Commit Graph

255 Commits

Author SHA1 Message Date
Robert Watson
13763f5074 Continue cleanup and sync of mac_biba and mac_mls policies to the
TrustedBSD MAC Perforce tree.  Remove unused functions
mac_biba_equal_range and mac_mls_equal_range, which determined if the
ranges in two range-enabled labels were equal.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-21 19:20:01 +00:00
Robert Watson
164634351b Remove mac_biba_high_single() check for interface renaming: we now
use the notion that a subject range of (low-high) connotes Biba
privilege rather than a single of high.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-21 19:01:44 +00:00
Robert Watson
728fbeea52 As INVARIANTS isn't supported for code that loads only as a kernel
module and is not linked into the base system, two KASSERT's rotted.
Fix them by fixing variable names.  It would be really nice if
opt_global.h was used when building modules as part of a buildkernel.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-21 18:29:37 +00:00
Robert Watson
cc51a2b55e Remove un-needed stack variable 'ops'.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-18 22:35:02 +00:00
Robert Watson
ca7850c313 Add a toggle to disable VM enforcement.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-09-18 02:02:08 +00:00
Robert Watson
b88c98f6b1 At the cost of seeming a little gauche, make use of more traditional
alphabetization for mac_enforce_pipe sysctl.

Obtained from:	TrustedBSD Project
Sponsored by:	DAPRA, NAI Labs
2002-09-18 02:00:19 +00:00
Nate Lawson
06be2aaa83 Remove all use of vnode->v_tag, replacing with appropriate substitutes.
v_tag is now const char * and should only be used for debugging.

Additionally:
1. All users of VT_NTS now check vfsconf->vf_type VFCF_NETWORK
2. The user of VT_PROCFS now checks for the new flag VV_PROCDEP, which
is propagated by pseudofs to all child vnodes if the fs sets PFS_PROCDEP.

Suggested by:   phk
Reviewed by:    bde, rwatson (earlier version)
2002-09-14 09:02:28 +00:00
Bruce Evans
cebf94317e Include <sys/malloc.h> instead of depending on namespace pollution 2
layers deep in <sys/proc.h> or <sys/vnode.h>.
2002-09-10 12:45:02 +00:00
Robert Watson
c0f3990523 Add security.mac.mmap_revocation, a flag indicating whether we
should revoke access to memory maps on a process label change.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-09-09 17:12:24 +00:00
Robert Watson
1614003510 Minor code sync to MAC tree: push Giant locking up from
mac_cred_mmapped_drop_perms() to the caller.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-09-09 17:10:16 +00:00
Robert Watson
8768e441cd Re-insert TUNABLE() export of MAC Biba and MAC MLS module 'enabled'
sysctls.  Apparently lost during some or another merge.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-05 18:52:52 +00:00
Bruce Evans
b656366b46 Include <sys/malloc.h> instead of depending on namespace pollution 2
layers deep in <sys/proc.h> or <sys/vnode.h>.

Removed unused includes.

Fixed some printf format errors (1 fatal on i386's; 1 fatal on alphas;
1 not fatal on any supported machine).
2002-09-05 07:02:43 +00:00
Robert Watson
740348c40a Prefer NULL to 0 when passing a NULL pointer. 2002-08-20 02:54:09 +00:00
Robert Watson
8a97ecf648 Provide stub mpo_syscall() implementations for mac_none and mac_test.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-20 02:53:35 +00:00
Robert Watson
e5cb5e37d4 Close a race in process label changing opened due to dropping the
proc locking when revoking access to mmaps.  Instead, perform this
later once we've changed the process label (hold onto a reference
to the new cred so that we don't lose it when we release the
process lock if another thread changes the credential).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 20:26:32 +00:00
Robert Watson
177142e458 Pass active_cred and file_cred into the MAC framework explicitly
for mac_check_vnode_{poll,read,stat,write}().  Pass in fp->f_cred
when calling these checks with a struct file available.  Otherwise,
pass NOCRED.  All currently MAC policies use active_cred, but
could now offer the cached credential semantic used for the base
system security model.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 19:04:53 +00:00
Robert Watson
27f2eac7f3 Provide an implementation of mac_syscall() so that security modules
can offer new services without reserving system call numbers, or
augmented versions of existing services.  User code requests a
target policy by name, and specifies the policy-specific API plus
target.  This is required in particular for our port of SELinux/FLASK
to the MAC framework since it offers additional security services.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 17:59:48 +00:00
Robert Watson
c024c3eeb1 Break out mac_check_pipe_op() into component check entry points:
mac_check_pipe_poll(), mac_check_pipe_read(), mac_check_pipe_stat(),
and mac_check_pipe_write().  This is improves consistency with other
access control entry points and permits security modules to only
control the object methods that they are interested in, avoiding
switch statements.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 16:59:37 +00:00
Robert Watson
7f724f8b51 Break out mac_check_vnode_op() into three seperate checks:
mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write().
This improves the consistency with other existing vnode checks, and
allows policies to avoid implementing switch statements to determine
what operations they do and do not want to authorize.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 16:43:25 +00:00
Robert Watson
b12baf55a4 Assert process locks in proces-related access control checks.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 15:30:30 +00:00
Robert Watson
851704bbd0 Add a missing vnode assertion for the exec() check.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 15:28:39 +00:00
Poul-Henning Kamp
fee7d450d8 Keep a copy of the credential used to mount filesystems around so
we can check and use it later on.

Change the pieces of code which relied on mount->mnt_stat.f_owner
to check which user mounted the filesystem.

This became needed as the EA code needs to be able to allocate
blocks for "system" EA users like ACLs.

There seems to be some half-baked (probably only quarter- actually)
notion that the superuser for a given filesystem is the user who
mounted it, but this has far from been carried through.  It is
unclear if it should be.

Sponsored by: DARPA & NAI Labs.
2002-08-19 06:52:21 +00:00
Robert Watson
f050add5c1 Wrap maintenance of varios nmac{objectname} counters in MAC_DEBUG so we
can avoid the cost of a large number of atomic operations if we're not
interested in the object count statistics.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-16 14:21:38 +00:00
Robert Watson
fb95b5d3c3 Rename mac_check_socket_receive() to mac_check_socket_deliver() so that
we can use the names _receive() and _send() for the receive() and send()
checks.  Rename related constants, policy implementations, etc.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-15 18:51:27 +00:00
Robert Watson
d61198e422 Rename mac_check_socket_receive() to mac_check_socket_deliver() so that
we can use the names _receive() and _send() for the receive() and send()
checks.  Rename related constants, policy implementations, etc.

PR:
Submitted by:
Reviewed by:
Approved by:
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
MFC after:
2002-08-15 18:51:26 +00:00
Robert Watson
99fa64f863 Sync to trustedbsd_mac tree: default to sigsegv rather than copy-on-write
during a label change resulting in an mmap removal.  This is "fail stop"
behavior, which is preferred, although it offers slightly less
transparency.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-15 02:28:32 +00:00
Robert Watson
f6d4af7c72 Define 'struct label' in _label.h rather than mac.h, which will permit
us to reduce namespace pollution by doing a nested include of _label.h
rather than mac.h.  mac.h contains lots of baggage, whereas _label.h
contains much less.  A follow-up sweep to change nested inclusion will
follow.  The problem regarding exporting 'struct label' to userland
due to excessive exporting of kernel structures to userland still
needs to be resolved.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
Suggested by:	bde
2002-08-13 15:54:28 +00:00
Robert Watson
7ba28492c5 Declare a module service "kernel_mac_support" when MAC support is
enabled and the kernel provides the MAC registration and entry point
service.  Declare a dependency on that module service for any
MAC module registered using mac_policy.h.  For now, hard code the
version as 1, but once we've come up with a versioning policy, we'll
move to a #define of some sort.  In the mean time, this will prevent
loading a MAC module when 'options MAC' isn't present, which (due to
a bug in the kernel linker) can result if the MAC module is preloaded
via loader.conf.

This particular evil recommended by:	peter
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI LAbs
2002-08-12 02:00:21 +00:00
Jeff Roberson
e6e370a7fe - Replace v_flag with v_iflag and v_vflag
- v_vflag is protected by the vnode lock and is used when synchronization
   with VOP calls is needed.
 - v_iflag is protected by interlock and is used for dealing with vnode
   management issues.  These flags include X/O LOCK, FREE, DOOMED, etc.
 - All accesses to v_iflag and v_vflag have either been locked or marked with
   mp_fixme's.
 - Many ASSERT_VOP_LOCKED calls have been added where the locking was not
   clear.
 - Many functions in vfs_subr.c were restructured to provide for stronger
   locking.

Idea stolen from:	BSD/OS
2002-08-04 10:29:36 +00:00
Robert Watson
01e990be89 Improve ordering of MAC entry points in mac_policy_op structure.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-02 20:33:05 +00:00
Robert Watson
f9d0d52459 Include file cleanup; mac.h and malloc.h at one point had ordering
relationship requirements, and no longer do.

Reminded by:	bde
2002-08-01 17:47:56 +00:00
Robert Watson
4b826b4cfc Change macop_t to const, use macop_t in MAC policy entry point definition
structure.  This prevents a boatload of warnings in the MAC modules,
so we can hook them up to the build.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-01 17:32:01 +00:00
Robert Watson
d8a7b7a3cd Introduce support for Mandatory Access Control and extensible
kernel access control.

Provide implementations of some sample operating system security
policy extensions.  These are not yet hooked up to the build as
other infrastructure is still being committed.  Most of these
work fairly well and are in daily use in our development and (limited)
production environments.  Some are not yet in their final form,
and a number of the labeled policies waste a lot of kernel memory
and will be fixed over the next month or so to be more conservative.
They do give good examples of the flexibility of the MAC framework
for implementing a variety of security policies.

mac_biba:	Implementation of fixed-label Biba integrity policy,
		similar to those found in a number of commercial
		trusted operating systems.  All subjects and objects
		are assigned integrity levels, and information flow
		is controlled based on a read-up, write-down
		policy.  Currently, purely hierarchal.

mac_bsdextended:	Implementation of a "file system firewall",
		which allows the administrator to specify a series
		of rules limiting access by users and groups to
		objects owned by other users and groups.  This
		policy is unlabeled, relying on existing system
		security labeling (file permissions/ownership,
		process credentials).

mac_ifoff:	Secure interface silencing.  Special-purpose module
		to limit inappropriate out-going network traffic
		for silent monitoring scenarios.  Prevents the
		various network stacks from generating any output
		despite an interface being live for reception.

mac_mls:	Implementation of fixed-label Multi-Level Security
		confidentiality policy, similar to those found in
		a number of commercial trusted operating systems.
		All subjects and objects are assigned confidentiality
		levels, and information flow is controlled based on
		a write-up, read-down policy.  Currently, purely
		hiearchal, although non-hierarchal support is in the
		works.

mac_none:	Policy module implementing all MAC policy entry
		points with empty stubs.  A good place to start if
		you want all the prototypes types in for you, and
		don't mind a bit of pruning.  Can be loaded, but
		has no access control impact.  Useful also for
		performance measurements.

mac_seeotheruids:	Policy module implementing a security service
		similar to security.bsd.seeotheruids, only a slightly
		more detailed policy involving exceptions for members
		of specific groups, etc.  This policy is unlabeled,
		relying on existing system security labeling
		(process credentials).

mac_test:	Policy module implementing basic sanity tests for
		label handling.  Attempts to ensure that labels are
		not freed multiple times, etc, etc.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-31 18:07:45 +00:00
Robert Watson
9453a033ff Reduce the memory footprint of MAC in the base system by halving
the number of policy slots to 4.

(Having run a quick errand, time to start on phase 2 of the MAC
integration)

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-31 00:03:26 +00:00
Robert Watson
95fab37ea8 Begin committing support for Mandatory Access Control and extensible
kernel access control.  The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy.  This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported.  Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.

kern_mac.c contains the body of the MAC framework.  Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules.  This code implements a module registration
service, state (label) management, security configuration and policy
composition.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
Robert Watson
ddcdf2650b Begin committing support for Mandatory Access Control and extensible
kernel access control.  The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy.  This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported.  Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.

Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h).  These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module.  These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
Robert Watson
7bc8250003 Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC
userland code to operate on kernel's from the main tree.  Not much
in this file yet.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
Alfred Perlstein
5e8176f9cb Get rid of warnings, there's no need to do preprocessor concatination of
things with commas and equal signs.
2002-06-01 18:45:33 +00:00
Seigo Tanimura
4cc20ab1f0 Back out my lats commit of locking down a socket, it conflicts with hsu's work.
Requested by:	hsu
2002-05-31 11:52:35 +00:00
Alfred Perlstein
99b9331a4f Check for defined(__i386__) instead of just defined(i386) since the compiler
will be updated to only define(__i386__) for ANSI cleanliness.
2002-05-30 07:32:58 +00:00
Seigo Tanimura
243917fe3b Lock down a socket, milestone 1.
o Add a mutex (sb_mtx) to struct sockbuf. This protects the data in a
  socket buffer. The mutex in the receive buffer also protects the data
  in struct socket.

o Determine the lock strategy for each members in struct socket.

o Lock down the following members:

  - so_count
  - so_options
  - so_linger
  - so_state

o Remove *_locked() socket APIs.  Make the following socket APIs
  touching the members above now require a locked socket:

 - sodisconnect()
 - soisconnected()
 - soisconnecting()
 - soisdisconnected()
 - soisdisconnecting()
 - sofree()
 - soref()
 - sorele()
 - sorwakeup()
 - sotryfree()
 - sowakeup()
 - sowwakeup()

Reviewed by:	alfred
2002-05-20 05:41:09 +00:00
John Baldwin
f44d9e24fb Change p_can{debug,see,sched,signal}()'s first argument to be a thread
pointer instead of a proc pointer and require the process pointed to
by the second argument to be locked.  We now use the thread ucred reference
for the credential checks in p_can*() as a result.  p_canfoo() should now
no longer need Giant.
2002-05-19 00:14:50 +00:00
Tom Rhodes
d394511de3 More s/file system/filesystem/g 2002-05-16 21:28:32 +00:00
John Baldwin
59cfd37dd4 Use the proc lock to protect p_ucred while we read a few items from it. 2002-04-11 21:17:45 +00:00
John Baldwin
44731cab3b Change the suser() API to take advantage of td_ucred as well as do a
general cleanup of the API.  The entire API now consists of two functions
similar to the pre-KSE API.  The suser() function takes a thread pointer
as its only argument.  The td_ucred member of this thread must be valid
so the only valid thread pointers are curthread and a few kernel threads
such as thread0.  The suser_cred() function takes a pointer to a struct
ucred as its first argument and an integer flag as its second argument.
The flag is currently only used for the PRISON_ROOT flag.

Discussed on:	smp@
2002-04-01 21:31:13 +00:00
Robert Watson
419fe413e5 DBA update: pick the right DBA for various LOMAC copyrights. 2002-03-13 22:55:20 +00:00
John Baldwin
a854ed9893 Simple p_ucred -> td_ucred changes to start using the per-thread ucred
reference.
2002-02-27 18:32:23 +00:00
Dima Dorfman
76183f3453 Introduce a version field to `struct xucred' in place of one of the
spares (the size of the field was changed from u_short to u_int to
reflect what it really ends up being).  Accordingly, change users of
xucred to set and check this field as appropriate.  In the kernel,
this is being done inside the new cru2x() routine which takes a
`struct ucred' and fills out a `struct xucred' according to the
former.  This also has the pleasant sideaffect of removing some
duplicate code.

Reviewed by:	rwatson
2002-02-27 04:45:37 +00:00
Robert Watson
74237f55b0 Part I: Update extended attribute API and ABI:
o Modify the system call syntax for extattr_{get,set}_{fd,file}() so
  as not to use the scatter gather API (which appeared not to be used
  by any consumers, and be less portable), rather, accepts 'data'
  and 'nbytes' in the style of other simple read/write interfaces.
  This changes the API and ABI.

o Modify system call semantics so that extattr_get_{fd,file}() return
  a size_t.  When performing a read, the number of bytes read will
  be returned, unless the data pointer is NULL, in which case the
  number of bytes of data are returned.  This changes the API only.

o Modify the VOP_GETEXTATTR() vnode operation to accept a *size_t
  argument so as to return the size, if desirable.  If set to NULL,
  the size will not be returned.

o Update various filesystems (pseodofs, ufs) to DTRT.

These changes should make extended attributes more useful and more
portable.  More commits to rebuild the system call files, as well
as update userland utilities to follow.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-02-10 04:43:22 +00:00
Matt Jacob
280304eb49 Replace a few more lines of code orphaned by MFREE going away.
MFC after:	1 day
2002-02-07 22:08:32 +00:00
Julian Elischer
079b7badea Pre-KSE/M3 commit.
this is a low-functionality change that changes the kernel to access the main
thread of a process via the linked list of threads rather than
assuming that it is embedded in the process. It IS still embeded there
but remove all teh code that assumes that in preparation for the next commit
which will actually move it out.

Reviewed by: peter@freebsd.org, gallatin@cs.duke.edu, benno rice,
2002-02-07 20:58:47 +00:00
Brian Feldman
18f29213d4 s/sonewconn3/sonewconn/ forgotten by the modifier. 2001-12-26 18:31:22 +00:00
Brian Feldman
830681f547 Split out NAI Labs license and BSD license to prevent the accidental
violation of either.
2001-12-03 00:21:18 +00:00
Brian Feldman
30454e1977 Return a POSIX-compliant error for write(2) failure. 2001-11-28 23:02:33 +00:00
Brian Feldman
3795613d1d Import LOMAC preliminary release 2.0.0 in src/sys/security. These files may
be modified and do not have to remain on the vendor branch.

http://opensource.nailabs.com/lomac/index.html

Sponsored by: DARPA, NAI Labs (CBOSS project)
2001-11-19 22:34:06 +00:00