Commit Graph

310 Commits

Author SHA1 Message Date
rwatson
bee4df7ecf Update copyright for NETA->McAfee. 2005-01-30 12:38:47 +00:00
rwatson
642c9f6be4 Remove policy references to mpo_check_vnode_mprotect(), which is
currently unimplemented.

Update copyrights.

Pointed out by:	csjp
2005-01-26 23:43:32 +00:00
rwatson
116e320632 Remove an obsoleted comment about struct versions.
MFC after:	3 days
Pointed out by:	trhodes
2005-01-23 14:26:09 +00:00
rwatson
2402e64455 Update mac_test for MAC Framework policy entry points System V IPC
objects (message queues, semaphores, shared memory), exercising and
validating MAC labels on these objects.

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2005-01-22 20:31:29 +00:00
rwatson
017d78ac18 Update mac_stub for MAC Framework policy entry points System V IPC
objects (message queues, semaphores, shared memory).

Submitted by:   Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:  TrustedBSD Project
Sponsored by:   DARPA, SPAWAR, McAfee Research
2005-01-22 20:26:43 +00:00
rwatson
68c20ee2fc Implement MLS confidentiality protection for System V IPC objects
(message queues, semaphores, shared memory).

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2005-01-22 20:11:16 +00:00
rwatson
2dc0272f55 Implement Biba integrity protection for System V IPC objects (message
queues, semaphores, shared memory).

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2005-01-22 20:07:11 +00:00
rwatson
61be3b18c2 Exempt the superuser from mac_seeotheruids checks.
Submitted by:	bkoenig at cs dot tu-berlin dot de
PR:		72238
MFC after:	2 weeks
2005-01-03 12:08:18 +00:00
rwatson
9d47460c9f Add a new sysctl/tunable to mac_portacl:
security.mac.portacl.autoport_exempt

This sysctl exempts to bind port '0' as long as IP_PORTRANGELOW hasn't
been set on the socket.  This is quite useful as it allows applications
to use automatic binding without adding overly broad rules for the
binding of port 0.  This sysctl defaults to enabled.

This is a slight variation on the patch submitted by the contributor.

MFC after:	2 weeks
Submitted by:	Michal Mertl <mime at traveller dot cz>
2004-12-08 11:46:44 +00:00
rwatson
cfc2a49550 Switch from using an sx lock to a mutex for the mac_portacl rule chain:
the sx lock was used previously because we might sleep allocating
additional memory by using auto-extending sbufs.  However, we no longer
do this, instead retaining the user-submitted rule string, so mutexes
can be used instead.  Annotate the reason for not using the sbuf-related
rule-to-string code with a comment.

Switch to using TAILQ_CONCAT() instead of manual list copying, as it's
O(1), reducing the rule replacement step under the mutex from O(2N) to
O(2).

Remove now uneeded vnode-related includes.

MFC after:	2 weeks
2004-12-06 19:43:45 +00:00
rwatson
685020ad66 Implement MAC entry points relating to System V IPC, calling into the
MAC policies to perform object life cycle operations and access
control checks.

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2004-11-17 13:14:24 +00:00
rwatson
c9a43cd544 Define new MAC framework and policy entry points for System V IPC
objects and operations:

- System V IPC message, message queue, semaphore, and shared memory
  segment init, destroy, cleanup, create operations.

- System V IPC message, message queue, seamphore, and shared memory
  segment access control entry points, including rights to attach,
  destroy, and manipulate these IPC objects.

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
rwatson
ce354149da Bump MAC Framework version to 2 in preparation for the upcoming API/ABI
changes associated with adding System V IPC support.  This will prevent
old modules from being used with the new kernel, and new modules from
being used with the old kernel.
2004-11-09 11:28:40 +00:00
rwatson
0c742e1c62 Disable use of synchronization early in the boot by the MAC Framework;
for modules linked into the kernel or loaded very early, panics will
result otherwise, as the CV code it calls will panic due to its use
of a mutex before it is initialized.
2004-10-30 14:20:59 +00:00
rwatson
2b39d3f211 /%x/%s/ -- mismerged DEBUGGER() printf() format stirng from the
TrustedBSD branch.

Submitted by:	bde
2004-10-23 15:12:34 +00:00
rwatson
863bf2a8c9 Expand comments on various sections of the MAC Framework Policy API,
as well as document the properties of the mac_policy_conf structure.
Warn about the ABI risks in changing the structure without careful
consideration.

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR
2004-10-22 11:29:30 +00:00
rwatson
684936c84e Replace direct reference to kdb_enter() with a DEBUGGER() macro that
will call printf() if KDB isn't compiled into the kernel.

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR
2004-10-22 11:24:50 +00:00
rwatson
b7b82ff2b5 Minor white space synchronization and line wrapping. 2004-10-22 11:15:47 +00:00
rwatson
692b8d0a22 In the MAC label zone destructor, assert that the label is only
destroyed in an initialized state.
2004-10-22 11:08:52 +00:00
rwatson
93d412bb88 Remove extern declaration of mac_enforce_sysv, as it's not present in
the CVS version of the MAC Framework.
2004-10-22 11:07:18 +00:00
rwatson
58c1a4e0ca Bump copyright dates for NETA on these files. 2004-10-21 11:29:56 +00:00
rwatson
54b00b391b Modify mac_bsdextended policy so that it defines its own vnode access
right bits rather than piggy-backing on the V* rights defined in
vnode.h.  The mac_bsdextended bits are given the same values as the V*
bits to make the new kernel module binary compatible with the old
version of libugidfw that uses V* bits.  This avoids leaking kernel
API/ABI to user management tools, and in particular should remove the
need for libugidfw to include vnode.h.

Requested by:	phk
2004-10-21 11:19:02 +00:00
trhodes
7388535ec2 Remove the debugging tunable, it was not being used.
Enable first match by default.[1]

We should:	rwatson [1]
2004-09-10 15:14:50 +00:00
trhodes
48df20f124 Allow mac_bsdextended(4) to log failed attempts to syslog's AUTHPRIV
facility.  This is disabled by default but may be turned on by using
the mac_bsdextended_logging sysctl.

Reviewed by:	re (jhb)
Approved by:	re (jhb)
2004-08-21 20:19:19 +00:00
trhodes
6179eaaebd Give the mac_bsdextended(4) policy the ability to match and apply on a first
rule only in place of all rules match.  This is similar to how ipfw(8) works.

Provide a sysctl, mac_bsdextended_firstmatch_enabled, to enable this
feature.

Reviewed by:	re (jhb)
Aprroved by:	re (jhb)
2004-08-21 20:15:08 +00:00
green
b4098a24e5 * Add a "how" argument to uma_zone constructors and initialization functions
so that they know whether the allocation is supposed to be able to sleep
  or not.
* Allow uma_zone constructors and initialation functions to return either
  success or error.  Almost all of the ones in the tree currently return
  success unconditionally, but mbuf is a notable exception: the packet
  zone constructor wants to be able to fail if it cannot suballocate an
  mbuf cluster, and the mbuf allocators want to be able to fail in general
  in a MAC kernel if the MAC mbuf initializer fails.  This fixes the
  panics people are seeing when they run out of memory for mbuf clusters.
* Allow debug.nosleepwithlocks on WITNESS to be disabled, without changing
  the default.

Both bmilekic and jeff have reviewed the changes made to make failable
zone allocations work.
2004-08-02 00:18:36 +00:00
kan
818a0721af Introduce SLOT_SET macro and use it in place of casts as lvalues. 2004-07-28 07:01:33 +00:00
rwatson
6667b7714e Allow an effective uid of root to bypass mac_bsdextended rules; the MAC
Framework can restrict the root user, but this policy is not intended
to support that.

Stylish Swiss footwear provided for:	trhodes
2004-07-23 01:53:28 +00:00
rwatson
6a12a2400a Rename Biba and MLS _single label elements to _effective, which more
accurately represents the intention of the 'single' label element in
Biba and MLS labels.  It also approximates the use of 'effective' in
traditional UNIX credentials, and avoids confusion with 'singlelabel'
in the context of file systems.

Inspired by:	trhodes
2004-07-16 02:03:50 +00:00
phk
803ccd11bd Do a pass over all modules in the kernel and make them return EOPNOTSUPP
for unknown events.

A number of modules return EINVAL in this instance, and I have left
those alone for now and instead taught MOD_QUIESCE to accept this
as "didn't do anything".
2004-07-15 08:26:07 +00:00
marcel
2dc1cdfe05 Update for the KDB framework:
o  Call kdb_enter() instead of Debugger().
2004-07-10 21:47:53 +00:00
rwatson
5b5e6eeb1b Introduce a temporary mutex, mac_ifnet_mtx, to lock MAC labels on
network interfaces.  This global mutex will protect all ifnet labels.
Acquire the mutex across various MAC activities on interfaces, such
as security checks, propagating interface labels to mbufs generated
from the interface, retrieving and setting the interface label.

Introduce mpo_copy_ifnet_label MAC policy entry point to copy the
value of an interface label from one label to another.  Use this
to avoid performing a label externalize while holding mac_ifnet_mtx;
copy the label to a temporary ifnet label and then externalize that.

Implement mpo_copy_ifnet_label for various MAC policies that
implement interface labeling using generic label copying routines.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-06-24 03:34:46 +00:00
phk
70c86a601e Do the dreaded s/dev_t/struct cdev */
Bump __FreeBSD_version accordingly.
2004-06-16 09:47:26 +00:00
rwatson
0f9a4a0ff3 Socket MAC labels so_label and so_peerlabel are now protected by
SOCK_LOCK(so):

- Hold socket lock over calls to MAC entry points reading or
  manipulating socket labels.

- Assert socket lock in MAC entry point implementations.

- When externalizing the socket label, first make a thread-local
  copy while holding the socket lock, then release the socket lock
  to externalize to userspace.
2004-06-13 02:50:07 +00:00
phk
560bcad7ab add missing #include <sys/module.h> 2004-05-30 20:27:19 +00:00
cperciva
77ddd4dd00 Remove dead code. (This loop counted the number of rules, but the count
was never used.)

Reported by:	pjd
Approved by:	rwatson
2004-05-15 20:55:19 +00:00
rwatson
d2036883d4 Improve consistency of include file guards in src/sys/sys by terminating
them with '_', as well as beginning with '_'.

Observed by:	bde
2004-05-10 18:38:07 +00:00
rwatson
3c87e03a42 If the mbuf pointer passed to mac_mbuf_to_label() is NULL, or the tag
lookup for the label tag fails, return NULL rather than something close
to NULL.  This scenario occurs if mbuf header labeling is optional and
a policy requiring labeling is loaded, resulting in some mbufs having
labels and others not.  Previously, 0x14 would be returned because the
NULL from m_tag_find() was not treated specially.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-05-03 23:37:48 +00:00
rwatson
aeb25b32c6 Add /* !MAC */ to final #endif. 2004-05-03 22:54:46 +00:00
rwatson
9b8d7cd7db Update copyright. 2004-05-03 21:38:42 +00:00
rwatson
de230012dd When performing label assertions on an mbuf header label in mac_test,
test the label pointer for NULL before testing the label slot for
permitted values.  When loading mac_test dynamically with conditional
mbuf labels, the label pointer may be NULL if the mbuf was
instantiated while labels were not required on mbufs by any policy.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-05-03 21:38:23 +00:00
rwatson
34a605f5f2 Bump copyright date for NETA to 2004. 2004-05-03 20:53:27 +00:00
rwatson
09a6846044 Add MAC_STATIC, a kernel option that disables internal MAC Framework
synchronization protecting against dynamic load and unload of MAC
policies, and instead simply blocks load and unload.  In a static
configuration, this allows you to avoid the synchronization costs
associated with introducing dynamicism.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-05-03 20:53:05 +00:00
rwatson
51381a2b94 Define BPFD_LOCK_ASSERT() to assert the BPF descriptor lock.
Assert the BPF descriptor lock in the MAC calls referencing live
BPF descriptors.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-02-29 15:33:56 +00:00
rwatson
cf72109a50 Forward declare struct proc, struct sockaddr, and struct thread, which
are employed in entry points later in the same include file.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Air Force Research Laboratory, McAfee Research
2004-02-26 20:44:50 +00:00
rwatson
e62b3e3c22 Forward declare struct bpf_d, struct ifnet, struct image_params, and
struct vattr in mac_policy.h.  This permits policies not
implementing entry points using these types to compile without
including include files with these types.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Air Force Research Laboratory
2004-02-26 16:15:14 +00:00
rwatson
959ca72205 Move inet and inet6 related MAC Framework entry points from mac_net.c
to a new mac_inet.c.  This code is now conditionally compiled based
on inet support being compiled into the kernel.

Move socket related MAC Framework entry points from mac_net.c to a new
mac_socket.c.

To do this, some additional _enforce MIB variables are now non-static.
In addition, mbuf_to_label() is now mac_mbuf_to_label() and non-static.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-02-26 03:51:04 +00:00
pjd
f3a9dcba57 Reimplement sysctls handling by MAC framework.
Now I believe it is done in the right way.

Removed some XXMAC cases, we now assume 'high' integrity level for all
sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic.

Reviewed by:	rwatson
Approved by:	rwatson, scottl (mentor)
Tested with:	LINT (compilation), mac_biba(4) (functionality)
2004-02-22 12:31:44 +00:00
rwatson
26aea431f8 Update my personal copyrights and NETA copyrights in the kernel
to use the "year1-year3" format, as opposed to "year1, year2, year3".
This seems to make lawyers more happy, but also prevents the
lines from getting excessively long as the years start to add up.

Suggested by:	imp
2004-02-22 00:33:12 +00:00
rwatson
0595460202 Commit file missed in last pass: MAC api uses 'struct pipepair', not
'struct pipe' now.
2004-02-01 21:52:09 +00:00