Commit Graph

180 Commits

Author SHA1 Message Date
Robert Watson
78183ac2d2 Trim "trustedbsd_" from the front of the policy module "short names";
the vendor is only included in the long name currently, reducing
verbosity when modules are registered and unregistered.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-27 19:26:39 +00:00
Robert Watson
5e7ce4785f Modify the mac_init_ipq() MAC Framework entry point to accept an
additional flags argument to indicate blocking disposition, and
pass in M_NOWAIT from the IP reassembly code to indicate that
blocking is not OK when labeling a new IP fragment reassembly
queue.  This should eliminate some of the WITNESS warnings that
have started popping up since fine-grained IP stack locking
started going in; if memory allocation fails, the creation of
the fragment queue will be aborted.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-26 15:12:03 +00:00
Robert Watson
ca26e8ba85 Update the MAC regression test policy to include stubs and testing
functionality for the following entry pints:

  mac_test_init_proc_label()
  mac_test_destroy_proc_label()

For process labeling entry points, now also track the use of process
labels and test assertions about their integrity and life cycle.

  mac_test_thread_userret()
  mac_test_check_kenv_dump()
  mac_test_check_kenv_get()
  mac_test_check_kenv_set()
  mac_test_check_kenv_unset()
  mac_test_check_kld_load()
  mac_test_check_kld_stat()
  mac_test_check_kld_unload()
  mac_test_check_sysarch_ioperm()
  mac_test_check_system_acct()
  mac_test_check_system_reboot()
  mac_test_check_system_settime()
  mac_test_check_system_swapon()
  mac_test_check_system_swapoff()
  mac_test_check_system_sysctl()

For other entry points, just provide testing stubs.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-25 01:20:56 +00:00
Robert Watson
09de2dc22f Update MAC "none" stub policy to include stubs for the following
entry points:

  mac_none_thread_userret()
  mac_none_check_kenv_dump()
  mac_none_check_kenv_get()
  mac_none_check_kenv_set()
  mac_none_check_kenv_unset()
  mac_none_check_kld_load()
  mac_none_check_kld_stat()
  mac_none_check_kld_unload()
  mac_none_check_sysarch_ioperm()
  mac_none_check_system_acct()
  mac_none_check_system_settime()
  mac_none_check_system_swapoff()

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-25 01:18:06 +00:00
Robert Watson
4c64787a5b Expand scope of the MLS policy to include a new entry point available
for enforcement:

  mac_mls_check_system_swapon() - Require that the subject and the
  swapfile target vnode labels dominate one another.  An additional
  check is probably needed here to require that the swapfile target
  has a label of mls/high to prevent information leakage through
  swapfiles.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-25 01:16:10 +00:00
Robert Watson
96c33a0cea Expand scope of the BSD extended "file system firewall" policy to
include a new entry point available for enforcement:

  mac_bsdextended_check_system_swapon() - Apply extended access
  control checks to the file target of swap.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-25 01:14:03 +00:00
Robert Watson
2b03c68008 Expand scope of the Biba policy to include some of the new entry
points available for enforcement:

  mac_biba_check_sysarch_ioperm() - Require Biba privilege to make
  use of privileged machine-dependent interfaces, protecting against
  bypass of the policy via various mechanisms.

  mac_biba_check_system_swapoff() - Require Biba privilege to disable
  swapping against a vnode target.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-25 01:10:54 +00:00
Robert Watson
f09dbc4c57 Garbage collect FREEBSD_MAC_EXTATTR_NAME and FREEBSD_MAC_EXTATTR_NAMESPACE,
which are no longer required now that we have UFS2 with extended
attribute transactions.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-23 02:09:20 +00:00
Poul-Henning Kamp
b4b138c27f Including <sys/stdint.h> is (almost?) universally only to be able to use
%j in printfs, so put a newsted include in <sys/systm.h> where the printf
prototype lives and save everybody else the trouble.
2003-03-18 08:45:25 +00:00
Alexander Kabaev
46300030ec Do not depend on namespace pollution, explicitly include sys/sx.h 2003-03-12 02:55:20 +00:00
Robert Watson
9283578946 Instrument sysarch() MD privileged I/O access interfaces with a MAC
check, mac_check_sysarch_ioperm(), permitting MAC security policy
modules to control access to these interfaces.  Currently, they
protect access to IOPL on i386, and setting HAE on Alpha.
Additional checks might be required on other platforms to prevent
bypass of kernel security protections by unauthorized processes.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-06 04:47:47 +00:00
Robert Watson
1b2c2ab29a Provide a mac_check_system_swapoff() entry point, which permits MAC
modules to authorize disabling of swap against a particular vnode.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-05 23:50:15 +00:00
John Baldwin
263067951a Replace calls to WITNESS_SLEEP() and witness_list() with equivalent calls
to WITNESS_WARN().
2003-03-04 21:03:05 +00:00
Robert Watson
03d031626d A cute yet small MAC policy that provides a simple ACL mechanism to
permit users and groups to bind ports for TCP or UDP, and is intended
to be combined with the recently committed support for
net.inet.ip.portrange.reservedhigh.  The policy is twiddled using
sysctl(8).  To use this module, you will need to compile in MAC
support, and probably set reservedhigh to 0, then twiddle
security.mac.portacl.rules to set things as desired.  This policy
module only restricts ports explicitly bound using bind(), not
implicitly bound ports where the port number is selected by the
IP stack.  It appears to work properly in my local configuration,
but needs more broad testing.

A sample policy might be:

  # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"

This permits uid 425 to bind TCP sockets to ports 79 and 80.  Currently
no distinction is made for incoming vs. outgoing ports with TCP,
although that would probably be easy to add.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-02 23:01:42 +00:00
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Julian Elischer
4a338afd7a Move a bunch of flags from the KSE to the thread.
I was in two minds as to where to put them in the first case..
I should have listenned to the other mind.

Submitted by:	 parts by davidxu@
Reviewed by:	jeff@ mini@
2003-02-17 09:55:10 +00:00
Robert Watson
793274cecf Implement mpo_check_kld_load() and mpo_check_kld_unload() for the Biba
MAC policy.  To load a KLD, require that the subject hold Biba privilege,
and the the kernel module be marked as high integrity.  To unload a
KLD, require that the subject hold Biba privilege.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-02-04 22:38:33 +00:00
Robert Watson
12613c76cc Place more stringent checks on process credential relabeling for the Biba
and MLS policies: as we support both an effective (single) element and
range (available) elements, require that the single be in the range if
both the single and range are defined in the update.  Remove comments
suggesting that such a check might be a good idea.

Don't introduce a similar check for network interfaces; due to different
interpretations of the single and range elements, it's not clear that
it's useful to do so.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-02-04 21:28:46 +00:00
Robert Watson
4d2ec8debb Rename the variable 'grade' to 'type' in interface parsing and
labeling for Biba.

Rename the variable 'level' to 'type' in interface parsing and
labeling for MLS.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-02-04 21:00:51 +00:00
Alfred Perlstein
44956c9863 Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
Matthew Dillon
48e3128b34 Bow to the whining masses and change a union back into void *. Retain
removal of unnecessary casts and throw in some minor cleanups to see if
anyone complains, just for the hell of it.
2003-01-13 00:33:17 +00:00
Matthew Dillon
cd72f2180b Change struct file f_data to un_data, a union of the correct struct
pointer types, and remove a huge number of casts from code using it.

Change struct xfile xf_data to xun_data (ABI is still compatible).

If we need to add a #define for f_data and xf_data we can, but I don't
think it will be necessary.  There are no operational changes in this
commit.
2003-01-12 01:37:13 +00:00
Maxime Henrion
b247d66171 Fix warnings on 64bits architectures.
Noticed by:	alpha tinderbox
2003-01-06 12:07:38 +00:00
Robert Watson
5bf93d2537 Map VAPPEND to VWRITE since the ugidfw rule syntax doesn't specifically
address the append access mode.

Reported by:	"Daniel C. Sobral" <dcs@newsguy.com>
Obtained from:	TrustedBSD Project
Sponosred by:	DARPA, Network Associates Laboratories

MFC Candidate.
2002-12-28 23:41:18 +00:00
Alfred Perlstein
d1e405c5ce SCARGS removal take II. 2002-12-14 01:56:26 +00:00
Alfred Perlstein
bc9e75d7ca Backout removal SCARGS, the code freeze is only "selectively" over. 2002-12-13 22:41:47 +00:00
Alfred Perlstein
0bbe7292e1 Remove SCARGS.
Reviewed by: md5
2002-12-13 22:27:25 +00:00
Robert Watson
eba0370d90 Default policies to on: if you load them or compile them into your
kernel, you should expect them to do something, so now they do.  This
doesn't affect users who don't load or explicitly compile in the
policies.

Approved by:	re (jhb)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-10 16:20:34 +00:00
Robert Watson
990b4b2dc5 Remove dm_root entry from struct devfs_mount. It's never set, and is
unused.  Replace it with a dm_mount back-pointer to the struct mount
that the devfs_mount is associated with.  Export that pointer to MAC
Framework entry points, where all current policies don't use the
pointer.  This permits the SEBSD port of SELinux's FLASK/TE to compile
out-of-the-box on 5.0-CURRENT with full file system labeling support.

Approved by:	re (murray)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-09 03:44:28 +00:00
Robert Watson
e7cba1c7dd Remove a const that generates a warning: the const isn't strictly
wrong, since we don't want the variable changed, but since we assign
it to variables that may also refer to other non-const strings,
warnings were generated that could break LINT.

Approved by:	re
Spotted by:	sam
2002-12-04 22:01:03 +00:00
Robert Watson
52ac2d6442 License tweak: remove clause 3 per permission of NAI.
Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-03 15:26:01 +00:00
Robert Watson
c3a04e1ea4 Unhook the old LOMAC module, now replaced with mac_lomac.
Approved by:	re (jhb)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-03 15:12:36 +00:00
Robert Watson
7496ed81c3 Correct two warnings by staticizing a function and removing an unused
function.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-26 17:38:25 +00:00
Robert Watson
db2661ce96 Import an implementation of LOMAC (Low-Watermark Mandatory Access
Control) as a MAC Framework policy module.  Unlike the existing
src/sys/security/lomac implementation, this one has its fingers out
of the kernel lock order and doesn't make use of flags in existing
kernel structures.  This greatly reduces the quantity of replicated
code with src/sys/kern, simplifies the implementation (3000 vs 8500
lines), and correctes a number of known stability problems with
the existing LOMAC implementation, which will be removed.  A bit
more hooking up to do here.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-26 17:26:06 +00:00
Robert Watson
4d10c0ce5f Un-staticize mac_cred_mmapped_drop_perms() so that it may be used
by policy modules making use of downgrades in the MAC AST event.  This
is required by the mac_lomac port of LOMAC to the MAC Framework.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-26 17:11:57 +00:00
Robert Watson
2555374c4f Introduce p_label, extensible security label storage for the MAC framework
in struct proc.  While the process label is actually stored in the
struct ucred pointed to by p_ucred, there is a need for transient
storage that may be used when asynchronous (deferred) updates need to
be performed on the "real" label for locking reasons.  Unlike other
label storage, this label has no locking semantics, relying on policies
to provide their own protection for the label contents, meaning that
a policy leaf mutex may be used, avoiding lock order issues.  This
permits policies that act based on historical process behavior (such
as audit policies, the MAC Framework port of LOMAC, etc) can update
process properties even when many existing locks are held without
violating the lock order.  No currently committed policies implement use
of this label storage.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-20 15:41:25 +00:00
Robert Watson
a3df768b04 Merge kld access control checks from the MAC tree: these access control
checks permit policy modules to augment the system policy for permitting
kld operations.  This permits policies to limit access to kld operations
based on credential (and other) properties, as well as to perform checks
on the kld being loaded (integrity, etc).

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-19 22:12:42 +00:00
Robert Watson
a96acd1ace Introduce a condition variable to avoid returning EBUSY when
the MAC policy list is busy during a load or unload attempt.
We assert no locks held during the cv wait, meaning we should
be fairly deadlock-safe.  Because of the cv model and busy
count, it's possible for a cv waiter waiting for exclusive
access to the policy list to be starved by active and
long-lived access control/labeling events.  For now, we
accept that as a necessary tradeoff.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-13 15:47:09 +00:00
Robert Watson
63b6f478ec Garbage collect mac_create_devfs_vnode() -- it hasn't been used since
we brought in the new cache and locking model for vnode labels.  We
now rely on mac_associate_devfs_vnode().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-12 04:20:36 +00:00
Robert Watson
2d43d24ed4 Garbage collect definition of M_MACOPVEC -- we no longer perform a
dynamic mapping of an operation vector into an operation structure,
rather, we rely on C99 sparse structure initialization.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-11 14:15:58 +00:00
Robert Watson
ef5def596d Update MAC modules for changes in arguments for exec MAC policy
entry points to include an explicit execlabel.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-08 18:04:36 +00:00
Robert Watson
9fa3506ecd Add an explicit execlabel argument to exec-related MAC policy entry
points, rather than relying on policies to grub around in the
image activator instance structure.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-08 18:04:00 +00:00
Robert Watson
939b97cba6 Update policy modules for changes in arguments associated with support
for label access on the interpreter, not just the shell script.  No
policies currently present in the system rely on the new labels.
2002-11-05 17:52:42 +00:00
Robert Watson
670cb89bf4 Bring in two sets of changes:
(1) Permit userland applications to request a change of label atomic
    with an execve() via mac_execve().  This is required for the
    SEBSD port of SELinux/FLASK.  Attempts to invoke this without
    MAC compiled in result in ENOSYS, as with all other MAC system
    calls.  Complexity, if desired, is present in policy modules,
    rather than the framework.

(2) Permit policies to have access to both the label of the vnode
    being executed as well as the interpreter if it's a shell
    script or related UNIX nonsense.  Because we can't hold both
    vnode locks at the same time, cache the interpreter label.
    SEBSD relies on this because it supports secure transitioning
    via shell script executables.  Other policies might want to
    take both labels into account during an integrity or
    confidentiality decision at execve()-time.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 17:51:56 +00:00
Robert Watson
b317d6f0aa Since neither the Biba policy nor the MLS policy make use of
transitioning, remove their transition entry points.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 16:44:29 +00:00
Robert Watson
4443e9ff4a Assert that appropriate vnodes are locked in mac_execve_will_transition().
Allow transitioning to be twiddled off using the process and fs enforcement
flags, although at some point this should probably be its own flag.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 15:11:33 +00:00
Robert Watson
743d9c6a2d Implement mpo_check_system_acct and mpo_check_system_settime() for Biba:
require Biba privilege to configure either, and require that accounting
files be high integrity.  Note that this does allow implicit information
flow from low to high integrity, but it also protects the integrity
of accounting data.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 17:50:52 +00:00
Robert Watson
1980cf9b79 Correct use of mac_biba_subject_privileged() in swapon() code.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 17:36:47 +00:00
Robert Watson
e5e820fd1f Permit MAC policies to instrument the access control decisions for
system accounting configuration and for nfsd server thread attach.
Policies might use this to protect the integrity or confidentiality
of accounting data, limit the ability to turn on or off accounting,
as well as to prevent inappropriately labeled threads from becoming nfs
server threads.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 15:13:36 +00:00
Robert Watson
3da87a65c7 Remove mac_cache_fslabel_in_vnode sysctl -- with the new VFS/MAC
construction, labels are always cached.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 14:55:14 +00:00