freebsd-dev/sys/security/mac/mac_framework.h

454 lines
20 KiB
C
Raw Normal View History

/*-
* Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* This software was developed at the University of Cambridge Computer
* Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Kernel interface for Mandatory Access Control -- how kernel services
* interact with the TrustedBSD MAC Framework.
*/
#ifndef _SECURITY_MAC_MAC_FRAMEWORK_H_
#define _SECURITY_MAC_MAC_FRAMEWORK_H_
#ifndef _KERNEL
#error "no user-serviceable parts inside"
#endif
struct auditinfo;
struct auditinfo_addr;
struct bpf_d;
struct cdev;
struct componentname;
struct devfs_dirent;
struct ifnet;
struct ifreq;
struct image_params;
struct inpcb;
struct ip6q;
struct ipq;
struct ksem;
struct label;
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
struct m_tag;
struct mac;
struct mbuf;
struct mount;
struct msg;
struct msqid_kernel;
struct proc;
struct semid_kernel;
Add a new file descriptor type for IPC shared memory objects and use it to implement shm_open(2) and shm_unlink(2) in the kernel: - Each shared memory file descriptor is associated with a swap-backed vm object which provides the backing store. Each descriptor starts off with a size of zero, but the size can be altered via ftruncate(2). The shared memory file descriptors also support fstat(2). read(2), write(2), ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared memory file descriptors. - shm_open(2) and shm_unlink(2) are now implemented as system calls that manage shared memory file descriptors. The virtual namespace that maps pathnames to shared memory file descriptors is implemented as a hash table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash of the pathname. - As an extension, the constant 'SHM_ANON' may be specified in place of the path argument to shm_open(2). In this case, an unnamed shared memory file descriptor will be created similar to the IPC_PRIVATE key for shmget(2). Note that the shared memory object can still be shared among processes by sharing the file descriptor via fork(2) or sendmsg(2), but it is unnamed. This effectively serves to implement the getmemfd() idea bandied about the lists several times over the years. - The backing store for shared memory file descriptors are garbage collected when they are not referenced by any open file descriptors or the shm_open(2) virtual namespace. Submitted by: dillon, peter (previous versions) Submitted by: rwatson (I based this on his version) Reviewed by: alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
struct shmfd;
struct shmid_kernel;
struct sockaddr;
struct socket;
struct sysctl_oid;
struct sysctl_req;
Coalesce pipe allocations and frees. Previously, the pipe code would allocate two 'struct pipe's from the pipe zone, and malloc a mutex. - Create a new "struct pipepair" object holding the two 'struct pipe' instances, struct mutex, and struct label reference. Pipe structures now have a back-pointer to the pipe pair, and a 'pipe_present' flag to indicate whether the half has been closed. - Perform mutex init/destroy in zone init/destroy, avoiding reallocating the mutex for each pipe. Perform most pipe structure setup in zone constructor. - VM memory mappings for pageable buffers are still done outside of the UMA zone. - Change MAC API to speak 'struct pipepair' instead of 'struct pipe', update many policies. MAC labels are also handled outside of the UMA zone for now. Label-only policy modules don't have to be recompiled, but if a module is recompiled, its pipe entry points will need to be updated. If a module actually reached into the pipe structures (unlikely), that would also need to be modified. These changes substantially simplify failure handling in the pipe code as there are many fewer possible failure modes. On half-close, pipes no longer free the 'struct pipe' for the closed half until a full-close takes place. However, VM mapped buffers are still released on half-close. Some code refactoring is now possible to clean up some of the back references, etc; this patch attempts not to change the structure of most of the pipe implementation, only allocation/free code paths, so as to avoid introducing bugs (hopefully). This cuts about 8%-9% off the cost of sequential pipe allocation and free in system call tests on UP and SMP in my micro-benchmarks. May or may not make a difference in macro-benchmarks, but doing less work is good. Reviewed by: juli, tjr Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
struct pipepair;
struct thread;
struct timespec;
struct ucred;
struct vattr;
struct vnode;
struct vop_setlabel_args;
#include <sys/acl.h> /* XXX acl_type_t */
#include <sys/types.h> /* accmode_t */
/*
* Entry points to the TrustedBSD MAC Framework from the remainder of the
* kernel: entry points are named based on a principle object type and an
* action relating to it. They are sorted alphabetically first by object
* type and then action. In some situations, the principle object type is
* obvious, and in other cases, less so as multiple objects may be inolved
* in the operation.
*/
int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp);
void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d);
void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
void mac_bpfdesc_destroy(struct bpf_d *);
void mac_bpfdesc_init(struct bpf_d *);
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
void mac_cred_associate_nfsd(struct ucred *cred);
int mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai);
int mac_cred_check_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia);
int mac_cred_check_setauid(struct ucred *cred, uid_t auid);
int mac_cred_check_setegid(struct ucred *cred, gid_t egid);
int mac_cred_check_seteuid(struct ucred *cred, uid_t euid);
int mac_cred_check_setgid(struct ucred *cred, gid_t gid);
int mac_cred_check_setgroups(struct ucred *cred, int ngroups,
gid_t *gidset);
int mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid);
int mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid);
int mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid);
int mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid);
int mac_cred_check_setuid(struct ucred *cred, uid_t uid);
int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
void mac_cred_create_init(struct ucred *cred);
void mac_cred_create_swapper(struct ucred *cred);
void mac_cred_destroy(struct ucred *);
void mac_cred_init(struct ucred *);
void mac_devfs_create_device(struct ucred *cred, struct mount *mp,
When devfs cloning takes place, provide access to the credential of the process that caused the clone event to take place for the device driver creating the device. This allows cloned device drivers to adapt the device node based on security aspects of the process, such as the uid, gid, and MAC label. - Add a cred reference to struct cdev, so that when a device node is instantiated as a vnode, the cloning credential can be exposed to MAC. - Add make_dev_cred(), a version of make_dev() that additionally accepts the credential to stick in the struct cdev. Implement it and make_dev() in terms of a back-end make_dev_credv(). - Add a new event handler, dev_clone_cred, which can be registered to receive the credential instead of dev_clone, if desired. - Modify the MAC entry point mac_create_devfs_device() to accept an optional credential pointer (may be NULL), so that MAC policies can inspect and act on the label or other elements of the credential when initializing the skeleton device protections. - Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(), so that the pty clone credential is exposed to the MAC Framework. While currently primarily focussed on MAC policies, this change is also a prerequisite for changes to allow ptys to be instantiated with the UID of the process looking up the pty. This requires further changes to the pty driver -- in particular, to immediately recycle pty nodes on last close so that the credential-related state can be recreated on next lookup. Submitted by: Andrew Reisse <andrew.reisse@sparta.com> Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA MFC after: 1 week MFC note: Merge to 6.x, but not 5.x for ABI reasons
2005-07-14 10:22:09 +00:00
struct cdev *dev, struct devfs_dirent *de);
void mac_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de);
void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct devfs_dirent *de);
void mac_devfs_destroy(struct devfs_dirent *);
void mac_devfs_init(struct devfs_dirent *);
void mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m);
void mac_ifnet_create(struct ifnet *ifp);
void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m);
void mac_ifnet_destroy(struct ifnet *);
void mac_ifnet_init(struct ifnet *);
int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp);
int mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp);
int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m);
int mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp);
void mac_inpcb_create(struct socket *so, struct inpcb *inp);
void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m);
void mac_inpcb_destroy(struct inpcb *);
int mac_inpcb_init(struct inpcb *, int);
void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
void mac_ip6q_create(struct mbuf *m, struct ip6q *q6);
void mac_ip6q_destroy(struct ip6q *q6);
int mac_ip6q_init(struct ip6q *q6, int);
int mac_ip6q_match(struct mbuf *m, struct ip6q *q6);
void mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m);
void mac_ip6q_update(struct mbuf *m, struct ip6q *q6);
void mac_ipq_create(struct mbuf *m, struct ipq *q);
void mac_ipq_destroy(struct ipq *q);
int mac_ipq_init(struct ipq *q, int);
int mac_ipq_match(struct mbuf *m, struct ipq *q);
void mac_ipq_reassemble(struct ipq *q, struct mbuf *m);
void mac_ipq_update(struct mbuf *m, struct ipq *q);
int mac_kenv_check_dump(struct ucred *cred);
int mac_kenv_check_get(struct ucred *cred, char *name);
int mac_kenv_check_set(struct ucred *cred, char *name, char *value);
int mac_kenv_check_unset(struct ucred *cred, char *name);
int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
int mac_kld_check_stat(struct ucred *cred);
void mac_mbuf_copy(struct mbuf *, struct mbuf *);
int mac_mbuf_init(struct mbuf *, int);
void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);
void mac_mbuf_tag_destroy(struct m_tag *);
int mac_mbuf_tag_init(struct m_tag *, int);
int mac_mount_check_stat(struct ucred *cred, struct mount *mp);
void mac_mount_create(struct ucred *cred, struct mount *mp);
void mac_mount_destroy(struct mount *);
void mac_mount_init(struct mount *);
void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend);
void mac_netinet_firewall_send(struct mbuf *m);
void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
void mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend);
void mac_netinet_icmp_replyinplace(struct mbuf *m);
void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_tcp_reply(struct mbuf *m);
void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);
int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
unsigned long cmd, void *data);
int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp);
int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);
int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);
void mac_pipe_create(struct ucred *cred, struct pipepair *pp);
void mac_pipe_destroy(struct pipepair *);
void mac_pipe_init(struct pipepair *);
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
struct label *label);
Rework the lifetime management of the kernel implementation of POSIX semaphores. Specifically, semaphores are now represented as new file descriptor type that is set to close on exec. This removes the need for all of the manual process reference counting (and fork, exec, and exit event handlers) as the normal file descriptor operations handle all of that for us nicely. It is also suggested as one possible implementation in the spec and at least one other OS (OS X) uses this approach. Some bugs that were fixed as a result include: - References to a named semaphore whose name is removed still work after the sem_unlink() operation. Prior to this patch, if a semaphore's name was removed, valid handles from sem_open() would get EINVAL errors from sem_getvalue(), sem_post(), etc. This fixes that. - Unnamed semaphores created with sem_init() were not cleaned up when a process exited or exec'd. They were only cleaned up if the process did an explicit sem_destroy(). This could result in a leak of semaphore objects that could never be cleaned up. - On the other hand, if another process guessed the id (kernel pointer to 'struct ksem' of an unnamed semaphore (created via sem_init)) and had write access to the semaphore based on UID/GID checks, then that other process could manipulate the semaphore via sem_destroy(), sem_post(), sem_wait(), etc. - As part of the permission check (UID/GID), the umask of the proces creating the semaphore was not honored. Thus if your umask denied group read/write access but the explicit mode in the sem_init() call allowed it, the semaphore would be readable/writable by other users in the same group, for example. This includes access via the previous bug. - If the module refused to unload because there were active semaphores, then it might have deregistered one or more of the semaphore system calls before it noticed that there was a problem. I'm not sure if this actually happened as the order that modules are discovered by the kernel linker depends on how the actual .ko file is linked. One can make the order deterministic by using a single module with a mod_event handler that explicitly registers syscalls (and deregisters during unload after any checks). This also fixes a race where even if the sem_module unloaded first it would have destroyed locks that the syscalls might be trying to access if they are still executing when they are unloaded. XXX: By the way, deregistering system calls doesn't do any blocking to drain any threads from the calls. - Some minor fixes to errno values on error. For example, sem_init() isn't documented to return ENFILE or EMFILE if we run out of semaphores the way that sem_open() can. Instead, it should return ENOSPC in that case. Other changes: - Kernel semaphores now use a hash table to manage the namespace of named semaphores nearly in a similar fashion to the POSIX shared memory object file descriptors. Kernel semaphores can now also have names longer than 14 chars (up to MAXPATHLEN) and can include subdirectories in their pathname. - The UID/GID permission checks for access to a named semaphore are now done via vaccess() rather than a home-rolled set of checks. - Now that kernel semaphores have an associated file object, the various MAC checks for POSIX semaphores accept both a file credential and an active credential. There is also a new posixsem_check_stat() since it is possible to fstat() a semaphore file descriptor. - A small set of regression tests (using the ksem API directly) is present in src/tools/regression/posixsem. Reported by: kris (1) Tested by: kris Reviewed by: rwatson (lightly) MFC after: 1 month
2008-06-27 05:39:04 +00:00
int mac_posixsem_check_getvalue(struct ucred *active_cred,
struct ucred *file_cred, struct ksem *ks);
int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks);
Rework the lifetime management of the kernel implementation of POSIX semaphores. Specifically, semaphores are now represented as new file descriptor type that is set to close on exec. This removes the need for all of the manual process reference counting (and fork, exec, and exit event handlers) as the normal file descriptor operations handle all of that for us nicely. It is also suggested as one possible implementation in the spec and at least one other OS (OS X) uses this approach. Some bugs that were fixed as a result include: - References to a named semaphore whose name is removed still work after the sem_unlink() operation. Prior to this patch, if a semaphore's name was removed, valid handles from sem_open() would get EINVAL errors from sem_getvalue(), sem_post(), etc. This fixes that. - Unnamed semaphores created with sem_init() were not cleaned up when a process exited or exec'd. They were only cleaned up if the process did an explicit sem_destroy(). This could result in a leak of semaphore objects that could never be cleaned up. - On the other hand, if another process guessed the id (kernel pointer to 'struct ksem' of an unnamed semaphore (created via sem_init)) and had write access to the semaphore based on UID/GID checks, then that other process could manipulate the semaphore via sem_destroy(), sem_post(), sem_wait(), etc. - As part of the permission check (UID/GID), the umask of the proces creating the semaphore was not honored. Thus if your umask denied group read/write access but the explicit mode in the sem_init() call allowed it, the semaphore would be readable/writable by other users in the same group, for example. This includes access via the previous bug. - If the module refused to unload because there were active semaphores, then it might have deregistered one or more of the semaphore system calls before it noticed that there was a problem. I'm not sure if this actually happened as the order that modules are discovered by the kernel linker depends on how the actual .ko file is linked. One can make the order deterministic by using a single module with a mod_event handler that explicitly registers syscalls (and deregisters during unload after any checks). This also fixes a race where even if the sem_module unloaded first it would have destroyed locks that the syscalls might be trying to access if they are still executing when they are unloaded. XXX: By the way, deregistering system calls doesn't do any blocking to drain any threads from the calls. - Some minor fixes to errno values on error. For example, sem_init() isn't documented to return ENFILE or EMFILE if we run out of semaphores the way that sem_open() can. Instead, it should return ENOSPC in that case. Other changes: - Kernel semaphores now use a hash table to manage the namespace of named semaphores nearly in a similar fashion to the POSIX shared memory object file descriptors. Kernel semaphores can now also have names longer than 14 chars (up to MAXPATHLEN) and can include subdirectories in their pathname. - The UID/GID permission checks for access to a named semaphore are now done via vaccess() rather than a home-rolled set of checks. - Now that kernel semaphores have an associated file object, the various MAC checks for POSIX semaphores accept both a file credential and an active credential. There is also a new posixsem_check_stat() since it is possible to fstat() a semaphore file descriptor. - A small set of regression tests (using the ksem API directly) is present in src/tools/regression/posixsem. Reported by: kris (1) Tested by: kris Reviewed by: rwatson (lightly) MFC after: 1 month
2008-06-27 05:39:04 +00:00
int mac_posixsem_check_post(struct ucred *active_cred,
struct ucred *file_cred, struct ksem *ks);
int mac_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
mode_t mode);
int mac_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
uid_t uid, gid_t gid);
Rework the lifetime management of the kernel implementation of POSIX semaphores. Specifically, semaphores are now represented as new file descriptor type that is set to close on exec. This removes the need for all of the manual process reference counting (and fork, exec, and exit event handlers) as the normal file descriptor operations handle all of that for us nicely. It is also suggested as one possible implementation in the spec and at least one other OS (OS X) uses this approach. Some bugs that were fixed as a result include: - References to a named semaphore whose name is removed still work after the sem_unlink() operation. Prior to this patch, if a semaphore's name was removed, valid handles from sem_open() would get EINVAL errors from sem_getvalue(), sem_post(), etc. This fixes that. - Unnamed semaphores created with sem_init() were not cleaned up when a process exited or exec'd. They were only cleaned up if the process did an explicit sem_destroy(). This could result in a leak of semaphore objects that could never be cleaned up. - On the other hand, if another process guessed the id (kernel pointer to 'struct ksem' of an unnamed semaphore (created via sem_init)) and had write access to the semaphore based on UID/GID checks, then that other process could manipulate the semaphore via sem_destroy(), sem_post(), sem_wait(), etc. - As part of the permission check (UID/GID), the umask of the proces creating the semaphore was not honored. Thus if your umask denied group read/write access but the explicit mode in the sem_init() call allowed it, the semaphore would be readable/writable by other users in the same group, for example. This includes access via the previous bug. - If the module refused to unload because there were active semaphores, then it might have deregistered one or more of the semaphore system calls before it noticed that there was a problem. I'm not sure if this actually happened as the order that modules are discovered by the kernel linker depends on how the actual .ko file is linked. One can make the order deterministic by using a single module with a mod_event handler that explicitly registers syscalls (and deregisters during unload after any checks). This also fixes a race where even if the sem_module unloaded first it would have destroyed locks that the syscalls might be trying to access if they are still executing when they are unloaded. XXX: By the way, deregistering system calls doesn't do any blocking to drain any threads from the calls. - Some minor fixes to errno values on error. For example, sem_init() isn't documented to return ENFILE or EMFILE if we run out of semaphores the way that sem_open() can. Instead, it should return ENOSPC in that case. Other changes: - Kernel semaphores now use a hash table to manage the namespace of named semaphores nearly in a similar fashion to the POSIX shared memory object file descriptors. Kernel semaphores can now also have names longer than 14 chars (up to MAXPATHLEN) and can include subdirectories in their pathname. - The UID/GID permission checks for access to a named semaphore are now done via vaccess() rather than a home-rolled set of checks. - Now that kernel semaphores have an associated file object, the various MAC checks for POSIX semaphores accept both a file credential and an active credential. There is also a new posixsem_check_stat() since it is possible to fstat() a semaphore file descriptor. - A small set of regression tests (using the ksem API directly) is present in src/tools/regression/posixsem. Reported by: kris (1) Tested by: kris Reviewed by: rwatson (lightly) MFC after: 1 month
2008-06-27 05:39:04 +00:00
int mac_posixsem_check_stat(struct ucred *active_cred,
struct ucred *file_cred, struct ksem *ks);
int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks);
Rework the lifetime management of the kernel implementation of POSIX semaphores. Specifically, semaphores are now represented as new file descriptor type that is set to close on exec. This removes the need for all of the manual process reference counting (and fork, exec, and exit event handlers) as the normal file descriptor operations handle all of that for us nicely. It is also suggested as one possible implementation in the spec and at least one other OS (OS X) uses this approach. Some bugs that were fixed as a result include: - References to a named semaphore whose name is removed still work after the sem_unlink() operation. Prior to this patch, if a semaphore's name was removed, valid handles from sem_open() would get EINVAL errors from sem_getvalue(), sem_post(), etc. This fixes that. - Unnamed semaphores created with sem_init() were not cleaned up when a process exited or exec'd. They were only cleaned up if the process did an explicit sem_destroy(). This could result in a leak of semaphore objects that could never be cleaned up. - On the other hand, if another process guessed the id (kernel pointer to 'struct ksem' of an unnamed semaphore (created via sem_init)) and had write access to the semaphore based on UID/GID checks, then that other process could manipulate the semaphore via sem_destroy(), sem_post(), sem_wait(), etc. - As part of the permission check (UID/GID), the umask of the proces creating the semaphore was not honored. Thus if your umask denied group read/write access but the explicit mode in the sem_init() call allowed it, the semaphore would be readable/writable by other users in the same group, for example. This includes access via the previous bug. - If the module refused to unload because there were active semaphores, then it might have deregistered one or more of the semaphore system calls before it noticed that there was a problem. I'm not sure if this actually happened as the order that modules are discovered by the kernel linker depends on how the actual .ko file is linked. One can make the order deterministic by using a single module with a mod_event handler that explicitly registers syscalls (and deregisters during unload after any checks). This also fixes a race where even if the sem_module unloaded first it would have destroyed locks that the syscalls might be trying to access if they are still executing when they are unloaded. XXX: By the way, deregistering system calls doesn't do any blocking to drain any threads from the calls. - Some minor fixes to errno values on error. For example, sem_init() isn't documented to return ENFILE or EMFILE if we run out of semaphores the way that sem_open() can. Instead, it should return ENOSPC in that case. Other changes: - Kernel semaphores now use a hash table to manage the namespace of named semaphores nearly in a similar fashion to the POSIX shared memory object file descriptors. Kernel semaphores can now also have names longer than 14 chars (up to MAXPATHLEN) and can include subdirectories in their pathname. - The UID/GID permission checks for access to a named semaphore are now done via vaccess() rather than a home-rolled set of checks. - Now that kernel semaphores have an associated file object, the various MAC checks for POSIX semaphores accept both a file credential and an active credential. There is also a new posixsem_check_stat() since it is possible to fstat() a semaphore file descriptor. - A small set of regression tests (using the ksem API directly) is present in src/tools/regression/posixsem. Reported by: kris (1) Tested by: kris Reviewed by: rwatson (lightly) MFC after: 1 month
2008-06-27 05:39:04 +00:00
int mac_posixsem_check_wait(struct ucred *active_cred,
struct ucred *file_cred, struct ksem *ks);
void mac_posixsem_create(struct ucred *cred, struct ksem *ks);
void mac_posixsem_destroy(struct ksem *);
void mac_posixsem_init(struct ksem *);
int mac_posixshm_check_create(struct ucred *cred, const char *path);
Add a new file descriptor type for IPC shared memory objects and use it to implement shm_open(2) and shm_unlink(2) in the kernel: - Each shared memory file descriptor is associated with a swap-backed vm object which provides the backing store. Each descriptor starts off with a size of zero, but the size can be altered via ftruncate(2). The shared memory file descriptors also support fstat(2). read(2), write(2), ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared memory file descriptors. - shm_open(2) and shm_unlink(2) are now implemented as system calls that manage shared memory file descriptors. The virtual namespace that maps pathnames to shared memory file descriptors is implemented as a hash table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash of the pathname. - As an extension, the constant 'SHM_ANON' may be specified in place of the path argument to shm_open(2). In this case, an unnamed shared memory file descriptor will be created similar to the IPC_PRIVATE key for shmget(2). Note that the shared memory object can still be shared among processes by sharing the file descriptor via fork(2) or sendmsg(2), but it is unnamed. This effectively serves to implement the getmemfd() idea bandied about the lists several times over the years. - The backing store for shared memory file descriptors are garbage collected when they are not referenced by any open file descriptors or the shm_open(2) virtual namespace. Submitted by: dillon, peter (previous versions) Submitted by: rwatson (I based this on his version) Reviewed by: alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
int prot, int flags);
int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
accmode_t accmode);
int mac_posixshm_check_read(struct ucred *active_cred,
struct ucred *file_cred, struct shmfd *shmfd);
int mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
mode_t mode);
int mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
uid_t uid, gid_t gid);
Add a new file descriptor type for IPC shared memory objects and use it to implement shm_open(2) and shm_unlink(2) in the kernel: - Each shared memory file descriptor is associated with a swap-backed vm object which provides the backing store. Each descriptor starts off with a size of zero, but the size can be altered via ftruncate(2). The shared memory file descriptors also support fstat(2). read(2), write(2), ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared memory file descriptors. - shm_open(2) and shm_unlink(2) are now implemented as system calls that manage shared memory file descriptors. The virtual namespace that maps pathnames to shared memory file descriptors is implemented as a hash table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash of the pathname. - As an extension, the constant 'SHM_ANON' may be specified in place of the path argument to shm_open(2). In this case, an unnamed shared memory file descriptor will be created similar to the IPC_PRIVATE key for shmget(2). Note that the shared memory object can still be shared among processes by sharing the file descriptor via fork(2) or sendmsg(2), but it is unnamed. This effectively serves to implement the getmemfd() idea bandied about the lists several times over the years. - The backing store for shared memory file descriptors are garbage collected when they are not referenced by any open file descriptors or the shm_open(2) virtual namespace. Submitted by: dillon, peter (previous versions) Submitted by: rwatson (I based this on his version) Reviewed by: alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
int mac_posixshm_check_stat(struct ucred *active_cred,
struct ucred *file_cred, struct shmfd *shmfd);
int mac_posixshm_check_truncate(struct ucred *active_cred,
struct ucred *file_cred, struct shmfd *shmfd);
int mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd);
int mac_posixshm_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct shmfd *shmfd);
Add a new file descriptor type for IPC shared memory objects and use it to implement shm_open(2) and shm_unlink(2) in the kernel: - Each shared memory file descriptor is associated with a swap-backed vm object which provides the backing store. Each descriptor starts off with a size of zero, but the size can be altered via ftruncate(2). The shared memory file descriptors also support fstat(2). read(2), write(2), ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared memory file descriptors. - shm_open(2) and shm_unlink(2) are now implemented as system calls that manage shared memory file descriptors. The virtual namespace that maps pathnames to shared memory file descriptors is implemented as a hash table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash of the pathname. - As an extension, the constant 'SHM_ANON' may be specified in place of the path argument to shm_open(2). In this case, an unnamed shared memory file descriptor will be created similar to the IPC_PRIVATE key for shmget(2). Note that the shared memory object can still be shared among processes by sharing the file descriptor via fork(2) or sendmsg(2), but it is unnamed. This effectively serves to implement the getmemfd() idea bandied about the lists several times over the years. - The backing store for shared memory file descriptors are garbage collected when they are not referenced by any open file descriptors or the shm_open(2) virtual namespace. Submitted by: dillon, peter (previous versions) Submitted by: rwatson (I based this on his version) Reviewed by: alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
void mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd);
void mac_posixshm_destroy(struct shmfd *);
void mac_posixshm_init(struct shmfd *);
int mac_priv_check(struct ucred *cred, int priv);
int mac_priv_grant(struct ucred *cred, int priv);
int mac_proc_check_debug(struct ucred *cred, struct proc *p);
int mac_proc_check_sched(struct ucred *cred, struct proc *p);
int mac_proc_check_signal(struct ucred *cred, struct proc *p,
int signum);
int mac_proc_check_wait(struct ucred *cred, struct proc *p);
void mac_proc_destroy(struct proc *);
void mac_proc_init(struct proc *);
void mac_proc_vm_revoke(struct thread *td);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
void mac_execve_interpreter_enter(struct vnode *interpvp,
struct label **interplabel);
void mac_execve_interpreter_exit(struct label *interpvplabel);
int mac_socket_check_accept(struct ucred *cred, struct socket *so);
int mac_socket_check_bind(struct ucred *cred, struct socket *so,
struct sockaddr *sa);
int mac_socket_check_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sa);
int mac_socket_check_create(struct ucred *cred, int domain, int type,
int proto);
int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
int mac_socket_check_listen(struct ucred *cred, struct socket *so);
int mac_socket_check_poll(struct ucred *cred, struct socket *so);
int mac_socket_check_receive(struct ucred *cred, struct socket *so);
int mac_socket_check_send(struct ucred *cred, struct socket *so);
int mac_socket_check_stat(struct ucred *cred, struct socket *so);
int mac_socket_check_visible(struct ucred *cred, struct socket *so);
void mac_socket_create_mbuf(struct socket *so, struct mbuf *m);
void mac_socket_create(struct ucred *cred, struct socket *so);
void mac_socket_destroy(struct socket *);
int mac_socket_init(struct socket *, int);
void mac_socket_newconn(struct socket *oldso, struct socket *newso);
int mac_getsockopt_label(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_setsockopt_label(struct ucred *cred, struct socket *so,
struct mac *extmac);
void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
void mac_socketpeer_set_from_socket(struct socket *oldso,
struct socket *newso);
void mac_syncache_create(struct label *l, struct inpcb *inp);
void mac_syncache_create_mbuf(struct label *l, struct mbuf *m);
void mac_syncache_destroy(struct label **l);
int mac_syncache_init(struct label **l);
int mac_system_check_acct(struct ucred *cred, struct vnode *vp);
int mac_system_check_audit(struct ucred *cred, void *record, int length);
int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp);
int mac_system_check_auditon(struct ucred *cred, int cmd);
int mac_system_check_reboot(struct ucred *cred, int howto);
int mac_system_check_swapon(struct ucred *cred, struct vnode *vp);
int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);
int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req);
void mac_sysvmsg_cleanup(struct msg *msgptr);
void mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct msg *msgptr);
void mac_sysvmsg_destroy(struct msg *);
void mac_sysvmsg_init(struct msg *);
int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct msqid_kernel *msqkptr);
int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);
int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);
int mac_sysvmsq_check_msqctl(struct ucred *cred,
struct msqid_kernel *msqkptr, int cmd);
int mac_sysvmsq_check_msqget(struct ucred *cred,
struct msqid_kernel *msqkptr);
int mac_sysvmsq_check_msqrcv(struct ucred *cred,
struct msqid_kernel *msqkptr);
int mac_sysvmsq_check_msqsnd(struct ucred *cred,
struct msqid_kernel *msqkptr);
void mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr);
void mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr);
void mac_sysvmsq_destroy(struct msqid_kernel *);
void mac_sysvmsq_init(struct msqid_kernel *);
int mac_sysvsem_check_semctl(struct ucred *cred,
struct semid_kernel *semakptr, int cmd);
int mac_sysvsem_check_semget(struct ucred *cred,
struct semid_kernel *semakptr);
int mac_sysvsem_check_semop(struct ucred *cred,
struct semid_kernel *semakptr, size_t accesstype);
void mac_sysvsem_cleanup(struct semid_kernel *semakptr);
void mac_sysvsem_create(struct ucred *cred,
struct semid_kernel *semakptr);
void mac_sysvsem_destroy(struct semid_kernel *);
void mac_sysvsem_init(struct semid_kernel *);
int mac_sysvshm_check_shmat(struct ucred *cred,
struct shmid_kernel *shmsegptr, int shmflg);
int mac_sysvshm_check_shmctl(struct ucred *cred,
struct shmid_kernel *shmsegptr, int cmd);
int mac_sysvshm_check_shmdt(struct ucred *cred,
struct shmid_kernel *shmsegptr);
int mac_sysvshm_check_shmget(struct ucred *cred,
struct shmid_kernel *shmsegptr, int shmflg);
void mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr);
void mac_sysvshm_create(struct ucred *cred,
struct shmid_kernel *shmsegptr);
void mac_sysvshm_destroy(struct shmid_kernel *);
void mac_sysvshm_init(struct shmid_kernel *);
void mac_thread_userret(struct thread *td);
int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
int mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
accmode_t accmode);
int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp, struct vattr *vap);
int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name);
int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct image_params *imgp);
int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name);
int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace);
int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp);
int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
int flags);
int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
int prot);
int mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
accmode_t accmode);
int mac_vnode_check_poll(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_vnode_check_read(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp);
int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
acl_type_t type, struct acl *acl);
int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name);
int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
u_long flags);
int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
mode_t mode);
int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
uid_t uid, gid_t gid);
int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime);
int mac_vnode_check_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
void mac_vnode_copy_label(struct label *, struct label *);
void mac_vnode_init(struct vnode *);
int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
void mac_vnode_destroy(struct vnode *);
void mac_vnode_execve_transition(struct ucred *oldcred,
struct ucred *newcred, struct vnode *vp,
struct label *interpvplabel, struct image_params *imgp);
int mac_vnode_execve_will_transition(struct ucred *cred,
struct vnode *vp, struct label *interpvplabel,
struct image_params *imgp);
void mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *newlabel);
/*
* Calls to help various file systems implement labeling functionality using
* their existing EA implementation.
*/
int vop_stdsetlabel_ea(struct vop_setlabel_args *ap);
#endif /* !_SECURITY_MAC_MAC_FRAMEWORK_H_ */