d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
e1cef62715
freebsd-dev/sys/security/mac/mac_system.c

269 lines
5.5 KiB
C
Raw Normal View History

Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
/*-
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
* Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
* All rights reserved.
*
License clarification and wording changes: NAI has approved removal of clause three, and NAI Labs now goes by the name Network Associates Laboratories.
2002-11-04 01:42:39 +00:00
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
Use __FBSDID().
2003-06-11 00:56:59 +00:00
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
#include "opt_mac.h"
Include file cleanup; mac.h and malloc.h at one point had ordering relationship requirements, and no longer do. Reminded by: bde
2002-08-01 17:47:56 +00:00
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
#include <sys/param.h>
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
#include <sys/kernel.h>
#include <sys/lock.h>
Include <sys/malloc.h> instead of depending on namespace pollution 2 layers deep in <sys/proc.h> or <sys/vnode.h>. Removed unused includes. Fixed some printf format errors (1 fatal on i386's; 1 fatal on alphas; 1 not fatal on any supported machine).
2002-09-05 07:02:43 +00:00
#include <sys/malloc.h>
add missing #include <sys/module.h>
2004-05-30 20:27:19 +00:00
#include <sys/module.h>
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
#include <sys/mutex.h>
#include <sys/mac.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/sysctl.h>
#include <sys/mac_policy.h>
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
#include <security/mac/mac_internal.h>
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Merge kld access control checks from the MAC tree: these access control checks permit policy modules to augment the system policy for permitting kld operations. This permits policies to limit access to kld operations based on credential (and other) properties, as well as to perform checks on the kld being loaded (integrity, etc). Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-11-19 22:12:42 +00:00
static int mac_enforce_kld = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
&mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
Centrally manage enforcement of {reboot,swapon,sysctl} using the mac_enforce_system toggle, rather than several separate toggles. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-27 15:50:49 +00:00
static int mac_enforce_system = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
&mac_enforce_system, 0, "Enforce MAC policy on system operations");
TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
Implement mac_check_system_sysctl(), a MAC Framework entry point to permit MAC policies to augment the security protections on sysctl() operations. This is not really a wonderful entry point, as we only have access to the MIB of the target sysctl entry, rather than the more useful entry name, but this is sufficient for policies like Biba that wish to use their notions of privilege or integrity to prevent inappropriate sysctl modification. Affects MAC kernels only. Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c, we can't assert the SYSCTL subsystem lockin the MAC Framework. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-27 07:12:34 +00:00
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
int
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
mac_check_kenv_dump(struct ucred *cred)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
int error;
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_system)
return (0);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
MAC_CHECK(check_kenv_dump, cred);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int
mac_check_kenv_get(struct ucred *cred, char *name)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_system)
Synch from TrustedBSD MAC tree: - If a policy isn't registered when a policy module unloads, silently succeed. - Hold the policy list lock across more of the validity tests to avoid races. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:46:03 +00:00
return (0);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
MAC_CHECK(check_kenv_get, cred, name);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int
mac_check_kenv_set(struct ucred *cred, char *name, char *value)
Abstract access to the mbuf header label behind a new function, mbuf_to_label(). This permits the vast majority of entry point code to be unaware that labels are stored in m->m_pkthdr.label, such that we can experiment storage of labels elsewhere (such as in m_tags). Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 18:11:18 +00:00
{
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int error;
Abstract access to the mbuf header label behind a new function, mbuf_to_label(). This permits the vast majority of entry point code to be unaware that labels are stored in m->m_pkthdr.label, such that we can experiment storage of labels elsewhere (such as in m_tags). Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 18:11:18 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_system)
return (0);
Abstract access to the mbuf header label behind a new function, mbuf_to_label(). This permits the vast majority of entry point code to be unaware that labels are stored in m->m_pkthdr.label, such that we can experiment storage of labels elsewhere (such as in m_tags). Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 18:11:18 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
MAC_CHECK(check_kenv_set, cred, name, value);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int
mac_check_kenv_unset(struct ucred *cred, char *name)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_system)
return (0);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
MAC_CHECK(check_kenv_unset, cred, name);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int
mac_check_kld_load(struct ucred *cred, struct vnode *vp)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_kld)
return (0);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
return (error);
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int
mac_check_kld_stat(struct ucred *cred)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_kld)
return (0);
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
MAC_CHECK(check_kld_stat, cred);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
return (error);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
}
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-03-26 15:12:03 +00:00
int
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
mac_check_kld_unload(struct ucred *cred)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-03-26 15:12:03 +00:00
int error;
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_kld)
return (0);
MAC_CHECK(check_kld_unload, cred);
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-03-26 15:12:03 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
int
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
mac_check_sysarch_ioperm(struct ucred *cred)
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
{
mac_init_mbuf_tag() accepts malloc flags, not mbuf allocator flags, so don't try and convert the argument flags to malloc flags, or we risk implicitly requesting blocking and generating witness warnings. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-15 19:33:23 +00:00
int error;
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_system)
return (0);
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
MAC_CHECK(check_sysarch_ioperm, cred);
While the MAC API has supported the ability to handle M_NOWAIT passed to mbuf label initialization, that functionality was never merged to the main tree. Go ahead and merge that functionality now. Note that this requires policy modules to accept the case where the label element may be destroyed even if init has not succeeded on it (in the event that policy failed the init). This will shortly also apply to sockets. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:44:49 +00:00
return (error);
Rearrange object and label init/destroy functions to match the order used in mac_policy.h and elsewhere. Sort order is basically "by operation category", then "alphabetically by object". Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
}
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
int
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
{
int error;
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
}
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_system)
return (0);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
MAC_CHECK(check_system_acct, cred, vp,
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
vp != NULL ? vp->v_label : NULL);
Introduce p_label, extensible security label storage for the MAC framework in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) can update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-11-20 15:41:25 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
return (error);
Introduce p_label, extensible security label storage for the MAC framework in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) can update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-11-20 15:41:25 +00:00
}
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int
mac_check_system_nfsd(struct ucred *cred)
Move all object label init/destroy routines to the head of the entry points to better match the entry point ordering in mac_policy.h. Big diff, no functional change; merge from the MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
{
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
int error;
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_system)
return (0);
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
MAC_CHECK(check_system_nfsd, cred);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
return (error);
}
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int
mac_check_system_reboot(struct ucred *cred, int howto)
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
{
int error;
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_system)
return (0);
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
MAC_CHECK(check_system_reboot, cred, howto);
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
return (error);
}
int
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
mac_check_system_settime(struct ucred *cred)
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
{
int error;
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_system)
return (0);
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
MAC_CHECK(check_system_settime, cred);
Modify label allocation semantics for sockets: pass in soalloc's malloc flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_system)
return (0);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
{
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int error;
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
if (!mac_enforce_system)
return (0);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
return (error);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
}
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int
Reimplement sysctls handling by MAC framework. Now I believe it is done in the right way. Removed some XXMAC cases, we now assume 'high' integrity level for all sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic. Reviewed by: rwatson Approved by: rwatson, scottl (mentor) Tested with: LINT (compilation), mac_biba(4) (functionality)
2004-02-22 12:31:44 +00:00
mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1,
int arg2, struct sysctl_req *req)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
{
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
int error;
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
/*
Correct grammar error in comment MFC after: 3 days
2005-06-10 04:44:38 +00:00
* XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
* but since it's not exported from kern_sysctl.c, we can't.
*/
if (!mac_enforce_system)
return (0);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Reimplement sysctls handling by MAC framework. Now I believe it is done in the right way. Removed some XXMAC cases, we now assume 'high' integrity level for all sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic. Reviewed by: rwatson Approved by: rwatson, scottl (mentor) Tested with: LINT (compilation), mac_biba(4) (functionality)
2004-02-22 12:31:44 +00:00
MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Remove non-system bits from mac_system.c. Leave: Enforce_kld, enforce_system access control toggles. Access control checks for: kenv operation, kld operations, sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(), swapoff(), sysctl(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
return (error);
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
}
Reference in New Issue Copy Permalink