<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys/security/mac/mac_process.c, branch release/9.3.0</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=release%2F9.3.0</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=release%2F9.3.0'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2011-02-05T21:21:27Z</updated>
<entry>
<title>Unless "cnt" exceeds MAX_COMMIT_COUNT, nfsrv_commit() and nfsvno_fsync() are</title>
<updated>2011-02-05T21:21:27Z</updated>
<author>
<name>Alan Cox</name>
<email>alc@FreeBSD.org</email>
</author>
<published>2011-02-05T21:21:27Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=17f3095d1a2ebf8f3eaf76fd51fc6235e56d2cfb'/>
<id>urn:sha1:17f3095d1a2ebf8f3eaf76fd51fc6235e56d2cfb</id>
<content type='text'>
incorrectly calling vm_object_page_clean().  They are passing the length of
the range rather than the ending offset of the range.

Perform the OFF_TO_IDX() conversion in vm_object_page_clean() rather than the
callers.

Reviewed by:	kib
MFC after:	3 weeks
</content>
</entry>
<entry>
<title>Rename MAC Framework-internal macros used to invoke policy entry points:</title>
<updated>2009-05-01T21:05:40Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2009-05-01T21:05:40Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=fa76567150773e0aab5fdd883cf7652a27c7c25e'/>
<id>urn:sha1:fa76567150773e0aab5fdd883cf7652a27c7c25e</id>
<content type='text'>
  MAC_BOOLEAN           -&gt; MAC_POLICY_BOOLEAN
  MAC_BOOLEAN_NOSLEEP   -&gt; MAC_POLICY_BOOLEANN_NOSLEEP
  MAC_CHECK             -&gt; MAC_POLICY_CHECK
  MAC_CHECK_NOSLEEP     -&gt; MAC_POLICY_CHECK_NOSLEEP
  MAC_EXTERNALIZE       -&gt; MAC_POLICY_EXTERNALIZE
  MAC_GRANT             -&gt; MAC_POLICY_GRANT
  MAC_GRANT_NOSLEEP     -&gt; MAC_POLICY_GRANT_NOSLEEP
  MAC_INTERNALIZE       -&gt; MAC_POLICY_INTERNALIZE
  MAC_PERFORM           -&gt; MAC_POLICY_PERFORM_CHECK
  MAC_PERFORM_NOSLEEP   -&gt; MAC_POLICY_PERFORM_NOSLEEP

This frees up those macro names for use in wrapping calls into the MAC
Framework from the remainder of the kernel.

Obtained from:	TrustedBSD Project
</content>
</entry>
<entry>
<title>Rework MAC Framework synchronization in a number of ways in order to</title>
<updated>2009-03-14T16:06:06Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2009-03-14T16:06:06Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=4020272933cbe552f932d9642419f8becee04bd5'/>
<id>urn:sha1:4020272933cbe552f932d9642419f8becee04bd5</id>
<content type='text'>
improve performance:

- Eliminate custom reference count and condition variable to monitor
  threads entering the framework, as this had both significant overhead
  and behaved badly in the face of contention.

- Replace reference count with two locks: an rwlock and an sx lock,
  which will be read-acquired by threads entering the framework
  depending on whether a given policy entry point is permitted to sleep
  or not.

- Replace previous mutex locking of the reference count for exclusive
  access with write acquiring of both the policy list sx and rw locks,
  which occurs only when policies are attached or detached.

- Do a lockless read of the dynamic policy list head before acquiring
  any locks in order to reduce overhead when no dynamic policies are
  loaded; this is a race we can afford to lose.

- For every policy entry point invocation, decide whether sleeping is
  permitted, and if not, use a _NOSLEEP() variant of the composition
  macros, which will use the rwlock instead of the sxlock.  In some
  cases, we decide which to use based on allocation flags passed to the
  MAC Framework entry point.

As with the move to rwlocks/rmlocks in pfil, this may trigger witness
warnings, but these should (generally) be false positives as all
acquisition of the locks is for read with two very narrow exceptions
for policy load/unload, and those code blocks should never acquire
other locks.

Sponsored by:	Google, Inc.
Obtained from:	TrustedBSD Project
Discussed with:	csjp (idea, not specific patch)
</content>
</entry>
<entry>
<title>Improve the consistency of MAC Framework and MAC policy entry point</title>
<updated>2009-03-08T10:58:37Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2009-03-08T10:58:37Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=6f6174a7621e3a97032b067d72d873d1cda60b64'/>
<id>urn:sha1:6f6174a7621e3a97032b067d72d873d1cda60b64</id>
<content type='text'>
naming by renaming certain "proc" entry points to "cred" entry points,
reflecting their manipulation of credentials.  For some entry points,
the process was passed into the framework but not into policies; in
these cases, stop passing in the process since we don't need it.

  mac_proc_check_setaudit -&gt; mac_cred_check_setaudit
  mac_proc_check_setaudit_addr -&gt; mac_cred_check_setaudit_addr
  mac_proc_check_setauid -&gt; mac_cred_check_setauid
  mac_proc_check_setegid -&gt; mac_cred_check_setegid
  mac_proc_check_seteuid -&gt; mac_cred_check_seteuid
  mac_proc_check_setgid -&gt; mac_cred_check_setgid
  mac_proc_check_setgroups -&gt; mac_cred_ceck_setgroups
  mac_proc_check_setregid -&gt; mac_cred_check_setregid
  mac_proc_check_setresgid -&gt; mac_cred_check_setresgid
  mac_proc_check_setresuid -&gt; mac_cred_check_setresuid
  mac_proc_check_setreuid -&gt; mac_cred_check_setreuid
  mac_proc_check_setuid -&gt; mac_cred_check_setuid

Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
</content>
</entry>
<entry>
<title>Add static DTrace probes for MAC Framework access control checks and</title>
<updated>2009-03-08T00:50:37Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2009-03-08T00:50:37Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=2087a58ca2406238cd7068bee7be3ea1065786df'/>
<id>urn:sha1:2087a58ca2406238cd7068bee7be3ea1065786df</id>
<content type='text'>
privilege grants so that dtrace can be more easily used to monitor
the security decisions being generated by the MAC Framework following
policy invocation.

Successful access control checks will be reported by:

  mac_framework:kernel:&lt;entrypoint&gt;:mac_check_ok

Failed access control checks will be reported by:

  mac_framework:kernel:&lt;entrypoint&gt;:mac_check_err

Successful privilege grants will be reported by:

  mac_framework:kernel:priv_grant:mac_grant_ok

Failed privilege grants will be reported by:

  mac_framework:kernel:priv_grant:mac_grant_err

In all cases, the return value (always 0 for _ok, otherwise an errno
for _err) will be reported via arg0 on the probe, and subsequent
arguments will hold entrypoint-specific data, in a style similar to
privilege tracing.

Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
</content>
</entry>
<entry>
<title>Use vm_map_entry_t instead of explicit struct vm_map_entry *.</title>
<updated>2009-02-24T20:27:48Z</updated>
<author>
<name>Konstantin Belousov</name>
<email>kib@FreeBSD.org</email>
</author>
<published>2009-02-24T20:27:48Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ad062f5bb8a357e4bd841bd6acba5cdcbee79a97'/>
<id>urn:sha1:ad062f5bb8a357e4bd841bd6acba5cdcbee79a97</id>
<content type='text'>
Reviewed by:	alc
</content>
</entry>
<entry>
<title>Make preparations for resurrecting shared/read locks on vm maps:</title>
<updated>2008-12-22T17:32:52Z</updated>
<author>
<name>Alan Cox</name>
<email>alc@FreeBSD.org</email>
</author>
<published>2008-12-22T17:32:52Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=1361cdc6449a3fcadf9e78ec74f1f18be12b963d'/>
<id>urn:sha1:1361cdc6449a3fcadf9e78ec74f1f18be12b963d</id>
<content type='text'>
mac_proc_vm_revoke_recurse() requests a read lock on the vm map at the start
but does not handle failure by vm_map_lock_upgrade() when it seeks to modify
the vm map.  At present, this works because all lock requests on a vm map are
implemented as exclusive locks.  Thus, vm_map_lock_upgrade() is a no-op that
always reports success.  However, that is about to change, and
proc_vm_revoke_recurse() will require substantial modifications to handle
vm_map_lock_upgrade() failures.  For the time being, I am changing
mac_proc_vm_revoke_recurse() to request a write lock on the vm map at the
start.

Approved by:	rwatson
MFC after:	3 months
</content>
</entry>
<entry>
<title>Break out strictly credential-related portions of mac_process.c into a</title>
<updated>2008-10-28T21:53:10Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2008-10-28T21:53:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=564f8f0fee165503b0b366ccdcc2bd933080a39b'/>
<id>urn:sha1:564f8f0fee165503b0b366ccdcc2bd933080a39b</id>
<content type='text'>
new file, mac_cred.c.

Obtained from:	TrustedBSD Project
</content>
</entry>
<entry>
<title>Rename mac_cred_mmapped_drop_perms(), which revokes access to virtual</title>
<updated>2008-10-28T12:49:07Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2008-10-28T12:49:07Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9215889d21ffb366dda6fcbd62483657769367f2'/>
<id>urn:sha1:9215889d21ffb366dda6fcbd62483657769367f2</id>
<content type='text'>
memory mappings when the MAC label on a process changes, to
mac_proc_vm_revoke().

It now also acquires its own credential reference directly from the
affected process rather than accepting one passed by the caller,
simplifying the API and consumer code.

Obtained from:	TrustedBSD Project
</content>
</entry>
<entry>
<title>Rename three MAC entry points from _proc_ to _cred_ to reflect the fact</title>
<updated>2008-10-28T11:33:06Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2008-10-28T11:33:06Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=212ab0cfb38a01878cc1bd44eeb4e6fcab384d5d'/>
<id>urn:sha1:212ab0cfb38a01878cc1bd44eeb4e6fcab384d5d</id>
<content type='text'>
that they operate directly on credentials: mac_proc_create_swapper(),
mac_proc_create_init(), and mac_proc_associate_nfsd().  Update policies.

Obtained from:	TrustedBSD Project
</content>
</entry>
</feed>
