<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src-test2/sys/security/mac_test, branch release/6.2.0</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src-test2/atom?h=release%2F6.2.0</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src-test2/atom?h=release%2F6.2.0'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/'/>
<updated>2005-10-05T10:31:05Z</updated>
<entry>
<title>Merge init_main.c:1.258, mac_vfs.c:1.110, mac_biba.c:1.89,</title>
<updated>2005-10-05T10:31:05Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2005-10-05T10:31:05Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=85822579e31e6c6ba3cf0f8eb5d15a6e32798d9c'/>
<id>urn:sha1:85822579e31e6c6ba3cf0f8eb5d15a6e32798d9c</id>
<content type='text'>
mac_lomac.c:1.37, mac_mls.c:1.74, mac_stub.c:1.55, mac_test.c:1.62,
mac.h:1.69, mac_policy.h:1.70 from HEAD to RELENG_6:

  Remove mac_create_root_mount() and mpo_create_root_mount(), which
  provided access to the root file system before the start of the
  init process.  This was used briefly by SEBSD before it knew about
  preloading data in the loader, and using that method to gain
  access to data earlier results in fewer inconsistencies in the
  approach.  Policy modules still have access to the root file system
  creation event through the mac_create_mount() entry point.

  Removed now, and will be removed from RELENG_6, in order to gain
  third party policy dependencies on the entry point for the lifetime
  of the 6.x branch.

  Obtained from: TrustedBSD Project
  Submitted by:  Chris Vance &lt;Christopher dot Vance at SPARTA dot com&gt;

Approved by:	re (scottl)
</content>
</entry>
<entry>
<title>MFC:</title>
<updated>2005-09-26T14:36:54Z</updated>
<author>
<name>Poul-Henning Kamp</name>
<email>phk@FreeBSD.org</email>
</author>
<published>2005-09-26T14:36:54Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=02eb92cc0eb8efadf6e5fc5ac65a45a8b92d15bc'/>
<id>urn:sha1:02eb92cc0eb8efadf6e5fc5ac65a45a8b92d15bc</id>
<content type='text'>
	DEVFS fixes of many sorts.

Approved by:	re@ (scottl)
</content>
</entry>
<entry>
<title>Merge two sets of changes relating to devfs device node cloning from</title>
<updated>2005-08-13T21:24:18Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2005-08-13T21:24:18Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=7e993ff3bc9140ccccc23d520316c214cdad4ac2'/>
<id>urn:sha1:7e993ff3bc9140ccccc23d520316c214cdad4ac2</id>
<content type='text'>
HEAD to RELENG_6: changes to introduce a credentialed version of the
clone event handler, and then changes to merge the regular and
credentialed versions into a single interface (along with updates to
existing consumers).  With this merge, 6.x and 7.x are in sync.

First batch merges devfs_devs.c:1.37, devfs_vnops.c:1.115,
kern_conf.c:1.187, tty_pty.c:1.138, mac_vfs.c:1.109, mac_biba.c:1.36,
mac_lomac.c:1.36, mac_mls.c:1.73, mac_stub.c:1.53, mac_test.c:1.61,
conf.h:1.223, mac.h:1.68, mac_policy.h:1.67 from HEAD to RELENG_6:

  When devfs cloning takes place, provide access to the credential of the
  process that caused the clone event to take place for the device driver
  creating the device.  This allows cloned device drivers to adapt the
  device node based on security aspects of the process, such as the uid,
  gid, and MAC label.

  - Add a cred reference to struct cdev, so that when a device node is
    instantiated as a vnode, the cloning credential can be exposed to
    MAC.

  - Add make_dev_cred(), a version of make_dev() that additionally
    accepts the credential to stick in the struct cdev.  Implement it and
    make_dev() in terms of a back-end make_dev_credv().

  - Add a new event handler, dev_clone_cred, which can be registered to
    receive the credential instead of dev_clone, if desired.

  - Modify the MAC entry point mac_create_devfs_device() to accept an
    optional credential pointer (may be NULL), so that MAC policies can
    inspect and act on the label or other elements of the credential
    when initializing the skeleton device protections.

  - Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(),
    so that the pty clone credential is exposed to the MAC Framework.

  While currently primarily focussed on MAC policies, this change is also
  a prerequisite for changes to allow ptys to be instantiated with the UID
  of the process looking up the pty.  This requires further changes to the
  pty driver -- in particular, to immediately recycle pty nodes on last
  close so that the credential-related state can be recreated on next
  lookup.

  Submitted by:   Andrew Reisse &lt;andrew.reisse@sparta.com&gt;
  Obtained from:  TrustedBSD Project
  Sponsored by:   SPAWAR, SPARTA

Second batch merges scsi_target.c:1.68, coda_fbsd.c:1.43,
firewirereg.h:1.38, fwdev.c:1.47, nmdm.c:1.36, snp.c:1.100, dsp.c:1.82,
mixer.c:1.45, vkbd.c:1.9, devfs_vnops.c:1.117, tty_pty.c:1.139,
tty_tty.c:1.57, bpf.c:1.156, if_tap.c:1.56, if_tun.c:1.153,
smb_dev.c:1.28, conf.h:1.224 from HEAD to RELENG_6:

  Merge the dev_clone and dev_clone_cred event handlers into a single
  event handler, dev_clone, which accepts a credential argument.
  Implementors of the event can ignore it if they're not interested,
  and most do.  This avoids having multiple event handler types and
  fall-back/precedence logic in devfs.

  This changes the kernel API for /dev cloning, and may affect third
  party packages containing cloning kernel modules.

  Requested by:   phk

These changes modify the kernel device driver API for device cloning,
and might require minor modifications to third party device drivers that
make use of devfs cloning.  It will not be merged to RELENG_5.

Approved by:	re (scottl)
</content>
</entry>
<entry>
<title>Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is</title>
<updated>2005-07-05T23:39:51Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2005-07-05T23:39:51Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=3c308b091fa7576dfb1b4dc97220d0ee02bdec4e'/>
<id>urn:sha1:3c308b091fa7576dfb1b4dc97220d0ee02bdec4e</id>
<content type='text'>
redundant with respect to existing mbuf copy label routines.  Expose
a new mac_copy_mbuf() routine at the top end of the Framework and
use that; use the existing mpo_copy_mbuf_label() routine on the
bottom end.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, SPAWAR
Approved by:	re (scottl)
</content>
</entry>
<entry>
<title>Gratuitous renaming of four System V Semaphore MAC Framework entry</title>
<updated>2005-06-07T05:03:28Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2005-06-07T05:03:28Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=3831e7d7f5547decd48f5f3a0c8d311243b0e1f3'/>
<id>urn:sha1:3831e7d7f5547decd48f5f3a0c8d311243b0e1f3</id>
<content type='text'>
points to convert _sema() to _sem() for consistency purposes with
respect to the other semaphore-related entry points:

mac_init_sysv_sema() -&gt; mac_init_sysv_sem()
mac_destroy_sysv_sem() -&gt; mac_destroy_sysv_sem()
mac_create_sysv_sema() -&gt; mac_create_sysv_sem()
mac_cleanup_sysv_sema() -&gt; mac_cleanup_sysv_sem()

Congruent changes are made to the policy interface to support this.

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
</content>
</entry>
<entry>
<title>Introduce MAC Framework and MAC Policy entry points to label and control</title>
<updated>2005-05-04T10:39:15Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2005-05-04T10:39:15Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=5264841183cc5312cd097028c7cb00b39f56874b'/>
<id>urn:sha1:5264841183cc5312cd097028c7cb00b39f56874b</id>
<content type='text'>
access to POSIX Semaphores:

mac_init_posix_sem()            Initialize label for POSIX semaphore
mac_create_posix_sem()          Create POSIX semaphore
mac_destroy_posix_sem()         Destroy POSIX semaphore
mac_check_posix_sem_destroy()   Check whether semaphore may be destroyed
mac_check_posix_sem_getvalue()  Check whether semaphore may be queried
mac_check_posix_sem_open()      Check whether semaphore may be opened
mac_check_posix_sem_post()      Check whether semaphore may be posted to
mac_check_posix_sem_unlink()    Check whether semaphore may be unlinked
mac_check_posix_sem_wait()      Check whether may wait on semaphore

Update Biba, MLS, Stub, and Test policies to implement these entry points.
For information flow policies, most semaphore operations are effectively
read/write.

Submitted by:	Dandekar Hrishikesh &lt;rishi_dandekar at sbcglobal dot net&gt;
Sponsored by:	DARPA, McAfee, SPARTA
Obtained from:	TrustedBSD Project
</content>
</entry>
<entry>
<title>Introduce p_canwait() and MAC Framework and MAC Policy entry points</title>
<updated>2005-04-18T13:36:57Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2005-04-18T13:36:57Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=babe9a2bb37a1c0a1e87cbe5c3ce5fd40c70d990'/>
<id>urn:sha1:babe9a2bb37a1c0a1e87cbe5c3ce5fd40c70d990</id>
<content type='text'>
mac_check_proc_wait(), which control the ability to wait4() specific
processes.  This permits MAC policies to limit information flow from
children that have changed label, although has to be handled carefully
due to common programming expectations regarding the behavior of
wait4().  The cr_seeotheruids() check in p_canwait() is #if 0'd for
this reason.

The mac_stub and mac_test policies are updated to reflect these new
entry points.

Sponsored by:	SPAWAR, SPARTA
Obtained from:	TrustedBSD Project
</content>
</entry>
<entry>
<title>Introduce three additional MAC Framework and MAC Policy entry points to</title>
<updated>2005-04-16T18:46:29Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2005-04-16T18:46:29Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=7f53207b920ab74fb4fb9de4964071bbb13bbbec'/>
<id>urn:sha1:7f53207b920ab74fb4fb9de4964071bbb13bbbec</id>
<content type='text'>
control socket poll() (select()), fstat(), and accept() operations,
required for some policies:

        poll()          mac_check_socket_poll()
        fstat()         mac_check_socket_stat()
        accept()        mac_check_socket_accept()

Update mac_stub and mac_test policies to be aware of these entry points.
While here, add missing entry point implementations for:

        mac_stub.c      stub_check_socket_receive()
        mac_stub.c      stub_check_socket_send()
        mac_test.c      mac_test_check_socket_send()
        mac_test.c      mac_test_check_socket_visible()

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
</content>
</entry>
<entry>
<title>Introduce new MAC Framework and MAC Policy entry points to control the use</title>
<updated>2005-04-16T13:29:15Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2005-04-16T13:29:15Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=030a28b3b5675711d9dbcef4dde8901eeda0bc6c'/>
<id>urn:sha1:030a28b3b5675711d9dbcef4dde8901eeda0bc6c</id>
<content type='text'>
of system calls to manipulate elements of the process credential,
including:

        setuid()                mac_check_proc_setuid()
        seteuid()               mac_check_proc_seteuid()
        setgid()                mac_check_proc_setgid()
        setegid()               mac_check_proc_setegid()
        setgroups()             mac_check_proc_setgroups()
        setreuid()              mac_check_proc_setreuid()
        setregid()              mac_check_proc_setregid()
        setresuid()             mac_check_proc_setresuid()
        setresgid()             mac_check_proc_setresgid()

MAC checks are performed before other existing security checks; both
current credential and intended modifications are passed as arguments
to the entry points.  The mac_test and mac_stub policies are updated.

Submitted by:	Samy Al Bahra &lt;samy@kerneled.org&gt;
Obtained from:	TrustedBSD Project
</content>
</entry>
<entry>
<title>Move MAC check_vnode_mmap entry point out from being exclusive to</title>
<updated>2005-04-14T16:03:30Z</updated>
<author>
<name>Christian S.J. Peron</name>
<email>csjp@FreeBSD.org</email>
</author>
<published>2005-04-14T16:03:30Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=c92163dcad6e92dd8d19b3ba1d7c7be3a3fcb9e3'/>
<id>urn:sha1:c92163dcad6e92dd8d19b3ba1d7c7be3a3fcb9e3</id>
<content type='text'>
MAP_SHARED so that the entry point gets executed un-conditionally.
This may be useful for security policies which want to perform access
control checks around run-time linking.

-add the mmap(2) flags argument to the check_vnode_mmap entry point
 so that we can make access control decisions based on the type of
 mapped object.
-update any dependent API around this parameter addition such as
 function prototype modifications, entry point parameter additions
 and the inclusion of sys/mman.h header file.
-Change the MLS, BIBA and LOMAC security policies so that subject
 domination routines are not executed unless the type of mapping is
 shared. This is done to maintain compatibility between the old
 vm_mmap_vnode(9) and these policies.

Reviewed by:	rwatson
MFC after:	1 month
</content>
</entry>
</feed>
