Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
/*-
|
2004-02-22 00:33:12 +00:00
|
|
|
* Copyright (c) 1999-2002 Robert N. M. Watson
|
2005-04-16 18:46:29 +00:00
|
|
|
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
|
2005-07-05 22:49:10 +00:00
|
|
|
* Copyright (c) 2005 SPARTA, Inc.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
* All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* This software was developed by Robert Watson for the TrustedBSD Project.
|
|
|
|
|
*
|
2002-11-04 01:42:39 +00:00
|
|
|
* This software was developed for the FreeBSD Project in part by Network
|
|
|
|
|
* Associates Laboratories, the Security Research Division of Network
|
|
|
|
|
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
|
|
|
|
|
* as part of the DARPA CHATS research program.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
|
*
|
|
|
|
|
* $FreeBSD$
|
|
|
|
|
*/
|
|
|
|
|
/*
|
|
|
|
|
* Kernel interface for MAC policy modules.
|
|
|
|
|
*/
|
2004-05-10 18:38:07 +00:00
|
|
|
#ifndef _SYS_MAC_POLICY_H_
|
|
|
|
|
#define _SYS_MAC_POLICY_H_
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
|
|
|
|
/*-
|
|
|
|
|
* Pluggable access control policy definition structure.
|
|
|
|
|
*
|
|
|
|
|
* List of operations that are performed as part of the implementation
|
|
|
|
|
* of a MAC policy. Policy implementors declare operations with a
|
|
|
|
|
* mac_policy_ops structure, and using the MAC_POLICY_SET() macro.
|
|
|
|
|
* If an entry point is not declared, then then the policy will be ignored
|
|
|
|
|
* during evaluation of that event or check.
|
|
|
|
|
*
|
|
|
|
|
* Operations are sorted first by general class of operation, then
|
|
|
|
|
* alphabetically.
|
|
|
|
|
*/
|
2003-06-22 16:36:00 +00:00
|
|
|
struct acl;
|
2004-02-26 16:15:14 +00:00
|
|
|
struct bpf_d;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct componentname;
|
|
|
|
|
struct devfs_dirent;
|
2004-02-26 16:15:14 +00:00
|
|
|
struct ifnet;
|
|
|
|
|
struct image_params;
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
struct inpcb;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct ipq;
|
2005-05-04 10:39:15 +00:00
|
|
|
struct ksem;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct label;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct mac_policy_conf;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct mbuf;
|
|
|
|
|
struct mount;
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msqid_kernel;
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
struct pipepair;
|
2004-02-26 20:44:50 +00:00
|
|
|
struct proc;
|
2003-06-23 01:26:34 +00:00
|
|
|
struct sbuf;
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct semid_kernel;
|
|
|
|
|
struct shmid_kernel;
|
2004-02-26 20:44:50 +00:00
|
|
|
struct sockaddr;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct socket;
|
2004-02-22 12:31:44 +00:00
|
|
|
struct sysctl_oid;
|
|
|
|
|
struct sysctl_req;
|
2004-02-26 20:44:50 +00:00
|
|
|
struct thread;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct ucred;
|
|
|
|
|
struct uio;
|
2004-02-26 16:15:14 +00:00
|
|
|
struct vattr;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct vnode;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct mac_policy_ops {
|
|
|
|
|
/*
|
|
|
|
|
* Policy module operations.
|
|
|
|
|
*/
|
|
|
|
|
void (*mpo_destroy)(struct mac_policy_conf *mpc);
|
|
|
|
|
void (*mpo_init)(struct mac_policy_conf *mpc);
|
|
|
|
|
|
2002-08-19 17:59:48 +00:00
|
|
|
/*
|
2004-10-22 11:29:30 +00:00
|
|
|
* General policy-directed security system call so that policies may
|
|
|
|
|
* implement new services without reserving explicit system call
|
|
|
|
|
* numbers.
|
2002-08-19 17:59:48 +00:00
|
|
|
*/
|
|
|
|
|
int (*mpo_syscall)(struct thread *td, int call, void *arg);
|
|
|
|
|
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
/*
|
2004-10-22 11:29:30 +00:00
|
|
|
* Label operations. Initialize label storage, destroy label
|
|
|
|
|
* storage, recycle for re-use without init/destroy, copy a label to
|
|
|
|
|
* initialized storage, and externalize/internalize from/to
|
|
|
|
|
* initialized storage.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
*/
|
Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
entry points to mpo_init_foo_label(label) and
mpo_destroy_foo_label(label). This will permit the use of the same
entry points for holding temporary type-specific label during
internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
mpo_{init,destroy}_mount() into seperate entry points for socket
main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
all entry points, implement these entry points using common
implementations for Biba, MLS, and Test, reducing the number of
almost identical looking functions.
This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 15:10:00 +00:00
|
|
|
void (*mpo_init_bpfdesc_label)(struct label *label);
|
|
|
|
|
void (*mpo_init_cred_label)(struct label *label);
|
|
|
|
|
void (*mpo_init_devfsdirent_label)(struct label *label);
|
|
|
|
|
void (*mpo_init_ifnet_label)(struct label *label);
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
int (*mpo_init_inpcb_label)(struct label *label, int flag);
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
void (*mpo_init_sysv_msgmsg_label)(struct label *label);
|
|
|
|
|
void (*mpo_init_sysv_msgqueue_label)(struct label *label);
|
2005-06-07 05:03:28 +00:00
|
|
|
void (*mpo_init_sysv_sem_label)(struct label *label);
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
void (*mpo_init_sysv_shm_label)(struct label *label);
|
2003-03-26 15:12:03 +00:00
|
|
|
int (*mpo_init_ipq_label)(struct label *label, int flag);
|
Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
entry points to mpo_init_foo_label(label) and
mpo_destroy_foo_label(label). This will permit the use of the same
entry points for holding temporary type-specific label during
internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
mpo_{init,destroy}_mount() into seperate entry points for socket
main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
all entry points, implement these entry points using common
implementations for Biba, MLS, and Test, reducing the number of
almost identical looking functions.
This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 15:10:00 +00:00
|
|
|
int (*mpo_init_mbuf_label)(struct label *label, int flag);
|
|
|
|
|
void (*mpo_init_mount_label)(struct label *label);
|
|
|
|
|
void (*mpo_init_mount_fs_label)(struct label *label);
|
2002-10-05 21:23:47 +00:00
|
|
|
int (*mpo_init_socket_label)(struct label *label, int flag);
|
|
|
|
|
int (*mpo_init_socket_peer_label)(struct label *label, int flag);
|
Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
entry points to mpo_init_foo_label(label) and
mpo_destroy_foo_label(label). This will permit the use of the same
entry points for holding temporary type-specific label during
internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
mpo_{init,destroy}_mount() into seperate entry points for socket
main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
all entry points, implement these entry points using common
implementations for Biba, MLS, and Test, reducing the number of
almost identical looking functions.
This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 15:10:00 +00:00
|
|
|
void (*mpo_init_pipe_label)(struct label *label);
|
2005-05-04 10:39:15 +00:00
|
|
|
void (*mpo_init_posix_sem_label)(struct label *label);
|
2002-11-20 15:41:25 +00:00
|
|
|
void (*mpo_init_proc_label)(struct label *label);
|
Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
entry points to mpo_init_foo_label(label) and
mpo_destroy_foo_label(label). This will permit the use of the same
entry points for holding temporary type-specific label during
internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
mpo_{init,destroy}_mount() into seperate entry points for socket
main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
all entry points, implement these entry points using common
implementations for Biba, MLS, and Test, reducing the number of
almost identical looking functions.
This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 15:10:00 +00:00
|
|
|
void (*mpo_init_vnode_label)(struct label *label);
|
|
|
|
|
void (*mpo_destroy_bpfdesc_label)(struct label *label);
|
|
|
|
|
void (*mpo_destroy_cred_label)(struct label *label);
|
|
|
|
|
void (*mpo_destroy_devfsdirent_label)(struct label *label);
|
|
|
|
|
void (*mpo_destroy_ifnet_label)(struct label *label);
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
void (*mpo_destroy_inpcb_label)(struct label *label);
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
void (*mpo_destroy_sysv_msgmsg_label)(struct label *label);
|
|
|
|
|
void (*mpo_destroy_sysv_msgqueue_label)(struct label *label);
|
2005-06-07 05:03:28 +00:00
|
|
|
void (*mpo_destroy_sysv_sem_label)(struct label *label);
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
void (*mpo_destroy_sysv_shm_label)(struct label *label);
|
Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
entry points to mpo_init_foo_label(label) and
mpo_destroy_foo_label(label). This will permit the use of the same
entry points for holding temporary type-specific label during
internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
mpo_{init,destroy}_mount() into seperate entry points for socket
main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
all entry points, implement these entry points using common
implementations for Biba, MLS, and Test, reducing the number of
almost identical looking functions.
This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 15:10:00 +00:00
|
|
|
void (*mpo_destroy_ipq_label)(struct label *label);
|
|
|
|
|
void (*mpo_destroy_mbuf_label)(struct label *label);
|
|
|
|
|
void (*mpo_destroy_mount_label)(struct label *label);
|
|
|
|
|
void (*mpo_destroy_mount_fs_label)(struct label *label);
|
|
|
|
|
void (*mpo_destroy_socket_label)(struct label *label);
|
|
|
|
|
void (*mpo_destroy_socket_peer_label)(struct label *label);
|
|
|
|
|
void (*mpo_destroy_pipe_label)(struct label *label);
|
2005-05-04 10:39:15 +00:00
|
|
|
void (*mpo_destroy_posix_sem_label)(struct label *label);
|
2002-11-20 15:41:25 +00:00
|
|
|
void (*mpo_destroy_proc_label)(struct label *label);
|
Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
entry points to mpo_init_foo_label(label) and
mpo_destroy_foo_label(label). This will permit the use of the same
entry points for holding temporary type-specific label during
internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
mpo_{init,destroy}_mount() into seperate entry points for socket
main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
all entry points, implement these entry points using common
implementations for Biba, MLS, and Test, reducing the number of
almost identical looking functions.
This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-05 15:10:00 +00:00
|
|
|
void (*mpo_destroy_vnode_label)(struct label *label);
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
void (*mpo_cleanup_sysv_msgmsg)(struct label *msglabel);
|
|
|
|
|
void (*mpo_cleanup_sysv_msgqueue)(struct label *msqlabel);
|
2005-06-07 05:03:28 +00:00
|
|
|
void (*mpo_cleanup_sysv_sem)(struct label *semalabel);
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
void (*mpo_cleanup_sysv_shm)(struct label *shmlabel);
|
2003-12-06 21:48:03 +00:00
|
|
|
void (*mpo_copy_cred_label)(struct label *src,
|
|
|
|
|
struct label *dest);
|
2004-06-24 03:34:46 +00:00
|
|
|
void (*mpo_copy_ifnet_label)(struct label *src,
|
|
|
|
|
struct label *dest);
|
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header. To do this:
- Modify mbuf_to_label() to extract the tag, returning NULL if not
found.
- Introduce mac_init_mbuf_tag() which does most of the work
mac_init_mbuf() used to do, except on an m_tag rather than an
mbuf.
- Scale back mac_init_mbuf() to perform m_tag allocation and invoke
mac_init_mbuf_tag().
- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since
m_tag's are now GC'd deep in the m_tag/mbuf code rather than
at a higher level when mbufs are directly free()'d.
- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related
notions.
- Generally change all references to mbuf labels so that they use
mbuf_to_label() rather than &mbuf->m_pkthdr.label. This
required no changes in the MAC policies (yay!).
- Tweak mbuf release routines to not call mac_destroy_mbuf(),
tag destruction takes care of it for us now.
- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() --
the existing m_tag support does all this for us. Note that
we can no longer just zero the m_tag list on the target mbuf,
rather, we have to delete the chain because m_tag's will
already be hung off freshly allocated mbuf's.
- Tweak m_tag copying routines so that if we're copying a MAC
m_tag, we don't do a binary copy, rather, we initialize the
new storage and do a deep copy of the label.
- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places
having to do with mbuf header copies previously.
- When an mbuf is copied in ip_input(), we no longer need to
explicitly copy the label because it will get handled by the
m_tag code now.
- No longer any weird handling of MAC labels in if_loop.c during
header copies.
- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test.
In mac_test, handle the label==NULL case, since it can be
dynamically loaded.
In order to improve performance with this change, introduce the notion
of "lazy MAC label allocation" -- only allocate m_tag storage for MAC
labels if we're running with a policy that uses MAC labels on mbufs.
Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS
flag in their load-time flags field during declaration. Note: this
opens up the possibility of post-boot policy modules getting back NULL
slot entries even though they have policy invariants of non-NULL slot
entries, as the policy might have been loaded after the mbuf was
allocated, leaving the mbuf without label storage. Policies that cannot
handle this case must be declared as NOTLATE, or must be modified.
- mac_labelmbufs holds the current cumulative status as to whether
any policies require mbuf labeling or not. This is updated whenever
the active policy set changes by the function mac_policy_updateflags().
The function iterates the list and checks whether any have the
flag set. Write access to this variable is protected by the policy
list; read access is currently not protected for performance reasons.
This might change if it causes problems.
- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update
function to assert appropriate locks.
- This makes allocation in mac_init_mbuf() conditional on the flag.
Reviewed by: sam
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
|
|
|
void (*mpo_copy_mbuf_label)(struct label *src,
|
|
|
|
|
struct label *dest);
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
void (*mpo_copy_pipe_label)(struct label *src,
|
|
|
|
|
struct label *dest);
|
Implement sockets support for __mac_get_fd() and __mac_set_fd()
system calls, and prefer these calls over getsockopt()/setsockopt()
for ABI reasons. When addressing UNIX domain sockets, these calls
retrieve and modify the socket label, not the label of the
rendezvous vnode.
- Create mac_copy_socket_label() entry point based on
mac_copy_pipe_label() entry point, intended to copy the socket
label into temporary storage that doesn't require a socket lock
to be held (currently Giant).
- Implement mac_copy_socket_label() for various policies.
- Expose socket label allocation, free, internalize, externalize
entry points as non-static from mac_net.c.
- Use mac_socket_label_set() in __mac_set_fd().
MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and
mac_get_peer() to retrieve and set various socket labels without
directly invoking the getsockopt() interface.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-16 23:31:45 +00:00
|
|
|
void (*mpo_copy_socket_label)(struct label *src,
|
|
|
|
|
struct label *dest);
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
void (*mpo_copy_vnode_label)(struct label *src,
|
|
|
|
|
struct label *dest);
|
|
|
|
|
int (*mpo_externalize_cred_label)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
int (*mpo_externalize_ifnet_label)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
int (*mpo_externalize_pipe_label)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
int (*mpo_externalize_socket_label)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
int (*mpo_externalize_socket_peer_label)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
int (*mpo_externalize_vnode_label)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
int (*mpo_internalize_cred_label)(struct label *label,
|
|
|
|
|
char *element_name, char *element_data, int *claimed);
|
|
|
|
|
int (*mpo_internalize_ifnet_label)(struct label *label,
|
|
|
|
|
char *element_name, char *element_data, int *claimed);
|
|
|
|
|
int (*mpo_internalize_pipe_label)(struct label *label,
|
|
|
|
|
char *element_name, char *element_data, int *claimed);
|
|
|
|
|
int (*mpo_internalize_socket_label)(struct label *label,
|
|
|
|
|
char *element_name, char *element_data, int *claimed);
|
|
|
|
|
int (*mpo_internalize_vnode_label)(struct label *label,
|
|
|
|
|
char *element_name, char *element_data, int *claimed);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Labeling event operations: file system objects, and things that
|
|
|
|
|
* look a lot like file system objects.
|
|
|
|
|
*/
|
Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label
right from inception. For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system. With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance. This
also corrects sematics for shared vnode locks, which were not
previously present in the system. This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form. With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception. We'll introduce a work around for this shortly.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
|
|
|
void (*mpo_associate_vnode_devfs)(struct mount *mp,
|
|
|
|
|
struct label *fslabel, struct devfs_dirent *de,
|
|
|
|
|
struct label *delabel, struct vnode *vp,
|
|
|
|
|
struct label *vlabel);
|
|
|
|
|
int (*mpo_associate_vnode_extattr)(struct mount *mp,
|
|
|
|
|
struct label *fslabel, struct vnode *vp,
|
|
|
|
|
struct label *vlabel);
|
|
|
|
|
void (*mpo_associate_vnode_singlelabel)(struct mount *mp,
|
|
|
|
|
struct label *fslabel, struct vnode *vp,
|
|
|
|
|
struct label *vlabel);
|
2004-06-16 09:47:26 +00:00
|
|
|
void (*mpo_create_devfs_device)(struct mount *mp, struct cdev *dev,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct devfs_dirent *de, struct label *label);
|
2002-12-09 03:44:28 +00:00
|
|
|
void (*mpo_create_devfs_directory)(struct mount *mp, char *dirname,
|
|
|
|
|
int dirnamelen, struct devfs_dirent *de,
|
|
|
|
|
struct label *label);
|
2002-10-05 18:40:10 +00:00
|
|
|
void (*mpo_create_devfs_symlink)(struct ucred *cred,
|
2002-12-09 03:44:28 +00:00
|
|
|
struct mount *mp, struct devfs_dirent *dd,
|
|
|
|
|
struct label *ddlabel, struct devfs_dirent *de,
|
|
|
|
|
struct label *delabel);
|
Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label
right from inception. For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system. With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance. This
also corrects sematics for shared vnode locks, which were not
previously present in the system. This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form. With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception. We'll introduce a work around for this shortly.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
|
|
|
int (*mpo_create_vnode_extattr)(struct ucred *cred,
|
|
|
|
|
struct mount *mp, struct label *fslabel,
|
|
|
|
|
struct vnode *dvp, struct label *dlabel,
|
|
|
|
|
struct vnode *vp, struct label *vlabel,
|
|
|
|
|
struct componentname *cnp);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
void (*mpo_create_mount)(struct ucred *cred, struct mount *mp,
|
|
|
|
|
struct label *mntlabel, struct label *fslabel);
|
|
|
|
|
void (*mpo_create_root_mount)(struct ucred *cred, struct mount *mp,
|
|
|
|
|
struct label *mountlabel, struct label *fslabel);
|
|
|
|
|
void (*mpo_relabel_vnode)(struct ucred *cred, struct vnode *vp,
|
|
|
|
|
struct label *vnodelabel, struct label *label);
|
Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label
right from inception. For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system. With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance. This
also corrects sematics for shared vnode locks, which were not
previously present in the system. This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form. With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception. We'll introduce a work around for this shortly.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
|
|
|
int (*mpo_setlabel_vnode_extattr)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *vlabel,
|
|
|
|
|
struct label *intlabel);
|
2002-12-09 03:44:28 +00:00
|
|
|
void (*mpo_update_devfsdirent)(struct mount *mp,
|
|
|
|
|
struct devfs_dirent *devfs_dirent,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *direntlabel, struct vnode *vp,
|
|
|
|
|
struct label *vnodelabel);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Labeling event operations: IPC objects.
|
|
|
|
|
*/
|
|
|
|
|
void (*mpo_create_mbuf_from_socket)(struct socket *so,
|
|
|
|
|
struct label *socketlabel, struct mbuf *m,
|
|
|
|
|
struct label *mbuflabel);
|
|
|
|
|
void (*mpo_create_socket)(struct ucred *cred, struct socket *so,
|
|
|
|
|
struct label *socketlabel);
|
|
|
|
|
void (*mpo_create_socket_from_socket)(struct socket *oldsocket,
|
|
|
|
|
struct label *oldsocketlabel, struct socket *newsocket,
|
|
|
|
|
struct label *newsocketlabel);
|
|
|
|
|
void (*mpo_relabel_socket)(struct ucred *cred, struct socket *so,
|
|
|
|
|
struct label *oldlabel, struct label *newlabel);
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
void (*mpo_relabel_pipe)(struct ucred *cred, struct pipepair *pp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *oldlabel, struct label *newlabel);
|
|
|
|
|
void (*mpo_set_socket_peer_from_mbuf)(struct mbuf *mbuf,
|
|
|
|
|
struct label *mbuflabel, struct socket *so,
|
|
|
|
|
struct label *socketpeerlabel);
|
|
|
|
|
void (*mpo_set_socket_peer_from_socket)(struct socket *oldsocket,
|
|
|
|
|
struct label *oldsocketlabel, struct socket *newsocket,
|
|
|
|
|
struct label *newsocketpeerlabel);
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
void (*mpo_create_pipe)(struct ucred *cred, struct pipepair *pp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *pipelabel);
|
|
|
|
|
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
/*
|
|
|
|
|
* Labeling event operations: System V IPC primitives.
|
|
|
|
|
*/
|
|
|
|
|
void (*mpo_create_sysv_msgmsg)(struct ucred *cred,
|
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqlabel,
|
|
|
|
|
struct msg *msgptr, struct label *msglabel);
|
|
|
|
|
void (*mpo_create_sysv_msgqueue)(struct ucred *cred,
|
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqlabel);
|
2005-06-07 05:03:28 +00:00
|
|
|
void (*mpo_create_sysv_sem)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct semid_kernel *semakptr, struct label *semalabel);
|
|
|
|
|
void (*mpo_create_sysv_shm)(struct ucred *cred,
|
|
|
|
|
struct shmid_kernel *shmsegptr, struct label *shmlabel);
|
|
|
|
|
|
2005-05-04 10:39:15 +00:00
|
|
|
/*
|
|
|
|
|
* Labeling event operations: POSIX (global/inter-process) semaphores.
|
|
|
|
|
*/
|
|
|
|
|
void (*mpo_create_posix_sem)(struct ucred *cred,
|
|
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
|
|
|
|
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
/*
|
|
|
|
|
* Labeling event operations: network objects.
|
|
|
|
|
*/
|
|
|
|
|
void (*mpo_create_bpfdesc)(struct ucred *cred, struct bpf_d *bpf_d,
|
|
|
|
|
struct label *bpflabel);
|
|
|
|
|
void (*mpo_create_ifnet)(struct ifnet *ifnet,
|
|
|
|
|
struct label *ifnetlabel);
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
void (*mpo_create_inpcb_from_socket)(struct socket *so,
|
|
|
|
|
struct label *solabel, struct inpcb *inp,
|
|
|
|
|
struct label *inplabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
void (*mpo_create_ipq)(struct mbuf *fragment,
|
|
|
|
|
struct label *fragmentlabel, struct ipq *ipq,
|
|
|
|
|
struct label *ipqlabel);
|
|
|
|
|
void (*mpo_create_datagram_from_ipq)
|
|
|
|
|
(struct ipq *ipq, struct label *ipqlabel,
|
|
|
|
|
struct mbuf *datagram, struct label *datagramlabel);
|
|
|
|
|
void (*mpo_create_fragment)(struct mbuf *datagram,
|
|
|
|
|
struct label *datagramlabel, struct mbuf *fragment,
|
|
|
|
|
struct label *fragmentlabel);
|
2003-12-17 14:55:11 +00:00
|
|
|
void (*mpo_create_mbuf_from_inpcb)(struct inpcb *inp,
|
|
|
|
|
struct label *inplabel, struct mbuf *m,
|
|
|
|
|
struct label *mlabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
void (*mpo_create_mbuf_linklayer)(struct ifnet *ifnet,
|
|
|
|
|
struct label *ifnetlabel, struct mbuf *mbuf,
|
|
|
|
|
struct label *mbuflabel);
|
|
|
|
|
void (*mpo_create_mbuf_from_bpfdesc)(struct bpf_d *bpf_d,
|
|
|
|
|
struct label *bpflabel, struct mbuf *mbuf,
|
|
|
|
|
struct label *mbuflabel);
|
|
|
|
|
void (*mpo_create_mbuf_from_ifnet)(struct ifnet *ifnet,
|
|
|
|
|
struct label *ifnetlabel, struct mbuf *mbuf,
|
|
|
|
|
struct label *mbuflabel);
|
|
|
|
|
void (*mpo_create_mbuf_multicast_encap)(struct mbuf *oldmbuf,
|
|
|
|
|
struct label *oldmbuflabel, struct ifnet *ifnet,
|
|
|
|
|
struct label *ifnetlabel, struct mbuf *newmbuf,
|
|
|
|
|
struct label *newmbuflabel);
|
|
|
|
|
void (*mpo_create_mbuf_netlayer)(struct mbuf *oldmbuf,
|
|
|
|
|
struct label *oldmbuflabel, struct mbuf *newmbuf,
|
|
|
|
|
struct label *newmbuflabel);
|
|
|
|
|
int (*mpo_fragment_match)(struct mbuf *fragment,
|
|
|
|
|
struct label *fragmentlabel, struct ipq *ipq,
|
|
|
|
|
struct label *ipqlabel);
|
2003-08-21 18:21:22 +00:00
|
|
|
void (*mpo_reflect_mbuf_icmp)(struct mbuf *m,
|
|
|
|
|
struct label *mlabel);
|
|
|
|
|
void (*mpo_reflect_mbuf_tcp)(struct mbuf *m, struct label *mlabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
void (*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet,
|
|
|
|
|
struct label *ifnetlabel, struct label *newlabel);
|
|
|
|
|
void (*mpo_update_ipq)(struct mbuf *fragment,
|
|
|
|
|
struct label *fragmentlabel, struct ipq *ipq,
|
|
|
|
|
struct label *ipqlabel);
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
void (*mpo_inpcb_sosetlabel)(struct socket *so,
|
|
|
|
|
struct label *label, struct inpcb *inp,
|
|
|
|
|
struct label *inplabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Labeling event operations: processes.
|
|
|
|
|
*/
|
|
|
|
|
void (*mpo_execve_transition)(struct ucred *old, struct ucred *new,
|
2002-11-05 17:51:56 +00:00
|
|
|
struct vnode *vp, struct label *vnodelabel,
|
|
|
|
|
struct label *interpvnodelabel,
|
2002-11-08 18:04:00 +00:00
|
|
|
struct image_params *imgp, struct label *execlabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_execve_will_transition)(struct ucred *old,
|
2002-11-05 17:51:56 +00:00
|
|
|
struct vnode *vp, struct label *vnodelabel,
|
|
|
|
|
struct label *interpvnodelabel,
|
2002-11-08 18:04:00 +00:00
|
|
|
struct image_params *imgp, struct label *execlabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
void (*mpo_create_proc0)(struct ucred *cred);
|
|
|
|
|
void (*mpo_create_proc1)(struct ucred *cred);
|
|
|
|
|
void (*mpo_relabel_cred)(struct ucred *cred,
|
|
|
|
|
struct label *newlabel);
|
2002-10-02 02:42:38 +00:00
|
|
|
void (*mpo_thread_userret)(struct thread *thread);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Access control checks.
|
|
|
|
|
*/
|
|
|
|
|
int (*mpo_check_bpfdesc_receive)(struct bpf_d *bpf_d,
|
|
|
|
|
struct label *bpflabel, struct ifnet *ifnet,
|
|
|
|
|
struct label *ifnetlabel);
|
|
|
|
|
int (*mpo_check_cred_relabel)(struct ucred *cred,
|
|
|
|
|
struct label *newlabel);
|
|
|
|
|
int (*mpo_check_cred_visible)(struct ucred *u1, struct ucred *u2);
|
|
|
|
|
int (*mpo_check_ifnet_relabel)(struct ucred *cred,
|
|
|
|
|
struct ifnet *ifnet, struct label *ifnetlabel,
|
|
|
|
|
struct label *newlabel);
|
|
|
|
|
int (*mpo_check_ifnet_transmit)(struct ifnet *ifnet,
|
|
|
|
|
struct label *ifnetlabel, struct mbuf *m,
|
|
|
|
|
struct label *mbuflabel);
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
int (*mpo_check_inpcb_deliver)(struct inpcb *inp,
|
|
|
|
|
struct label *inplabel, struct mbuf *m,
|
|
|
|
|
struct label *mlabel);
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
int (*mpo_check_sysv_msgmsq)(struct ucred *cred,
|
|
|
|
|
struct msg *msgptr, struct label *msglabel,
|
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
|
|
|
|
int (*mpo_check_sysv_msgrcv)(struct ucred *cred,
|
|
|
|
|
struct msg *msgptr, struct label *msglabel);
|
|
|
|
|
int (*mpo_check_sysv_msgrmid)(struct ucred *cred,
|
|
|
|
|
struct msg *msgptr, struct label *msglabel);
|
|
|
|
|
int (*mpo_check_sysv_msqget)(struct ucred *cred,
|
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
|
|
|
|
int (*mpo_check_sysv_msqsnd)(struct ucred *cred,
|
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
|
|
|
|
int (*mpo_check_sysv_msqrcv)(struct ucred *cred,
|
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
|
|
|
|
int (*mpo_check_sysv_msqctl)(struct ucred *cred,
|
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel,
|
|
|
|
|
int cmd);
|
|
|
|
|
int (*mpo_check_sysv_semctl)(struct ucred *cred,
|
|
|
|
|
struct semid_kernel *semakptr, struct label *semaklabel,
|
|
|
|
|
int cmd);
|
|
|
|
|
int (*mpo_check_sysv_semget)(struct ucred *cred,
|
|
|
|
|
struct semid_kernel *semakptr, struct label *semaklabel);
|
|
|
|
|
int (*mpo_check_sysv_semop)(struct ucred *cred,
|
|
|
|
|
struct semid_kernel *semakptr, struct label *semaklabel,
|
|
|
|
|
size_t accesstype);
|
|
|
|
|
int (*mpo_check_sysv_shmat)(struct ucred *cred,
|
|
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
|
struct label *shmseglabel, int shmflg);
|
|
|
|
|
int (*mpo_check_sysv_shmctl)(struct ucred *cred,
|
|
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
|
struct label *shmseglabel, int cmd);
|
|
|
|
|
int (*mpo_check_sysv_shmdt)(struct ucred *cred,
|
|
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
|
struct label *shmseglabel);
|
|
|
|
|
int (*mpo_check_sysv_shmget)(struct ucred *cred,
|
|
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
|
struct label *shmseglabel, int shmflg);
|
2002-11-01 20:46:53 +00:00
|
|
|
int (*mpo_check_kenv_dump)(struct ucred *cred);
|
|
|
|
|
int (*mpo_check_kenv_get)(struct ucred *cred, char *name);
|
|
|
|
|
int (*mpo_check_kenv_set)(struct ucred *cred, char *name,
|
|
|
|
|
char *value);
|
|
|
|
|
int (*mpo_check_kenv_unset)(struct ucred *cred, char *name);
|
2002-11-19 22:12:42 +00:00
|
|
|
int (*mpo_check_kld_load)(struct ucred *cred, struct vnode *vp,
|
|
|
|
|
struct label *vlabel);
|
|
|
|
|
int (*mpo_check_kld_stat)(struct ucred *cred);
|
|
|
|
|
int (*mpo_check_kld_unload)(struct ucred *cred);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp,
|
|
|
|
|
struct label *mntlabel);
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
int (*mpo_check_pipe_ioctl)(struct ucred *cred,
|
|
|
|
|
struct pipepair *pp, struct label *pipelabel,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
unsigned long cmd, void *data);
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
int (*mpo_check_pipe_poll)(struct ucred *cred,
|
|
|
|
|
struct pipepair *pp, struct label *pipelabel);
|
|
|
|
|
int (*mpo_check_pipe_read)(struct ucred *cred,
|
|
|
|
|
struct pipepair *pp, struct label *pipelabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_pipe_relabel)(struct ucred *cred,
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
struct pipepair *pp, struct label *pipelabel,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *newlabel);
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
int (*mpo_check_pipe_stat)(struct ucred *cred,
|
|
|
|
|
struct pipepair *pp, struct label *pipelabel);
|
|
|
|
|
int (*mpo_check_pipe_write)(struct ucred *cred,
|
|
|
|
|
struct pipepair *pp, struct label *pipelabel);
|
2005-05-04 10:39:15 +00:00
|
|
|
int (*mpo_check_posix_sem_destroy)(struct ucred *cred,
|
|
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
|
|
|
|
int (*mpo_check_posix_sem_getvalue)(struct ucred *cred,
|
|
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
|
|
|
|
int (*mpo_check_posix_sem_open)(struct ucred *cred,
|
|
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
|
|
|
|
int (*mpo_check_posix_sem_post)(struct ucred *cred,
|
|
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
|
|
|
|
int (*mpo_check_posix_sem_unlink)(struct ucred *cred,
|
|
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
|
|
|
|
int (*mpo_check_posix_sem_wait)(struct ucred *cred,
|
|
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_proc_debug)(struct ucred *cred,
|
|
|
|
|
struct proc *proc);
|
|
|
|
|
int (*mpo_check_proc_sched)(struct ucred *cred,
|
|
|
|
|
struct proc *proc);
|
2005-04-16 13:29:15 +00:00
|
|
|
int (*mpo_check_proc_setuid)(struct ucred *cred, uid_t uid);
|
|
|
|
|
int (*mpo_check_proc_seteuid)(struct ucred *cred, uid_t euid);
|
|
|
|
|
int (*mpo_check_proc_setgid)(struct ucred *cred, gid_t gid);
|
|
|
|
|
int (*mpo_check_proc_setegid)(struct ucred *cred, gid_t egid);
|
|
|
|
|
int (*mpo_check_proc_setgroups)(struct ucred *cred, int ngroups,
|
|
|
|
|
gid_t *gidset);
|
|
|
|
|
int (*mpo_check_proc_setreuid)(struct ucred *cred, uid_t ruid,
|
|
|
|
|
uid_t euid);
|
|
|
|
|
int (*mpo_check_proc_setregid)(struct ucred *cred, gid_t rgid,
|
|
|
|
|
gid_t egid);
|
|
|
|
|
int (*mpo_check_proc_setresuid)(struct ucred *cred, uid_t ruid,
|
|
|
|
|
uid_t euid, uid_t suid);
|
|
|
|
|
int (*mpo_check_proc_setresgid)(struct ucred *cred, gid_t rgid,
|
|
|
|
|
gid_t egid, gid_t sgid);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_proc_signal)(struct ucred *cred,
|
|
|
|
|
struct proc *proc, int signum);
|
2005-04-18 13:36:57 +00:00
|
|
|
int (*mpo_check_proc_wait)(struct ucred *cred,
|
|
|
|
|
struct proc *proc);
|
2005-04-16 18:46:29 +00:00
|
|
|
int (*mpo_check_socket_accept)(struct ucred *cred,
|
|
|
|
|
struct socket *so, struct label *socketlabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_socket_bind)(struct ucred *cred,
|
|
|
|
|
struct socket *so, struct label *socketlabel,
|
|
|
|
|
struct sockaddr *sockaddr);
|
|
|
|
|
int (*mpo_check_socket_connect)(struct ucred *cred,
|
|
|
|
|
struct socket *so, struct label *socketlabel,
|
|
|
|
|
struct sockaddr *sockaddr);
|
2005-07-05 22:49:10 +00:00
|
|
|
int (*mpo_check_socket_create)(struct ucred *cred, int domain,
|
|
|
|
|
int type, int protocol);
|
2002-08-15 18:51:27 +00:00
|
|
|
int (*mpo_check_socket_deliver)(struct socket *so,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *socketlabel, struct mbuf *m,
|
|
|
|
|
struct label *mbuflabel);
|
2002-08-15 18:51:27 +00:00
|
|
|
int (*mpo_check_socket_listen)(struct ucred *cred,
|
|
|
|
|
struct socket *so, struct label *socketlabel);
|
2005-04-16 18:46:29 +00:00
|
|
|
int (*mpo_check_socket_poll)(struct ucred *cred,
|
|
|
|
|
struct socket *so, struct label *socketlabel);
|
2002-10-06 14:39:15 +00:00
|
|
|
int (*mpo_check_socket_receive)(struct ucred *cred,
|
|
|
|
|
struct socket *so, struct label *socketlabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_socket_relabel)(struct ucred *cred,
|
|
|
|
|
struct socket *so, struct label *socketlabel,
|
|
|
|
|
struct label *newlabel);
|
2002-10-06 14:39:15 +00:00
|
|
|
int (*mpo_check_socket_send)(struct ucred *cred,
|
|
|
|
|
struct socket *so, struct label *socketlabel);
|
2005-04-16 18:46:29 +00:00
|
|
|
int (*mpo_check_socket_stat)(struct ucred *cred,
|
|
|
|
|
struct socket *so, struct label *socketlabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_socket_visible)(struct ucred *cred,
|
|
|
|
|
struct socket *so, struct label *socketlabel);
|
2003-03-06 04:47:47 +00:00
|
|
|
int (*mpo_check_sysarch_ioperm)(struct ucred *cred);
|
2002-11-04 15:13:36 +00:00
|
|
|
int (*mpo_check_system_acct)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *vlabel);
|
|
|
|
|
int (*mpo_check_system_nfsd)(struct ucred *cred);
|
2002-10-27 07:03:29 +00:00
|
|
|
int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
|
2002-11-03 02:39:42 +00:00
|
|
|
int (*mpo_check_system_settime)(struct ucred *cred);
|
2002-10-27 06:54:06 +00:00
|
|
|
int (*mpo_check_system_swapon)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label);
|
2003-03-05 23:50:15 +00:00
|
|
|
int (*mpo_check_system_swapoff)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label);
|
2004-02-22 12:31:44 +00:00
|
|
|
int (*mpo_check_system_sysctl)(struct ucred *cred,
|
|
|
|
|
struct sysctl_oid *oidp, void *arg1, int arg2,
|
|
|
|
|
struct sysctl_req *req);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_vnode_access)(struct ucred *cred,
|
2002-10-30 17:56:57 +00:00
|
|
|
struct vnode *vp, struct label *label, int acc_mode);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_vnode_chdir)(struct ucred *cred,
|
|
|
|
|
struct vnode *dvp, struct label *dlabel);
|
|
|
|
|
int (*mpo_check_vnode_chroot)(struct ucred *cred,
|
|
|
|
|
struct vnode *dvp, struct label *dlabel);
|
|
|
|
|
int (*mpo_check_vnode_create)(struct ucred *cred,
|
|
|
|
|
struct vnode *dvp, struct label *dlabel,
|
|
|
|
|
struct componentname *cnp, struct vattr *vap);
|
|
|
|
|
int (*mpo_check_vnode_delete)(struct ucred *cred,
|
|
|
|
|
struct vnode *dvp, struct label *dlabel,
|
Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure. Originally, we used a vector
for two reasons:
(1) We wanted to define the structure sparsely, which wasn't
supported by the C compiler for structures. For a policy
with five entry points, you don't want to have to stick in
a few hundred NULL function pointers.
(2) We thought it would improve ABI compatibility allowing modules
to work with kernels that had a superset of the entry points
defined in the module, even if the kernel had changed its
entry point set.
Both of these no longer apply:
(1) C99 gives us a way to sparsely define a static structure.
(2) The ABI problems existed anyway, due to enumeration numbers,
argument changes, and semantic mismatches. Since the going
rule for FreeBSD is that you really need your modules to
pretty closely match your kernel, it's not worth the
complexity.
This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions. One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
|
|
|
struct vnode *vp, struct label *label,
|
|
|
|
|
struct componentname *cnp);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_vnode_deleteacl)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, acl_type_t type);
|
2003-08-21 13:53:01 +00:00
|
|
|
int (*mpo_check_vnode_deleteextattr)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, int attrnamespace,
|
|
|
|
|
const char *name);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
|
2002-11-08 18:04:00 +00:00
|
|
|
struct label *label, struct image_params *imgp,
|
|
|
|
|
struct label *execlabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_vnode_getacl)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, acl_type_t type);
|
|
|
|
|
int (*mpo_check_vnode_getextattr)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, int attrnamespace,
|
|
|
|
|
const char *name, struct uio *uio);
|
2002-10-05 18:11:36 +00:00
|
|
|
int (*mpo_check_vnode_link)(struct ucred *cred, struct vnode *dvp,
|
|
|
|
|
struct label *dlabel, struct vnode *vp,
|
|
|
|
|
struct label *label, struct componentname *cnp);
|
2003-08-21 13:53:01 +00:00
|
|
|
int (*mpo_check_vnode_listextattr)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, int attrnamespace);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_vnode_lookup)(struct ucred *cred,
|
|
|
|
|
struct vnode *dvp, struct label *dlabel,
|
|
|
|
|
struct componentname *cnp);
|
2002-10-06 02:46:26 +00:00
|
|
|
int (*mpo_check_vnode_mmap)(struct ucred *cred, struct vnode *vp,
|
2005-04-14 16:03:30 +00:00
|
|
|
struct label *label, int prot, int flags);
|
2002-10-06 02:46:26 +00:00
|
|
|
void (*mpo_check_vnode_mmap_downgrade)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, int *prot);
|
|
|
|
|
int (*mpo_check_vnode_mprotect)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, int prot);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp,
|
2002-10-30 17:56:57 +00:00
|
|
|
struct label *label, int acc_mode);
|
2002-08-19 19:04:53 +00:00
|
|
|
int (*mpo_check_vnode_poll)(struct ucred *active_cred,
|
|
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
2002-08-19 16:43:25 +00:00
|
|
|
struct label *label);
|
2002-08-19 19:04:53 +00:00
|
|
|
int (*mpo_check_vnode_read)(struct ucred *active_cred,
|
|
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
2002-08-19 16:43:25 +00:00
|
|
|
struct label *label);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
int (*mpo_check_vnode_readdir)(struct ucred *cred,
|
|
|
|
|
struct vnode *dvp, struct label *dlabel);
|
|
|
|
|
int (*mpo_check_vnode_readlink)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label);
|
|
|
|
|
int (*mpo_check_vnode_relabel)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *vnodelabel,
|
|
|
|
|
struct label *newlabel);
|
|
|
|
|
int (*mpo_check_vnode_rename_from)(struct ucred *cred,
|
|
|
|
|
struct vnode *dvp, struct label *dlabel, struct vnode *vp,
|
|
|
|
|
struct label *label, struct componentname *cnp);
|
|
|
|
|
int (*mpo_check_vnode_rename_to)(struct ucred *cred,
|
|
|
|
|
struct vnode *dvp, struct label *dlabel, struct vnode *vp,
|
|
|
|
|
struct label *label, int samedir,
|
|
|
|
|
struct componentname *cnp);
|
|
|
|
|
int (*mpo_check_vnode_revoke)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label);
|
|
|
|
|
int (*mpo_check_vnode_setacl)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, acl_type_t type,
|
|
|
|
|
struct acl *acl);
|
|
|
|
|
int (*mpo_check_vnode_setextattr)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, int attrnamespace,
|
|
|
|
|
const char *name, struct uio *uio);
|
|
|
|
|
int (*mpo_check_vnode_setflags)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, u_long flags);
|
|
|
|
|
int (*mpo_check_vnode_setmode)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, mode_t mode);
|
|
|
|
|
int (*mpo_check_vnode_setowner)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label, uid_t uid,
|
|
|
|
|
gid_t gid);
|
|
|
|
|
int (*mpo_check_vnode_setutimes)(struct ucred *cred,
|
|
|
|
|
struct vnode *vp, struct label *label,
|
|
|
|
|
struct timespec atime, struct timespec mtime);
|
2002-08-19 19:04:53 +00:00
|
|
|
int (*mpo_check_vnode_stat)(struct ucred *active_cred,
|
|
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *label);
|
2002-08-19 19:04:53 +00:00
|
|
|
int (*mpo_check_vnode_write)(struct ucred *active_cred,
|
|
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
2002-08-19 16:43:25 +00:00
|
|
|
struct label *label);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
};
|
|
|
|
|
|
2004-10-22 11:29:30 +00:00
|
|
|
/*
|
|
|
|
|
* struct mac_policy_conf is the registration structure for policies, and is
|
|
|
|
|
* provided to the MAC Framework using MAC_POLICY_SET() to invoke a SYSINIT
|
|
|
|
|
* to register the policy. In general, the fields are immutable, with the
|
|
|
|
|
* exception of the "security field", run-time flags, and policy list entry,
|
|
|
|
|
* which are managed by the MAC Framework. Be careful when modifying this
|
|
|
|
|
* structure, as its layout is statically compiled into all policies.
|
|
|
|
|
*/
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct mac_policy_conf {
|
|
|
|
|
char *mpc_name; /* policy name */
|
|
|
|
|
char *mpc_fullname; /* policy full name */
|
|
|
|
|
struct mac_policy_ops *mpc_ops; /* policy operations */
|
|
|
|
|
int mpc_loadtime_flags; /* flags */
|
|
|
|
|
int *mpc_field_off; /* security field */
|
|
|
|
|
int mpc_runtime_flags; /* flags */
|
|
|
|
|
LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* Flags for the mpc_loadtime_flags field. */
|
|
|
|
|
#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
|
|
|
|
|
#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
|
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header. To do this:
- Modify mbuf_to_label() to extract the tag, returning NULL if not
found.
- Introduce mac_init_mbuf_tag() which does most of the work
mac_init_mbuf() used to do, except on an m_tag rather than an
mbuf.
- Scale back mac_init_mbuf() to perform m_tag allocation and invoke
mac_init_mbuf_tag().
- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since
m_tag's are now GC'd deep in the m_tag/mbuf code rather than
at a higher level when mbufs are directly free()'d.
- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related
notions.
- Generally change all references to mbuf labels so that they use
mbuf_to_label() rather than &mbuf->m_pkthdr.label. This
required no changes in the MAC policies (yay!).
- Tweak mbuf release routines to not call mac_destroy_mbuf(),
tag destruction takes care of it for us now.
- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() --
the existing m_tag support does all this for us. Note that
we can no longer just zero the m_tag list on the target mbuf,
rather, we have to delete the chain because m_tag's will
already be hung off freshly allocated mbuf's.
- Tweak m_tag copying routines so that if we're copying a MAC
m_tag, we don't do a binary copy, rather, we initialize the
new storage and do a deep copy of the label.
- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places
having to do with mbuf header copies previously.
- When an mbuf is copied in ip_input(), we no longer need to
explicitly copy the label because it will get handled by the
m_tag code now.
- No longer any weird handling of MAC labels in if_loop.c during
header copies.
- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test.
In mac_test, handle the label==NULL case, since it can be
dynamically loaded.
In order to improve performance with this change, introduce the notion
of "lazy MAC label allocation" -- only allocate m_tag storage for MAC
labels if we're running with a policy that uses MAC labels on mbufs.
Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS
flag in their load-time flags field during declaration. Note: this
opens up the possibility of post-boot policy modules getting back NULL
slot entries even though they have policy invariants of non-NULL slot
entries, as the policy might have been loaded after the mbuf was
allocated, leaving the mbuf without label storage. Policies that cannot
handle this case must be declared as NOTLATE, or must be modified.
- mac_labelmbufs holds the current cumulative status as to whether
any policies require mbuf labeling or not. This is updated whenever
the active policy set changes by the function mac_policy_updateflags().
The function iterates the list and checks whether any have the
flag set. Write access to this variable is protected by the policy
list; read access is currently not protected for performance reasons.
This might change if it causes problems.
- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update
function to assert appropriate locks.
- This makes allocation in mac_init_mbuf() conditional on the flag.
Reviewed by: sam
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
|
|
|
#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
|
|
|
|
/* Flags for the mpc_runtime_flags field. */
|
|
|
|
|
#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
|
|
|
|
|
|
Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure. Originally, we used a vector
for two reasons:
(1) We wanted to define the structure sparsely, which wasn't
supported by the C compiler for structures. For a policy
with five entry points, you don't want to have to stick in
a few hundred NULL function pointers.
(2) We thought it would improve ABI compatibility allowing modules
to work with kernels that had a superset of the entry points
defined in the module, even if the kernel had changed its
entry point set.
Both of these no longer apply:
(1) C99 gives us a way to sparsely define a static structure.
(2) The ABI problems existed anyway, due to enumeration numbers,
argument changes, and semantic mismatches. Since the going
rule for FreeBSD is that you really need your modules to
pretty closely match your kernel, it's not worth the
complexity.
This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions. One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
|
|
|
#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
static struct mac_policy_conf mpname##_mac_policy_conf = { \
|
|
|
|
|
#mpname, \
|
|
|
|
|
mpfullname, \
|
Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure. Originally, we used a vector
for two reasons:
(1) We wanted to define the structure sparsely, which wasn't
supported by the C compiler for structures. For a policy
with five entry points, you don't want to have to stick in
a few hundred NULL function pointers.
(2) We thought it would improve ABI compatibility allowing modules
to work with kernels that had a superset of the entry points
defined in the module, even if the kernel had changed its
entry point set.
Both of these no longer apply:
(1) C99 gives us a way to sparsely define a static structure.
(2) The ABI problems existed anyway, due to enumeration numbers,
argument changes, and semantic mismatches. Since the going
rule for FreeBSD is that you really need your modules to
pretty closely match your kernel, it's not worth the
complexity.
This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions. One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
|
|
|
mpops, \
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
mpflags, \
|
|
|
|
|
privdata_wanted, \
|
|
|
|
|
0, \
|
|
|
|
|
}; \
|
|
|
|
|
static moduledata_t mpname##_mod = { \
|
|
|
|
|
#mpname, \
|
|
|
|
|
mac_policy_modevent, \
|
|
|
|
|
&mpname##_mac_policy_conf \
|
|
|
|
|
}; \
|
2004-11-09 11:28:40 +00:00
|
|
|
MODULE_DEPEND(mpname, kernel_mac_support, 2, 2, 2); \
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY, \
|
|
|
|
|
SI_ORDER_MIDDLE)
|
|
|
|
|
|
|
|
|
|
int mac_policy_modevent(module_t mod, int type, void *data);
|
|
|
|
|
|
|
|
|
|
#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
|
|
|
|
|
|
2004-05-10 18:38:07 +00:00
|
|
|
#endif /* !_SYS_MAC_POLICY_H_ */
|
