Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
/*-
|
2007-10-28 15:55:23 +00:00
|
|
|
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
|
2005-04-16 18:46:29 +00:00
|
|
|
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
|
2006-10-22 11:52:19 +00:00
|
|
|
* Copyright (c) 2005-2006 SPARTA, Inc.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
* All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* This software was developed by Robert Watson for the TrustedBSD Project.
|
|
|
|
|
*
|
2002-11-04 01:42:39 +00:00
|
|
|
* This software was developed for the FreeBSD Project in part by Network
|
|
|
|
|
* Associates Laboratories, the Security Research Division of Network
|
|
|
|
|
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
|
|
|
|
|
* as part of the DARPA CHATS research program.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
*
|
2005-07-05 22:49:10 +00:00
|
|
|
* This software was enhanced by SPARTA ISSO under SPAWAR contract
|
|
|
|
|
* N66001-04-C-6019 ("SEFOS").
|
|
|
|
|
*
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
|
*
|
|
|
|
|
* $FreeBSD$
|
|
|
|
|
*/
|
|
|
|
|
|
2002-08-19 17:59:48 +00:00
|
|
|
/*
|
2006-10-22 11:52:19 +00:00
|
|
|
* Kernel interface for Mandatory Access Control -- how kernel services
|
|
|
|
|
* interact with the TrustedBSD MAC Framework.
|
2002-08-19 17:59:48 +00:00
|
|
|
*/
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
|
2008-04-13 21:45:52 +00:00
|
|
|
#ifndef _SECURITY_MAC_MAC_FRAMEWORK_H_
|
|
|
|
|
#define _SECURITY_MAC_MAC_FRAMEWORK_H_
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
|
|
|
|
|
#ifndef _KERNEL
|
2006-10-22 11:52:19 +00:00
|
|
|
#error "no user-serviceable parts inside"
|
|
|
|
|
#endif
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
|
2007-04-21 22:08:48 +00:00
|
|
|
struct auditinfo;
|
2007-06-26 14:14:01 +00:00
|
|
|
struct auditinfo_addr;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct bpf_d;
|
2004-06-16 09:47:26 +00:00
|
|
|
struct cdev;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct componentname;
|
|
|
|
|
struct devfs_dirent;
|
|
|
|
|
struct ifnet;
|
|
|
|
|
struct ifreq;
|
2002-11-05 17:51:56 +00:00
|
|
|
struct image_params;
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
struct inpcb;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct ipq;
|
2005-05-04 10:39:15 +00:00
|
|
|
struct ksem;
|
2007-02-06 14:19:25 +00:00
|
|
|
struct label;
|
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header. To do this:
- Modify mbuf_to_label() to extract the tag, returning NULL if not
found.
- Introduce mac_init_mbuf_tag() which does most of the work
mac_init_mbuf() used to do, except on an m_tag rather than an
mbuf.
- Scale back mac_init_mbuf() to perform m_tag allocation and invoke
mac_init_mbuf_tag().
- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since
m_tag's are now GC'd deep in the m_tag/mbuf code rather than
at a higher level when mbufs are directly free()'d.
- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related
notions.
- Generally change all references to mbuf labels so that they use
mbuf_to_label() rather than &mbuf->m_pkthdr.label. This
required no changes in the MAC policies (yay!).
- Tweak mbuf release routines to not call mac_destroy_mbuf(),
tag destruction takes care of it for us now.
- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() --
the existing m_tag support does all this for us. Note that
we can no longer just zero the m_tag list on the target mbuf,
rather, we have to delete the chain because m_tag's will
already be hung off freshly allocated mbuf's.
- Tweak m_tag copying routines so that if we're copying a MAC
m_tag, we don't do a binary copy, rather, we initialize the
new storage and do a deep copy of the label.
- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places
having to do with mbuf header copies previously.
- When an mbuf is copied in ip_input(), we no longer need to
explicitly copy the label because it will get handled by the
m_tag code now.
- No longer any weird handling of MAC labels in if_loop.c during
header copies.
- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test.
In mac_test, handle the label==NULL case, since it can be
dynamically loaded.
In order to improve performance with this change, introduce the notion
of "lazy MAC label allocation" -- only allocate m_tag storage for MAC
labels if we're running with a policy that uses MAC labels on mbufs.
Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS
flag in their load-time flags field during declaration. Note: this
opens up the possibility of post-boot policy modules getting back NULL
slot entries even though they have policy invariants of non-NULL slot
entries, as the policy might have been loaded after the mbuf was
allocated, leaving the mbuf without label storage. Policies that cannot
handle this case must be declared as NOTLATE, or must be modified.
- mac_labelmbufs holds the current cumulative status as to whether
any policies require mbuf labeling or not. This is updated whenever
the active policy set changes by the function mac_policy_updateflags().
The function iterates the list and checks whether any have the
flag set. Write access to this variable is protected by the policy
list; read access is currently not protected for performance reasons.
This might change if it causes problems.
- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update
function to assert appropriate locks.
- This makes allocation in mac_init_mbuf() conditional on the flag.
Reviewed by: sam
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
|
|
|
struct m_tag;
|
2006-10-22 11:52:19 +00:00
|
|
|
struct mac;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct mbuf;
|
|
|
|
|
struct mount;
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msg;
|
|
|
|
|
struct msqid_kernel;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct proc;
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct semid_kernel;
|
Add a new file descriptor type for IPC shared memory objects and use it to
implement shm_open(2) and shm_unlink(2) in the kernel:
- Each shared memory file descriptor is associated with a swap-backed vm
object which provides the backing store. Each descriptor starts off with
a size of zero, but the size can be altered via ftruncate(2). The shared
memory file descriptors also support fstat(2). read(2), write(2),
ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared
memory file descriptors.
- shm_open(2) and shm_unlink(2) are now implemented as system calls that
manage shared memory file descriptors. The virtual namespace that maps
pathnames to shared memory file descriptors is implemented as a hash
table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash
of the pathname.
- As an extension, the constant 'SHM_ANON' may be specified in place of the
path argument to shm_open(2). In this case, an unnamed shared memory
file descriptor will be created similar to the IPC_PRIVATE key for
shmget(2). Note that the shared memory object can still be shared among
processes by sharing the file descriptor via fork(2) or sendmsg(2), but
it is unnamed. This effectively serves to implement the getmemfd() idea
bandied about the lists several times over the years.
- The backing store for shared memory file descriptors are garbage
collected when they are not referenced by any open file descriptors or
the shm_open(2) virtual namespace.
Submitted by: dillon, peter (previous versions)
Submitted by: rwatson (I based this on his version)
Reviewed by: alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
|
|
|
struct shmfd;
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct shmid_kernel;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct sockaddr;
|
|
|
|
|
struct socket;
|
2004-02-22 12:31:44 +00:00
|
|
|
struct sysctl_oid;
|
|
|
|
|
struct sysctl_req;
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
struct pipepair;
|
2002-10-02 02:42:38 +00:00
|
|
|
struct thread;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct timespec;
|
|
|
|
|
struct ucred;
|
|
|
|
|
struct uio;
|
|
|
|
|
struct vattr;
|
|
|
|
|
struct vnode;
|
2006-10-22 11:52:19 +00:00
|
|
|
struct vop_setlabel_args;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
|
|
|
|
#include <sys/acl.h> /* XXX acl_type_t */
|
|
|
|
|
|
|
|
|
|
/*
|
2007-10-26 21:16:34 +00:00
|
|
|
* Entry points to the TrustedBSD MAC Framework from the remainder of the
|
|
|
|
|
* kernel: entry points are named based on a principle object type and an
|
|
|
|
|
* action relating to it. They are sorted alphabetically first by object
|
|
|
|
|
* type and then action. In some situations, the principle object type is
|
|
|
|
|
* obvious, and in other cases, less so as multiple objects may be inolved
|
|
|
|
|
* in the operation.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
*/
|
2007-10-25 22:45:25 +00:00
|
|
|
int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp);
|
|
|
|
|
void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d);
|
|
|
|
|
void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
|
2007-10-24 19:04:04 +00:00
|
|
|
void mac_bpfdesc_destroy(struct bpf_d *);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_bpfdesc_init(struct bpf_d *);
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
|
2007-10-25 22:45:25 +00:00
|
|
|
int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
|
|
|
|
|
void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
|
|
|
|
|
void mac_cred_destroy(struct ucred *);
|
|
|
|
|
void mac_cred_init(struct ucred *);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
void mac_devfs_create_device(struct ucred *cred, struct mount *mp,
|
When devfs cloning takes place, provide access to the credential of the
process that caused the clone event to take place for the device driver
creating the device. This allows cloned device drivers to adapt the
device node based on security aspects of the process, such as the uid,
gid, and MAC label.
- Add a cred reference to struct cdev, so that when a device node is
instantiated as a vnode, the cloning credential can be exposed to
MAC.
- Add make_dev_cred(), a version of make_dev() that additionally
accepts the credential to stick in the struct cdev. Implement it and
make_dev() in terms of a back-end make_dev_credv().
- Add a new event handler, dev_clone_cred, which can be registered to
receive the credential instead of dev_clone, if desired.
- Modify the MAC entry point mac_create_devfs_device() to accept an
optional credential pointer (may be NULL), so that MAC policies can
inspect and act on the label or other elements of the credential
when initializing the skeleton device protections.
- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(),
so that the pty clone credential is exposed to the MAC Framework.
While currently primarily focussed on MAC policies, this change is also
a prerequisite for changes to allow ptys to be instantiated with the UID
of the process looking up the pty. This requires further changes to the
pty driver -- in particular, to immediately recycle pty nodes on last
close so that the credential-related state can be recreated on next
lookup.
Submitted by: Andrew Reisse <andrew.reisse@sparta.com>
Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA
MFC after: 1 week
MFC note: Merge to 6.x, but not 5.x for ABI reasons
2005-07-14 10:22:09 +00:00
|
|
|
struct cdev *dev, struct devfs_dirent *de);
|
2007-10-24 19:04:04 +00:00
|
|
|
void mac_devfs_create_directory(struct mount *mp, char *dirname,
|
2002-12-09 03:44:28 +00:00
|
|
|
int dirnamelen, struct devfs_dirent *de);
|
2007-10-24 19:04:04 +00:00
|
|
|
void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
|
2002-12-09 03:44:28 +00:00
|
|
|
struct devfs_dirent *dd, struct devfs_dirent *de);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_devfs_destroy(struct devfs_dirent *);
|
|
|
|
|
void mac_devfs_init(struct devfs_dirent *);
|
2007-10-24 19:04:04 +00:00
|
|
|
void mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
|
2002-12-09 03:44:28 +00:00
|
|
|
struct vnode *vp);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
|
|
|
|
|
struct vnode *vp);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2007-10-25 22:45:25 +00:00
|
|
|
int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m);
|
2007-10-24 19:04:04 +00:00
|
|
|
void mac_ifnet_create(struct ifnet *ifp);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m);
|
|
|
|
|
void mac_ifnet_destroy(struct ifnet *);
|
|
|
|
|
void mac_ifnet_init(struct ifnet *);
|
|
|
|
|
int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
|
|
|
|
|
struct ifnet *ifp);
|
|
|
|
|
int mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr,
|
|
|
|
|
struct ifnet *ifp);
|
|
|
|
|
|
|
|
|
|
int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m);
|
2008-10-17 12:54:28 +00:00
|
|
|
int mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp);
|
2007-10-24 19:04:04 +00:00
|
|
|
void mac_inpcb_create(struct socket *so, struct inpcb *inp);
|
|
|
|
|
void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_inpcb_destroy(struct inpcb *);
|
|
|
|
|
int mac_inpcb_init(struct inpcb *, int);
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
|
2006-12-20 20:43:19 +00:00
|
|
|
|
2008-06-13 22:14:15 +00:00
|
|
|
void mac_ipq_create(struct mbuf *m, struct ipq *q);
|
|
|
|
|
void mac_ipq_destroy(struct ipq *q);
|
|
|
|
|
int mac_ipq_init(struct ipq *q, int);
|
|
|
|
|
int mac_ipq_match(struct mbuf *m, struct ipq *q);
|
|
|
|
|
void mac_ipq_reassemble(struct ipq *q, struct mbuf *m);
|
|
|
|
|
void mac_ipq_update(struct mbuf *m, struct ipq *q);
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_kenv_check_dump(struct ucred *cred);
|
|
|
|
|
int mac_kenv_check_get(struct ucred *cred, char *name);
|
|
|
|
|
int mac_kenv_check_set(struct ucred *cred, char *name, char *value);
|
|
|
|
|
int mac_kenv_check_unset(struct ucred *cred, char *name);
|
2007-10-25 22:45:25 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
|
|
|
|
|
int mac_kld_check_stat(struct ucred *cred);
|
2007-10-25 22:45:25 +00:00
|
|
|
|
|
|
|
|
void mac_mbuf_copy(struct mbuf *, struct mbuf *);
|
|
|
|
|
int mac_mbuf_init(struct mbuf *, int);
|
|
|
|
|
|
|
|
|
|
void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);
|
|
|
|
|
void mac_mbuf_tag_destroy(struct m_tag *);
|
|
|
|
|
int mac_mbuf_tag_init(struct m_tag *, int);
|
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_mount_check_stat(struct ucred *cred, struct mount *mp);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_mount_create(struct ucred *cred, struct mount *mp);
|
|
|
|
|
void mac_mount_destroy(struct mount *);
|
|
|
|
|
void mac_mount_init(struct mount *);
|
|
|
|
|
|
2007-10-28 15:55:23 +00:00
|
|
|
void mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m);
|
|
|
|
|
|
|
|
|
|
void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);
|
2007-10-28 17:12:48 +00:00
|
|
|
void mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend);
|
2007-10-26 13:18:38 +00:00
|
|
|
void mac_netinet_firewall_send(struct mbuf *m);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
|
2007-10-28 17:12:48 +00:00
|
|
|
void mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend);
|
|
|
|
|
void mac_netinet_icmp_replyinplace(struct mbuf *m);
|
2007-10-28 15:55:23 +00:00
|
|
|
void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_netinet_tcp_reply(struct mbuf *m);
|
|
|
|
|
|
2007-10-28 15:55:23 +00:00
|
|
|
void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);
|
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
unsigned long cmd, void *data);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
|
|
|
|
|
int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp);
|
|
|
|
|
int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);
|
|
|
|
|
int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_pipe_create(struct ucred *cred, struct pipepair *pp);
|
|
|
|
|
void mac_pipe_destroy(struct pipepair *);
|
|
|
|
|
void mac_pipe_init(struct pipepair *);
|
|
|
|
|
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
|
|
|
|
|
struct label *label);
|
|
|
|
|
|
Rework the lifetime management of the kernel implementation of POSIX
semaphores. Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec. This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely. It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.
Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
the sem_unlink() operation. Prior to this patch, if a semaphore's name
was removed, valid handles from sem_open() would get EINVAL errors from
sem_getvalue(), sem_post(), etc. This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
process exited or exec'd. They were only cleaned up if the process
did an explicit sem_destroy(). This could result in a leak of semaphore
objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
'struct ksem' of an unnamed semaphore (created via sem_init)) and had
write access to the semaphore based on UID/GID checks, then that other
process could manipulate the semaphore via sem_destroy(), sem_post(),
sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
creating the semaphore was not honored. Thus if your umask denied group
read/write access but the explicit mode in the sem_init() call allowed
it, the semaphore would be readable/writable by other users in the
same group, for example. This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
then it might have deregistered one or more of the semaphore system
calls before it noticed that there was a problem. I'm not sure if
this actually happened as the order that modules are discovered by the
kernel linker depends on how the actual .ko file is linked. One can
make the order deterministic by using a single module with a mod_event
handler that explicitly registers syscalls (and deregisters during
unload after any checks). This also fixes a race where even if the
sem_module unloaded first it would have destroyed locks that the
syscalls might be trying to access if they are still executing when
they are unloaded.
XXX: By the way, deregistering system calls doesn't do any blocking
to drain any threads from the calls.
- Some minor fixes to errno values on error. For example, sem_init()
isn't documented to return ENFILE or EMFILE if we run out of semaphores
the way that sem_open() can. Instead, it should return ENOSPC in that
case.
Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
named semaphores nearly in a similar fashion to the POSIX shared memory
object file descriptors. Kernel semaphores can now also have names
longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
MAC checks for POSIX semaphores accept both a file credential and an
active credential. There is also a new posixsem_check_stat() since it
is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
in src/tools/regression/posixsem.
Reported by: kris (1)
Tested by: kris
Reviewed by: rwatson (lightly)
MFC after: 1 month
2008-06-27 05:39:04 +00:00
|
|
|
int mac_posixsem_check_getvalue(struct ucred *active_cred,
|
|
|
|
|
struct ucred *file_cred, struct ksem *ks);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks);
|
Rework the lifetime management of the kernel implementation of POSIX
semaphores. Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec. This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely. It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.
Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
the sem_unlink() operation. Prior to this patch, if a semaphore's name
was removed, valid handles from sem_open() would get EINVAL errors from
sem_getvalue(), sem_post(), etc. This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
process exited or exec'd. They were only cleaned up if the process
did an explicit sem_destroy(). This could result in a leak of semaphore
objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
'struct ksem' of an unnamed semaphore (created via sem_init)) and had
write access to the semaphore based on UID/GID checks, then that other
process could manipulate the semaphore via sem_destroy(), sem_post(),
sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
creating the semaphore was not honored. Thus if your umask denied group
read/write access but the explicit mode in the sem_init() call allowed
it, the semaphore would be readable/writable by other users in the
same group, for example. This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
then it might have deregistered one or more of the semaphore system
calls before it noticed that there was a problem. I'm not sure if
this actually happened as the order that modules are discovered by the
kernel linker depends on how the actual .ko file is linked. One can
make the order deterministic by using a single module with a mod_event
handler that explicitly registers syscalls (and deregisters during
unload after any checks). This also fixes a race where even if the
sem_module unloaded first it would have destroyed locks that the
syscalls might be trying to access if they are still executing when
they are unloaded.
XXX: By the way, deregistering system calls doesn't do any blocking
to drain any threads from the calls.
- Some minor fixes to errno values on error. For example, sem_init()
isn't documented to return ENFILE or EMFILE if we run out of semaphores
the way that sem_open() can. Instead, it should return ENOSPC in that
case.
Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
named semaphores nearly in a similar fashion to the POSIX shared memory
object file descriptors. Kernel semaphores can now also have names
longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
MAC checks for POSIX semaphores accept both a file credential and an
active credential. There is also a new posixsem_check_stat() since it
is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
in src/tools/regression/posixsem.
Reported by: kris (1)
Tested by: kris
Reviewed by: rwatson (lightly)
MFC after: 1 month
2008-06-27 05:39:04 +00:00
|
|
|
int mac_posixsem_check_post(struct ucred *active_cred,
|
|
|
|
|
struct ucred *file_cred, struct ksem *ks);
|
|
|
|
|
int mac_posixsem_check_stat(struct ucred *active_cred,
|
|
|
|
|
struct ucred *file_cred, struct ksem *ks);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks);
|
Rework the lifetime management of the kernel implementation of POSIX
semaphores. Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec. This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely. It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.
Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
the sem_unlink() operation. Prior to this patch, if a semaphore's name
was removed, valid handles from sem_open() would get EINVAL errors from
sem_getvalue(), sem_post(), etc. This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
process exited or exec'd. They were only cleaned up if the process
did an explicit sem_destroy(). This could result in a leak of semaphore
objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
'struct ksem' of an unnamed semaphore (created via sem_init)) and had
write access to the semaphore based on UID/GID checks, then that other
process could manipulate the semaphore via sem_destroy(), sem_post(),
sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
creating the semaphore was not honored. Thus if your umask denied group
read/write access but the explicit mode in the sem_init() call allowed
it, the semaphore would be readable/writable by other users in the
same group, for example. This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
then it might have deregistered one or more of the semaphore system
calls before it noticed that there was a problem. I'm not sure if
this actually happened as the order that modules are discovered by the
kernel linker depends on how the actual .ko file is linked. One can
make the order deterministic by using a single module with a mod_event
handler that explicitly registers syscalls (and deregisters during
unload after any checks). This also fixes a race where even if the
sem_module unloaded first it would have destroyed locks that the
syscalls might be trying to access if they are still executing when
they are unloaded.
XXX: By the way, deregistering system calls doesn't do any blocking
to drain any threads from the calls.
- Some minor fixes to errno values on error. For example, sem_init()
isn't documented to return ENFILE or EMFILE if we run out of semaphores
the way that sem_open() can. Instead, it should return ENOSPC in that
case.
Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
named semaphores nearly in a similar fashion to the POSIX shared memory
object file descriptors. Kernel semaphores can now also have names
longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
MAC checks for POSIX semaphores accept both a file credential and an
active credential. There is also a new posixsem_check_stat() since it
is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
in src/tools/regression/posixsem.
Reported by: kris (1)
Tested by: kris
Reviewed by: rwatson (lightly)
MFC after: 1 month
2008-06-27 05:39:04 +00:00
|
|
|
int mac_posixsem_check_wait(struct ucred *active_cred,
|
|
|
|
|
struct ucred *file_cred, struct ksem *ks);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_posixsem_create(struct ucred *cred, struct ksem *ks);
|
|
|
|
|
void mac_posixsem_destroy(struct ksem *);
|
|
|
|
|
void mac_posixsem_init(struct ksem *);
|
|
|
|
|
|
Add a new file descriptor type for IPC shared memory objects and use it to
implement shm_open(2) and shm_unlink(2) in the kernel:
- Each shared memory file descriptor is associated with a swap-backed vm
object which provides the backing store. Each descriptor starts off with
a size of zero, but the size can be altered via ftruncate(2). The shared
memory file descriptors also support fstat(2). read(2), write(2),
ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared
memory file descriptors.
- shm_open(2) and shm_unlink(2) are now implemented as system calls that
manage shared memory file descriptors. The virtual namespace that maps
pathnames to shared memory file descriptors is implemented as a hash
table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash
of the pathname.
- As an extension, the constant 'SHM_ANON' may be specified in place of the
path argument to shm_open(2). In this case, an unnamed shared memory
file descriptor will be created similar to the IPC_PRIVATE key for
shmget(2). Note that the shared memory object can still be shared among
processes by sharing the file descriptor via fork(2) or sendmsg(2), but
it is unnamed. This effectively serves to implement the getmemfd() idea
bandied about the lists several times over the years.
- The backing store for shared memory file descriptors are garbage
collected when they are not referenced by any open file descriptors or
the shm_open(2) virtual namespace.
Submitted by: dillon, peter (previous versions)
Submitted by: rwatson (I based this on his version)
Reviewed by: alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
|
|
|
int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
|
|
|
|
|
int prot, int flags);
|
|
|
|
|
int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd);
|
|
|
|
|
int mac_posixshm_check_stat(struct ucred *active_cred,
|
|
|
|
|
struct ucred *file_cred, struct shmfd *shmfd);
|
|
|
|
|
int mac_posixshm_check_truncate(struct ucred *active_cred,
|
|
|
|
|
struct ucred *file_cred, struct shmfd *shmfd);
|
|
|
|
|
int mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd);
|
|
|
|
|
void mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd);
|
|
|
|
|
void mac_posixshm_destroy(struct shmfd *);
|
|
|
|
|
void mac_posixshm_init(struct shmfd *);
|
|
|
|
|
|
2007-10-25 22:45:25 +00:00
|
|
|
int mac_priv_check(struct ucred *cred, int priv);
|
|
|
|
|
int mac_priv_grant(struct ucred *cred, int priv);
|
|
|
|
|
|
|
|
|
|
void mac_proc_associate_nfsd(struct ucred *cred);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_proc_check_debug(struct ucred *cred, struct proc *p);
|
|
|
|
|
int mac_proc_check_sched(struct ucred *cred, struct proc *p);
|
|
|
|
|
int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
|
|
|
|
|
int mac_proc_check_setaudit_addr(struct ucred *cred,
|
2007-06-26 14:14:01 +00:00
|
|
|
struct auditinfo_addr *aia);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_proc_check_setauid(struct ucred *cred, uid_t auid);
|
2007-10-25 22:45:25 +00:00
|
|
|
int mac_proc_check_setegid(struct proc *p, struct ucred *cred,
|
|
|
|
|
gid_t egid);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_proc_check_seteuid(struct proc *p, struct ucred *cred,
|
2005-04-16 13:29:15 +00:00
|
|
|
uid_t euid);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_proc_check_setgid(struct proc *p, struct ucred *cred,
|
2005-04-16 13:29:15 +00:00
|
|
|
gid_t gid);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_proc_check_setgroups(struct proc *p, struct ucred *cred,
|
2005-04-16 13:29:15 +00:00
|
|
|
int ngroups, gid_t *gidset);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_proc_check_setregid(struct proc *p, struct ucred *cred,
|
2005-04-16 13:29:15 +00:00
|
|
|
gid_t rgid, gid_t egid);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_proc_check_setresgid(struct proc *p, struct ucred *cred,
|
2005-04-16 13:29:15 +00:00
|
|
|
gid_t rgid, gid_t egid, gid_t sgid);
|
2007-10-25 22:45:25 +00:00
|
|
|
int mac_proc_check_setresuid(struct proc *p, struct ucred *cred,
|
|
|
|
|
uid_t ruid, uid_t euid, uid_t suid);
|
|
|
|
|
int mac_proc_check_setreuid(struct proc *p, struct ucred *cred,
|
|
|
|
|
uid_t ruid, uid_t euid);
|
|
|
|
|
int mac_proc_check_setuid(struct proc *p, struct ucred *cred,
|
|
|
|
|
uid_t uid);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_proc_check_signal(struct ucred *cred, struct proc *p,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int signum);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_proc_check_wait(struct ucred *cred, struct proc *p);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_proc_create_init(struct ucred *cred);
|
|
|
|
|
void mac_proc_create_swapper(struct ucred *cred);
|
|
|
|
|
void mac_proc_destroy(struct proc *);
|
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
|
|
|
void mac_proc_init(struct proc *);
|
2007-10-25 22:45:25 +00:00
|
|
|
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
|
|
|
|
|
void mac_execve_exit(struct image_params *imgp);
|
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
|
|
|
void mac_execve_interpreter_enter(struct vnode *interpvp,
|
|
|
|
|
struct label **interplabel);
|
|
|
|
|
void mac_execve_interpreter_exit(struct label *interpvplabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_socket_check_accept(struct ucred *cred, struct socket *so);
|
|
|
|
|
int mac_socket_check_bind(struct ucred *cred, struct socket *so,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct sockaddr *sa);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_socket_check_connect(struct ucred *cred, struct socket *so,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct sockaddr *sa);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_socket_check_create(struct ucred *cred, int domain, int type,
|
2007-04-22 19:55:56 +00:00
|
|
|
int proto);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
|
|
|
|
|
int mac_socket_check_listen(struct ucred *cred, struct socket *so);
|
|
|
|
|
int mac_socket_check_poll(struct ucred *cred, struct socket *so);
|
|
|
|
|
int mac_socket_check_receive(struct ucred *cred, struct socket *so);
|
|
|
|
|
int mac_socket_check_send(struct ucred *cred, struct socket *so);
|
|
|
|
|
int mac_socket_check_stat(struct ucred *cred, struct socket *so);
|
|
|
|
|
int mac_socket_check_visible(struct ucred *cred, struct socket *so);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_socket_create_mbuf(struct socket *so, struct mbuf *m);
|
|
|
|
|
void mac_socket_create(struct ucred *cred, struct socket *so);
|
|
|
|
|
void mac_socket_destroy(struct socket *);
|
|
|
|
|
int mac_socket_init(struct socket *, int);
|
|
|
|
|
void mac_socket_newconn(struct socket *oldso, struct socket *newso);
|
|
|
|
|
int mac_getsockopt_label(struct ucred *cred, struct socket *so,
|
|
|
|
|
struct mac *extmac);
|
|
|
|
|
int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
|
|
|
|
|
struct mac *extmac);
|
|
|
|
|
int mac_setsockopt_label(struct ucred *cred, struct socket *so,
|
|
|
|
|
struct mac *extmac);
|
|
|
|
|
|
|
|
|
|
void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
|
|
|
|
|
void mac_socketpeer_set_from_socket(struct socket *oldso,
|
|
|
|
|
struct socket *newso);
|
|
|
|
|
|
|
|
|
|
void mac_syncache_create(struct label *l, struct inpcb *inp);
|
|
|
|
|
void mac_syncache_create_mbuf(struct label *l, struct mbuf *m);
|
|
|
|
|
void mac_syncache_destroy(struct label **l);
|
|
|
|
|
int mac_syncache_init(struct label **l);
|
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_system_check_acct(struct ucred *cred, struct vnode *vp);
|
|
|
|
|
int mac_system_check_audit(struct ucred *cred, void *record, int length);
|
|
|
|
|
int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp);
|
|
|
|
|
int mac_system_check_auditon(struct ucred *cred, int cmd);
|
|
|
|
|
int mac_system_check_reboot(struct ucred *cred, int howto);
|
|
|
|
|
int mac_system_check_swapon(struct ucred *cred, struct vnode *vp);
|
|
|
|
|
int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);
|
|
|
|
|
int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
|
2004-02-22 12:31:44 +00:00
|
|
|
void *arg1, int arg2, struct sysctl_req *req);
|
2007-10-25 22:45:25 +00:00
|
|
|
|
|
|
|
|
void mac_sysvmsg_cleanup(struct msg *msgptr);
|
|
|
|
|
void mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
|
|
|
|
|
struct msg *msgptr);
|
|
|
|
|
void mac_sysvmsg_destroy(struct msg *);
|
|
|
|
|
void mac_sysvmsg_init(struct msg *);
|
|
|
|
|
|
|
|
|
|
int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
|
|
|
|
|
struct msqid_kernel *msqkptr);
|
|
|
|
|
int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);
|
|
|
|
|
int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);
|
|
|
|
|
int mac_sysvmsq_check_msqctl(struct ucred *cred,
|
|
|
|
|
struct msqid_kernel *msqkptr, int cmd);
|
|
|
|
|
int mac_sysvmsq_check_msqget(struct ucred *cred,
|
|
|
|
|
struct msqid_kernel *msqkptr);
|
|
|
|
|
int mac_sysvmsq_check_msqrcv(struct ucred *cred,
|
|
|
|
|
struct msqid_kernel *msqkptr);
|
|
|
|
|
int mac_sysvmsq_check_msqsnd(struct ucred *cred,
|
|
|
|
|
struct msqid_kernel *msqkptr);
|
|
|
|
|
void mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr);
|
|
|
|
|
void mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr);
|
|
|
|
|
void mac_sysvmsq_destroy(struct msqid_kernel *);
|
|
|
|
|
void mac_sysvmsq_init(struct msqid_kernel *);
|
|
|
|
|
|
|
|
|
|
int mac_sysvsem_check_semctl(struct ucred *cred,
|
|
|
|
|
struct semid_kernel *semakptr, int cmd);
|
|
|
|
|
int mac_sysvsem_check_semget(struct ucred *cred,
|
|
|
|
|
struct semid_kernel *semakptr);
|
|
|
|
|
int mac_sysvsem_check_semop(struct ucred *cred,
|
|
|
|
|
struct semid_kernel *semakptr, size_t accesstype);
|
|
|
|
|
void mac_sysvsem_cleanup(struct semid_kernel *semakptr);
|
|
|
|
|
void mac_sysvsem_create(struct ucred *cred,
|
|
|
|
|
struct semid_kernel *semakptr);
|
|
|
|
|
void mac_sysvsem_destroy(struct semid_kernel *);
|
|
|
|
|
void mac_sysvsem_init(struct semid_kernel *);
|
|
|
|
|
|
|
|
|
|
int mac_sysvshm_check_shmat(struct ucred *cred,
|
|
|
|
|
struct shmid_kernel *shmsegptr, int shmflg);
|
|
|
|
|
int mac_sysvshm_check_shmctl(struct ucred *cred,
|
|
|
|
|
struct shmid_kernel *shmsegptr, int cmd);
|
|
|
|
|
int mac_sysvshm_check_shmdt(struct ucred *cred,
|
|
|
|
|
struct shmid_kernel *shmsegptr);
|
|
|
|
|
int mac_sysvshm_check_shmget(struct ucred *cred,
|
|
|
|
|
struct shmid_kernel *shmsegptr, int shmflg);
|
|
|
|
|
void mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr);
|
|
|
|
|
void mac_sysvshm_create(struct ucred *cred,
|
|
|
|
|
struct shmid_kernel *shmsegptr);
|
|
|
|
|
void mac_sysvshm_destroy(struct shmid_kernel *);
|
|
|
|
|
void mac_sysvshm_init(struct shmid_kernel *);
|
|
|
|
|
|
|
|
|
|
void mac_thread_userret(struct thread *td);
|
|
|
|
|
|
|
|
|
|
int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
|
|
|
|
|
void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
|
2002-10-30 17:56:57 +00:00
|
|
|
int acc_mode);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
|
|
|
|
|
int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
|
|
|
|
|
int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct componentname *cnp, struct vattr *vap);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
acl_type_t type);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
|
2003-08-21 13:53:01 +00:00
|
|
|
int attrnamespace, const char *name);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
|
2002-11-05 17:51:56 +00:00
|
|
|
struct image_params *imgp);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
acl_type_t type);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int attrnamespace, const char *name, struct uio *uio);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
|
2002-10-05 18:11:36 +00:00
|
|
|
struct vnode *vp, struct componentname *cnp);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
|
2003-08-21 13:53:01 +00:00
|
|
|
int attrnamespace);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct componentname *cnp);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
|
2007-04-22 19:55:56 +00:00
|
|
|
int flags);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
|
2002-10-06 02:46:26 +00:00
|
|
|
int prot);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
|
2002-10-30 17:56:57 +00:00
|
|
|
int acc_mode);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_poll(struct ucred *active_cred,
|
2002-08-19 19:04:53 +00:00
|
|
|
struct ucred *file_cred, struct vnode *vp);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_read(struct ucred *active_cred,
|
2002-08-19 19:04:53 +00:00
|
|
|
struct ucred *file_cred, struct vnode *vp);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
|
|
|
|
|
int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp);
|
|
|
|
|
int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct componentname *cnp);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, int samedir, struct componentname *cnp);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp);
|
|
|
|
|
int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
acl_type_t type, struct acl *acl);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int attrnamespace, const char *name, struct uio *uio);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
u_long flags);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
mode_t mode);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
uid_t uid, gid_t gid);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct timespec atime, struct timespec mtime);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_stat(struct ucred *active_cred,
|
2002-08-19 19:04:53 +00:00
|
|
|
struct ucred *file_cred, struct vnode *vp);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
|
2007-09-10 00:00:18 +00:00
|
|
|
struct vnode *vp, struct componentname *cnp);
|
2007-10-24 19:04:04 +00:00
|
|
|
int mac_vnode_check_write(struct ucred *active_cred,
|
2002-08-19 19:04:53 +00:00
|
|
|
struct ucred *file_cred, struct vnode *vp);
|
2007-10-25 22:45:25 +00:00
|
|
|
void mac_vnode_copy_label(struct label *, struct label *);
|
|
|
|
|
void mac_vnode_init(struct vnode *);
|
|
|
|
|
int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
|
|
|
|
|
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
|
|
|
|
|
void mac_vnode_destroy(struct vnode *);
|
|
|
|
|
void mac_vnode_execve_transition(struct ucred *oldcred,
|
|
|
|
|
struct ucred *newcred, struct vnode *vp,
|
|
|
|
|
struct label *interpvplabel, struct image_params *imgp);
|
|
|
|
|
int mac_vnode_execve_will_transition(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *interpvplabel,
|
|
|
|
|
struct image_params *imgp);
|
|
|
|
|
void mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
|
|
|
|
|
struct label *newlabel);
|
|
|
|
|
|
2002-11-26 17:11:57 +00:00
|
|
|
void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
|
|
|
|
/*
|
2006-12-20 20:43:19 +00:00
|
|
|
* Calls to help various file systems implement labeling functionality using
|
|
|
|
|
* their existing EA implementation.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
*/
|
|
|
|
|
int vop_stdsetlabel_ea(struct vop_setlabel_args *ap);
|
|
|
|
|
|
2008-04-13 21:45:52 +00:00
|
|
|
#endif /* !_SECURITY_MAC_MAC_FRAMEWORK_H_ */
|
