FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F5.2.1 2003-12-06T21:48:03Z 2003-12-06T21:48:03Z Robert Watson rwatson@FreeBSD.org 2003-12-06T21:48:03Z urn:sha1:56d9e932072f81ebaa7bb1bf5995a46813bc91c4 and the mpo_create_cred() MAC policy entry point to mpo_copy_cred_label(). This is more consistent with similar entry points for creation and label copying, as mac_create_cred() was called from crdup() as opposed to during process creation. For a number of policies, this removes the requirement for special handling when copying credential labels, and improves consistency. Approved by: re (scottl) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 2003-11-18T00:39:07Z Robert Watson rwatson@FreeBSD.org 2003-11-18T00:39:07Z urn:sha1:a557af222b70694470f63e2a0f1bf58c9dcc73fd the MAC label referenced from 'struct socket' in the IPv4 and IPv6-based protocols. This permits MAC labels to be checked during network delivery operations without dereferencing inp->inp_socket to get to so->so_label, which will eventually avoid our having to grab the socket lock during delivery at the network layer. This change introduces 'struct inpcb' as a labeled object to the MAC Framework, along with the normal circus of entry points: initialization, creation from socket, destruction, as well as a delivery access control check. For most policies, the inpcb label will simply be a cache of the socket label, so a new protocol switch method is introduced, pr_sosetlabel() to notify protocols that the socket layer label has been updated so that the cache can be updated while holding appropriate locks. Most protocols implement this using pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use the the worker function in_pcbsosetlabel(), which calls into the MAC Framework to perform a cache update. Biba, LOMAC, and MLS implement these entry points, as do the stub policy, and test policy. Reviewed by: sam, bms Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 2003-11-16T23:31:45Z Robert Watson rwatson@FreeBSD.org 2003-11-16T23:31:45Z urn:sha1:b0323ea3aaf2c98f85c4f28e247ad84759e6d02e system calls, and prefer these calls over getsockopt()/setsockopt() for ABI reasons. When addressing UNIX domain sockets, these calls retrieve and modify the socket label, not the label of the rendezvous vnode. - Create mac_copy_socket_label() entry point based on mac_copy_pipe_label() entry point, intended to copy the socket label into temporary storage that doesn't require a socket lock to be held (currently Giant). - Implement mac_copy_socket_label() for various policies. - Expose socket label allocation, free, internalize, externalize entry points as non-static from mac_net.c. - Use mac_socket_label_set() in __mac_set_fd(). MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and mac_get_peer() to retrieve and set various socket labels without directly invoking the getsockopt() interface. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 2003-11-16T18:28:58Z Robert Watson rwatson@FreeBSD.org 2003-11-16T18:28:58Z urn:sha1:0196273b2d524eec6918dc2f8f096ca5fb3fc6c5 mac_stub and mac_test. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 2003-11-15T00:26:02Z Robert Watson rwatson@FreeBSD.org 2003-11-15T00:26:02Z urn:sha1:1862cd57cf06801b19b048ecc3dcc1bbc5d31b57 vnode label; update assertion. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 2003-11-12T17:21:57Z John Baldwin jhb@FreeBSD.org 2003-11-12T17:21:57Z urn:sha1:e5bc4f1b34be3d9aa2adf63e58884cc3ad54ba5a 2003-11-12T03:14:31Z Robert Watson rwatson@FreeBSD.org 2003-11-12T03:14:31Z urn:sha1:eca8a663d442468f64e21ed869817b9048ab5a7b in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 2003-08-22T12:32:07Z Robert Watson rwatson@FreeBSD.org 2003-08-22T12:32:07Z urn:sha1:2b6e83104c5e245e43a180d3c6a3b0bbd529ae8f test to the reflect_tcp entry point, rather than the reflect_icmp entry point. Submitted by: naddy 2003-08-21T17:28:45Z Robert Watson rwatson@FreeBSD.org 2003-08-21T17:28:45Z urn:sha1:250ee70636121acab9840a7fcae69380d882398d Framework labels: - Re-work the label state assertions to use a set of central ASSERT_type_LABEL() assertions. - Test to make sure labels passed to externalize/internalize calls haven't been destroyed. - For access control checks, assert the condition of all labels passed in. - For life cycle events, assert the condition of all labels passed in. - Add new entry point implementations for new MAC Framework entry points: mac_test_reflect_mbuf_icmp(), mac_test_reflect_mbuf_tcp(), mac_test_check_vnode_deleteextattr(), mac_test_check_vnode_listextattr(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 2003-07-05T01:24:36Z Robert Watson rwatson@FreeBSD.org 2003-07-05T01:24:36Z urn:sha1:de88922310093433486b241149c5c3e49d4308e6