Commit Graph

21 Commits

Author SHA1 Message Date
David Malone
89ddbd45e5 Add some new options to mac_bsdestended. We can now match on:
subject: ranges of uid, ranges of gid, jail id
	objects: ranges of uid, ranges of gid, filesystem,
		object is suid, object is sgid, object matches subject uid/gid
		object type

We can also negate individual conditions. The ruleset language is
a superset of the previous language, so old rules should continue
to work.

These changes require a change to the API between libugidfw and the
mac_bsdextended module. Add a version number, so we can tell if
we're running mismatched versions.

Update man pages to reflect changes, add extra test cases to
test_ugidfw.c and add a shell script that checks that the the
module seems to do what we expect.

Suggestions from: rwatson, trhodes
Reviewed by: trhodes
MFC after: 2 months
2006-04-23 17:06:18 +00:00
Ken Smith
a84020c2b9 Bump the shared library version number of all libraries that have not
been bumped since RELENG_5.

Reviewed by:	ru
Approved by:	re (not needed for commit check but in principle...)
2005-07-22 17:19:05 +00:00
Tom Rhodes
0a5660df88 Fix two typos in comments. 2005-04-23 02:20:35 +00:00
Robert Watson
a6c2bc8bcb When parsing the second {uid,gid} in an identity phrase for ugidfw,
check the password or group database before attempting to parse as an
integer, as is done for the first {uid,gid} in an identity phrase.

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
2005-04-16 11:58:55 +00:00
Robert Watson
89afecd482 In practice, you need to include <sys/types.h> and
<security/mac_bsdextended/mac_bsdextended.h> in order to include
<ugidfw.h>, so document that.

MFC after:	3 days
2005-04-16 11:32:46 +00:00
Pawel Jakub Dawidek
4ba88b3d56 Fix typo - link for bsde_add_rule(3) manual page was not created.
MFC after:	1 week
2005-03-28 09:38:43 +00:00
Pawel Jakub Dawidek
fbc822ae3a Properly return rule number.
Submitted by:	Wojciech A. Koszek
PR:		bin/79292
MFC after:	1 week
2005-03-28 09:37:44 +00:00
Robert Watson
f4194603ce Modify libugidfw(3) to use MBI_* permission flags from mac_bsdextended.h
instead of using the V* permission flags from vnode.h.  Remove include
of vnode.h.

Requested by:	phk
2004-10-21 11:21:13 +00:00
Ruslan Ermilov
1a0a934547 Mechanically kill hard sentence breaks. 2004-07-02 23:52:20 +00:00
Ruslan Ermilov
862b46f607 Markup, grammar, punctuation. 2004-07-01 18:20:57 +00:00
Bruce Evans
0f9a2306a5 Fixed misspellings of 0 as NULL. 2004-03-11 09:56:04 +00:00
Robert Watson
47ab23aa82 Add bsde_add_rule(), which is similar to bsde_set_rule() except that
the caller does not specify the rule number -- instead, the kernel
module is probed for the next available rule, which is then used.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-02-25 03:24:39 +00:00
Ruslan Ermilov
9be025500d Assorted mdoc(7) fixes. 2003-06-01 19:41:49 +00:00
Chris Costello
6e238d7604 Correct a couple small typos.
Submitted by:	Attila Nagy <bra@fsn.hu>
2003-01-07 13:18:21 +00:00
Chris Costello
d69f82076b Document the file system firewall interface library functions.
Sponsored by:	DARPA, Network Associates Laboratories
2003-01-07 11:23:43 +00:00
Robert Watson
0285334bc8 License and blurb update authorized by Network Associates. 2002-11-07 20:37:04 +00:00
Peter Wemm
224af215a6 Zap now-unused SHLIB_MINOR 2002-09-28 00:25:32 +00:00
Robert Watson
da30581ecb Use size_t instead of int for len variables passed in/out of sysctl.
Pointed out by:	jake
2002-09-27 16:35:19 +00:00
Robert Watson
912dd12ad1 Use "ugidfw.h" rather than <ugidfw.h> so that mkdep can find it.
Suggested by:	mike
2002-08-14 22:30:07 +00:00
Robert Watson
5fc5c0cd3b De-gccize CFLAGS by removing it.
NOMAN is no longer required when a man page is not yet present.

Submitted by:	ru
2002-08-02 13:33:17 +00:00
Robert Watson
46d1a925c2 Introduce support for Mandatory Access Control and extensible
kernel access control.

Provide a library to manage user file system firewall-like rules
supported by the mac_bsdextended.ko security model.  The kernel
module exports the current rule set using sysctl, and this
library provides a front end that includes support for retrieving
and setting rules, as well as printing and parsing them.

Note: as with other userland components, this is a WIP.  However,
when used in combination with the soon-to-be-committed ugidfw,
it can actually be quite useful in multi-user environments to
allow the administrator to limit inter-user file operations without
resorting to heavier weight labeled security policies.

Obtained form:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-02 07:07:35 +00:00