Commit Graph

7 Commits

Author SHA1 Message Date
Robert Watson
f51e58036e Redesign the externalization APIs from the MAC Framework to
the MAC policy modules to improve robustness against C string
bugs and vulnerabilities.  Following these revisions, all
string construction of labels for export to userspace (or
elsewhere) is performed using the sbuf API, which prevents
the consumer from having to perform laborious and intricate
pointer and buffer checks.  This substantially simplifies
the externalization logic, both at the MAC Framework level,
and in individual policies; this becomes especially useful
when policies export more complex label data, such as with
compartments in Biba and MLS.

Bundled in here are some other minor fixes associated with
externalization: including avoiding malloc while holding the
process mutex in mac_lomac, and hence avoid a failure mode
when printing labels during a downgrade operation due to
the removal of the M_NOWAIT case.

This has been running in the MAC development tree for about
three weeks without problems.

Obtained from:	TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
Robert Watson
78183ac2d2 Trim "trustedbsd_" from the front of the policy module "short names";
the vendor is only included in the long name currently, reducing
verbosity when modules are registered and unregistered.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-27 19:26:39 +00:00
Robert Watson
ef5def596d Update MAC modules for changes in arguments for exec MAC policy
entry points to include an explicit execlabel.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-08 18:04:36 +00:00
Robert Watson
dc858fcabe License and wording updates: NAI has authorized the removal of clause
three from their BSD-style license.  Also, s/NAI Labs/Network Associates
Laboratories/.
2002-11-04 01:53:12 +00:00
Robert Watson
0d89ccd7d5 Change privilege model for mac_partition such that BSD superuser can change
the partition once a partition has been set.  This is required for correct
operation of sendmail between partitions.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-03 00:53:03 +00:00
Robert Watson
5c8dd34218 Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure.  Originally, we used a vector
for two reasons:

(1) We wanted to define the structure sparsely, which wasn't
    supported by the C compiler for structures.  For a policy
    with five entry points, you don't want to have to stick in
    a few hundred NULL function pointers.

(2) We thought it would improve ABI compatibility allowing modules
    to work with kernels that had a superset of the entry points
    defined in the module, even if the kernel had changed its
    entry point set.

Both of these no longer apply:

(1) C99 gives us a way to sparsely define a static structure.

(2) The ABI problems existed anyway, due to enumeration numbers,
    argument changes, and semantic mismatches.  Since the going
    rule for FreeBSD is that you really need your modules to
    pretty closely match your kernel, it's not worth the
    complexity.

This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions.  One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
Robert Watson
8c7327e183 Provide a simple sample labeled access control policy, mac_partition.
This policy can be loaded dynamically, and assigns each process a
partition number, as well as permitting processes to operate outside
the partition.  Processes contained in a partition can only "see"
processes inside the same partition, so it's a little like jail.
The partition of a user can be set using the label mechanisms in
login.conf.  This sample policy is a good starting point for developers
wanting to learn about how to produce labeled policies, as it labels
only one kernel object, the process credential.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-23 23:36:27 +00:00