d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
62bc689aa6
freebsd-dev/sys/security/mac/mac_vfs.c

1072 lines
26 KiB
C
Raw Normal View History

Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
/*-
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
* Copyright (c) 1999-2002, 2009 Robert N. M. Watson
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
* Copyright (c) 2001 Ilmar S. Habibulin
Update copyright for NETA->McAfee.
2005-01-30 12:38:47 +00:00
* Copyright (c) 2001-2005 McAfee, Inc.
In the MAC Framework implementation, file systems have two per-mountpoint labels: the mount label (label of the mountpoint) and the fs label (label of the file system). In practice, policies appear to only ever use one, and the distinction is not helpful. Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and eliminate extra machinery required to maintain the additional label. Update policies to reflect removal of extra entry points and label. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-22 16:18:10 +00:00
* Copyright (c) 2005-2006 SPARTA, Inc.
Introduce two related changes to the TrustedBSD MAC Framework: (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd. (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required. MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
* Copyright (c) 2008 Apple Inc.
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
* TrustedBSD Project.
*
Update copyright for NETA->McAfee.
2005-01-30 12:38:47 +00:00
* This software was developed for the FreeBSD Project in part by McAfee
* Research, the Security Research Division of McAfee, Inc. under
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
*
Trim trailing white space, clean up comment line wrapping and formatting. Document mac_associate_nfsd_label(). Obtained from: TrustedBSD Project
2006-12-20 23:18:17 +00:00
* This software was enhanced by SPARTA ISSO under SPAWAR contract
When devfs cloning takes place, provide access to the credential of the process that caused the clone event to take place for the device driver creating the device. This allows cloned device drivers to adapt the device node based on security aspects of the process, such as the uid, gid, and MAC label. - Add a cred reference to struct cdev, so that when a device node is instantiated as a vnode, the cloning credential can be exposed to MAC. - Add make_dev_cred(), a version of make_dev() that additionally accepts the credential to stick in the struct cdev. Implement it and make_dev() in terms of a back-end make_dev_credv(). - Add a new event handler, dev_clone_cred, which can be registered to receive the credential instead of dev_clone, if desired. - Modify the MAC entry point mac_create_devfs_device() to accept an optional credential pointer (may be NULL), so that MAC policies can inspect and act on the label or other elements of the credential when initializing the skeleton device protections. - Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(), so that the pty clone credential is exposed to the MAC Framework. While currently primarily focussed on MAC policies, this change is also a prerequisite for changes to allow ptys to be instantiated with the UID of the process looking up the pty. This requires further changes to the pty driver -- in particular, to immediately recycle pty nodes on last close so that the credential-related state can be recreated on next lookup. Submitted by: Andrew Reisse <andrew.reisse@sparta.com> Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA MFC after: 1 week MFC note: Merge to 6.x, but not 5.x for ABI reasons
2005-07-14 10:22:09 +00:00
* N66001-04-C-6019 ("SEFOS").
*
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
* This software was developed at the University of Cambridge Computer
* Laboratory with support from a grant from Google, Inc.
*
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
Use __FBSDID().
2003-06-11 00:56:59 +00:00
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
#include "opt_kdtrace.h"
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
#include "opt_mac.h"
Include file cleanup; mac.h and malloc.h at one point had ordering relationship requirements, and no longer do. Reminded by: bde
2002-08-01 17:47:56 +00:00
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
#include <sys/param.h>
Introduce a condition variable to avoid returning EBUSY when the MAC policy list is busy during a load or unload attempt. We assert no locks held during the cv wait, meaning we should be fairly deadlock-safe. Because of the cv model and busy count, it's possible for a cv waiter waiting for exclusive access to the policy list to be starved by active and long-lived access control/labeling events. For now, we accept that as a necessary tradeoff. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-11-13 15:47:09 +00:00
#include <sys/condvar.h>
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
#include <sys/extattr.h>
Bring in two sets of changes: (1) Permit userland applications to request a change of label atomic with an execve() via mac_execve(). This is required for the SEBSD port of SELinux/FLASK. Attempts to invoke this without MAC compiled in result in ENOSYS, as with all other MAC system calls. Complexity, if desired, is present in policy modules, rather than the framework. (2) Permit policies to have access to both the label of the vnode being executed as well as the interpreter if it's a shell script or related UNIX nonsense. Because we can't hold both vnode locks at the same time, cache the interpreter label. SEBSD relies on this because it supports secure transitioning via shell script executables. Other policies might want to take both labels into account during an integrity or confidentiality decision at execve()-time. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-11-05 17:51:56 +00:00
#include <sys/imgact.h>
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
#include <sys/kernel.h>
#include <sys/lock.h>
Include <sys/malloc.h> instead of depending on namespace pollution 2 layers deep in <sys/proc.h> or <sys/vnode.h>. Removed unused includes. Fixed some printf format errors (1 fatal on i386's; 1 fatal on alphas; 1 not fatal on any supported machine).
2002-09-05 07:02:43 +00:00
#include <sys/malloc.h>
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
#include <sys/mutex.h>
#include <sys/proc.h>
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
#include <sys/sbuf.h>
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/mount.h>
#include <sys/file.h>
#include <sys/namei.h>
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
#include <sys/sdt.h>
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
#include <sys/sysctl.h>
#include <vm/vm.h>
#include <vm/pmap.h>
#include <vm/vm_map.h>
#include <vm/vm_object.h>
#include <fs/devfs/devfs.h>
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitions, with all in-kernel interfaces moved to mac_framework.h, which is now included across most of the kernel instead. This change is the first step in a larger cleanup and sweep of MAC Framework interfaces in the kernel, and will not be MFC'd. Obtained from: TrustedBSD Project Sponsored by: SPARTA
2006-10-22 11:52:19 +00:00
#include <security/mac/mac_framework.h>
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
#include <security/mac/mac_internal.h>
Move src/sys/sys/mac_policy.h, the kernel interface between the MAC Framework and security modules, to src/sys/security/mac/mac_policy.h, completing the removal of kernel-only MAC Framework include files from src/sys/sys. Update the MAC Framework and MAC policy modules. Delete the old mac_policy.h. Third party policy modules will need similar updating. Obtained from: TrustedBSD Project
2006-12-22 23:34:47 +00:00
#include <security/mac/mac_policy.h>
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
/*
Trim trailing white space, clean up comment line wrapping and formatting. Document mac_associate_nfsd_label(). Obtained from: TrustedBSD Project
2006-12-20 23:18:17 +00:00
* Warn about EA transactions only the first time they happen. No locking on
* this variable.
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
*/
static int ea_warn_once = 0;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
static int mac_vnode_setlabel_extattr(struct ucred *cred,
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
struct vnode *vp, struct label *intlabel);
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
static struct label *
Rename mac*devfsdirent*() to mac*devfs*() to synchronize with SEDarwin, where similar data structures exist to support devfs and the MAC Framework, but are named differently. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-23 13:36:54 +00:00
mac_devfs_label_alloc(void)
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
{
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
struct label *label;
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
label = mac_labelzone_alloc(M_WAITOK);
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM(devfs_init_label, label);
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
return (label);
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_devfs_init(struct devfs_dirent *de)
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
{
Introduce two related changes to the TrustedBSD MAC Framework: (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd. (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required. MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
if (mac_labeled & MPC_OBJECT_DEVFS)
de->de_label = mac_devfs_label_alloc();
else
de->de_label = NULL;
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
}
static struct label *
mac_mount_label_alloc(void)
{
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM(mount_init_label, label);
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
return (label);
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_mount_init(struct mount *mp)
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
{
Introduce two related changes to the TrustedBSD MAC Framework: (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd. (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required. MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
if (mac_labeled & MPC_OBJECT_MOUNT)
mp->mnt_label = mac_mount_label_alloc();
else
mp->mnt_label = NULL;
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
}
struct label *
mac_vnode_label_alloc(void)
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
{
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
struct label *label;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
label = mac_labelzone_alloc(M_WAITOK);
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM(vnode_init_label, label);
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
return (label);
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_init(struct vnode *vp)
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Introduce two related changes to the TrustedBSD MAC Framework: (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd. (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required. MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
if (mac_labeled & MPC_OBJECT_VNODE)
vp->v_label = mac_vnode_label_alloc();
else
vp->v_label = NULL;
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
}
static void
Rename mac*devfsdirent*() to mac*devfs*() to synchronize with SEDarwin, where similar data structures exist to support devfs and the MAC Framework, but are named differently. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-23 13:36:54 +00:00
mac_devfs_label_free(struct label *label)
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
{
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM_NOSLEEP(devfs_destroy_label, label);
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
mac_labelzone_free(label);
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_devfs_destroy(struct devfs_dirent *de)
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Introduce two related changes to the TrustedBSD MAC Framework: (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd. (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required. MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
if (de->de_label != NULL) {
mac_devfs_label_free(de->de_label);
de->de_label = NULL;
}
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
}
static void
mac_mount_label_free(struct label *label)
{
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM_NOSLEEP(mount_destroy_label, label);
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
mac_labelzone_free(label);
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_mount_destroy(struct mount *mp)
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
{
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Introduce two related changes to the TrustedBSD MAC Framework: (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd. (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required. MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
if (mp->mnt_label != NULL) {
mac_mount_label_free(mp->mnt_label);
mp->mnt_label = NULL;
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
mac_vnode_label_free(struct label *label)
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
{
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM_NOSLEEP(vnode_destroy_label, label);
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
mac_labelzone_free(label);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_destroy(struct vnode *vp)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Introduce two related changes to the TrustedBSD MAC Framework: (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd. (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required. MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
if (vp->v_label != NULL) {
mac_vnode_label_free(vp->v_label);
vp->v_label = NULL;
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_copy_label(struct label *src, struct label *dest)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM_NOSLEEP(vnode_copy_label, src, dest);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_externalize_label(struct label *label, char *elements,
Remove the flags argument from mac_externalize_*_label(), as it's not passed into policies or used internally to the MAC Framework. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-06 03:42:43 +00:00
char *outbuf, size_t outbuflen)
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_EXTERNALIZE(vnode, label, elements, outbuf, outbuflen);
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_internalize_label(struct label *label, char *string)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
int error;
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_INTERNALIZE(vnode, label, string);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
return (error);
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_devfs_update(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM_NOSLEEP(devfs_update, mp, de, de->de_label, vp,
Rework MAC Framework synchronization in a number of ways in order to improve performance: - Eliminate custom reference count and condition variable to monitor threads entering the framework, as this had both significant overhead and behaved badly in the face of contention. - Replace reference count with two locks: an rwlock and an sx lock, which will be read-acquired by threads entering the framework depending on whether a give policy entry point is permitted to sleep or not. - Replace previous mutex locking of the reference count for exclusive access with write acquiring of both the policy list sx and rw locks, which occurs only when policies are attached or detached. - Do a lockless read of the dynamic policy list head before acquiring any locks in order to reduce overhead when no dynamic policies are loaded; this a race we can afford to lose. - For every policy entry point invocation, decide whether sleeping is permitted, and if not, use a _NOSLEEP() variant of the composition macros, which will use the rwlock instead of the sxlock. In some cases, we decide which to use based on allocation flags passed to the MAC Framework entry point. As with the move to rwlocks/rmlocks in pfil, this may trigger witness warnings, but these should (generally) be false positives as all acquisition of the locks is for read with two very narrow exceptions for policy load/unload, and those code blocks should never acquire other locks. Sponsored by: Google, Inc. Obtained from: TrustedBSD Project Discussed with: csjp (idea, not specific patch)
2009-03-14 16:06:06 +00:00
vp->v_label);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
}
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct vnode *vp)
{
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM_NOSLEEP(devfs_vnode_associate, mp, mp->mnt_label,
de, de->de_label, vp, vp->v_label);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
}
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp)
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
{
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_associate_extattr");
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_associate_extattr, mp, mp->mnt_label, vp,
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
vp->v_label);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM_NOSLEEP(vnode_associate_singlelabel, mp,
mp->mnt_label, vp, vp->v_label);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove XXX comments about EA transaction support and provide a more general and detailed comment on the topic of EA transactions and kernel warnings. Obtained from: TrustedBSD Project
2006-12-28 22:02:59 +00:00
/*
* Functions implementing extended-attribute backed labels for file systems
* that support it.
*
* Where possible, we use EA transactions to make writes to multiple
* attributes across difference policies mutually atomic. We allow work to
* continue on file systems not supporting EA transactions, but generate a
* printf warning.
*/
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(dvp, "mac_vnode_create_extattr");
ASSERT_VOP_LOCKED(vp, "mac_vnode_create_extattr");
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
if (ea_warn_once == 0) {
printf("Warning: transactions not supported "
"in EA write.\n");
ea_warn_once = 1;
}
} else if (error)
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_create_extattr, cred, mp, mp->mnt_label, dvp,
In the MAC Framework implementation, file systems have two per-mountpoint labels: the mount label (label of the mountpoint) and the fs label (label of the file system). In practice, policies appear to only ever use one, and the distinction is not helpful. Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and eliminate extra machinery required to maintain the additional label. Update policies to reflect removal of extra entry points and label. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-22 16:18:10 +00:00
dvp->v_label, vp, vp->v_label, cnp);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
return (error);
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
if (error == EOPNOTSUPP)
Remove XXX comments about EA transaction support and provide a more general and detailed comment on the topic of EA transactions and kernel warnings. Obtained from: TrustedBSD Project
2006-12-28 22:02:59 +00:00
error = 0;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
static int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct label *intlabel)
Abstract access to the mbuf header label behind a new function, mbuf_to_label(). This permits the vast majority of entry point code to be unaware that labels are stored in m->m_pkthdr.label, such that we can experiment storage of labels elsewhere (such as in m_tags). Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 18:11:18 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Abstract access to the mbuf header label behind a new function, mbuf_to_label(). This permits the vast majority of entry point code to be unaware that labels are stored in m->m_pkthdr.label, such that we can experiment storage of labels elsewhere (such as in m_tags). Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 18:11:18 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_setlabel_extattr");
Abstract access to the mbuf header label behind a new function, mbuf_to_label(). This permits the vast majority of entry point code to be unaware that labels are stored in m->m_pkthdr.label, such that we can experiment storage of labels elsewhere (such as in m_tags). Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 18:11:18 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
if (ea_warn_once == 0) {
printf("Warning: transactions not supported "
"in EA write.\n");
ea_warn_once = 1;
}
} else if (error)
return (error);
Abstract access to the mbuf header label behind a new function, mbuf_to_label(). This permits the vast majority of entry point code to be unaware that labels are stored in m->m_pkthdr.label, such that we can experiment storage of labels elsewhere (such as in m_tags). Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 18:11:18 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_setlabel_extattr, cred, vp, vp->v_label,
intlabel);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
return (error);
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
if (error == EOPNOTSUPP)
Remove XXX comments about EA transaction support and provide a more general and detailed comment on the topic of EA transactions and kernel warnings. Obtained from: TrustedBSD Project
2006-12-28 22:02:59 +00:00
error = 0;
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_execve_transition(struct ucred *old, struct ucred *new,
Further MAC Framework cleanup: normalize some local variable names and clean up some comments. Obtained from: TrustedBSD Project
2007-10-25 07:49:47 +00:00
struct vnode *vp, struct label *interpvplabel, struct image_params *imgp)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_transition");
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM(vnode_execve_transition, old, new, vp,
vp->v_label, interpvplabel, imgp, imgp->execlabel);
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
Further MAC Framework cleanup: normalize some local variable names and clean up some comments. Obtained from: TrustedBSD Project
2007-10-25 07:49:47 +00:00
struct label *interpvplabel, struct image_params *imgp)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int result;
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_will_transition");
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
result = 0;
Rework MAC Framework synchronization in a number of ways in order to improve performance: - Eliminate custom reference count and condition variable to monitor threads entering the framework, as this had both significant overhead and behaved badly in the face of contention. - Replace reference count with two locks: an rwlock and an sx lock, which will be read-acquired by threads entering the framework depending on whether a give policy entry point is permitted to sleep or not. - Replace previous mutex locking of the reference count for exclusive access with write acquiring of both the policy list sx and rw locks, which occurs only when policies are attached or detached. - Do a lockless read of the dynamic policy list head before acquiring any locks in order to reduce overhead when no dynamic policies are loaded; this a race we can afford to lose. - For every policy entry point invocation, decide whether sleeping is permitted, and if not, use a _NOSLEEP() variant of the composition macros, which will use the rwlock instead of the sxlock. In some cases, we decide which to use based on allocation flags passed to the MAC Framework entry point. As with the move to rwlocks/rmlocks in pfil, this may trigger witness warnings, but these should (generally) be false positives as all acquisition of the locks is for read with two very narrow exceptions for policy load/unload, and those code blocks should never acquire other locks. Sponsored by: Google, Inc. Obtained from: TrustedBSD Project Discussed with: csjp (idea, not specific patch)
2009-03-14 16:06:06 +00:00
/* No sleeping since the process lock will be held by the caller. */
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_BOOLEAN_NOSLEEP(vnode_execve_will_transition, ||, old, vp,
Rework MAC Framework synchronization in a number of ways in order to improve performance: - Eliminate custom reference count and condition variable to monitor threads entering the framework, as this had both significant overhead and behaved badly in the face of contention. - Replace reference count with two locks: an rwlock and an sx lock, which will be read-acquired by threads entering the framework depending on whether a give policy entry point is permitted to sleep or not. - Replace previous mutex locking of the reference count for exclusive access with write acquiring of both the policy list sx and rw locks, which occurs only when policies are attached or detached. - Do a lockless read of the dynamic policy list head before acquiring any locks in order to reduce overhead when no dynamic policies are loaded; this a race we can afford to lose. - For every policy entry point invocation, decide whether sleeping is permitted, and if not, use a _NOSLEEP() variant of the composition macros, which will use the rwlock instead of the sxlock. In some cases, we decide which to use based on allocation flags passed to the MAC Framework entry point. As with the move to rwlocks/rmlocks in pfil, this may trigger witness warnings, but these should (generally) be false positives as all acquisition of the locks is for read with two very narrow exceptions for policy load/unload, and those code blocks should never acquire other locks. Sponsored by: Google, Inc. Obtained from: TrustedBSD Project Discussed with: csjp (idea, not specific patch)
2009-03-14 16:06:06 +00:00
vp->v_label, interpvplabel, imgp, imgp->execlabel);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (result);
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_access, "struct ucred *",
"struct vnode *", "accmode_t");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Introduce accmode_t. This is required for NFSv4 ACLs - it will be neccessary to add more V* constants, and the variables changed by this patch were often being assigned to mode_t variables, which is 16 bit. Approved by: rwatson (mentor)
2008-10-28 13:44:11 +00:00
mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access");
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_access, cred, vp, vp->v_label, accmode);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_access, error, cred, vp, accmode);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE2(vnode_check_chdir, "struct ucred *",
"struct vnode *");
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-03-26 15:12:03 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-03-26 15:12:03 +00:00
int error;
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir");
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-03-26 15:12:03 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE2(vnode_check_chdir, error, cred, dvp);
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-03-26 15:12:03 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE2(vnode_check_chroot, "struct ucred *",
"struct vnode *");
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp)
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
{
mac_init_mbuf_tag() accepts malloc flags, not mbuf allocator flags, so don't try and convert the argument flags to malloc flags, or we risk implicitly requesting blocking and generating witness warnings. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-15 19:33:23 +00:00
int error;
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot");
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE2(vnode_check_chroot, error, cred, dvp);
While the MAC API has supported the ability to handle M_NOWAIT passed to mbuf label initialization, that functionality was never merged to the main tree. Go ahead and merge that functionality now. Note that this requires policy modules to accept the case where the label element may be destroyed even if init has not succeeded on it (in the event that policy failed the init). This will shortly also apply to sockets. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:44:49 +00:00
return (error);
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_create, "struct ucred *",
"struct vnode *", "struct componentname *", "struct vattr *");
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct componentname *cnp, struct vattr *vap)
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create");
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp,
vap);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_create, error, cred, dvp, cnp, vap);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_deleteacl, "struct ucred *",
"struct vnode *", "acl_type_t");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
acl_type_t type)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl");
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_deleteacl, error, cred, vp, type);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Introduce p_label, extensible security label storage for the MAC framework in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) can update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-11-20 15:41:25 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_deleteextattr, "struct ucred *",
"struct vnode *", "int", "const char *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int attrnamespace, const char *name)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteextattr");
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
attrnamespace, name);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_deleteextattr, error, cred, vp,
attrnamespace, name);
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_exec, "struct ucred *", "struct vnode *",
"struct image_params *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct image_params *imgp)
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_exec");
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
imgp->execlabel);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_exec, error, cred, vp, imgp);
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_getacl, "struct ucred *",
"struct vnode *", "acl_type_t");
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl");
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_getacl, error, cred, vp, type);
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_getextattr, "struct ucred *",
"struct vnode *", "int", "const char *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
Remove 'uio' argument from MAC Framework and MAC policy entry points for extended attribute get/set; in the case of get an uninitialized user buffer was passed before the EA was retrieved, making it of relatively little use; the latter was simply unused by any policies. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 12:32:06 +00:00
int attrnamespace, const char *name)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getextattr");
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
Remove 'uio' argument from MAC Framework and MAC policy entry points for extended attribute get/set; in the case of get an uninitialized user buffer was passed before the EA was retrieved, making it of relatively little use; the latter was simply unused by any policies. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 12:32:06 +00:00
attrnamespace, name);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_getextattr, error, cred, vp,
attrnamespace, name);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_link, "struct ucred *", "struct vnode *",
"struct vnode *", "struct componentname *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct vnode *vp, struct componentname *cnp)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_link");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_link");
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
vp->v_label, cnp);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_link, error, cred, dvp, vp, cnp);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_listextattr, "struct ucred *",
"struct vnode *", "int");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int attrnamespace)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_listextattr");
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_listextattr, cred, vp, vp->v_label,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
attrnamespace);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_listextattr, error, cred, vp,
attrnamespace);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_lookup, "struct ucred *",
"struct vnode *", "struct componentname *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct componentname *cnp)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup");
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_lookup, error, cred, dvp, cnp);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_mmap, "struct ucred *", "struct vnode *",
"int", "int");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Further MAC Framework cleanup: normalize some local variable names and clean up some comments. Obtained from: TrustedBSD Project
2007-10-25 07:49:47 +00:00
mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
int flags)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap");
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_mmap, error, cred, vp, prot, flags);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
void
Further MAC Framework cleanup: normalize some local variable names and clean up some comments. Obtained from: TrustedBSD Project
2007-10-25 07:49:47 +00:00
mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
int *prot)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int result = *prot;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap_downgrade");
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM(vnode_check_mmap_downgrade, cred, vp, vp->v_label,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
&result);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
*prot = result;
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_mprotect, "struct ucred *",
"struct vnode *", "int");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
Introduce p_label, extensible security label storage for the MAC framework in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) can update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-11-20 15:41:25 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Introduce p_label, extensible security label storage for the MAC framework in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) can update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-11-20 15:41:25 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect");
Introduce p_label, extensible security label storage for the MAC framework in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) can update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-11-20 15:41:25 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_mprotect, error, cred, vp, prot);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_open, "struct ucred *", "struct vnode *",
"accmode_t");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Introduce accmode_t. This is required for NFSv4 ACLs - it will be neccessary to add more V* constants, and the variables changed by this patch were often being assigned to mode_t variables, which is 16 bit. Approved by: rwatson (mentor)
2008-10-28 13:44:11 +00:00
mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode)
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_open");
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_open, cred, vp, vp->v_label, accmode);
Add missing DTrace probe invocation to mac_vnode_check_open; the probe was declared, but never used. MFC after: 3 days Sponsored by: Google, Inc.
2010-10-23 16:59:39 +00:00
MAC_CHECK_PROBE3(vnode_check_open, error, cred, vp, accmode);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_poll, "struct ucred *", "struct ucred *",
"struct vnode *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct vnode *vp)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_poll");
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_poll, active_cred, file_cred, vp,
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
vp->v_label);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_poll, error, active_cred, file_cred,
vp);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_read, "struct ucred *", "struct ucred *",
"struct vnode *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct vnode *vp)
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_read");
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_read, active_cred, file_cred, vp,
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
vp->v_label);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_read, error, active_cred, file_cred,
vp);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE2(vnode_check_readdir, "struct ucred *",
"struct vnode *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE2(vnode_check_readdir, error, cred, dvp);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE2(vnode_check_readlink, "struct ucred *",
"struct vnode *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink");
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE2(vnode_check_readlink, error, cred, vp);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_relabel, "struct ucred *",
"struct vnode *", "struct label *");
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
static int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct label *newlabel)
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_relabel, error, cred, vp, newlabel);
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_from, "struct ucred *",
"struct vnode *", "struct vnode *", "struct componentname *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct vnode *vp, struct componentname *cnp)
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_from");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_from");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
vp->v_label, cnp);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_rename_from, error, cred, dvp, vp, cnp);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_to, "struct ucred *",
"struct vnode *", "struct vnode *", "struct componentname *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct vnode *vp, int samedir, struct componentname *cnp)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_to");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_to");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp,
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
vp != NULL ? vp->v_label : NULL, samedir, cnp);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_rename_to, error, cred, dvp, vp, cnp);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE2(vnode_check_revoke, "struct ucred *",
"struct vnode *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE2(vnode_check_revoke, error, cred, vp);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_setacl, "struct ucred *",
"struct vnode *", "acl_tpe_t", "struct acl *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct acl *acl)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_setacl, error, cred, vp, type, acl);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_setextattr, "struct ucred *",
"struct vnode *", "int", "const char *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
Remove 'uio' argument from MAC Framework and MAC policy entry points for extended attribute get/set; in the case of get an uninitialized user buffer was passed before the EA was retrieved, making it of relatively little use; the latter was simply unused by any policies. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 12:32:06 +00:00
int attrnamespace, const char *name)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setextattr");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
Remove 'uio' argument from MAC Framework and MAC policy entry points for extended attribute get/set; in the case of get an uninitialized user buffer was passed before the EA was retrieved, making it of relatively little use; the latter was simply unused by any policies. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 12:32:06 +00:00
attrnamespace, name);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_setextattr, error, cred, vp,
attrnamespace, name);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_setflags, "struct ucred *",
"struct vnode *", "u_long");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_setflags, error, cred, vp, flags);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_setmode, "struct ucred *",
"struct vnode *", "mode_t");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_setmode, error, cred, vp, mode);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_setowner, "struct ucred *",
"struct vnode *", "uid_t", "gid_t");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
gid_t gid)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_setowner, error, cred, vp, uid, gid);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_setutimes, "struct ucred *",
"struct vnode *", "struct timespec *", "struct timespec *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct timespec atime, struct timespec mtime)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setutimes");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
mtime);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_setutimes, error, cred, vp, &atime,
&mtime);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_stat, "struct ucred *", "struct ucred *",
"struct vnode *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct vnode *vp)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_stat");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_stat, active_cred, file_cred, vp,
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
vp->v_label);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_stat, error, active_cred, file_cred,
vp);
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE4(vnode_check_unlink, "struct ucred *",
"struct vnode *", "struct vnode *", "struct componentname *");
Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry point to mac_check_vnode_unlink(), reflecting UNIX naming conventions. This is the first of several commits to synchronize the MAC Framework in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X Leopard. Reveiwed by: csjp, Samy Bahra <sbahra at gwu dot edu> Submitted by: Jacques Vidrine <nectar at apple dot com> Obtained from: Apple Computer, Inc. Sponsored by: SPARTA, SPAWAR Approved by: re (bmah)
2007-09-10 00:00:18 +00:00
int
Further MAC Framework cleanup: normalize some local variable names and clean up some comments. Obtained from: TrustedBSD Project
2007-10-25 07:49:47 +00:00
mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry point to mac_check_vnode_unlink(), reflecting UNIX naming conventions. This is the first of several commits to synchronize the MAC Framework in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X Leopard. Reveiwed by: csjp, Samy Bahra <sbahra at gwu dot edu> Submitted by: Jacques Vidrine <nectar at apple dot com> Obtained from: Apple Computer, Inc. Sponsored by: SPARTA, SPAWAR Approved by: re (bmah)
2007-09-10 00:00:18 +00:00
{
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_unlink");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_unlink");
Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry point to mac_check_vnode_unlink(), reflecting UNIX naming conventions. This is the first of several commits to synchronize the MAC Framework in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X Leopard. Reveiwed by: csjp, Samy Bahra <sbahra at gwu dot edu> Submitted by: Jacques Vidrine <nectar at apple dot com> Obtained from: Apple Computer, Inc. Sponsored by: SPARTA, SPAWAR Approved by: re (bmah)
2007-09-10 00:00:18 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry point to mac_check_vnode_unlink(), reflecting UNIX naming conventions. This is the first of several commits to synchronize the MAC Framework in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X Leopard. Reveiwed by: csjp, Samy Bahra <sbahra at gwu dot edu> Submitted by: Jacques Vidrine <nectar at apple dot com> Obtained from: Apple Computer, Inc. Sponsored by: SPARTA, SPAWAR Approved by: re (bmah)
2007-09-10 00:00:18 +00:00
vp->v_label, cnp);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE4(vnode_check_unlink, error, cred, dvp, vp, cnp);
Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry point to mac_check_vnode_unlink(), reflecting UNIX naming conventions. This is the first of several commits to synchronize the MAC Framework in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X Leopard. Reveiwed by: csjp, Samy Bahra <sbahra at gwu dot edu> Submitted by: Jacques Vidrine <nectar at apple dot com> Obtained from: Apple Computer, Inc. Sponsored by: SPARTA, SPAWAR Approved by: re (bmah)
2007-09-10 00:00:18 +00:00
return (error);
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE3(vnode_check_write, "struct ucred *",
"struct ucred *", "struct vnode *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct vnode *vp)
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_write");
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK(vnode_check_write, active_cred, file_cred, vp,
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
vp->v_label);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE3(vnode_check_write, error, active_cred, file_cred,
vp);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
}
void
Further MAC Framework cleanup: normalize some local variable names and clean up some comments. Obtained from: TrustedBSD Project
2007-10-25 07:49:47 +00:00
mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *newlabel)
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
{
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel);
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
}
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_mount_create(struct ucred *cred, struct mount *mp)
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
{
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM(mount_create, cred, mp, mp->mnt_label);
Another big diff, little functional change: move label internalization, externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
}
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE_DEFINE2(mount_check_stat, "struct ucred *",
"struct mount *");
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_mount_check_stat(struct ucred *cred, struct mount *mount)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
int error;
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_CHECK_NOSLEEP(mount_check_stat, cred, mount, mount->mnt_label);
Add static DTrace probes for MAC Framework access control checks and privilege grants so that dtrace can be more easily used to monitor the security decisions being generated by the MAC Framework following policy invocation. Successful access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_ok Failed access control checks will be reported by: mac_framework:kernel:<entrypoint>:mac_check_err Successful privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_ok Failed privilege grants will be reported by: mac_framework:kernel:priv_grant:mac_grant_err In all cases, the return value (always 0 for _ok, otherwise an errno for _err) will be reported via arg0 on the probe, and subsequent arguments will hold entrypoint-specific data, in a style similar to privilege tracing. Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
2009-03-08 00:50:37 +00:00
MAC_CHECK_PROBE2(mount_check_stat, error, cred, mount);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (error);
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
}
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_devfs_create_device(struct ucred *cred, struct mount *mp,
When devfs cloning takes place, provide access to the credential of the process that caused the clone event to take place for the device driver creating the device. This allows cloned device drivers to adapt the device node based on security aspects of the process, such as the uid, gid, and MAC label. - Add a cred reference to struct cdev, so that when a device node is instantiated as a vnode, the cloning credential can be exposed to MAC. - Add make_dev_cred(), a version of make_dev() that additionally accepts the credential to stick in the struct cdev. Implement it and make_dev() in terms of a back-end make_dev_credv(). - Add a new event handler, dev_clone_cred, which can be registered to receive the credential instead of dev_clone, if desired. - Modify the MAC entry point mac_create_devfs_device() to accept an optional credential pointer (may be NULL), so that MAC policies can inspect and act on the label or other elements of the credential when initializing the skeleton device protections. - Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(), so that the pty clone credential is exposed to the MAC Framework. While currently primarily focussed on MAC policies, this change is also a prerequisite for changes to allow ptys to be instantiated with the UID of the process looking up the pty. This requires further changes to the pty driver -- in particular, to immediately recycle pty nodes on last close so that the credential-related state can be recreated on next lookup. Submitted by: Andrew Reisse <andrew.reisse@sparta.com> Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA MFC after: 1 week MFC note: Merge to 6.x, but not 5.x for ABI reasons
2005-07-14 10:22:09 +00:00
struct cdev *dev, struct devfs_dirent *de)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM_NOSLEEP(devfs_create_device, cred, mp, dev, de,
Rework MAC Framework synchronization in a number of ways in order to improve performance: - Eliminate custom reference count and condition variable to monitor threads entering the framework, as this had both significant overhead and behaved badly in the face of contention. - Replace reference count with two locks: an rwlock and an sx lock, which will be read-acquired by threads entering the framework depending on whether a give policy entry point is permitted to sleep or not. - Replace previous mutex locking of the reference count for exclusive access with write acquiring of both the policy list sx and rw locks, which occurs only when policies are attached or detached. - Do a lockless read of the dynamic policy list head before acquiring any locks in order to reduce overhead when no dynamic policies are loaded; this a race we can afford to lose. - For every policy entry point invocation, decide whether sleeping is permitted, and if not, use a _NOSLEEP() variant of the composition macros, which will use the rwlock instead of the sxlock. In some cases, we decide which to use based on allocation flags passed to the MAC Framework entry point. As with the move to rwlocks/rmlocks in pfil, this may trigger witness warnings, but these should (generally) be false positives as all acquisition of the locks is for read with two very narrow exceptions for policy load/unload, and those code blocks should never acquire other locks. Sponsored by: Google, Inc. Obtained from: TrustedBSD Project Discussed with: csjp (idea, not specific patch)
2009-03-14 16:06:06 +00:00
de->de_label);
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct devfs_dirent *dd, struct devfs_dirent *de)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM_NOSLEEP(devfs_create_symlink, cred, mp, dd,
Rework MAC Framework synchronization in a number of ways in order to improve performance: - Eliminate custom reference count and condition variable to monitor threads entering the framework, as this had both significant overhead and behaved badly in the face of contention. - Replace reference count with two locks: an rwlock and an sx lock, which will be read-acquired by threads entering the framework depending on whether a give policy entry point is permitted to sleep or not. - Replace previous mutex locking of the reference count for exclusive access with write acquiring of both the policy list sx and rw locks, which occurs only when policies are attached or detached. - Do a lockless read of the dynamic policy list head before acquiring any locks in order to reduce overhead when no dynamic policies are loaded; this a race we can afford to lose. - For every policy entry point invocation, decide whether sleeping is permitted, and if not, use a _NOSLEEP() variant of the composition macros, which will use the rwlock instead of the sxlock. In some cases, we decide which to use based on allocation flags passed to the MAC Framework entry point. As with the move to rwlocks/rmlocks in pfil, this may trigger witness warnings, but these should (generally) be false positives as all acquisition of the locks is for read with two very narrow exceptions for policy load/unload, and those code blocks should never acquire other locks. Sponsored by: Google, Inc. Obtained from: TrustedBSD Project Discussed with: csjp (idea, not specific patch)
2009-03-14 16:06:06 +00:00
dd->de_label, de, de->de_label);
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
}
void
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct devfs_dirent *de)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. Obtained from: TrustedBSD Project
2009-05-01 21:05:40 +00:00
MAC_POLICY_PERFORM_NOSLEEP(devfs_create_directory, mp, dirname,
dirnamelen, de, de->de_label);
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
/*
Further MAC Framework cleanup: normalize some local variable names and clean up some comments. Obtained from: TrustedBSD Project
2007-10-25 07:49:47 +00:00
* Implementation of VOP_SETLABEL() that relies on extended attributes to
* store label data. Can be referenced by filesystems supporting extended
* attributes.
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
*/
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
int
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
struct vnode *vp = ap->a_vp;
struct label *intlabel = ap->a_label;
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
int error;
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea");
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
return (EOPNOTSUPP);
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
error = mac_vnode_setlabel_extattr(ap->a_cred, vp, intlabel);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
if (error)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
return (error);
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
mac_vnode_relabel(ap->a_cred, vp, intlabel);
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (0);
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
int
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
int error;
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
if (vp->v_mount == NULL) {
/* printf("vn_setlabel: null v_mount\n"); */
if (vp->v_type != VNON)
printf("vn_setlabel: null v_mount with non-VNON\n");
return (EBADF);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
}
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
return (EOPNOTSUPP);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
/*
* Multi-phase commit. First check the policies to confirm the
Trim trailing white space, clean up comment line wrapping and formatting. Document mac_associate_nfsd_label(). Obtained from: TrustedBSD Project
2006-12-20 23:18:17 +00:00
* change is OK. Then commit via the filesystem. Finally, update
* the actual vnode label.
*
* Question: maybe the filesystem should update the vnode at the end
* as part of VOP_SETLABEL()?
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
*/
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
error = mac_vnode_check_relabel(cred, vp, intlabel);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
if (error)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
return (error);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
/*
* VADMIN provides the opportunity for the filesystem to make
Trim trailing white space, clean up comment line wrapping and formatting. Document mac_associate_nfsd_label(). Obtained from: TrustedBSD Project
2006-12-20 23:18:17 +00:00
* decisions about who is and is not able to modify labels and
* protections on files. This might not be right. We can't assume
Further MAC Framework cleanup: normalize some local variable names and clean up some comments. Obtained from: TrustedBSD Project
2007-10-25 07:49:47 +00:00
* VOP_SETLABEL() will do it, because we might implement that as part
* of vop_stdsetlabel_ea().
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
*/
error = VOP_ACCESS(vp, VADMIN, cred, curthread);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
if (error)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
error = VOP_SETLABEL(vp, intlabel, cred, curthread);
Provide an implementation of mac_syscall() so that security modules can offer new services without reserving system call numbers, or augmented versions of existing services. User code requests a target policy by name, and specifies the policy-specific API plus target. This is required in particular for our port of SELinux/FLASK to the MAC framework since it offers additional security services. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-08-19 17:59:48 +00:00
if (error)
return (error);
Remove non-VFS related code from mac_vfs.c. Leave: Extended attribute transaction warning flag if transactions aren't supported on the EA implementation being used. Debug fallback flag to permit a less conservative fallback if reading an on-disk label fails. Enforce_fs toggle to enforce file systme access control. Debugging counters for file system objects: mounts, vnodes, devfs_dirents. Object initialization, destruction, copying, internalization, externalization, relabeling for file system objects. Life cycle operations for devfs entries. Generic extended attribute label implementation for use by UFS, UFS2 in multilabel mode. Generic single-level label implementation for use by all file systems when in singlelabel mode. Exec-time transition based on file label entry points. Vnode operation access control checks (many). Mount operation access control checks (few). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
return (0);
Provide an implementation of mac_syscall() so that security modules can offer new services without reserving system call numbers, or augmented versions of existing services. User code requests a target policy by name, and specifies the policy-specific API plus target. This is required in particular for our port of SELinux/FLASK to the MAC framework since it offers additional security services. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-08-19 17:59:48 +00:00
}
Reference in New Issue Copy Permalink