d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
e9d1d719e0
freebsd-dev/sys/security/mac/mac_internal.h

289 lines
9.7 KiB
C
Raw Normal View History

Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
/*-
Update my personal copyrights and NETA copyrights in the kernel to use the "year1-year3" format, as opposed to "year1, year2, year3". This seems to make lawyers more happy, but also prevents the lines from getting excessively long as the years start to add up. Suggested by: imp
2004-02-22 00:33:12 +00:00
* Copyright (c) 1999-2002 Robert N. M. Watson
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
* Copyright (c) 2001 Ilmar S. Habibulin
Move inet and inet6 related MAC Framework entry points from mac_net.c to a new mac_inet.c. This code is now conditionally compiled based on inet support being compiled into the kernel. Move socket related MAC Framework entry points from mac_net.c to a new mac_socket.c. To do this, some additional _enforce MIB variables are now non-static. In addition, mbuf_to_label() is now mac_mbuf_to_label() and non-static. Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
2004-02-26 03:51:04 +00:00
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
* TrustedBSD Project.
*
License clarification and wording changes: NAI has approved removal of clause three, and NAI Labs now goes by the name Network Associates Laboratories.
2002-11-04 01:42:39 +00:00
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
*
* $FreeBSD$
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
*/
Use __FBSDID().
2003-06-11 00:56:59 +00:00
Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC userland code to operate on kernel's from the main tree. Not much in this file yet. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
/*
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
* MAC Framework sysctl namespace.
Declare a module service "kernel_mac_support" when MAC support is enabled and the kernel provides the MAC registration and entry point service. Declare a dependency on that module service for any MAC module registered using mac_policy.h. For now, hard code the version as 1, but once we've come up with a versioning policy, we'll move to a #define of some sort. In the mean time, this will prevent loading a MAC module when 'options MAC' isn't present, which (due to a bug in the kernel linker) can result if the MAC module is preloaded via loader.conf. This particular evil recommended by: peter Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI LAbs
2002-08-12 02:00:21 +00:00
*/
Reduced prequisites by only using MALLOC_DECLARE() if it is defined. This fixes a dependency of mac_label.c on namespace pollution in <vm/uma.h>. Similarly for SYSCTL_DECL() although I had no problems with it. This probably makes some includes of <sys/sysctl.h> bogus.
2003-11-14 21:18:04 +00:00
#ifdef SYSCTL_DECL
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
SYSCTL_DECL(_security);
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
SYSCTL_DECL(_security_mac);
#ifdef MAC_DEBUG
SYSCTL_DECL(_security_mac_debug);
SYSCTL_DECL(_security_mac_debug_counters);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
#endif
Reduced prequisites by only using MALLOC_DECLARE() if it is defined. This fixes a dependency of mac_label.c on namespace pollution in <vm/uma.h>. Similarly for SYSCTL_DECL() although I had no problems with it. This probably makes some includes of <sys/sysctl.h> bogus.
2003-11-14 21:18:04 +00:00
#endif /* SYSCTL_DECL */
If MAC_MAX_POLICIES isn't defined, don't try to define it, just let the compile fail. MAC_MAX_POLICIES should always be defined, or we have bigger problems at hand. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-20 03:41:09 +00:00
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
/*
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
* MAC Framework global types and typedefs.
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
*/
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
LIST_HEAD(mac_policy_list_head, mac_policy_conf);
Reduced prequisites by only using MALLOC_DECLARE() if it is defined. This fixes a dependency of mac_label.c on namespace pollution in <vm/uma.h>. Similarly for SYSCTL_DECL() although I had no problems with it. This probably makes some includes of <sys/sysctl.h> bogus.
2003-11-14 21:18:04 +00:00
#ifdef MALLOC_DECLARE
Sort type declarations together. Remove an excess carriage return. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-25 03:50:44 +00:00
MALLOC_DECLARE(M_MACTEMP);
Reduced prequisites by only using MALLOC_DECLARE() if it is defined. This fixes a dependency of mac_label.c on namespace pollution in <vm/uma.h>. Similarly for SYSCTL_DECL() although I had no problems with it. This probably makes some includes of <sys/sysctl.h> bogus.
2003-11-14 21:18:04 +00:00
#endif
Slightly change the semantics of vnode labels for MAC: rather than "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
/*
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
* MAC Framework global variables.
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
*/
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
extern struct mac_policy_list_head mac_policy_list;
extern struct mac_policy_list_head mac_static_policy_list;
extern int mac_late;
Move inet and inet6 related MAC Framework entry points from mac_net.c to a new mac_inet.c. This code is now conditionally compiled based on inet support being compiled into the kernel. Move socket related MAC Framework entry points from mac_net.c to a new mac_socket.c. To do this, some additional _enforce MIB variables are now non-static. In addition, mbuf_to_label() is now mac_mbuf_to_label() and non-static. Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
2004-02-26 03:51:04 +00:00
extern int mac_enforce_network;
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
extern int mac_enforce_process;
Move inet and inet6 related MAC Framework entry points from mac_net.c to a new mac_inet.c. This code is now conditionally compiled based on inet support being compiled into the kernel. Move socket related MAC Framework entry points from mac_net.c to a new mac_socket.c. To do this, some additional _enforce MIB variables are now non-static. In addition, mbuf_to_label() is now mac_mbuf_to_label() and non-static. Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
2004-02-26 03:51:04 +00:00
extern int mac_enforce_socket;
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
extern int mac_enforce_sysv;
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
extern int mac_enforce_vm;
Attempt to simplify #ifdef logic for MAC_ALWAYS_LABEL_MBUF. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-08-01 15:45:14 +00:00
#ifndef MAC_ALWAYS_LABEL_MBUF
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
extern int mac_labelmbufs;
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure, returning some additional room in the first mbuf in a chain, and avoiding feature-specific contents in the mbuf header. To do this: - Modify mbuf_to_label() to extract the tag, returning NULL if not found. - Introduce mac_init_mbuf_tag() which does most of the work mac_init_mbuf() used to do, except on an m_tag rather than an mbuf. - Scale back mac_init_mbuf() to perform m_tag allocation and invoke mac_init_mbuf_tag(). - Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since m_tag's are now GC'd deep in the m_tag/mbuf code rather than at a higher level when mbufs are directly free()'d. - Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related notions. - Generally change all references to mbuf labels so that they use mbuf_to_label() rather than &mbuf->m_pkthdr.label. This required no changes in the MAC policies (yay!). - Tweak mbuf release routines to not call mac_destroy_mbuf(), tag destruction takes care of it for us now. - Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() -- the existing m_tag support does all this for us. Note that we can no longer just zero the m_tag list on the target mbuf, rather, we have to delete the chain because m_tag's will already be hung off freshly allocated mbuf's. - Tweak m_tag copying routines so that if we're copying a MAC m_tag, we don't do a binary copy, rather, we initialize the new storage and do a deep copy of the label. - Remove use of MAC_FLAG_INITIALIZED in a few bizarre places having to do with mbuf header copies previously. - When an mbuf is copied in ip_input(), we no longer need to explicitly copy the label because it will get handled by the m_tag code now. - No longer any weird handling of MAC labels in if_loop.c during header copies. - Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test. In mac_test, handle the label==NULL case, since it can be dynamically loaded. In order to improve performance with this change, introduce the notion of "lazy MAC label allocation" -- only allocate m_tag storage for MAC labels if we're running with a policy that uses MAC labels on mbufs. Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS flag in their load-time flags field during declaration. Note: this opens up the possibility of post-boot policy modules getting back NULL slot entries even though they have policy invariants of non-NULL slot entries, as the policy might have been loaded after the mbuf was allocated, leaving the mbuf without label storage. Policies that cannot handle this case must be declared as NOTLATE, or must be modified. - mac_labelmbufs holds the current cumulative status as to whether any policies require mbuf labeling or not. This is updated whenever the active policy set changes by the function mac_policy_updateflags(). The function iterates the list and checks whether any have the flag set. Write access to this variable is protected by the policy list; read access is currently not protected for performance reasons. This might change if it causes problems. - Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update function to assert appropriate locks. - This makes allocation in mac_init_mbuf() conditional on the flag. Reviewed by: sam Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
#endif
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
/*
* MAC Framework object/access counter primitives, conditionally
* compiled.
*/
Wrap maintenance of varios nmac{objectname} counters in MAC_DEBUG so we can avoid the cost of a large number of atomic operations if we're not interested in the object count statistics. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-08-16 14:21:38 +00:00
#ifdef MAC_DEBUG
Remove about 40 lines of #ifdef/#endif by using new macros MAC_DEBUG_COUNTER_INC() and MAC_DEBUG_COUNTER_DEC() to maintain debugging counter values rather than #ifdef'ing the atomic operations to MAC_DEBUG. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-08-20 19:16:49 +00:00
#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int(x, 1);
#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int(x, 1);
#else
#define MAC_DEBUG_COUNTER_INC(x)
#define MAC_DEBUG_COUNTER_DEC(x)
Wrap maintenance of varios nmac{objectname} counters in MAC_DEBUG so we can avoid the cost of a large number of atomic operations if we're not interested in the object count statistics. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-08-16 14:21:38 +00:00
#endif
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
/*
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
* MAC Framework infrastructure functions.
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
*/
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
int mac_error_select(int error1, int error2);
void mac_policy_grab_exclusive(void);
void mac_policy_assert_exclusive(void);
void mac_policy_release_exclusive(void);
void mac_policy_list_busy(void);
int mac_policy_list_conditional_busy(void);
void mac_policy_list_unbusy(void);
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
struct label *mac_labelzone_alloc(int flags);
void mac_labelzone_free(struct label *label);
void mac_labelzone_init(void);
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
void mac_init_label(struct label *label);
void mac_destroy_label(struct label *label);
int mac_check_structmac_consistent(struct mac *mac);
int mac_allocate_slot(void);
Trim trailing whitespace.
2003-11-07 04:48:24 +00:00
/*
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
* MAC Framework per-object type functions. It's not yet clear how
* the namespaces, etc, should work for these, so for now, sort by
* object type.
Introduce a condition variable to avoid returning EBUSY when the MAC policy list is busy during a load or unload attempt. We assert no locks held during the cv wait, meaning we should be fairly deadlock-safe. Because of the cv model and busy count, it's possible for a cv waiter waiting for exclusive access to the policy list to be starved by active and long-lived access control/labeling events. For now, we accept that as a necessary tradeoff. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-11-13 15:47:09 +00:00
*/
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
struct label *mac_pipe_label_alloc(void);
void mac_pipe_label_free(struct label *label);
Implement sockets support for __mac_get_fd() and __mac_set_fd() system calls, and prefer these calls over getsockopt()/setsockopt() for ABI reasons. When addressing UNIX domain sockets, these calls retrieve and modify the socket label, not the label of the rendezvous vnode. - Create mac_copy_socket_label() entry point based on mac_copy_pipe_label() entry point, intended to copy the socket label into temporary storage that doesn't require a socket lock to be held (currently Giant). - Implement mac_copy_socket_label() for various policies. - Expose socket label allocation, free, internalize, externalize entry points as non-static from mac_net.c. - Use mac_socket_label_set() in __mac_set_fd(). MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and mac_get_peer() to retrieve and set various socket labels without directly invoking the getsockopt() interface. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-16 23:31:45 +00:00
struct label *mac_socket_label_alloc(int flag);
void mac_socket_label_free(struct label *label);
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
int mac_externalize_cred_label(struct label *label, char *elements,
Remove the flags argument from mac_externalize_*_label(), as it's not passed into policies or used internally to the MAC Framework. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-06 03:42:43 +00:00
char *outbuf, size_t outbuflen);
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
int mac_internalize_cred_label(struct label *label, char *string);
void mac_relabel_cred(struct ucred *cred, struct label *newlabel);
Move inet and inet6 related MAC Framework entry points from mac_net.c to a new mac_inet.c. This code is now conditionally compiled based on inet support being compiled into the kernel. Move socket related MAC Framework entry points from mac_net.c to a new mac_socket.c. To do this, some additional _enforce MIB variables are now non-static. In addition, mbuf_to_label() is now mac_mbuf_to_label() and non-static. Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
2004-02-26 03:51:04 +00:00
struct label *mac_mbuf_to_label(struct mbuf *m);
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
void mac_copy_pipe_label(struct label *src, struct label *dest);
int mac_externalize_pipe_label(struct label *label, char *elements,
Remove the flags argument from mac_externalize_*_label(), as it's not passed into policies or used internally to the MAC Framework. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-06 03:42:43 +00:00
char *outbuf, size_t outbuflen);
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
int mac_internalize_pipe_label(struct label *label, char *string);
Abstract the label checking and setting logic from mac_setsockopt_label() into mac_socket_label_set(); make it non-static so that it can be invoked from kern_mac.c for mac_set_fd(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-16 20:01:50 +00:00
int mac_socket_label_set(struct ucred *cred, struct socket *so,
struct label *label);
Implement sockets support for __mac_get_fd() and __mac_set_fd() system calls, and prefer these calls over getsockopt()/setsockopt() for ABI reasons. When addressing UNIX domain sockets, these calls retrieve and modify the socket label, not the label of the rendezvous vnode. - Create mac_copy_socket_label() entry point based on mac_copy_pipe_label() entry point, intended to copy the socket label into temporary storage that doesn't require a socket lock to be held (currently Giant). - Implement mac_copy_socket_label() for various policies. - Expose socket label allocation, free, internalize, externalize entry points as non-static from mac_net.c. - Use mac_socket_label_set() in __mac_set_fd(). MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and mac_get_peer() to retrieve and set various socket labels without directly invoking the getsockopt() interface. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-16 23:31:45 +00:00
void mac_copy_socket_label(struct label *src, struct label *dest);
int mac_externalize_socket_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
int mac_internalize_socket_label(struct label *label, char *string);
Abstract the label checking and setting logic from mac_setsockopt_label() into mac_socket_label_set(); make it non-static so that it can be invoked from kern_mac.c for mac_set_fd(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-16 20:01:50 +00:00
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
int mac_externalize_vnode_label(struct label *label, char *elements,
Remove the flags argument from mac_externalize_*_label(), as it's not passed into policies or used internally to the MAC Framework. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-11-06 03:42:43 +00:00
char *outbuf, size_t outbuflen);
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
int mac_internalize_vnode_label(struct label *label, char *string);
void mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
int *prot);
int vn_setlabel(struct vnode *vp, struct label *intlabel,
struct ucred *cred);
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
/*
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
* MAC_CHECK performs the designated check by walking the policy module
* list and checking with each as to how it feels about the request.
* Note that it returns its value via 'error' in the scope of the caller.
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
*/
#define MAC_CHECK(check, args...) do { \
struct mac_policy_conf *mpc; \
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
int entrycount; \
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
\
error = 0; \
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
if (mpc->mpc_ops->mpo_ ## check != NULL) \
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
error = mac_error_select( \
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
mpc->mpc_ops->mpo_ ## check (args), \
error); \
} \
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \
LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
if (mpc->mpc_ops->mpo_ ## check != NULL) \
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
error = mac_error_select( \
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
mpc->mpc_ops->mpo_ ## check (args), \
error); \
} \
mac_policy_list_unbusy(); \
} \
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
} while (0)
/*
* MAC_BOOLEAN performs the designated boolean composition by walking
* the module list, invoking each instance of the operation, and
* combining the results using the passed C operator. Note that it
* returns its value via 'result' in the scope of the caller, which
* should be initialized by the caller in a meaningful way to get
* a meaningful result.
*/
#define MAC_BOOLEAN(operation, composition, args...) do { \
struct mac_policy_conf *mpc; \
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
int entrycount; \
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
\
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
result = result composition \
mpc->mpc_ops->mpo_ ## operation (args); \
} \
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \
LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
result = result composition \
mpc->mpc_ops->mpo_ ## operation \
(args); \
} \
mac_policy_list_unbusy(); \
} \
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
} while (0)
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
#define MAC_EXTERNALIZE(type, label, elementlist, outbuf, \
outbuflen) do { \
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
int claimed, first, ignorenotfound, savedlen; \
char *element_name, *element_temp; \
struct sbuf sb; \
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
\
error = 0; \
first = 1; \
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
sbuf_new(&sb, outbuf, outbuflen, SBUF_FIXEDLEN); \
element_temp = elementlist; \
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
while ((element_name = strsep(&element_temp, ",")) != NULL) { \
if (element_name[0] == '?') { \
element_name++; \
ignorenotfound = 1; \
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
} else \
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
ignorenotfound = 0; \
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
savedlen = sbuf_len(&sb); \
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
if (first) \
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
error = sbuf_printf(&sb, "%s/", element_name); \
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
else \
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
error = sbuf_printf(&sb, ",%s/", element_name); \
if (error == -1) { \
error = EINVAL; /* XXX: E2BIG? */ \
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
break; \
} \
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
claimed = 0; \
Make MAC_EXTERNALIZE() and MAC_INTERNALIZE() simply take the object type, rather than "object_label" as the first argument. This reduces complexity a little for the consumer, and also makes it easier for use to rename the underlying entry points in struct mac_policy_obj. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-25 15:28:20 +00:00
MAC_CHECK(externalize_ ## type ## _label, label, \
element_name, &sb, &claimed); \
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
if (error) \
break; \
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
if (claimed == 0 && ignorenotfound) { \
/* Revert last label name. */ \
sbuf_setpos(&sb, savedlen); \
} else if (claimed != 1) { \
error = EINVAL; /* XXX: ENOLABEL? */ \
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
break; \
The following shared types/constants/interfaces/... are required in mac_internal.h: Sysctl tree declarations. Policy list structure definition. Policy list variables (static, dynamic). mac_late flag. Enforcement flags for process, vm, which have checks in multiple files. mac_labelmbufs variable to drive conditional mbuf labeling. M_MACTEMP malloc type. Debugging counter macros. MAC Framework infrastructure primitives, including policy locking primitives, kernel label initialization/destruction, userland label consistency checks, policy slot allocation. Per-object interfaces for objects that are internalized and externalized using system calls that will remain centrally defined: credentials, pipes, vnodes. MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE, MAC_INTERNALIZE, MAC_PERFORM. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
} else { \
first = 0; \
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
} \
} \
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
sbuf_finish(&sb); \
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
} while (0)
#define MAC_INTERNALIZE(type, label, instring) do { \
char *element, *element_name, *element_data; \
int claimed; \
\
error = 0; \
element = instring; \
while ((element_name = strsep(&element, ",")) != NULL) { \
element_data = element_name; \
element_name = strsep(&element_data, "/"); \
if (element_data == NULL) { \
error = EINVAL; \
break; \
} \
claimed = 0; \
Make MAC_EXTERNALIZE() and MAC_INTERNALIZE() simply take the object type, rather than "object_label" as the first argument. This reduces complexity a little for the consumer, and also makes it easier for use to rename the underlying entry points in struct mac_policy_obj. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-10-25 15:28:20 +00:00
MAC_CHECK(internalize_ ## type ## _label, label, \
element_name, element_data, &claimed); \
Support the new MAC user API in kernel: modify existing system calls to use a modified notion of 'struct mac', and flesh out the new variation system calls (almost identical to existing ones except that they permit a pid to be specified for process label retrieval, and don't follow symlinks). This generalizes the label API so that the framework is now almost entirely policy-agnostic. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
if (error) \
break; \
if (claimed != 1) { \
/* XXXMAC: Another error here? */ \
error = EINVAL; \
break; \
} \
} \
} while (0)
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
/*
* MAC_PERFORM performs the designated operation by walking the policy
* module list and invoking that operation for each policy.
*/
#define MAC_PERFORM(operation, args...) do { \
struct mac_policy_conf *mpc; \
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
int entrycount; \
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
\
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
mpc->mpc_ops->mpo_ ## operation (args); \
} \
Clean up locking for the MAC Framework: (1) Accept that we're now going to use mutexes, so don't attempt to avoid treating them as mutexes. This cleans up locking accessor function names some. (2) Rename variables to _mtx, _cv, _count, simplifying the naming. (3) Add a new form of the _busy() primitive that conditionally makes the list busy: if there are entries on the list, bump the busy count. If there are no entries, don't bump the busy count. Return a boolean indicating whether or not the busy count was bumped. (4) Break mac_policy_list into two lists: one with the same name holding dynamic policies, and a new list, mac_static_policy_list, which holds policies loaded before mac_late and without the unload flag set. The static list may be accessed without holding the busy count, since it can't change at run-time. (5) In general, prefer making the list busy conditionally, meaning we pay only one mutex lock per entry point if all modules are on the static list, rather than two (since we don't have to lower the busy count when we're done with the framework). For systems running just Biba or MLS, this will halve the mutex accesses in the network stack, and may offer a substantial performance benefits. (6) Lay the groundwork for a dynamic-free kernel option which eliminates all locking associated with dynamically loaded or unloaded policies, for pre-configured systems requiring maximum performance but less run-time flexibility. These changes have been running for a few weeks on MAC development branch systems. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \
LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
mpc->mpc_ops->mpo_ ## operation (args); \
} \
mac_policy_list_unbusy(); \
} \
Begin committing support for Mandatory Access Control and extensible kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the oeprating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. kern_mac.c contains the body of the MAC framework. Kernel and user APIs defined in mac.h are implemented here, providing a front end to loaded security modules. This code implements a module registration service, state (label) management, security configuration and policy composition. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
} while (0)
Reference in New Issue Copy Permalink