| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
labels to 'ks' and 'kslabel' to reflect the convention in posix_sem.c.
MFC after: 3 days
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=172850
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
point to mac_check_vnode_unlink(), reflecting UNIX naming conventions.
This is the first of several commits to synchronize the MAC Framework
in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X
Leopard.
Reveiwed by: csjp, Samy Bahra <sbahra at gwu dot edu>
Submitted by: Jacques Vidrine <nectar at apple dot com>
Obtained from: Apple Computer, Inc.
Sponsored by: SPARTA, SPAWAR
Approved by: re (bmah)
Notes:
svn path=/head/; revision=172107
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
previously conditionally acquired Giant based on debug.mpsafenet. As that
has now been removed, they are no longer required. Removing them
significantly simplifies error-handling in the socket layer, eliminated
quite a bit of unwinding of locking in error cases.
While here clean up the now unneeded opt_net.h, which previously was used
for the NET_WITH_GIANT kernel option. Clean up some related gotos for
consistency.
Reviewed by: bz, csjp
Tested by: kris
Approved by: re (kensmith)
Notes:
svn path=/head/; revision=171744
|
| |
|
|
|
|
|
| |
Approved by: re (rwatson)
Notes:
svn path=/head/; revision=171235
|
| |
|
|
|
|
|
|
|
|
|
|
| |
mpo_check_proc_setaudit_addr to be used when controlling use of
setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a
different argument type.
Reviewed by: csjp
Approved by: re (kensmith)
Notes:
svn path=/head/; revision=171047
|
| |
|
|
|
|
|
|
|
|
|
| |
where similar data structures exist to support devfs and the MAC
Framework, but are named differently.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA, Inc.
Notes:
svn path=/head/; revision=168977
|
| |
|
|
|
|
|
|
|
|
|
|
| |
variable name conventions for arguments passed into the framework --
for example, name network interfaces 'ifp', sockets 'so', mounts 'mp',
mbufs 'm', processes 'p', etc, wherever possible. Previously there
was significant variation in this regard.
Normalize copyright lists to ranges where sensible.
Notes:
svn path=/head/; revision=168955
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
labels: the mount label (label of the mountpoint) and the fs label (label
of the file system). In practice, policies appear to only ever use one,
and the distinction is not helpful.
Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and
eliminate extra machinery required to maintain the additional label.
Update policies to reflect removal of extra entry points and label.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA, Inc.
Notes:
svn path=/head/; revision=168954
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the introduction of priv(9) and MAC Framework entry points for privilege
checking/granting. These entry points exactly aligned with privileges and
provided no additional security context:
- mac_check_sysarch_ioperm()
- mac_check_kld_unload()
- mac_check_settime()
- mac_check_system_nfsd()
Add mpo_priv_check() implementations to Biba and LOMAC policies, which,
for each privilege, determine if they can be granted to processes
considered unprivileged by those two policies. These mostly, but not
entirely, align with the set of privileges granted in jails.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=168951
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
calls. Add MAC Framework entry points and MAC policy entry points for
audit(), auditctl(), auditon(), setaudit(), aud setauid().
MAC Framework entry points are only added for audit system calls where
additional argument context may be useful for policy decision-making; other
audit system calls without arguments may be controlled via the priv(9)
entry points.
Update various policy modules to implement audit-related checks, and in
some cases, other missing system-related checks.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA, Inc.
Notes:
svn path=/head/; revision=168933
|
| |
|
|
|
|
|
|
|
|
|
| |
system calls now enter without Giant held, and then in some cases, acquire
Giant explicitly.
Remove a number of other MPSAFE annotations in the credential code and
tweak one or two other adjacent comments.
Notes:
svn path=/head/; revision=167211
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
LABEL_TO_SLOT() macro used by policy modules to query and set label data
in struct label. Instead of using a union, store an intptr_t, simplifying
the API.
Update policies: in most cases this required only small tweaks to current
wrapper macros. In two cases, a single wrapper macros had to be split into
separate get and set macros.
Move struct label definition from _label.h to mac_internal.h and remove
_label.h. With this change, policies may now treat struct label * as
opaque, allowing us to change the layout of struct label without breaking
the policy module ABI. For example, we could make the maximum number of
policies with labels modifiable at boot-time rather than just at
compile-time.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=166533
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't perform a nested include of _label.h in mac.h, as mac.h now
describes only the user API to MAC, and _label.h defines the in-kernel
representation of MAC labels.
Remove mac.h includes from policies and MAC framework components that do
not use userspace MAC API definitions.
Add _KERNEL inclusion checks to mac_internal.h and mac_policy.h, as these
are kernel-only include files
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=166531
|
| |
|
|
|
|
|
|
|
|
| |
the code, one being returned is invariant.
Discussed with: rwatson
MFC after: 1 week
Notes:
svn path=/head/; revision=165714
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
exclusive access if there is at least one thread waiting for it to
become available. This may significantly reduce overhead by reducing
the number of unnecessary wakeups issued whenever the framework becomes
idle.
Annotate that we still signal the CV more than necessary and should
fix this.
Obtained from: TrustedBSD Project
Reviewed by: csjp
Tested by: csjp
Notes:
svn path=/head/; revision=165708
|
| |
|
|
|
|
|
|
|
| |
are required.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165646
|
| |
|
|
|
|
|
|
| |
removed from this file. It is required to pick up the definition of
MAC_STATIC.
Notes:
svn path=/head/; revision=165645
|
| |
|
|
|
|
|
|
|
| |
mac_policy.h following move to new location in src/sys/security/mac.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165607
|
| |
|
|
|
|
|
|
|
|
| |
general and detailed comment on the topic of EA transactions and kernel
warnings.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165601
|
| |
|
|
|
|
|
|
|
| |
labels: they are in fact stored in the tag directly.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165600
|
| |
|
|
|
|
|
|
|
| |
that we should assert the socket lock.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165599
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
kernel<->policy ABI version. Add a comment to the definition describing
it and listing known versions. Modify MAC_POLICY_SET() to reference the
current kernel version by name rather than by number.
Staticize mac_late, which is used only in mac_framework.c.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165595
|
| |
|
|
|
|
|
|
|
|
| |
mac_label.c, and use these instead of replicated code in the label zone
constructor and destructor.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165593
|
| |
|
|
| |
Notes:
svn path=/head/; revision=165591
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
mac_framework.c Contains basic MAC Framework functions, policy
registration, sysinits, etc.
mac_syscalls.c Contains implementations of various MAC system calls,
including ENOSYS stubs when compiling without options
MAC.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165590
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
consumes and implements, as well as the location of the framework and
policy modules.
Refactor MAC Framework versioning a bit so that the current ABI version can
be exported via a read-only sysctl.
Further update comments relating to locking/synchronization.
Update copyright to take into account these and other recent changes.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165586
|
| |
|
|
| |
Notes:
svn path=/head/; revision=165505
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Framework and security modules, to src/sys/security/mac/mac_policy.h,
completing the removal of kernel-only MAC Framework include files from
src/sys/sys. Update the MAC Framework and MAC policy modules. Delete
the old mac_policy.h.
Third party policy modules will need similar updating.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165469
|
| |
|
|
| |
Notes:
svn path=/head/; revision=165434
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
subsystems will be a property of policy modules, which may require
access control check entry points to be invoked even when not actively
enforcing (i.e., to track information flow without providing
protection).
Obtained from: TrustedBSD Project
Suggested by: Christopher dot Vance at sparta dot com
Notes:
svn path=/head/; revision=165433
|
| |
|
|
|
|
|
|
|
|
| |
this policy API to avoid encoding struct label binary layout in policy
modules.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165429
|
| |
|
|
|
|
|
|
|
| |
Document mac_associate_nfsd_label().
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165428
|
| |
|
|
| |
Notes:
svn path=/head/; revision=165427
|
| |
|
|
|
|
|
|
|
| |
Clean up comment white space and wrapping.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165426
|
| |
|
|
| |
Notes:
svn path=/head/; revision=165425
|
| |
|
|
|
|
|
|
|
| |
model and the MAC Framework.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165424
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
than from the slab, but don't.
Document mac_mbuf_to_label(), mac_copy_mbuf_tag().
Clean up white space/wrapping for other comments.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165423
|
| |
|
|
|
|
|
| |
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165422
|
| |
|
|
|
|
|
|
|
| |
Provide a comment describing MAC_EXTERNALIZE().
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165421
|
| |
|
|
| |
Notes:
svn path=/head/; revision=165420
|
| |
|
|
|
|
|
|
|
|
| |
Exapnd comments on System V IPC labeling methods, which could use improved
consistency with respect to other object types.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165414
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
the ifnet itself. The stack copy has been made while holding the mutex
protecting ifnet labels, so copying from the ifnet copy could result in
an inconsistent version being copied out.
Reported by: Todd.Miller@sparta.com
Obtained from: TrustedBSD Project
MFC after: 3 weeks
Notes:
svn path=/head/; revision=165412
|
| |
|
|
|
|
|
|
|
|
|
| |
model, interactions between locking and policy init/destroy methods.
Rewrap some comments to 77 character line wrap.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=165411
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
kernel. This LOR snuck in with some of the recent syncache changes. To
fix this, the inpcb handling was changed:
- Hang a MAC label off the syncache object
- When the syncache entry is initially created, we pickup the PCB lock
is held because we extract information from it while initializing the
syncache entry. While we do this, copy the MAC label associated with
the PCB and use it for the syncache entry.
- When the packet is transmitted, copy the label from the syncache entry
to the mbuf so it can be processed by security policies which analyze
mbuf labels.
This change required that the MAC framework be extended to support the
label copy operations from the PCB to the syncache entry, and then from
the syncache entry to the mbuf.
These functions really should be referencing the syncache structure instead
of the label. However, due to some of the complexities associated with
exposing this syncache structure we operate directly on it's label pointer.
This should be OK since we aren't making any access control decisions within
this code directly, we are merely allocating and copying label storage so
we can properly initialize mbuf labels for any packets the syncache code
might create.
This also has a nice side effect of caching. Prior to this change, the
PCB would be looked up/locked for each packet transmitted. Now the label
is cached at the time the syncache entry is initialized.
Submitted by: andre [1]
Discussed with: rwatson
[1] andre submitted the tcp_syncache.c changes
Notes:
svn path=/head/; revision=165149
|
| |
|
|
|
|
|
|
| |
Reviewed by: glanced at by jhb
Approved by: silence on -arch@ and -standards@
Notes:
svn path=/head/; revision=164184
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
specific privilege names to a broad range of privileges. These may
require some future tweaking.
Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
Alex Lyashkov <umka at sevcity dot net>,
Skip Ford <skip dot ford at verizon dot net>,
Antoine Brodin <antoine dot brodin at laposte dot net>
Notes:
svn path=/head/; revision=164033
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
privilege for threads and credentials. Unlike the existing suser(9)
interface, priv(9) exposes a named privilege identifier to the privilege
checking code, allowing more complex policies regarding the granting of
privilege to be expressed. Two interfaces are provided, replacing the
existing suser(9) interface:
suser(td) -> priv_check(td, priv)
suser_cred(cred, flags) -> priv_check_cred(cred, priv, flags)
A comprehensive list of currently available kernel privileges may be
found in priv.h. New privileges are easily added as required, but the
comments on adding privileges found in priv.h and priv(9) should be read
before doing so.
The new privilege interface exposed sufficient information to the
privilege checking routine that it will now be possible for jail to
determine whether a particular privilege is granted in the check routine,
rather than relying on hints from the calling context via the
SUSER_ALLOWJAIL flag. For now, the flag is maintained, but a new jail
check function, prison_priv_check(), is exposed from kern_jail.c and used
by the privilege check routine to determine if the privilege is permitted
in jail. As a result, a centralized list of privileges permitted in jail
is now present in kern_jail.c.
The MAC Framework is now also able to instrument privilege checks, both
to deny privileges otherwise granted (mac_priv_check()), and to grant
privileges otherwise denied (mac_priv_grant()), permitting MAC Policy
modules to implement privilege models, as well as control a much broader
range of system behavior in order to constrain processes running with
root privilege.
The suser() and suser_cred() functions remain implemented, now in terms
of priv_check() and the PRIV_ROOT privilege, for use during the transition
and possibly continuing use by third party kernel modules that have not
been updated. The PRIV_DRIVER privilege exists to allow device drivers to
check privilege without adopting a more specific privilege identifier.
This change does not modify the actual security policy, rather, it
modifies the interface for privilege checks so changes to the security
policy become more feasible.
Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
Alex Lyashkov <umka at sevcity dot net>,
Skip Ford <skip dot ford at verizon dot net>,
Antoine Brodin <antoine dot brodin at laposte dot net>
Notes:
svn path=/head/; revision=164032
|
| |
|
|
|
|
|
|
|
| |
function prototypes.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=163788
|
| |
|
|
| |
Notes:
svn path=/head/; revision=163686
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.
This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA
Notes:
svn path=/head/; revision=163606
|
