Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
/*-
|
2009-03-08 10:58:37 +00:00
|
|
|
* Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
|
2005-04-16 18:46:29 +00:00
|
|
|
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
|
2006-04-26 14:18:55 +00:00
|
|
|
* Copyright (c) 2005-2006 SPARTA, Inc.
|
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
|
|
|
* Copyright (c) 2008 Apple Inc.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* This software was developed by Robert Watson for the TrustedBSD Project.
|
|
|
|
*
|
2002-11-04 01:42:39 +00:00
|
|
|
* This software was developed for the FreeBSD Project in part by Network
|
|
|
|
* Associates Laboratories, the Security Research Division of Network
|
|
|
|
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
|
|
|
|
* as part of the DARPA CHATS research program.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
*
|
When devfs cloning takes place, provide access to the credential of the
process that caused the clone event to take place for the device driver
creating the device. This allows cloned device drivers to adapt the
device node based on security aspects of the process, such as the uid,
gid, and MAC label.
- Add a cred reference to struct cdev, so that when a device node is
instantiated as a vnode, the cloning credential can be exposed to
MAC.
- Add make_dev_cred(), a version of make_dev() that additionally
accepts the credential to stick in the struct cdev. Implement it and
make_dev() in terms of a back-end make_dev_credv().
- Add a new event handler, dev_clone_cred, which can be registered to
receive the credential instead of dev_clone, if desired.
- Modify the MAC entry point mac_create_devfs_device() to accept an
optional credential pointer (may be NULL), so that MAC policies can
inspect and act on the label or other elements of the credential
when initializing the skeleton device protections.
- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(),
so that the pty clone credential is exposed to the MAC Framework.
While currently primarily focussed on MAC policies, this change is also
a prerequisite for changes to allow ptys to be instantiated with the UID
of the process looking up the pty. This requires further changes to the
pty driver -- in particular, to immediately recycle pty nodes on last
close so that the credential-related state can be recreated on next
lookup.
Submitted by: Andrew Reisse <andrew.reisse@sparta.com>
Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA
MFC after: 1 week
MFC note: Merge to 6.x, but not 5.x for ABI reasons
2005-07-14 10:22:09 +00:00
|
|
|
* This software was enhanced by SPARTA ISSO under SPAWAR contract
|
|
|
|
* N66001-04-C-6019 ("SEFOS").
|
|
|
|
*
|
2009-03-08 10:58:37 +00:00
|
|
|
* This software was developed at the University of Cambridge Computer
|
|
|
|
* Laboratory with support from a grant from Google, Inc.
|
|
|
|
*
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*
|
|
|
|
* $FreeBSD$
|
|
|
|
*/
|
|
|
|
/*
|
|
|
|
* Kernel interface for MAC policy modules.
|
|
|
|
*/
|
2008-04-13 21:45:52 +00:00
|
|
|
#ifndef _SECURITY_MAC_MAC_POLICY_H_
|
|
|
|
#define _SECURITY_MAC_MAC_POLICY_H_
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2007-02-06 10:59:23 +00:00
|
|
|
#ifndef _KERNEL
|
|
|
|
#error "no user-serviceable parts inside"
|
|
|
|
#endif
|
|
|
|
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
/*-
|
|
|
|
* Pluggable access control policy definition structure.
|
|
|
|
*
|
2006-12-23 22:21:13 +00:00
|
|
|
* List of operations that are performed as part of the implementation of a
|
|
|
|
* MAC policy. Policy implementors declare operations with a mac_policy_ops
|
|
|
|
* structure, and using the MAC_POLICY_SET() macro. If an entry point is not
|
|
|
|
* declared, then then the policy will be ignored during evaluation of that
|
|
|
|
* event or check.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
*
|
|
|
|
* Operations are sorted first by general class of operation, then
|
|
|
|
* alphabetically.
|
|
|
|
*/
|
2006-10-22 11:52:19 +00:00
|
|
|
#include <sys/acl.h> /* XXX acl_type_t */
|
2008-10-28 13:44:11 +00:00
|
|
|
#include <sys/types.h> /* XXX accmode_t */
|
2006-10-22 11:52:19 +00:00
|
|
|
|
2003-06-22 16:36:00 +00:00
|
|
|
struct acl;
|
2007-04-21 22:08:48 +00:00
|
|
|
struct auditinfo;
|
2007-07-05 06:45:37 +00:00
|
|
|
struct auditinfo_addr;
|
2004-02-26 16:15:14 +00:00
|
|
|
struct bpf_d;
|
2006-10-30 15:20:49 +00:00
|
|
|
struct cdev;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct componentname;
|
|
|
|
struct devfs_dirent;
|
2004-02-26 16:15:14 +00:00
|
|
|
struct ifnet;
|
|
|
|
struct image_params;
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
struct inpcb;
|
2008-10-26 22:45:18 +00:00
|
|
|
struct ip6q;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct ipq;
|
2005-05-04 10:39:15 +00:00
|
|
|
struct ksem;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct label;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct mac_policy_conf;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct mbuf;
|
|
|
|
struct mount;
|
2006-09-09 16:35:44 +00:00
|
|
|
struct msg;
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msqid_kernel;
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
struct pipepair;
|
2004-02-26 20:44:50 +00:00
|
|
|
struct proc;
|
2003-06-23 01:26:34 +00:00
|
|
|
struct sbuf;
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct semid_kernel;
|
Add a new file descriptor type for IPC shared memory objects and use it to
implement shm_open(2) and shm_unlink(2) in the kernel:
- Each shared memory file descriptor is associated with a swap-backed vm
object which provides the backing store. Each descriptor starts off with
a size of zero, but the size can be altered via ftruncate(2). The shared
memory file descriptors also support fstat(2). read(2), write(2),
ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared
memory file descriptors.
- shm_open(2) and shm_unlink(2) are now implemented as system calls that
manage shared memory file descriptors. The virtual namespace that maps
pathnames to shared memory file descriptors is implemented as a hash
table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash
of the pathname.
- As an extension, the constant 'SHM_ANON' may be specified in place of the
path argument to shm_open(2). In this case, an unnamed shared memory
file descriptor will be created similar to the IPC_PRIVATE key for
shmget(2). Note that the shared memory object can still be shared among
processes by sharing the file descriptor via fork(2) or sendmsg(2), but
it is unnamed. This effectively serves to implement the getmemfd() idea
bandied about the lists several times over the years.
- The backing store for shared memory file descriptors are garbage
collected when they are not referenced by any open file descriptors or
the shm_open(2) virtual namespace.
Submitted by: dillon, peter (previous versions)
Submitted by: rwatson (I based this on his version)
Reviewed by: alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
|
|
|
struct shmfd;
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct shmid_kernel;
|
2004-02-26 20:44:50 +00:00
|
|
|
struct sockaddr;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct socket;
|
2004-02-22 12:31:44 +00:00
|
|
|
struct sysctl_oid;
|
|
|
|
struct sysctl_req;
|
2004-02-26 20:44:50 +00:00
|
|
|
struct thread;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct ucred;
|
2004-02-26 16:15:14 +00:00
|
|
|
struct vattr;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct vnode;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
|
|
|
* Policy module operations.
|
|
|
|
*/
|
|
|
|
typedef void (*mpo_destroy_t)(struct mac_policy_conf *mpc);
|
|
|
|
typedef void (*mpo_init_t)(struct mac_policy_conf *mpc);
|
2002-08-19 17:59:48 +00:00
|
|
|
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
|
|
|
* General policy-directed security system call so that policies may
|
2006-12-23 22:21:13 +00:00
|
|
|
* implement new services without reserving explicit system call numbers.
|
2006-04-26 14:18:55 +00:00
|
|
|
*/
|
|
|
|
typedef int (*mpo_syscall_t)(struct thread *td, int call, void *arg);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Place-holder function pointers for ABI-compatibility purposes.
|
|
|
|
*/
|
|
|
|
typedef void (*mpo_placeholder_t)(void);
|
|
|
|
|
|
|
|
/*
|
2007-10-25 22:45:25 +00:00
|
|
|
* Operations sorted alphabetically by primary object type and then method.
|
2006-04-26 14:18:55 +00:00
|
|
|
*/
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef int (*mpo_bpfdesc_check_receive_t)(struct bpf_d *d,
|
|
|
|
struct label *dlabel, struct ifnet *ifp,
|
|
|
|
struct label *ifplabel);
|
|
|
|
typedef void (*mpo_bpfdesc_create_t)(struct ucred *cred,
|
|
|
|
struct bpf_d *d, struct label *dlabel);
|
|
|
|
typedef void (*mpo_bpfdesc_create_mbuf_t)(struct bpf_d *d,
|
|
|
|
struct label *dlabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef void (*mpo_bpfdesc_destroy_label_t)(struct label *label);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_bpfdesc_init_label_t)(struct label *label);
|
|
|
|
|
2008-10-28 11:33:06 +00:00
|
|
|
typedef void (*mpo_cred_associate_nfsd_t)(struct ucred *cred);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef int (*mpo_cred_check_relabel_t)(struct ucred *cred,
|
|
|
|
struct label *newlabel);
|
2009-03-08 10:58:37 +00:00
|
|
|
typedef int (*mpo_cred_check_setaudit_t)(struct ucred *cred,
|
|
|
|
struct auditinfo *ai);
|
|
|
|
typedef int (*mpo_cred_check_setaudit_addr_t)(struct ucred *cred,
|
|
|
|
struct auditinfo_addr *aia);
|
|
|
|
typedef int (*mpo_cred_check_setauid_t)(struct ucred *cred, uid_t auid);
|
|
|
|
typedef int (*mpo_cred_check_setegid_t)(struct ucred *cred, gid_t egid);
|
|
|
|
typedef int (*mpo_cred_check_seteuid_t)(struct ucred *cred, uid_t euid);
|
|
|
|
typedef int (*mpo_cred_check_setgid_t)(struct ucred *cred, gid_t gid);
|
|
|
|
typedef int (*mpo_cred_check_setgroups_t)(struct ucred *cred, int ngroups,
|
|
|
|
gid_t *gidset);
|
|
|
|
typedef int (*mpo_cred_check_setregid_t)(struct ucred *cred, gid_t rgid,
|
|
|
|
gid_t egid);
|
|
|
|
typedef int (*mpo_cred_check_setresgid_t)(struct ucred *cred, gid_t rgid,
|
|
|
|
gid_t egid, gid_t sgid);
|
|
|
|
typedef int (*mpo_cred_check_setresuid_t)(struct ucred *cred, uid_t ruid,
|
|
|
|
uid_t euid, uid_t suid);
|
|
|
|
typedef int (*mpo_cred_check_setreuid_t)(struct ucred *cred, uid_t ruid,
|
|
|
|
uid_t euid);
|
|
|
|
typedef int (*mpo_cred_check_setuid_t)(struct ucred *cred, uid_t uid);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef int (*mpo_cred_check_visible_t)(struct ucred *cr1,
|
|
|
|
struct ucred *cr2);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef void (*mpo_cred_copy_label_t)(struct label *src,
|
2003-12-06 21:48:03 +00:00
|
|
|
struct label *dest);
|
2008-10-28 11:33:06 +00:00
|
|
|
typedef void (*mpo_cred_create_init_t)(struct ucred *cred);
|
|
|
|
typedef void (*mpo_cred_create_swapper_t)(struct ucred *cred);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_cred_destroy_label_t)(struct label *label);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_cred_externalize_label_t)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_cred_init_label_t)(struct label *label);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_cred_internalize_label_t)(struct label *label,
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
char *element_name, char *element_data, int *claimed);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_cred_relabel_t)(struct ucred *cred,
|
|
|
|
struct label *newlabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef void (*mpo_devfs_create_device_t)(struct ucred *cred,
|
When devfs cloning takes place, provide access to the credential of the
process that caused the clone event to take place for the device driver
creating the device. This allows cloned device drivers to adapt the
device node based on security aspects of the process, such as the uid,
gid, and MAC label.
- Add a cred reference to struct cdev, so that when a device node is
instantiated as a vnode, the cloning credential can be exposed to
MAC.
- Add make_dev_cred(), a version of make_dev() that additionally
accepts the credential to stick in the struct cdev. Implement it and
make_dev() in terms of a back-end make_dev_credv().
- Add a new event handler, dev_clone_cred, which can be registered to
receive the credential instead of dev_clone, if desired.
- Modify the MAC entry point mac_create_devfs_device() to accept an
optional credential pointer (may be NULL), so that MAC policies can
inspect and act on the label or other elements of the credential
when initializing the skeleton device protections.
- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(),
so that the pty clone credential is exposed to the MAC Framework.
While currently primarily focussed on MAC policies, this change is also
a prerequisite for changes to allow ptys to be instantiated with the UID
of the process looking up the pty. This requires further changes to the
pty driver -- in particular, to immediately recycle pty nodes on last
close so that the credential-related state can be recreated on next
lookup.
Submitted by: Andrew Reisse <andrew.reisse@sparta.com>
Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA
MFC after: 1 week
MFC note: Merge to 6.x, but not 5.x for ABI reasons
2005-07-14 10:22:09 +00:00
|
|
|
struct mount *mp, struct cdev *dev,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct devfs_dirent *de, struct label *delabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef void (*mpo_devfs_create_directory_t)(struct mount *mp,
|
2006-04-26 14:18:55 +00:00
|
|
|
char *dirname, int dirnamelen, struct devfs_dirent *de,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct label *delabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef void (*mpo_devfs_create_symlink_t)(struct ucred *cred,
|
2002-12-09 03:44:28 +00:00
|
|
|
struct mount *mp, struct devfs_dirent *dd,
|
|
|
|
struct label *ddlabel, struct devfs_dirent *de,
|
|
|
|
struct label *delabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_devfs_destroy_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_devfs_init_label_t)(struct label *label);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef void (*mpo_devfs_update_t)(struct mount *mp,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct devfs_dirent *de, struct label *delabel,
|
|
|
|
struct vnode *vp, struct label *vplabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_devfs_vnode_associate_t)(struct mount *mp,
|
|
|
|
struct label *mplabel, struct devfs_dirent *de,
|
|
|
|
struct label *delabel, struct vnode *vp,
|
|
|
|
struct label *vplabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef int (*mpo_ifnet_check_relabel_t)(struct ucred *cred,
|
|
|
|
struct ifnet *ifp, struct label *ifplabel,
|
|
|
|
struct label *newlabel);
|
|
|
|
typedef int (*mpo_ifnet_check_transmit_t)(struct ifnet *ifp,
|
|
|
|
struct label *ifplabel, struct mbuf *m,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct label *mlabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_ifnet_copy_label_t)(struct label *src,
|
|
|
|
struct label *dest);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef void (*mpo_ifnet_create_t)(struct ifnet *ifp,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct label *ifplabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_ifnet_create_mbuf_t)(struct ifnet *ifp,
|
|
|
|
struct label *ifplabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
|
|
|
typedef void (*mpo_ifnet_destroy_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_ifnet_externalize_label_t)(struct label *label,
|
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
|
|
|
typedef void (*mpo_ifnet_init_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_ifnet_internalize_label_t)(struct label *label,
|
|
|
|
char *element_name, char *element_data, int *claimed);
|
|
|
|
typedef void (*mpo_ifnet_relabel_t)(struct ucred *cred, struct ifnet *ifp,
|
|
|
|
struct label *ifplabel, struct label *newlabel);
|
|
|
|
|
|
|
|
typedef int (*mpo_inpcb_check_deliver_t)(struct inpcb *inp,
|
|
|
|
struct label *inplabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
2008-10-17 12:54:28 +00:00
|
|
|
typedef int (*mpo_inpcb_check_visible_t)(struct ucred *cred,
|
|
|
|
struct inpcb *inp, struct label *inplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef void (*mpo_inpcb_create_t)(struct socket *so,
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
struct label *solabel, struct inpcb *inp,
|
|
|
|
struct label *inplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef void (*mpo_inpcb_create_mbuf_t)(struct inpcb *inp,
|
2003-12-17 14:55:11 +00:00
|
|
|
struct label *inplabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_inpcb_destroy_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_inpcb_init_label_t)(struct label *label, int flag);
|
|
|
|
typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
|
|
|
|
struct label *label, struct inpcb *inp,
|
|
|
|
struct label *inplabel);
|
|
|
|
|
2008-10-26 22:45:18 +00:00
|
|
|
typedef void (*mpo_ip6q_create_t)(struct mbuf *m, struct label *mlabel,
|
|
|
|
struct ip6q *q6, struct label *q6label);
|
|
|
|
typedef void (*mpo_ip6q_destroy_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_ip6q_init_label_t)(struct label *label, int flag);
|
|
|
|
typedef int (*mpo_ip6q_match_t)(struct mbuf *m, struct label *mlabel,
|
|
|
|
struct ip6q *q6, struct label *q6label);
|
|
|
|
typedef void (*mpo_ip6q_reassemble)(struct ip6q *q6, struct label *q6label,
|
|
|
|
struct mbuf *m, struct label *mlabel);
|
|
|
|
typedef void (*mpo_ip6q_update_t)(struct mbuf *m, struct label *mlabel,
|
|
|
|
struct ip6q *q6, struct label *q6label);
|
|
|
|
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_ipq_create_t)(struct mbuf *m, struct label *mlabel,
|
2008-06-13 22:14:15 +00:00
|
|
|
struct ipq *q, struct label *qlabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_ipq_destroy_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_ipq_init_label_t)(struct label *label, int flag);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_ipq_match_t)(struct mbuf *m, struct label *mlabel,
|
2008-06-13 22:14:15 +00:00
|
|
|
struct ipq *q, struct label *qlabel);
|
|
|
|
typedef void (*mpo_ipq_reassemble)(struct ipq *q, struct label *qlabel,
|
|
|
|
struct mbuf *m, struct label *mlabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef void (*mpo_ipq_update_t)(struct mbuf *m, struct label *mlabel,
|
2008-06-13 22:14:15 +00:00
|
|
|
struct ipq *q, struct label *qlabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_kenv_check_dump_t)(struct ucred *cred);
|
|
|
|
typedef int (*mpo_kenv_check_get_t)(struct ucred *cred, char *name);
|
|
|
|
typedef int (*mpo_kenv_check_set_t)(struct ucred *cred, char *name,
|
2002-11-01 20:46:53 +00:00
|
|
|
char *value);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_kenv_check_unset_t)(struct ucred *cred, char *name);
|
2007-10-25 22:45:25 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_kld_check_load_t)(struct ucred *cred, struct vnode *vp,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct label *vplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_kld_check_stat_t)(struct ucred *cred);
|
2007-10-25 22:45:25 +00:00
|
|
|
|
|
|
|
typedef void (*mpo_mbuf_copy_label_t)(struct label *src,
|
|
|
|
struct label *dest);
|
|
|
|
typedef void (*mpo_mbuf_destroy_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_mbuf_init_label_t)(struct label *label, int flag);
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_mount_check_stat_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct mount *mp, struct label *mplabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
|
|
|
|
struct label *mplabel);
|
|
|
|
typedef void (*mpo_mount_destroy_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_mount_init_label_t)(struct label *label);
|
|
|
|
|
2007-10-28 15:55:23 +00:00
|
|
|
typedef void (*mpo_netatalk_aarp_send_t)(struct ifnet *ifp,
|
|
|
|
struct label *ifplabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
|
|
|
|
|
|
|
typedef void (*mpo_netinet_arp_send_t)(struct ifnet *ifp,
|
|
|
|
struct label *ifplabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
2007-10-28 17:12:48 +00:00
|
|
|
typedef void (*mpo_netinet_firewall_reply_t)(struct mbuf *mrecv,
|
|
|
|
struct label *mrecvlabel, struct mbuf *msend,
|
|
|
|
struct label *msendlabel);
|
2007-10-26 13:18:38 +00:00
|
|
|
typedef void (*mpo_netinet_firewall_send_t)(struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
|
|
|
|
struct label *mlabel, struct mbuf *frag,
|
|
|
|
struct label *fraglabel);
|
2007-10-28 17:12:48 +00:00
|
|
|
typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *mrecv,
|
|
|
|
struct label *mrecvlabel, struct mbuf *msend,
|
|
|
|
struct label *msendlabel);
|
|
|
|
typedef void (*mpo_netinet_icmp_replyinplace_t)(struct mbuf *m,
|
2007-10-25 22:45:25 +00:00
|
|
|
struct label *mlabel);
|
2007-10-28 15:55:23 +00:00
|
|
|
typedef void (*mpo_netinet_igmp_send_t)(struct ifnet *ifp,
|
|
|
|
struct label *ifplabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_netinet_tcp_reply_t)(struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
|
|
|
|
2007-10-28 15:55:23 +00:00
|
|
|
typedef void (*mpo_netinet6_nd6_send_t)(struct ifnet *ifp,
|
|
|
|
struct label *ifplabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_pipe_check_ioctl_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct pipepair *pp, struct label *pplabel,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
unsigned long cmd, void *data);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_pipe_check_poll_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct pipepair *pp, struct label *pplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_pipe_check_read_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct pipepair *pp, struct label *pplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_pipe_check_relabel_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct pipepair *pp, struct label *pplabel,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *newlabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_pipe_check_stat_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct pipepair *pp, struct label *pplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_pipe_check_write_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct pipepair *pp, struct label *pplabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_pipe_copy_label_t)(struct label *src,
|
|
|
|
struct label *dest);
|
|
|
|
typedef void (*mpo_pipe_create_t)(struct ucred *cred, struct pipepair *pp,
|
|
|
|
struct label *pplabel);
|
|
|
|
typedef void (*mpo_pipe_destroy_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_pipe_externalize_label_t)(struct label *label,
|
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
|
|
|
typedef void (*mpo_pipe_init_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_pipe_internalize_label_t)(struct label *label,
|
|
|
|
char *element_name, char *element_data, int *claimed);
|
|
|
|
typedef void (*mpo_pipe_relabel_t)(struct ucred *cred, struct pipepair *pp,
|
|
|
|
struct label *oldlabel, struct label *newlabel);
|
|
|
|
|
Rework the lifetime management of the kernel implementation of POSIX
semaphores. Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec. This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely. It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.
Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
the sem_unlink() operation. Prior to this patch, if a semaphore's name
was removed, valid handles from sem_open() would get EINVAL errors from
sem_getvalue(), sem_post(), etc. This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
process exited or exec'd. They were only cleaned up if the process
did an explicit sem_destroy(). This could result in a leak of semaphore
objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
'struct ksem' of an unnamed semaphore (created via sem_init)) and had
write access to the semaphore based on UID/GID checks, then that other
process could manipulate the semaphore via sem_destroy(), sem_post(),
sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
creating the semaphore was not honored. Thus if your umask denied group
read/write access but the explicit mode in the sem_init() call allowed
it, the semaphore would be readable/writable by other users in the
same group, for example. This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
then it might have deregistered one or more of the semaphore system
calls before it noticed that there was a problem. I'm not sure if
this actually happened as the order that modules are discovered by the
kernel linker depends on how the actual .ko file is linked. One can
make the order deterministic by using a single module with a mod_event
handler that explicitly registers syscalls (and deregisters during
unload after any checks). This also fixes a race where even if the
sem_module unloaded first it would have destroyed locks that the
syscalls might be trying to access if they are still executing when
they are unloaded.
XXX: By the way, deregistering system calls doesn't do any blocking
to drain any threads from the calls.
- Some minor fixes to errno values on error. For example, sem_init()
isn't documented to return ENFILE or EMFILE if we run out of semaphores
the way that sem_open() can. Instead, it should return ENOSPC in that
case.
Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
named semaphores nearly in a similar fashion to the POSIX shared memory
object file descriptors. Kernel semaphores can now also have names
longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
MAC checks for POSIX semaphores accept both a file credential and an
active credential. There is also a new posixsem_check_stat() since it
is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
in src/tools/regression/posixsem.
Reported by: kris (1)
Tested by: kris
Reviewed by: rwatson (lightly)
MFC after: 1 month
2008-06-27 05:39:04 +00:00
|
|
|
typedef int (*mpo_posixsem_check_getvalue_t)(struct ucred *active_cred,
|
|
|
|
struct ucred *file_cred, struct ksem *ks,
|
|
|
|
struct label *kslabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_posixsem_check_open_t)(struct ucred *cred,
|
2007-10-21 11:11:07 +00:00
|
|
|
struct ksem *ks, struct label *kslabel);
|
Rework the lifetime management of the kernel implementation of POSIX
semaphores. Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec. This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely. It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.
Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
the sem_unlink() operation. Prior to this patch, if a semaphore's name
was removed, valid handles from sem_open() would get EINVAL errors from
sem_getvalue(), sem_post(), etc. This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
process exited or exec'd. They were only cleaned up if the process
did an explicit sem_destroy(). This could result in a leak of semaphore
objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
'struct ksem' of an unnamed semaphore (created via sem_init)) and had
write access to the semaphore based on UID/GID checks, then that other
process could manipulate the semaphore via sem_destroy(), sem_post(),
sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
creating the semaphore was not honored. Thus if your umask denied group
read/write access but the explicit mode in the sem_init() call allowed
it, the semaphore would be readable/writable by other users in the
same group, for example. This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
then it might have deregistered one or more of the semaphore system
calls before it noticed that there was a problem. I'm not sure if
this actually happened as the order that modules are discovered by the
kernel linker depends on how the actual .ko file is linked. One can
make the order deterministic by using a single module with a mod_event
handler that explicitly registers syscalls (and deregisters during
unload after any checks). This also fixes a race where even if the
sem_module unloaded first it would have destroyed locks that the
syscalls might be trying to access if they are still executing when
they are unloaded.
XXX: By the way, deregistering system calls doesn't do any blocking
to drain any threads from the calls.
- Some minor fixes to errno values on error. For example, sem_init()
isn't documented to return ENFILE or EMFILE if we run out of semaphores
the way that sem_open() can. Instead, it should return ENOSPC in that
case.
Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
named semaphores nearly in a similar fashion to the POSIX shared memory
object file descriptors. Kernel semaphores can now also have names
longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
MAC checks for POSIX semaphores accept both a file credential and an
active credential. There is also a new posixsem_check_stat() since it
is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
in src/tools/regression/posixsem.
Reported by: kris (1)
Tested by: kris
Reviewed by: rwatson (lightly)
MFC after: 1 month
2008-06-27 05:39:04 +00:00
|
|
|
typedef int (*mpo_posixsem_check_post_t)(struct ucred *active_cred,
|
|
|
|
struct ucred *file_cred, struct ksem *ks,
|
|
|
|
struct label *kslabel);
|
2011-08-16 20:07:47 +00:00
|
|
|
typedef int (*mpo_posixsem_check_setmode_t)(struct ucred *cred,
|
|
|
|
struct ksem *ks, struct label *shmlabel,
|
|
|
|
mode_t mode);
|
|
|
|
typedef int (*mpo_posixsem_check_setowner_t)(struct ucred *cred,
|
|
|
|
struct ksem *ks, struct label *shmlabel,
|
|
|
|
uid_t uid, gid_t gid);
|
Rework the lifetime management of the kernel implementation of POSIX
semaphores. Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec. This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely. It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.
Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
the sem_unlink() operation. Prior to this patch, if a semaphore's name
was removed, valid handles from sem_open() would get EINVAL errors from
sem_getvalue(), sem_post(), etc. This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
process exited or exec'd. They were only cleaned up if the process
did an explicit sem_destroy(). This could result in a leak of semaphore
objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
'struct ksem' of an unnamed semaphore (created via sem_init)) and had
write access to the semaphore based on UID/GID checks, then that other
process could manipulate the semaphore via sem_destroy(), sem_post(),
sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
creating the semaphore was not honored. Thus if your umask denied group
read/write access but the explicit mode in the sem_init() call allowed
it, the semaphore would be readable/writable by other users in the
same group, for example. This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
then it might have deregistered one or more of the semaphore system
calls before it noticed that there was a problem. I'm not sure if
this actually happened as the order that modules are discovered by the
kernel linker depends on how the actual .ko file is linked. One can
make the order deterministic by using a single module with a mod_event
handler that explicitly registers syscalls (and deregisters during
unload after any checks). This also fixes a race where even if the
sem_module unloaded first it would have destroyed locks that the
syscalls might be trying to access if they are still executing when
they are unloaded.
XXX: By the way, deregistering system calls doesn't do any blocking
to drain any threads from the calls.
- Some minor fixes to errno values on error. For example, sem_init()
isn't documented to return ENFILE or EMFILE if we run out of semaphores
the way that sem_open() can. Instead, it should return ENOSPC in that
case.
Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
named semaphores nearly in a similar fashion to the POSIX shared memory
object file descriptors. Kernel semaphores can now also have names
longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
MAC checks for POSIX semaphores accept both a file credential and an
active credential. There is also a new posixsem_check_stat() since it
is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
in src/tools/regression/posixsem.
Reported by: kris (1)
Tested by: kris
Reviewed by: rwatson (lightly)
MFC after: 1 month
2008-06-27 05:39:04 +00:00
|
|
|
typedef int (*mpo_posixsem_check_stat_t)(struct ucred *active_cred,
|
|
|
|
struct ucred *file_cred, struct ksem *ks,
|
|
|
|
struct label *kslabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_posixsem_check_unlink_t)(struct ucred *cred,
|
2007-10-21 11:11:07 +00:00
|
|
|
struct ksem *ks, struct label *kslabel);
|
Rework the lifetime management of the kernel implementation of POSIX
semaphores. Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec. This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely. It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.
Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
the sem_unlink() operation. Prior to this patch, if a semaphore's name
was removed, valid handles from sem_open() would get EINVAL errors from
sem_getvalue(), sem_post(), etc. This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
process exited or exec'd. They were only cleaned up if the process
did an explicit sem_destroy(). This could result in a leak of semaphore
objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
'struct ksem' of an unnamed semaphore (created via sem_init)) and had
write access to the semaphore based on UID/GID checks, then that other
process could manipulate the semaphore via sem_destroy(), sem_post(),
sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
creating the semaphore was not honored. Thus if your umask denied group
read/write access but the explicit mode in the sem_init() call allowed
it, the semaphore would be readable/writable by other users in the
same group, for example. This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
then it might have deregistered one or more of the semaphore system
calls before it noticed that there was a problem. I'm not sure if
this actually happened as the order that modules are discovered by the
kernel linker depends on how the actual .ko file is linked. One can
make the order deterministic by using a single module with a mod_event
handler that explicitly registers syscalls (and deregisters during
unload after any checks). This also fixes a race where even if the
sem_module unloaded first it would have destroyed locks that the
syscalls might be trying to access if they are still executing when
they are unloaded.
XXX: By the way, deregistering system calls doesn't do any blocking
to drain any threads from the calls.
- Some minor fixes to errno values on error. For example, sem_init()
isn't documented to return ENFILE or EMFILE if we run out of semaphores
the way that sem_open() can. Instead, it should return ENOSPC in that
case.
Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
named semaphores nearly in a similar fashion to the POSIX shared memory
object file descriptors. Kernel semaphores can now also have names
longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
MAC checks for POSIX semaphores accept both a file credential and an
active credential. There is also a new posixsem_check_stat() since it
is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
in src/tools/regression/posixsem.
Reported by: kris (1)
Tested by: kris
Reviewed by: rwatson (lightly)
MFC after: 1 month
2008-06-27 05:39:04 +00:00
|
|
|
typedef int (*mpo_posixsem_check_wait_t)(struct ucred *active_cred,
|
|
|
|
struct ucred *file_cred, struct ksem *ks,
|
|
|
|
struct label *kslabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_posixsem_create_t)(struct ucred *cred,
|
|
|
|
struct ksem *ks, struct label *kslabel);
|
|
|
|
typedef void (*mpo_posixsem_destroy_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_posixsem_init_label_t)(struct label *label);
|
|
|
|
|
Add a new file descriptor type for IPC shared memory objects and use it to
implement shm_open(2) and shm_unlink(2) in the kernel:
- Each shared memory file descriptor is associated with a swap-backed vm
object which provides the backing store. Each descriptor starts off with
a size of zero, but the size can be altered via ftruncate(2). The shared
memory file descriptors also support fstat(2). read(2), write(2),
ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared
memory file descriptors.
- shm_open(2) and shm_unlink(2) are now implemented as system calls that
manage shared memory file descriptors. The virtual namespace that maps
pathnames to shared memory file descriptors is implemented as a hash
table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash
of the pathname.
- As an extension, the constant 'SHM_ANON' may be specified in place of the
path argument to shm_open(2). In this case, an unnamed shared memory
file descriptor will be created similar to the IPC_PRIVATE key for
shmget(2). Note that the shared memory object can still be shared among
processes by sharing the file descriptor via fork(2) or sendmsg(2), but
it is unnamed. This effectively serves to implement the getmemfd() idea
bandied about the lists several times over the years.
- The backing store for shared memory file descriptors are garbage
collected when they are not referenced by any open file descriptors or
the shm_open(2) virtual namespace.
Submitted by: dillon, peter (previous versions)
Submitted by: rwatson (I based this on his version)
Reviewed by: alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
|
|
|
typedef int (*mpo_posixshm_check_mmap_t)(struct ucred *cred,
|
|
|
|
struct shmfd *shmfd, struct label *shmlabel, int prot,
|
|
|
|
int flags);
|
|
|
|
typedef int (*mpo_posixshm_check_open_t)(struct ucred *cred,
|
|
|
|
struct shmfd *shmfd, struct label *shmlabel);
|
2011-08-16 20:07:47 +00:00
|
|
|
typedef int (*mpo_posixshm_check_setmode_t)(struct ucred *cred,
|
|
|
|
struct shmfd *shmfd, struct label *shmlabel,
|
|
|
|
mode_t mode);
|
|
|
|
typedef int (*mpo_posixshm_check_setowner_t)(struct ucred *cred,
|
|
|
|
struct shmfd *shmfd, struct label *shmlabel,
|
|
|
|
uid_t uid, gid_t gid);
|
Add a new file descriptor type for IPC shared memory objects and use it to
implement shm_open(2) and shm_unlink(2) in the kernel:
- Each shared memory file descriptor is associated with a swap-backed vm
object which provides the backing store. Each descriptor starts off with
a size of zero, but the size can be altered via ftruncate(2). The shared
memory file descriptors also support fstat(2). read(2), write(2),
ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared
memory file descriptors.
- shm_open(2) and shm_unlink(2) are now implemented as system calls that
manage shared memory file descriptors. The virtual namespace that maps
pathnames to shared memory file descriptors is implemented as a hash
table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash
of the pathname.
- As an extension, the constant 'SHM_ANON' may be specified in place of the
path argument to shm_open(2). In this case, an unnamed shared memory
file descriptor will be created similar to the IPC_PRIVATE key for
shmget(2). Note that the shared memory object can still be shared among
processes by sharing the file descriptor via fork(2) or sendmsg(2), but
it is unnamed. This effectively serves to implement the getmemfd() idea
bandied about the lists several times over the years.
- The backing store for shared memory file descriptors are garbage
collected when they are not referenced by any open file descriptors or
the shm_open(2) virtual namespace.
Submitted by: dillon, peter (previous versions)
Submitted by: rwatson (I based this on his version)
Reviewed by: alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
|
|
|
typedef int (*mpo_posixshm_check_stat_t)(struct ucred *active_cred,
|
|
|
|
struct ucred *file_cred, struct shmfd *shmfd,
|
|
|
|
struct label *shmlabel);
|
|
|
|
typedef int (*mpo_posixshm_check_truncate_t)(struct ucred *active_cred,
|
|
|
|
struct ucred *file_cred, struct shmfd *shmfd,
|
|
|
|
struct label *shmlabel);
|
|
|
|
typedef int (*mpo_posixshm_check_unlink_t)(struct ucred *cred,
|
|
|
|
struct shmfd *shmfd, struct label *shmlabel);
|
|
|
|
typedef void (*mpo_posixshm_create_t)(struct ucred *cred,
|
|
|
|
struct shmfd *shmfd, struct label *shmlabel);
|
|
|
|
typedef void (*mpo_posixshm_destroy_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_posixshm_init_label_t)(struct label *label);
|
|
|
|
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
|
|
|
|
typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_proc_check_debug_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct proc *p);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_proc_check_sched_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct proc *p);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_proc_check_signal_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct proc *proc, int signum);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_proc_check_wait_t)(struct ucred *cred,
|
2005-04-18 13:36:57 +00:00
|
|
|
struct proc *proc);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_proc_destroy_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_proc_init_label_t)(struct label *label);
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_accept_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct socket *so, struct label *solabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_bind_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct socket *so, struct label *solabel,
|
|
|
|
struct sockaddr *sa);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_connect_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct socket *so, struct label *solabel,
|
|
|
|
struct sockaddr *sa);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_create_t)(struct ucred *cred, int domain,
|
2005-07-05 22:49:10 +00:00
|
|
|
int type, int protocol);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_deliver_t)(struct socket *so,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct label *solabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_listen_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct socket *so, struct label *solabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_poll_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct socket *so, struct label *solabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_receive_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct socket *so, struct label *solabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_relabel_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct socket *so, struct label *solabel,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *newlabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_send_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct socket *so, struct label *solabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_stat_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct socket *so, struct label *solabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_socket_check_visible_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct socket *so, struct label *solabel);
|
2007-10-25 22:45:25 +00:00
|
|
|
typedef void (*mpo_socket_copy_label_t)(struct label *src,
|
|
|
|
struct label *dest);
|
|
|
|
typedef void (*mpo_socket_create_t)(struct ucred *cred, struct socket *so,
|
|
|
|
struct label *solabel);
|
|
|
|
typedef void (*mpo_socket_create_mbuf_t)(struct socket *so,
|
|
|
|
struct label *solabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
|
|
|
typedef void (*mpo_socket_destroy_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_socket_externalize_label_t)(struct label *label,
|
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
|
|
|
typedef int (*mpo_socket_init_label_t)(struct label *label, int flag);
|
|
|
|
typedef int (*mpo_socket_internalize_label_t)(struct label *label,
|
|
|
|
char *element_name, char *element_data, int *claimed);
|
|
|
|
typedef void (*mpo_socket_newconn_t)(struct socket *oldso,
|
|
|
|
struct label *oldsolabel, struct socket *newso,
|
|
|
|
struct label *newsolabel);
|
|
|
|
typedef void (*mpo_socket_relabel_t)(struct ucred *cred, struct socket *so,
|
|
|
|
struct label *oldlabel, struct label *newlabel);
|
|
|
|
|
|
|
|
typedef void (*mpo_socketpeer_destroy_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_socketpeer_externalize_label_t)(struct label *label,
|
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
|
|
|
typedef int (*mpo_socketpeer_init_label_t)(struct label *label,
|
|
|
|
int flag);
|
|
|
|
typedef void (*mpo_socketpeer_set_from_mbuf_t)(struct mbuf *m,
|
|
|
|
struct label *mlabel, struct socket *so,
|
|
|
|
struct label *sopeerlabel);
|
|
|
|
typedef void (*mpo_socketpeer_set_from_socket_t)(struct socket *oldso,
|
|
|
|
struct label *oldsolabel, struct socket *newso,
|
|
|
|
struct label *newsopeerlabel);
|
|
|
|
|
|
|
|
typedef void (*mpo_syncache_create_t)(struct label *label,
|
|
|
|
struct inpcb *inp);
|
|
|
|
typedef void (*mpo_syncache_create_mbuf_t)(struct label *sc_label,
|
|
|
|
struct mbuf *m, struct label *mlabel);
|
|
|
|
typedef void (*mpo_syncache_destroy_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_syncache_init_label_t)(struct label *label, int flag);
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_system_check_acct_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_system_check_audit_t)(struct ucred *cred, void *record,
|
2007-04-21 22:08:48 +00:00
|
|
|
int length);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_system_check_auditctl_t)(struct ucred *cred,
|
2007-04-21 22:08:48 +00:00
|
|
|
struct vnode *vp, struct label *vplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_system_check_auditon_t)(struct ucred *cred, int cmd);
|
|
|
|
typedef int (*mpo_system_check_reboot_t)(struct ucred *cred, int howto);
|
|
|
|
typedef int (*mpo_system_check_swapon_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_system_check_swapoff_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_system_check_sysctl_t)(struct ucred *cred,
|
2004-02-22 12:31:44 +00:00
|
|
|
struct sysctl_oid *oidp, void *arg1, int arg2,
|
|
|
|
struct sysctl_req *req);
|
2007-10-25 22:45:25 +00:00
|
|
|
|
|
|
|
typedef void (*mpo_sysvmsg_cleanup_t)(struct label *msglabel);
|
|
|
|
typedef void (*mpo_sysvmsg_create_t)(struct ucred *cred,
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqlabel,
|
|
|
|
struct msg *msgptr, struct label *msglabel);
|
|
|
|
typedef void (*mpo_sysvmsg_destroy_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_sysvmsg_init_label_t)(struct label *label);
|
|
|
|
|
|
|
|
typedef int (*mpo_sysvmsq_check_msgmsq_t)(struct ucred *cred,
|
|
|
|
struct msg *msgptr, struct label *msglabel,
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
|
|
|
typedef int (*mpo_sysvmsq_check_msgrcv_t)(struct ucred *cred,
|
|
|
|
struct msg *msgptr, struct label *msglabel);
|
|
|
|
typedef int (*mpo_sysvmsq_check_msgrmid_t)(struct ucred *cred,
|
|
|
|
struct msg *msgptr, struct label *msglabel);
|
|
|
|
typedef int (*mpo_sysvmsq_check_msqget_t)(struct ucred *cred,
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
|
|
|
typedef int (*mpo_sysvmsq_check_msqctl_t)(struct ucred *cred,
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel,
|
|
|
|
int cmd);
|
|
|
|
typedef int (*mpo_sysvmsq_check_msqrcv_t)(struct ucred *cred,
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
|
|
|
typedef int (*mpo_sysvmsq_check_msqsnd_t)(struct ucred *cred,
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
|
|
|
typedef void (*mpo_sysvmsq_cleanup_t)(struct label *msqlabel);
|
|
|
|
typedef void (*mpo_sysvmsq_create_t)(struct ucred *cred,
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqlabel);
|
|
|
|
typedef void (*mpo_sysvmsq_destroy_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_sysvmsq_init_label_t)(struct label *label);
|
|
|
|
|
|
|
|
typedef int (*mpo_sysvsem_check_semctl_t)(struct ucred *cred,
|
|
|
|
struct semid_kernel *semakptr, struct label *semaklabel,
|
|
|
|
int cmd);
|
|
|
|
typedef int (*mpo_sysvsem_check_semget_t)(struct ucred *cred,
|
|
|
|
struct semid_kernel *semakptr, struct label *semaklabel);
|
|
|
|
typedef int (*mpo_sysvsem_check_semop_t)(struct ucred *cred,
|
|
|
|
struct semid_kernel *semakptr, struct label *semaklabel,
|
|
|
|
size_t accesstype);
|
|
|
|
typedef void (*mpo_sysvsem_cleanup_t)(struct label *semalabel);
|
|
|
|
typedef void (*mpo_sysvsem_create_t)(struct ucred *cred,
|
|
|
|
struct semid_kernel *semakptr, struct label *semalabel);
|
|
|
|
typedef void (*mpo_sysvsem_destroy_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_sysvsem_init_label_t)(struct label *label);
|
|
|
|
|
|
|
|
typedef int (*mpo_sysvshm_check_shmat_t)(struct ucred *cred,
|
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
struct label *shmseglabel, int shmflg);
|
|
|
|
typedef int (*mpo_sysvshm_check_shmctl_t)(struct ucred *cred,
|
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
struct label *shmseglabel, int cmd);
|
|
|
|
typedef int (*mpo_sysvshm_check_shmdt_t)(struct ucred *cred,
|
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
struct label *shmseglabel);
|
|
|
|
typedef int (*mpo_sysvshm_check_shmget_t)(struct ucred *cred,
|
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
struct label *shmseglabel, int shmflg);
|
|
|
|
typedef void (*mpo_sysvshm_cleanup_t)(struct label *shmlabel);
|
|
|
|
typedef void (*mpo_sysvshm_create_t)(struct ucred *cred,
|
|
|
|
struct shmid_kernel *shmsegptr, struct label *shmlabel);
|
|
|
|
typedef void (*mpo_sysvshm_destroy_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_sysvshm_init_label_t)(struct label *label);
|
|
|
|
|
|
|
|
typedef void (*mpo_thread_userret_t)(struct thread *thread);
|
|
|
|
|
|
|
|
typedef int (*mpo_vnode_associate_extattr_t)(struct mount *mp,
|
|
|
|
struct label *mplabel, struct vnode *vp,
|
|
|
|
struct label *vplabel);
|
|
|
|
typedef void (*mpo_vnode_associate_singlelabel_t)(struct mount *mp,
|
|
|
|
struct label *mplabel, struct vnode *vp,
|
|
|
|
struct label *vplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_access_t)(struct ucred *cred,
|
2008-10-28 13:44:11 +00:00
|
|
|
struct vnode *vp, struct label *vplabel,
|
|
|
|
accmode_t accmode);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_chdir_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *dvp, struct label *dvplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_chroot_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *dvp, struct label *dvplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_create_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *dvp, struct label *dvplabel,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct componentname *cnp, struct vattr *vap);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_deleteacl_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel,
|
|
|
|
acl_type_t type);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_deleteextattr_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel,
|
|
|
|
int attrnamespace, const char *name);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_exec_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel,
|
2006-04-26 14:18:55 +00:00
|
|
|
struct image_params *imgp, struct label *execlabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_getacl_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel,
|
|
|
|
acl_type_t type);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_getextattr_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel,
|
2009-03-08 12:32:06 +00:00
|
|
|
int attrnamespace, const char *name);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_link_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *dvp, struct label *dvplabel,
|
|
|
|
struct vnode *vp, struct label *vplabel,
|
|
|
|
struct componentname *cnp);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_listextattr_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel,
|
2006-04-26 14:18:55 +00:00
|
|
|
int attrnamespace);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_lookup_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *dvp, struct label *dvplabel,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct componentname *cnp);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_mmap_t)(struct ucred *cred,
|
2006-04-26 14:18:55 +00:00
|
|
|
struct vnode *vp, struct label *label, int prot,
|
|
|
|
int flags);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef void (*mpo_vnode_check_mmap_downgrade_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel, int *prot);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_mprotect_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel, int prot);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_open_t)(struct ucred *cred,
|
2008-10-28 13:44:11 +00:00
|
|
|
struct vnode *vp, struct label *vplabel,
|
|
|
|
accmode_t accmode);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_poll_t)(struct ucred *active_cred,
|
2002-08-19 19:04:53 +00:00
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct label *vplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_read_t)(struct ucred *active_cred,
|
2002-08-19 19:04:53 +00:00
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct label *vplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_readdir_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *dvp, struct label *dvplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_readlink_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_relabel_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *newlabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_rename_from_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *dvp, struct label *dvplabel,
|
|
|
|
struct vnode *vp, struct label *vplabel,
|
2006-04-26 14:18:55 +00:00
|
|
|
struct componentname *cnp);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_rename_to_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *dvp, struct label *dvplabel,
|
|
|
|
struct vnode *vp, struct label *vplabel, int samedir,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct componentname *cnp);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_revoke_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_setacl_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel, acl_type_t type,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct acl *acl);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_setextattr_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel,
|
2009-03-08 12:32:06 +00:00
|
|
|
int attrnamespace, const char *name);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_setflags_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel, u_long flags);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_setmode_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel, mode_t mode);
|
2007-10-24 19:04:04 +00:00
|
|
|
typedef int (*mpo_vnode_check_setowner_t)(struct ucred *cred,
|
2007-04-22 19:55:56 +00:00
|
|
|
struct vnode *vp, struct label *vplabel, uid_t uid,
|
2007-10-25 22:45:25 +00:00
|
|
|
gid_t gid);
|
|
|
|
typedef int (*mpo_vnode_check_setutimes_t)(struct ucred *cred,
|
|
|
|
struct vnode *vp, struct label *vplabel,
|
|
|
|
struct timespec atime, struct timespec mtime);
|
|
|
|
typedef int (*mpo_vnode_check_stat_t)(struct ucred *active_cred,
|
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
|
|
|
struct label *vplabel);
|
|
|
|
typedef int (*mpo_vnode_check_unlink_t)(struct ucred *cred,
|
|
|
|
struct vnode *dvp, struct label *dvplabel,
|
|
|
|
struct vnode *vp, struct label *vplabel,
|
|
|
|
struct componentname *cnp);
|
|
|
|
typedef int (*mpo_vnode_check_write_t)(struct ucred *active_cred,
|
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
|
|
|
struct label *vplabel);
|
|
|
|
typedef void (*mpo_vnode_copy_label_t)(struct label *src,
|
|
|
|
struct label *dest);
|
|
|
|
typedef int (*mpo_vnode_create_extattr_t)(struct ucred *cred,
|
|
|
|
struct mount *mp, struct label *mplabel,
|
|
|
|
struct vnode *dvp, struct label *dvplabel,
|
|
|
|
struct vnode *vp, struct label *vplabel,
|
|
|
|
struct componentname *cnp);
|
|
|
|
typedef void (*mpo_vnode_destroy_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_vnode_execve_transition_t)(struct ucred *old,
|
|
|
|
struct ucred *new, struct vnode *vp,
|
|
|
|
struct label *vplabel, struct label *interpvplabel,
|
|
|
|
struct image_params *imgp, struct label *execlabel);
|
|
|
|
typedef int (*mpo_vnode_execve_will_transition_t)(struct ucred *old,
|
|
|
|
struct vnode *vp, struct label *vplabel,
|
|
|
|
struct label *interpvplabel, struct image_params *imgp,
|
|
|
|
struct label *execlabel);
|
|
|
|
typedef int (*mpo_vnode_externalize_label_t)(struct label *label,
|
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
|
|
|
typedef void (*mpo_vnode_init_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_vnode_internalize_label_t)(struct label *label,
|
|
|
|
char *element_name, char *element_data, int *claimed);
|
|
|
|
typedef void (*mpo_vnode_relabel_t)(struct ucred *cred, struct vnode *vp,
|
|
|
|
struct label *vplabel, struct label *label);
|
|
|
|
typedef int (*mpo_vnode_setlabel_extattr_t)(struct ucred *cred,
|
|
|
|
struct vnode *vp, struct label *vplabel,
|
|
|
|
struct label *intlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
|
2007-10-25 22:45:25 +00:00
|
|
|
struct mac_policy_ops {
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
2007-10-25 22:45:25 +00:00
|
|
|
* Policy module operations.
|
2006-04-26 14:18:55 +00:00
|
|
|
*/
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_destroy_t mpo_destroy;
|
|
|
|
mpo_init_t mpo_init;
|
2006-04-26 14:18:55 +00:00
|
|
|
|
|
|
|
/*
|
2007-10-25 22:45:25 +00:00
|
|
|
* General policy-directed security system call so that policies may
|
|
|
|
* implement new services without reserving explicit system call
|
|
|
|
* numbers.
|
2006-04-26 14:18:55 +00:00
|
|
|
*/
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_syscall_t mpo_syscall;
|
2006-04-26 14:18:55 +00:00
|
|
|
|
|
|
|
/*
|
2007-10-25 22:45:25 +00:00
|
|
|
* Label operations. Initialize label storage, destroy label
|
|
|
|
* storage, recycle for re-use without init/destroy, copy a label to
|
|
|
|
* initialized storage, and externalize/internalize from/to
|
|
|
|
* initialized storage.
|
2006-04-26 14:18:55 +00:00
|
|
|
*/
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_bpfdesc_check_receive_t mpo_bpfdesc_check_receive;
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_bpfdesc_create_t mpo_bpfdesc_create;
|
|
|
|
mpo_bpfdesc_create_mbuf_t mpo_bpfdesc_create_mbuf;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_bpfdesc_destroy_label_t mpo_bpfdesc_destroy_label;
|
|
|
|
mpo_bpfdesc_init_label_t mpo_bpfdesc_init_label;
|
2006-04-26 14:18:55 +00:00
|
|
|
|
2008-10-28 11:33:06 +00:00
|
|
|
mpo_cred_associate_nfsd_t mpo_cred_associate_nfsd;
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_cred_check_relabel_t mpo_cred_check_relabel;
|
2009-03-08 10:58:37 +00:00
|
|
|
mpo_cred_check_setaudit_t mpo_cred_check_setaudit;
|
|
|
|
mpo_cred_check_setaudit_addr_t mpo_cred_check_setaudit_addr;
|
|
|
|
mpo_cred_check_setauid_t mpo_cred_check_setauid;
|
|
|
|
mpo_cred_check_setuid_t mpo_cred_check_setuid;
|
|
|
|
mpo_cred_check_seteuid_t mpo_cred_check_seteuid;
|
|
|
|
mpo_cred_check_setgid_t mpo_cred_check_setgid;
|
|
|
|
mpo_cred_check_setegid_t mpo_cred_check_setegid;
|
|
|
|
mpo_cred_check_setgroups_t mpo_cred_check_setgroups;
|
|
|
|
mpo_cred_check_setreuid_t mpo_cred_check_setreuid;
|
|
|
|
mpo_cred_check_setregid_t mpo_cred_check_setregid;
|
|
|
|
mpo_cred_check_setresuid_t mpo_cred_check_setresuid;
|
|
|
|
mpo_cred_check_setresgid_t mpo_cred_check_setresgid;
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_cred_check_visible_t mpo_cred_check_visible;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_cred_copy_label_t mpo_cred_copy_label;
|
2008-10-28 11:33:06 +00:00
|
|
|
mpo_cred_create_swapper_t mpo_cred_create_swapper;
|
|
|
|
mpo_cred_create_init_t mpo_cred_create_init;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_cred_destroy_label_t mpo_cred_destroy_label;
|
|
|
|
mpo_cred_externalize_label_t mpo_cred_externalize_label;
|
|
|
|
mpo_cred_init_label_t mpo_cred_init_label;
|
|
|
|
mpo_cred_internalize_label_t mpo_cred_internalize_label;
|
|
|
|
mpo_cred_relabel_t mpo_cred_relabel;
|
|
|
|
|
|
|
|
mpo_devfs_create_device_t mpo_devfs_create_device;
|
|
|
|
mpo_devfs_create_directory_t mpo_devfs_create_directory;
|
|
|
|
mpo_devfs_create_symlink_t mpo_devfs_create_symlink;
|
|
|
|
mpo_devfs_destroy_label_t mpo_devfs_destroy_label;
|
|
|
|
mpo_devfs_init_label_t mpo_devfs_init_label;
|
|
|
|
mpo_devfs_update_t mpo_devfs_update;
|
|
|
|
mpo_devfs_vnode_associate_t mpo_devfs_vnode_associate;
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_ifnet_check_relabel_t mpo_ifnet_check_relabel;
|
|
|
|
mpo_ifnet_check_transmit_t mpo_ifnet_check_transmit;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_ifnet_copy_label_t mpo_ifnet_copy_label;
|
|
|
|
mpo_ifnet_create_t mpo_ifnet_create;
|
|
|
|
mpo_ifnet_create_mbuf_t mpo_ifnet_create_mbuf;
|
|
|
|
mpo_ifnet_destroy_label_t mpo_ifnet_destroy_label;
|
|
|
|
mpo_ifnet_externalize_label_t mpo_ifnet_externalize_label;
|
|
|
|
mpo_ifnet_init_label_t mpo_ifnet_init_label;
|
|
|
|
mpo_ifnet_internalize_label_t mpo_ifnet_internalize_label;
|
|
|
|
mpo_ifnet_relabel_t mpo_ifnet_relabel;
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_inpcb_check_deliver_t mpo_inpcb_check_deliver;
|
2008-10-17 12:54:28 +00:00
|
|
|
mpo_inpcb_check_visible_t mpo_inpcb_check_visible;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_inpcb_create_t mpo_inpcb_create;
|
|
|
|
mpo_inpcb_create_mbuf_t mpo_inpcb_create_mbuf;
|
|
|
|
mpo_inpcb_destroy_label_t mpo_inpcb_destroy_label;
|
|
|
|
mpo_inpcb_init_label_t mpo_inpcb_init_label;
|
|
|
|
mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel;
|
|
|
|
|
2008-10-26 22:45:18 +00:00
|
|
|
mpo_ip6q_create_t mpo_ip6q_create;
|
|
|
|
mpo_ip6q_destroy_label_t mpo_ip6q_destroy_label;
|
|
|
|
mpo_ip6q_init_label_t mpo_ip6q_init_label;
|
|
|
|
mpo_ip6q_match_t mpo_ip6q_match;
|
|
|
|
mpo_ip6q_reassemble mpo_ip6q_reassemble;
|
|
|
|
mpo_ip6q_update_t mpo_ip6q_update;
|
|
|
|
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_ipq_create_t mpo_ipq_create;
|
|
|
|
mpo_ipq_destroy_label_t mpo_ipq_destroy_label;
|
|
|
|
mpo_ipq_init_label_t mpo_ipq_init_label;
|
|
|
|
mpo_ipq_match_t mpo_ipq_match;
|
|
|
|
mpo_ipq_reassemble mpo_ipq_reassemble;
|
|
|
|
mpo_ipq_update_t mpo_ipq_update;
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_kenv_check_dump_t mpo_kenv_check_dump;
|
|
|
|
mpo_kenv_check_get_t mpo_kenv_check_get;
|
|
|
|
mpo_kenv_check_set_t mpo_kenv_check_set;
|
|
|
|
mpo_kenv_check_unset_t mpo_kenv_check_unset;
|
2007-10-25 22:45:25 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_kld_check_load_t mpo_kld_check_load;
|
|
|
|
mpo_kld_check_stat_t mpo_kld_check_stat;
|
2007-10-25 22:45:25 +00:00
|
|
|
|
|
|
|
mpo_mbuf_copy_label_t mpo_mbuf_copy_label;
|
|
|
|
mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label;
|
|
|
|
mpo_mbuf_init_label_t mpo_mbuf_init_label;
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_mount_check_stat_t mpo_mount_check_stat;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_mount_create_t mpo_mount_create;
|
|
|
|
mpo_mount_destroy_label_t mpo_mount_destroy_label;
|
|
|
|
mpo_mount_init_label_t mpo_mount_init_label;
|
|
|
|
|
2007-10-28 15:55:23 +00:00
|
|
|
mpo_netatalk_aarp_send_t mpo_netatalk_aarp_send;
|
|
|
|
|
|
|
|
mpo_netinet_arp_send_t mpo_netinet_arp_send;
|
2007-10-28 17:12:48 +00:00
|
|
|
mpo_netinet_firewall_reply_t mpo_netinet_firewall_reply;
|
2007-10-26 13:18:38 +00:00
|
|
|
mpo_netinet_firewall_send_t mpo_netinet_firewall_send;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_netinet_fragment_t mpo_netinet_fragment;
|
|
|
|
mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply;
|
2007-10-28 17:12:48 +00:00
|
|
|
mpo_netinet_icmp_replyinplace_t mpo_netinet_icmp_replyinplace;
|
2007-10-28 15:55:23 +00:00
|
|
|
mpo_netinet_igmp_send_t mpo_netinet_igmp_send;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply;
|
|
|
|
|
2007-10-28 15:55:23 +00:00
|
|
|
mpo_netinet6_nd6_send_t mpo_netinet6_nd6_send;
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_pipe_check_ioctl_t mpo_pipe_check_ioctl;
|
|
|
|
mpo_pipe_check_poll_t mpo_pipe_check_poll;
|
|
|
|
mpo_pipe_check_read_t mpo_pipe_check_read;
|
|
|
|
mpo_pipe_check_relabel_t mpo_pipe_check_relabel;
|
|
|
|
mpo_pipe_check_stat_t mpo_pipe_check_stat;
|
|
|
|
mpo_pipe_check_write_t mpo_pipe_check_write;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_pipe_copy_label_t mpo_pipe_copy_label;
|
|
|
|
mpo_pipe_create_t mpo_pipe_create;
|
|
|
|
mpo_pipe_destroy_label_t mpo_pipe_destroy_label;
|
|
|
|
mpo_pipe_externalize_label_t mpo_pipe_externalize_label;
|
|
|
|
mpo_pipe_init_label_t mpo_pipe_init_label;
|
|
|
|
mpo_pipe_internalize_label_t mpo_pipe_internalize_label;
|
|
|
|
mpo_pipe_relabel_t mpo_pipe_relabel;
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_posixsem_check_getvalue_t mpo_posixsem_check_getvalue;
|
|
|
|
mpo_posixsem_check_open_t mpo_posixsem_check_open;
|
|
|
|
mpo_posixsem_check_post_t mpo_posixsem_check_post;
|
2011-08-16 20:07:47 +00:00
|
|
|
mpo_posixsem_check_setmode_t mpo_posixsem_check_setmode;
|
|
|
|
mpo_posixsem_check_setowner_t mpo_posixsem_check_setowner;
|
Rework the lifetime management of the kernel implementation of POSIX
semaphores. Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec. This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely. It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.
Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
the sem_unlink() operation. Prior to this patch, if a semaphore's name
was removed, valid handles from sem_open() would get EINVAL errors from
sem_getvalue(), sem_post(), etc. This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
process exited or exec'd. They were only cleaned up if the process
did an explicit sem_destroy(). This could result in a leak of semaphore
objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
'struct ksem' of an unnamed semaphore (created via sem_init)) and had
write access to the semaphore based on UID/GID checks, then that other
process could manipulate the semaphore via sem_destroy(), sem_post(),
sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
creating the semaphore was not honored. Thus if your umask denied group
read/write access but the explicit mode in the sem_init() call allowed
it, the semaphore would be readable/writable by other users in the
same group, for example. This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
then it might have deregistered one or more of the semaphore system
calls before it noticed that there was a problem. I'm not sure if
this actually happened as the order that modules are discovered by the
kernel linker depends on how the actual .ko file is linked. One can
make the order deterministic by using a single module with a mod_event
handler that explicitly registers syscalls (and deregisters during
unload after any checks). This also fixes a race where even if the
sem_module unloaded first it would have destroyed locks that the
syscalls might be trying to access if they are still executing when
they are unloaded.
XXX: By the way, deregistering system calls doesn't do any blocking
to drain any threads from the calls.
- Some minor fixes to errno values on error. For example, sem_init()
isn't documented to return ENFILE or EMFILE if we run out of semaphores
the way that sem_open() can. Instead, it should return ENOSPC in that
case.
Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
named semaphores nearly in a similar fashion to the POSIX shared memory
object file descriptors. Kernel semaphores can now also have names
longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
MAC checks for POSIX semaphores accept both a file credential and an
active credential. There is also a new posixsem_check_stat() since it
is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
in src/tools/regression/posixsem.
Reported by: kris (1)
Tested by: kris
Reviewed by: rwatson (lightly)
MFC after: 1 month
2008-06-27 05:39:04 +00:00
|
|
|
mpo_posixsem_check_stat_t mpo_posixsem_check_stat;
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_posixsem_check_unlink_t mpo_posixsem_check_unlink;
|
|
|
|
mpo_posixsem_check_wait_t mpo_posixsem_check_wait;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_posixsem_create_t mpo_posixsem_create;
|
|
|
|
mpo_posixsem_destroy_label_t mpo_posixsem_destroy_label;
|
|
|
|
mpo_posixsem_init_label_t mpo_posixsem_init_label;
|
|
|
|
|
Add a new file descriptor type for IPC shared memory objects and use it to
implement shm_open(2) and shm_unlink(2) in the kernel:
- Each shared memory file descriptor is associated with a swap-backed vm
object which provides the backing store. Each descriptor starts off with
a size of zero, but the size can be altered via ftruncate(2). The shared
memory file descriptors also support fstat(2). read(2), write(2),
ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared
memory file descriptors.
- shm_open(2) and shm_unlink(2) are now implemented as system calls that
manage shared memory file descriptors. The virtual namespace that maps
pathnames to shared memory file descriptors is implemented as a hash
table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash
of the pathname.
- As an extension, the constant 'SHM_ANON' may be specified in place of the
path argument to shm_open(2). In this case, an unnamed shared memory
file descriptor will be created similar to the IPC_PRIVATE key for
shmget(2). Note that the shared memory object can still be shared among
processes by sharing the file descriptor via fork(2) or sendmsg(2), but
it is unnamed. This effectively serves to implement the getmemfd() idea
bandied about the lists several times over the years.
- The backing store for shared memory file descriptors are garbage
collected when they are not referenced by any open file descriptors or
the shm_open(2) virtual namespace.
Submitted by: dillon, peter (previous versions)
Submitted by: rwatson (I based this on his version)
Reviewed by: alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
|
|
|
mpo_posixshm_check_mmap_t mpo_posixshm_check_mmap;
|
|
|
|
mpo_posixshm_check_open_t mpo_posixshm_check_open;
|
2011-08-16 20:07:47 +00:00
|
|
|
mpo_posixshm_check_setmode_t mpo_posixshm_check_setmode;
|
|
|
|
mpo_posixshm_check_setowner_t mpo_posixshm_check_setowner;
|
Add a new file descriptor type for IPC shared memory objects and use it to
implement shm_open(2) and shm_unlink(2) in the kernel:
- Each shared memory file descriptor is associated with a swap-backed vm
object which provides the backing store. Each descriptor starts off with
a size of zero, but the size can be altered via ftruncate(2). The shared
memory file descriptors also support fstat(2). read(2), write(2),
ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared
memory file descriptors.
- shm_open(2) and shm_unlink(2) are now implemented as system calls that
manage shared memory file descriptors. The virtual namespace that maps
pathnames to shared memory file descriptors is implemented as a hash
table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash
of the pathname.
- As an extension, the constant 'SHM_ANON' may be specified in place of the
path argument to shm_open(2). In this case, an unnamed shared memory
file descriptor will be created similar to the IPC_PRIVATE key for
shmget(2). Note that the shared memory object can still be shared among
processes by sharing the file descriptor via fork(2) or sendmsg(2), but
it is unnamed. This effectively serves to implement the getmemfd() idea
bandied about the lists several times over the years.
- The backing store for shared memory file descriptors are garbage
collected when they are not referenced by any open file descriptors or
the shm_open(2) virtual namespace.
Submitted by: dillon, peter (previous versions)
Submitted by: rwatson (I based this on his version)
Reviewed by: alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
|
|
|
mpo_posixshm_check_stat_t mpo_posixshm_check_stat;
|
|
|
|
mpo_posixshm_check_truncate_t mpo_posixshm_check_truncate;
|
|
|
|
mpo_posixshm_check_unlink_t mpo_posixshm_check_unlink;
|
|
|
|
mpo_posixshm_create_t mpo_posixshm_create;
|
|
|
|
mpo_posixshm_destroy_label_t mpo_posixshm_destroy_label;
|
|
|
|
mpo_posixshm_init_label_t mpo_posixshm_init_label;
|
|
|
|
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_priv_check_t mpo_priv_check;
|
|
|
|
mpo_priv_grant_t mpo_priv_grant;
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_proc_check_debug_t mpo_proc_check_debug;
|
|
|
|
mpo_proc_check_sched_t mpo_proc_check_sched;
|
|
|
|
mpo_proc_check_signal_t mpo_proc_check_signal;
|
|
|
|
mpo_proc_check_wait_t mpo_proc_check_wait;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_proc_destroy_label_t mpo_proc_destroy_label;
|
|
|
|
mpo_proc_init_label_t mpo_proc_init_label;
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_socket_check_accept_t mpo_socket_check_accept;
|
|
|
|
mpo_socket_check_bind_t mpo_socket_check_bind;
|
|
|
|
mpo_socket_check_connect_t mpo_socket_check_connect;
|
|
|
|
mpo_socket_check_create_t mpo_socket_check_create;
|
|
|
|
mpo_socket_check_deliver_t mpo_socket_check_deliver;
|
|
|
|
mpo_socket_check_listen_t mpo_socket_check_listen;
|
|
|
|
mpo_socket_check_poll_t mpo_socket_check_poll;
|
|
|
|
mpo_socket_check_receive_t mpo_socket_check_receive;
|
|
|
|
mpo_socket_check_relabel_t mpo_socket_check_relabel;
|
|
|
|
mpo_socket_check_send_t mpo_socket_check_send;
|
|
|
|
mpo_socket_check_stat_t mpo_socket_check_stat;
|
|
|
|
mpo_socket_check_visible_t mpo_socket_check_visible;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_socket_copy_label_t mpo_socket_copy_label;
|
|
|
|
mpo_socket_create_t mpo_socket_create;
|
|
|
|
mpo_socket_create_mbuf_t mpo_socket_create_mbuf;
|
|
|
|
mpo_socket_destroy_label_t mpo_socket_destroy_label;
|
|
|
|
mpo_socket_externalize_label_t mpo_socket_externalize_label;
|
|
|
|
mpo_socket_init_label_t mpo_socket_init_label;
|
|
|
|
mpo_socket_internalize_label_t mpo_socket_internalize_label;
|
|
|
|
mpo_socket_newconn_t mpo_socket_newconn;
|
|
|
|
mpo_socket_relabel_t mpo_socket_relabel;
|
|
|
|
|
|
|
|
mpo_socketpeer_destroy_label_t mpo_socketpeer_destroy_label;
|
|
|
|
mpo_socketpeer_externalize_label_t mpo_socketpeer_externalize_label;
|
|
|
|
mpo_socketpeer_init_label_t mpo_socketpeer_init_label;
|
|
|
|
mpo_socketpeer_set_from_mbuf_t mpo_socketpeer_set_from_mbuf;
|
|
|
|
mpo_socketpeer_set_from_socket_t mpo_socketpeer_set_from_socket;
|
|
|
|
|
|
|
|
mpo_syncache_init_label_t mpo_syncache_init_label;
|
|
|
|
mpo_syncache_destroy_label_t mpo_syncache_destroy_label;
|
|
|
|
mpo_syncache_create_t mpo_syncache_create;
|
|
|
|
mpo_syncache_create_mbuf_t mpo_syncache_create_mbuf;
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_system_check_acct_t mpo_system_check_acct;
|
|
|
|
mpo_system_check_audit_t mpo_system_check_audit;
|
|
|
|
mpo_system_check_auditctl_t mpo_system_check_auditctl;
|
|
|
|
mpo_system_check_auditon_t mpo_system_check_auditon;
|
|
|
|
mpo_system_check_reboot_t mpo_system_check_reboot;
|
|
|
|
mpo_system_check_swapon_t mpo_system_check_swapon;
|
|
|
|
mpo_system_check_swapoff_t mpo_system_check_swapoff;
|
|
|
|
mpo_system_check_sysctl_t mpo_system_check_sysctl;
|
2007-10-25 22:45:25 +00:00
|
|
|
|
|
|
|
mpo_sysvmsg_cleanup_t mpo_sysvmsg_cleanup;
|
|
|
|
mpo_sysvmsg_create_t mpo_sysvmsg_create;
|
|
|
|
mpo_sysvmsg_destroy_label_t mpo_sysvmsg_destroy_label;
|
|
|
|
mpo_sysvmsg_init_label_t mpo_sysvmsg_init_label;
|
|
|
|
|
|
|
|
mpo_sysvmsq_check_msgmsq_t mpo_sysvmsq_check_msgmsq;
|
|
|
|
mpo_sysvmsq_check_msgrcv_t mpo_sysvmsq_check_msgrcv;
|
|
|
|
mpo_sysvmsq_check_msgrmid_t mpo_sysvmsq_check_msgrmid;
|
|
|
|
mpo_sysvmsq_check_msqctl_t mpo_sysvmsq_check_msqctl;
|
|
|
|
mpo_sysvmsq_check_msqget_t mpo_sysvmsq_check_msqget;
|
|
|
|
mpo_sysvmsq_check_msqrcv_t mpo_sysvmsq_check_msqrcv;
|
|
|
|
mpo_sysvmsq_check_msqsnd_t mpo_sysvmsq_check_msqsnd;
|
|
|
|
mpo_sysvmsq_cleanup_t mpo_sysvmsq_cleanup;
|
|
|
|
mpo_sysvmsq_create_t mpo_sysvmsq_create;
|
|
|
|
mpo_sysvmsq_destroy_label_t mpo_sysvmsq_destroy_label;
|
|
|
|
mpo_sysvmsq_init_label_t mpo_sysvmsq_init_label;
|
|
|
|
|
|
|
|
mpo_sysvsem_check_semctl_t mpo_sysvsem_check_semctl;
|
|
|
|
mpo_sysvsem_check_semget_t mpo_sysvsem_check_semget;
|
|
|
|
mpo_sysvsem_check_semop_t mpo_sysvsem_check_semop;
|
|
|
|
mpo_sysvsem_cleanup_t mpo_sysvsem_cleanup;
|
|
|
|
mpo_sysvsem_create_t mpo_sysvsem_create;
|
|
|
|
mpo_sysvsem_destroy_label_t mpo_sysvsem_destroy_label;
|
|
|
|
mpo_sysvsem_init_label_t mpo_sysvsem_init_label;
|
|
|
|
|
|
|
|
mpo_sysvshm_check_shmat_t mpo_sysvshm_check_shmat;
|
|
|
|
mpo_sysvshm_check_shmctl_t mpo_sysvshm_check_shmctl;
|
|
|
|
mpo_sysvshm_check_shmdt_t mpo_sysvshm_check_shmdt;
|
|
|
|
mpo_sysvshm_check_shmget_t mpo_sysvshm_check_shmget;
|
|
|
|
mpo_sysvshm_cleanup_t mpo_sysvshm_cleanup;
|
|
|
|
mpo_sysvshm_create_t mpo_sysvshm_create;
|
|
|
|
mpo_sysvshm_destroy_label_t mpo_sysvshm_destroy_label;
|
|
|
|
mpo_sysvshm_init_label_t mpo_sysvshm_init_label;
|
|
|
|
|
|
|
|
mpo_thread_userret_t mpo_thread_userret;
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
mpo_vnode_check_access_t mpo_vnode_check_access;
|
|
|
|
mpo_vnode_check_chdir_t mpo_vnode_check_chdir;
|
|
|
|
mpo_vnode_check_chroot_t mpo_vnode_check_chroot;
|
|
|
|
mpo_vnode_check_create_t mpo_vnode_check_create;
|
|
|
|
mpo_vnode_check_deleteacl_t mpo_vnode_check_deleteacl;
|
|
|
|
mpo_vnode_check_deleteextattr_t mpo_vnode_check_deleteextattr;
|
|
|
|
mpo_vnode_check_exec_t mpo_vnode_check_exec;
|
|
|
|
mpo_vnode_check_getacl_t mpo_vnode_check_getacl;
|
|
|
|
mpo_vnode_check_getextattr_t mpo_vnode_check_getextattr;
|
|
|
|
mpo_vnode_check_link_t mpo_vnode_check_link;
|
|
|
|
mpo_vnode_check_listextattr_t mpo_vnode_check_listextattr;
|
|
|
|
mpo_vnode_check_lookup_t mpo_vnode_check_lookup;
|
|
|
|
mpo_vnode_check_mmap_t mpo_vnode_check_mmap;
|
|
|
|
mpo_vnode_check_mmap_downgrade_t mpo_vnode_check_mmap_downgrade;
|
|
|
|
mpo_vnode_check_mprotect_t mpo_vnode_check_mprotect;
|
|
|
|
mpo_vnode_check_open_t mpo_vnode_check_open;
|
|
|
|
mpo_vnode_check_poll_t mpo_vnode_check_poll;
|
|
|
|
mpo_vnode_check_read_t mpo_vnode_check_read;
|
|
|
|
mpo_vnode_check_readdir_t mpo_vnode_check_readdir;
|
|
|
|
mpo_vnode_check_readlink_t mpo_vnode_check_readlink;
|
|
|
|
mpo_vnode_check_relabel_t mpo_vnode_check_relabel;
|
|
|
|
mpo_vnode_check_rename_from_t mpo_vnode_check_rename_from;
|
|
|
|
mpo_vnode_check_rename_to_t mpo_vnode_check_rename_to;
|
|
|
|
mpo_vnode_check_revoke_t mpo_vnode_check_revoke;
|
|
|
|
mpo_vnode_check_setacl_t mpo_vnode_check_setacl;
|
|
|
|
mpo_vnode_check_setextattr_t mpo_vnode_check_setextattr;
|
|
|
|
mpo_vnode_check_setflags_t mpo_vnode_check_setflags;
|
|
|
|
mpo_vnode_check_setmode_t mpo_vnode_check_setmode;
|
|
|
|
mpo_vnode_check_setowner_t mpo_vnode_check_setowner;
|
|
|
|
mpo_vnode_check_setutimes_t mpo_vnode_check_setutimes;
|
|
|
|
mpo_vnode_check_stat_t mpo_vnode_check_stat;
|
|
|
|
mpo_vnode_check_unlink_t mpo_vnode_check_unlink;
|
|
|
|
mpo_vnode_check_write_t mpo_vnode_check_write;
|
2007-10-25 22:45:25 +00:00
|
|
|
mpo_vnode_associate_extattr_t mpo_vnode_associate_extattr;
|
|
|
|
mpo_vnode_associate_singlelabel_t mpo_vnode_associate_singlelabel;
|
|
|
|
mpo_vnode_destroy_label_t mpo_vnode_destroy_label;
|
|
|
|
mpo_vnode_copy_label_t mpo_vnode_copy_label;
|
|
|
|
mpo_vnode_create_extattr_t mpo_vnode_create_extattr;
|
|
|
|
mpo_vnode_execve_transition_t mpo_vnode_execve_transition;
|
|
|
|
mpo_vnode_execve_will_transition_t mpo_vnode_execve_will_transition;
|
|
|
|
mpo_vnode_externalize_label_t mpo_vnode_externalize_label;
|
|
|
|
mpo_vnode_init_label_t mpo_vnode_init_label;
|
|
|
|
mpo_vnode_internalize_label_t mpo_vnode_internalize_label;
|
|
|
|
mpo_vnode_relabel_t mpo_vnode_relabel;
|
|
|
|
mpo_vnode_setlabel_extattr_t mpo_vnode_setlabel_extattr;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
};
|
|
|
|
|
2004-10-22 11:29:30 +00:00
|
|
|
/*
|
|
|
|
* struct mac_policy_conf is the registration structure for policies, and is
|
|
|
|
* provided to the MAC Framework using MAC_POLICY_SET() to invoke a SYSINIT
|
|
|
|
* to register the policy. In general, the fields are immutable, with the
|
|
|
|
* exception of the "security field", run-time flags, and policy list entry,
|
|
|
|
* which are managed by the MAC Framework. Be careful when modifying this
|
|
|
|
* structure, as its layout is statically compiled into all policies.
|
|
|
|
*/
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct mac_policy_conf {
|
|
|
|
char *mpc_name; /* policy name */
|
|
|
|
char *mpc_fullname; /* policy full name */
|
|
|
|
struct mac_policy_ops *mpc_ops; /* policy operations */
|
|
|
|
int mpc_loadtime_flags; /* flags */
|
|
|
|
int *mpc_field_off; /* security field */
|
|
|
|
int mpc_runtime_flags; /* flags */
|
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
|
|
|
int _mpc_spare1; /* Spare. */
|
|
|
|
uint64_t _mpc_spare2; /* Spare. */
|
2009-01-10 10:58:41 +00:00
|
|
|
uint64_t _mpc_spare3; /* Spare. */
|
|
|
|
void *_mpc_spare4; /* Spare. */
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Flags for the mpc_loadtime_flags field. */
|
|
|
|
#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
|
|
|
|
#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
|
|
|
|
|
|
|
|
/* Flags for the mpc_runtime_flags field. */
|
|
|
|
#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
|
|
|
|
|
2006-12-28 21:48:38 +00:00
|
|
|
/*-
|
|
|
|
* The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
|
|
|
|
* which defines the ABI of the Framework present in the kernel (and depended
|
|
|
|
* on by policy modules compiled against that kernel). Currently,
|
|
|
|
* MAC_POLICY_SET() requires that the kernel and module ABI version numbers
|
|
|
|
* exactly match. The following major versions have been defined to date:
|
|
|
|
*
|
|
|
|
* MAC version FreeBSD versions
|
|
|
|
* 1 5.x
|
|
|
|
* 2 6.x
|
|
|
|
* 3 7.x
|
2007-10-23 14:12:16 +00:00
|
|
|
* 4 8.x
|
2006-12-28 21:48:38 +00:00
|
|
|
*/
|
2007-10-23 14:12:16 +00:00
|
|
|
#define MAC_VERSION 4
|
2006-12-28 21:48:38 +00:00
|
|
|
|
2009-01-10 10:58:41 +00:00
|
|
|
#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
static struct mac_policy_conf mpname##_mac_policy_conf = { \
|
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
|
|
|
.mpc_name = #mpname, \
|
|
|
|
.mpc_fullname = mpfullname, \
|
|
|
|
.mpc_ops = mpops, \
|
|
|
|
.mpc_loadtime_flags = mpflags, \
|
|
|
|
.mpc_field_off = privdata_wanted, \
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
}; \
|
|
|
|
static moduledata_t mpname##_mod = { \
|
|
|
|
#mpname, \
|
|
|
|
mac_policy_modevent, \
|
|
|
|
&mpname##_mac_policy_conf \
|
|
|
|
}; \
|
2006-12-28 21:48:38 +00:00
|
|
|
MODULE_DEPEND(mpname, kernel_mac_support, MAC_VERSION, \
|
|
|
|
MAC_VERSION, MAC_VERSION); \
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY, \
|
|
|
|
SI_ORDER_MIDDLE)
|
|
|
|
|
|
|
|
int mac_policy_modevent(module_t mod, int type, void *data);
|
|
|
|
|
2006-12-20 23:41:59 +00:00
|
|
|
/*
|
|
|
|
* Policy interface to map a struct label pointer to per-policy data.
|
|
|
|
* Typically, policies wrap this in their own accessor macro that casts a
|
2007-02-06 14:19:25 +00:00
|
|
|
* uintptr_t to a policy-specific data type.
|
2006-12-20 23:41:59 +00:00
|
|
|
*/
|
2007-02-06 14:19:25 +00:00
|
|
|
intptr_t mac_label_get(struct label *l, int slot);
|
|
|
|
void mac_label_set(struct label *l, int slot, intptr_t v);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2008-04-13 21:45:52 +00:00
|
|
|
#endif /* !_SECURITY_MAC_MAC_POLICY_H_ */
|