectively" over.
|
#
0bbe7292 |
|
13-Dec-2002 |
Alfred Perlstein <alfred@FreeBSD.org> |
Remove SCARGS. Reviewed by: md5
|
#
990b4b2d |
|
08-Dec-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Remove dm_root entry from struct devfs_mount. It's never set, and is unused. Replace it with a dm_mount back-pointer to the struct mount that the devfs_mount is associated with. Export that pointer to MAC Framework entry points, where all current policies don't use the pointer. This permits the SEBSD port of SELinux's FLASK/TE to compile out-of-the-box on 5.0-CURRENT with full file system labeling support. Approved by: re (murray) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
4d10c0ce |
|
26-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Un-staticize mac_cred_mmapped_drop_perms() so that it may be used by policy modules making use of downgrades in the MAC AST event. This is required by the mac_lomac port of LOMAC to the MAC Framework. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
2555374c |
|
20-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce p_label, extensible security label storage for the MAC framework in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) can update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
a3df768b |
|
19-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Merge kld access control checks from the MAC tree: these access control checks permit policy modules to augment the system policy for permitting kld operations. This permits policies to limit access to kld operations based on credential (and other) properties, as well as to perform checks on the kld being loaded (integrity, etc). Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
a96acd1a |
|
13-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce a condition variable to avoid returning EBUSY when the MAC policy list is busy during a load or unload attempt. We assert no locks held during the cv wait, meaning we should be fairly deadlock-safe. Because of the cv model and busy count, it's possible for a cv waiter waiting for exclusive access to the policy list to be starved by active and long-lived access control/labeling events. For now, we accept that as a necessary tradeoff. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
63b6f478 |
|
11-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Garbage collect mac_create_devfs_vnode() -- it hasn't been used since we brought in the new cache and locking model for vnode labels. We now rely on mac_associate_devfs_vnode(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
2d43d24e |
|
11-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Garbage collect definition of M_MACOPVEC -- we no longer perform a dynamic mapping of an operation vector into an operation structure, rather, we rely on C99 sparse structure initialization. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
9fa3506e |
|
08-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Add an explicit execlabel argument to exec-related MAC policy entry points, rather than relying on policies to grub around in the image activator instance structure. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
670cb89b |
|
05-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Bring in two sets of changes: (1) Permit userland applications to request a change of label atomic with an execve() via mac_execve(). This is required for the SEBSD port of SELinux/FLASK. Attempts to invoke this without MAC compiled in result in ENOSYS, as with all other MAC system calls. Complexity, if desired, is present in policy modules, rather than the framework. (2) Permit policies to have access to both the label of the vnode being executed as well as the interpreter if it's a shell script or related UNIX nonsense. Because we can't hold both vnode locks at the same time, cache the interpreter label. SEBSD relies on this because it supports secure transitioning via shell script executables. Other policies might want to take both labels into account during an integrity or confidentiality decision at execve()-time. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
4443e9ff |
|
05-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Assert that appropriate vnodes are locked in mac_execve_will_transition(). Allow transitioning to be twiddled off using the process and fs enforcement flags, although at some point this should probably be its own flag. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
e5e820fd |
|
04-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Permit MAC policies to instrument the access control decisions for system accounting configuration and for nfsd server thread attach. Policies might use this to protect the integrity or confidentiality of accounting data, limit the ability to turn on or off accounting, as well as to prevent inappropriately labeled threads from becoming nfs server threads. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
3da87a65 |
|
04-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Remove mac_cache_fslabel_in_vnode sysctl -- with the new VFS/MAC construction, labels are always cached. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
6201265b |
|
03-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
License clarification and wording changes: NAI has approved removal of clause three, and NAI Labs now goes by the name Network Associates Laboratories.
|
#
4b8d5f2d |
|
02-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce mac_check_system_settime(), a MAC check allowing policies to augment the system policy for changing the system time. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
e686e5ae |
|
01-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Add MAC checks for various kenv() operations: dump, get, set, unset, permitting MAC policies to limit access to the kernel environment. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
5c8dd342 |
|
30-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Move to C99 sparse structure initialization for the mac_policy_ops structure definition, rather than using an operation vector we translate into the structure. Originally, we used a vector for two reasons: (1) We wanted to define the structure sparsely, which wasn't supported by the C compiler for structures. For a policy with five entry points, you don't want to have to stick in a few hundred NULL function pointers. (2) We thought it would improve ABI compatibility allowing modules to work with kernels that had a superset of the entry points defined in the module, even if the kernel had changed its entry point set. Both of these no longer apply: (1) C99 gives us a way to sparsely define a static structure. (2) The ABI problems existed anyway, due to enumeration numbers, argument changes, and semantic mismatches. Since the going rule for FreeBSD is that you really need your modules to pretty closely match your kernel, it's not worth the complexity. This submit eliminates the operation vector, dynamic allocation of the operation structure, copying of the vector to the structure, and redoes the vectors in each policy to direct structure definitions. One enourmous benefit of this change is that we now get decent type checking on policy entry point implementation arguments. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
b914de36 |
|
30-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
While 'mode_t' seemed like a good idea for the access mode argument for MAC access() and open() checks, the argument actually has an int type where it becomes available. Switch to using 'int' for the mode argument throughout the MAC Framework and policy modules. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
8b3a8434 |
|
28-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
An inappropriate ASSERT slipped in during the recent merge of the reboot checking; remove.
|
#
9e913ebd |
|
27-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Centrally manage enforcement of {reboot,swapon,sysctl} using the mac_enforce_system toggle, rather than several separate toggles. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
d3fc69ee |
|
27-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Implement mac_check_system_sysctl(), a MAC Framework entry point to permit MAC policies to augment the security protections on sysctl() operations. This is not really a wonderful entry point, as we only have access to the MIB of the target sysctl entry, rather than the more useful entry name, but this is sufficient for policies like Biba that wish to use their notions of privilege or integrity to prevent inappropriate sysctl modification. Affects MAC kernels only. Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c, we can't assert the SYSCTL subsystem lockin the MAC Framework. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
a2ecb9b7 |
|
27-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Hook up mac_check_system_reboot(), a MAC Framework entry point that permits MAC modules to augment system security decisions regarding the reboot() system call, if MAC is compiled into the kernel. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
03ce2c0c |
|
27-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Merge from MAC tree: rename mac_check_vnode_swapon() to mac_check_system_swapon(), to reflect the fact that the primary object of this change is the running kernel as a whole, rather than just the vnode. We'll drop additional checks of this class into the same check namespace, including reboot(), sysctl(), et al. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
763bbd2f |
|
26-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
a67fe518 |
|
25-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Comment describing the semantics of mac_late. Trim trailing whitespace. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
1cbfd977 |
|
22-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce MAC_CHECK_VNODE_SWAPON, which permits MAC policies to perform authorization checks during swapon() events; policies might choose to enforce protections based on the credential requesting the swap configuration, the target of the swap operation, or other factors such as internal policy state. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
2789e47e |
|
22-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Missed in previous merge: export sizeof(struct oldmac) rather than sizeof(struct mac). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
f7b951a8 |
|
22-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
29e1b85f |
|
20-Oct-2002 |
Brooks Davis <brooks@FreeBSD.org> |
Use if_printf(ifp, "blah") instead of printf("%s%d: blah", ifp->if_name, ifp->if_xname).
|
#
a13c67da |
|
19-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
If MAC_MAX_POLICIES isn't defined, don't try to define it, just let the compile fail. MAC_MAX_POLICIES should always be defined, or we have bigger problems at hand. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
9aeffb2b |
|
19-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Make sure to clear the 'registered' flag for MAC policies when they unregister. Under some obscure (perhaps demented) circumstances, this can result in a panic if a policy is unregistered, and then someone foolishly unregisters it again. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
b371c939 |
|
06-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Integrate mac_check_socket_send() and mac_check_socket_receive() checks from the MAC tree: allow policies to perform access control for the ability of a process to send and receive data via a socket. At some point, we might also pass in additional address information if an explicit address is requested on send. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
e183f80e |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Sync from MAC tree: break out the single mmap entry point into seperate entry points for each occasion: mac_check_vnode_mmap() Check at initial mapping mac_check_vnode_mprotect() Check at mapping protection change mac_check_vnode_mmap_downgrade() Determine if a mapping downgrade should take place following subject relabel. Implement mmap() and mprotect() entry points for labeled vnode policies. These entry points are currently not hooked up to the VM system in the base tree. These changes improve the consistency of the access control interface and offer more flexibility regarding limiting access to vnode mmaping. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
83985c26 |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
74e62b1b |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Integrate a devfs/MAC fix from the MAC tree: avoid a race condition during devfs VOP symlink creation by introducing a new entry point to determine the label of the devfs_dirent prior to allocation of a vnode for the symlink. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
0a694196 |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Merge support for mac_check_vnode_link(), a MAC framework/policy entry point that instruments the creation of hard links. Policy implementations to follow. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
56c15412 |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
While the MAC API has supported the ability to handle M_NOWAIT passed to mbuf label initialization, that functionality was never merged to the main tree. Go ahead and merge that functionality now. Note that this requires policy modules to accept the case where the label element may be destroyed even if init has not succeeded on it (in the event that policy failed the init). This will shortly also apply to sockets. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
87807196 |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
a931e345 |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Sync to MAC tree: use 'flag' instead of 'how' for mac_init_mbuf(); remove a slightly less than useful comment.
|
#
69bbb5b1 |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
08bcdc58 |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
ea599aa0 |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Synch from TrustedBSD MAC tree: - If a policy isn't registered when a policy module unloads, silently succeed. - Hold the policy list lock across more of the validity tests to avoid races. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
226b96fb |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Cosmetic line wrap synchronization.
|
#
b2f0927a |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Push the debugging obect label counters into security.mac.debug.counters rather than directly under security.mac.debug. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
96adb909 |
|
05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Begin another merge from the TrustedBSD MAC branch: - Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy entry points to mpo_init_foo_label(label) and mpo_destroy_foo_label(label). This will permit the use of the same entry points for holding temporary type-specific label during internalization and externalization, as well as for caching purposes. - Because of this, break out mpo_{init,destroy}_socket() and mpo_{init,destroy}_mount() into seperate entry points for socket main/peer labels and mount main/fs labels. - Since the prototype for label initialization is the same across almost all entry points, implement these entry points using common implementations for Biba, MLS, and Test, reducing the number of almost identical looking functions. This simplifies policy implementation, as well as preparing us for the merge of the new flexible userland API for managing labels on objects. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
92dbb82a |
|
01-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Add a new MAC entry point, mac_thread_userret(td), which permits policy modules to perform MAC-related events when a thread returns to user space. This is required for policies that have floating process labels, as it's not always possible to acquire the process lock at arbitrary points in the stack during system call processing; process labels might represent traditional authentication data, process history information, or other data. LOMAC will use this entry point to perform the process label update prior to the thread returning to userspace, when plugged into the MAC framework. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
328048bc |
|
01-Oct-2002 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Remember to include "opt_devfs.h" so we get any relevant changes to NDEVFSINO before we include devfs.h. Spotted by: FlexeLint
|
#
1aa37f53 |
|
30-Sep-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Improve locking of pipe mutexes in the context of MAC: (1) Where previously the pipe mutex was selectively grabbed during pipe_ioctl(), now always grab it and then release if if not needed. This protects the call to mac_check_pipe_ioctl() to make sure the label remains consistent. (Note: it looks like sigio locking may be incorrect for fgetown() since we call it not-by-reference and sigio locking assumes call by reference). (2) In pipe_stat(), lock the pipe if MAC is compiled in so that the call to mac_check_pipe_stat() gets a locked pipe to protect label consistency. We still release the lock before returning actual stat() data, risking inconsistency, but apparently our pipe locking model accepts that risk. (3) In various pipe MAC authorization checks, assert that the pipe lock is held. (4) Grab the lock when performing a pipe relabel operation, and assert it a little deeper in the stack. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
6be0c25e |
|
30-Sep-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Push 'security.mac.debug_label_fallback' behind options MAC_DEBUG. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
c031391b |
|
30-Sep-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Add tunables for the existing sysctl twiddles for pipe and vm enforcement so they can be disabled prior to kernel start. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
cc51a2b5 |
|
18-Sep-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Remove un-needed stack variable 'ops'. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
ca7850c3 |
|
17-Sep-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Add a toggle to disable VM enforcement. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
b88c98f6 |
|
17-Sep-2002 |
Robert Watson <rwatson@FreeBSD.org> |
At the cost of seeming a little gauche, make use of more traditional alphabetization for mac_enforce_pipe sysctl. Obtained from: TrustedBSD Project Sponsored by: DAPRA, NAI Labs
|
#
06be2aaa |
|
14-Sep-2002 |
Nate Lawson <njl@FreeBSD.org> |
Remove all use of vnode->v_tag, replacing with appropriate substitutes. v_tag is now const char * and should only be used for debugging. Additionally: 1. All users of VT_NTS now check vfsconf->vf_type VFCF_NETWORK 2. The user of VT_PROCFS now checks for the new flag VV_PROCDEP, which is propagated by pseudofs to all child vnodes if the fs sets PFS_PROCDEP. Suggested by: phk Reviewed by: bde, rwatson (earlier version)
|
#
c0f39905 |
|
09-Sep-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Add security.mac.mmap_revocation, a flag indicating whether we should revoke access to memory maps on a process label change. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
16140035 |
|
09-Sep-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Minor code sync to MAC tree: push Giant locking up from mac_cred_mmapped_drop_perms() to the caller. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
b656366b |
|
05-Sep-2002 |
Bruce Evans <bde@FreeBSD.org> |
Include <sys/malloc.h> instead of depending on namespace pollution 2 layers deep in <sys/proc.h> or <sys/vnode.h>. Removed unused includes. Fixed some printf format errors (1 fatal on i386's; 1 fatal on alphas; 1 not fatal on any supported machine).
|
#
e5cb5e37 |
|
19-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Close a race in process label changing opened due to dropping the proc locking when revoking access to mmaps. Instead, perform this later once we've changed the process label (hold onto a reference to the new cred so that we don't lose it when we release the process lock if another thread changes the credential). Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
177142e4 |
|
19-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Pass active_cred and file_cred into the MAC framework explicitly for mac_check_vnode_{poll,read,stat,write}(). Pass in fp->f_cred when calling these checks with a struct file available. Otherwise, pass NOCRED. All currently MAC policies use active_cred, but could now offer the cached credential semantic used for the base system security model. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
27f2eac7 |
|
19-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Provide an implementation of mac_syscall() so that security modules can offer new services without reserving system call numbers, or augmented versions of existing services. User code requests a target policy by name, and specifies the policy-specific API plus target. This is required in particular for our port of SELinux/FLASK to the MAC framework since it offers additional security services. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
c024c3ee |
|
19-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Break out mac_check_pipe_op() into component check entry points: mac_check_pipe_poll(), mac_check_pipe_read(), mac_check_pipe_stat(), and mac_check_pipe_write(). This is improves consistency with other access control entry points and permits security modules to only control the object methods that they are interested in, avoiding switch statements. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
7f724f8b |
|
19-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Break out mac_check_vnode_op() into three seperate checks: mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write(). This improves the consistency with other existing vnode checks, and allows policies to avoid implementing switch statements to determine what operations they do and do not want to authorize. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
b12baf55 |
|
19-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Assert process locks in proces-related access control checks. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
851704bb |
|
19-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Add a missing vnode assertion for the exec() check. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
f050add5 |
|
16-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Wrap maintenance of varios nmac{objectname} counters in MAC_DEBUG so we can avoid the cost of a large number of atomic operations if we're not interested in the object count statistics. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
d61198e4 |
|
15-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Rename mac_check_socket_receive() to mac_check_socket_deliver() so that we can use the names _receive() and _send() for the receive() and send() checks. Rename related constants, policy implementations, etc. PR: Submitted by: Reviewed by: Approved by: Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs MFC after:
|
#
99fa64f8 |
|
14-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Sync to trustedbsd_mac tree: default to sigsegv rather than copy-on-write during a label change resulting in an mmap removal. This is "fail stop" behavior, which is preferred, although it offers slightly less transparency. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
7ba28492 |
|
11-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Declare a module service "kernel_mac_support" when MAC support is enabled and the kernel provides the MAC registration and entry point service. Declare a dependency on that module service for any MAC module registered using mac_policy.h. For now, hard code the version as 1, but once we've come up with a versioning policy, we'll move to a #define of some sort. In the mean time, this will prevent loading a MAC module when 'options MAC' isn't present, which (due to a bug in the kernel linker) can result if the MAC module is preloaded via loader.conf. This particular evil recommended by: peter Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI LAbs
|
#
e6e370a7 |
|
04-Aug-2002 |
Jeff Roberson <jeff@FreeBSD.org> |
- Replace v_flag with v_iflag and v_vflag - v_vflag is protected by the vnode lock and is used when synchronization with VOP calls is needed. - v_iflag is protected by interlock and is used for dealing with vnode management issues. These flags include X/O LOCK, FREE, DOOMED, etc. - All accesses to v_iflag and v_vflag have either been locked or marked with mp_fixme's. - Many ASSERT_VOP_LOCKED calls have been added where the locking was not clear. - Many functions in vfs_subr.c were restructured to provide for stronger locking. Idea stolen from: BSD/OS
|
#
f9d0d524 |
|
01-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Include file cleanup; mac.h and malloc.h at one point had ordering relationship requirements, and no longer do. Reminded by: bde
|
#
95fab37e |
|
30-Jul-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
7bc82500 |
|
29-Jul-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|