- Add rm_init_flags() and accept extended options only for that variation.
- Add a flags space specifically for rm_init_flags(), rather than borrowing
the lock_init() flag space.
- Define flag RM_RECURSE to use instead of LO_RECURSABLE.
- Define flag RM_NOWITNESS to allow an rmlock to be exempt from WITNESS
checking; this wasn't possible previously as rm_init() always passed
LO_WITNESS when initializing an rmlock's struct lock.
- Add RM_SYSINIT_FLAGS().
- Rename embedded mutex in rmlocks to make it more obvious what it is.
- Update consumers.
- Update man page.
by creating a child jail, which is visible to that jail and to any
parent jails. Child jails may be restricted more than their parents,
but never less. Jail names reflect this hierarchy, being MIB-style
dot-separated strings.
Every thread now points to a jail, the default being prison0, which
contains information about the physical system. Prison0's root
directory is the same as rootvnode; its hostname is the same as the
global hostname, and its securelevel replaces the global securelevel.
Note that the variable "securelevel" has actually gone away, which
should not cause any problems for code that properly uses
securelevel_gt() and securelevel_ge().
Some jail-related permissions that were kept in global variables and
set via sysctls are now per-jail settings. The sysctls still exist for
backward compatibility, used only by the now-deprecated jail(2) system
call.
Approved by: bz (mentor)
the VFS. Now all the VFS_* functions and relating parts don't want the
context as long as it always refers to curthread.
In some points, in particular when dealing with VOPs and functions living
in the same namespace (eg. vflush) which still need to be converted,
pass curthread explicitly in order to retain the old behaviour.
Such loose ends will be fixed ASAP.
While here fix a bug: now, UFS_EXTATTR can be compiled alone without the
UFS_EXTATTR_AUTOSTART option.
VFS KPI is heavilly changed by this commit so thirdy parts modules needs
to be recompiled. Bump __FreeBSD_version in order to signal such
situation.
MAC_BOOLEAN -> MAC_POLICY_BOOLEAN
MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP
MAC_CHECK -> MAC_POLICY_CHECK
MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP
MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE
MAC_GRANT -> MAC_POLICY_GRANT
MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP
MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE
MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK
MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP
This frees up those macro names for use in wrapping calls into the MAC
Framework from the remainder of the kernel.
Obtained from: TrustedBSD Project
login(1) isn't quite ready for them yet on 64-bit systems as it continues
to use the conventions of the old version of the API.
Reported by: stas, Jakub Lach <jakub_lach at mailplus.pl>
- Add and use mapping of fcntl(2) commands to new BSM constant space.
- Adopt (int) rather than (long) arguments to a number of auditon(2)
commands, as has happened in Solaris, and add compatibility code to
handle the old comments.
Note that BSM_PF_IEEE80211 is partially but not fully removed, as the
userspace OpenBSM 1.1alpha5 code still depends on it. Once userspace
is updated, I'll GCC the kernel constant.
MFC after: 2 weeks
Sponsored by: Apple, Inc.
Obtained from: TrustedBSD Project
Portions submitted by: sson
audit_bsm_fcntl.c contain utility routines to map local fcntl
commands into BSM constants. Adaptation to the FreeBSD kernel
environment will follow in a future commit.
Sponsored by: Apple, Inc.
Obtained from: TrustedBSD Project
MFC after: 2 weeks
when someone is passing new rules, not when he only want to read them.
Because of this bug, even if the given rules were incorrect, they
ended up in rule_string.
- Add missing protection for rule_string when coping it.
Reviewed by: rwatson
MFC after: 1 week
improve performance:
- Eliminate custom reference count and condition variable to monitor
threads entering the framework, as this had both significant overhead
and behaved badly in the face of contention.
- Replace reference count with two locks: an rwlock and an sx lock,
which will be read-acquired by threads entering the framework
depending on whether a give policy entry point is permitted to sleep
or not.
- Replace previous mutex locking of the reference count for exclusive
access with write acquiring of both the policy list sx and rw locks,
which occurs only when policies are attached or detached.
- Do a lockless read of the dynamic policy list head before acquiring
any locks in order to reduce overhead when no dynamic policies are
loaded; this a race we can afford to lose.
- For every policy entry point invocation, decide whether sleeping is
permitted, and if not, use a _NOSLEEP() variant of the composition
macros, which will use the rwlock instead of the sxlock. In some
cases, we decide which to use based on allocation flags passed to the
MAC Framework entry point.
As with the move to rwlocks/rmlocks in pfil, this may trigger witness
warnings, but these should (generally) be false positives as all
acquisition of the locks is for read with two very narrow exceptions
for policy load/unload, and those code blocks should never acquire
other locks.
Sponsored by: Google, Inc.
Obtained from: TrustedBSD Project
Discussed with: csjp (idea, not specific patch)
not there is an audit record hung off of td_ar on the current thread.
Test this flag instead of td_ar when auditing syscall arguments or
checking for an audit record to commit on syscall return. Under
these circumstances, td_pflags is much more likely to be in the cache
(especially if there is no auditing of the current system call), so
this should help reduce cache misses in the system call return path.
MFC after: 1 week
Reported by: kris
Obtained from: TrustedBSD Project
extended attribute get/set; in the case of get an uninitialized user
buffer was passed before the EA was retrieved, making it of relatively
little use; the latter was simply unused by any policies.
Obtained from: TrustedBSD Project
Sponsored by: Google, Inc.
naming by renaming certain "proc" entry points to "cred" entry points,
reflecting their manipulation of credentials. For some entry points,
the process was passed into the framework but not into policies; in
these cases, stop passing in the process since we don't need it.
mac_proc_check_setaudit -> mac_cred_check_setaudit
mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr
mac_proc_check_setauid -> mac_cred_check_setauid
mac_proc_check_setegid -> mac_cred_check_setegid
mac_proc_check_seteuid -> mac_cred_check_seteuid
mac_proc_check_setgid -> mac_cred_check_setgid
mac_proc_check_setgroups -> mac_cred_ceck_setgroups
mac_proc_check_setregid -> mac_cred_check_setregid
mac_proc_check_setresgid -> mac_cred_check_setresgid
mac_proc_check_setresuid -> mac_cred_check_setresuid
mac_proc_check_setreuid -> mac_cred_check_setreuid
mac_proc_check_setuid -> mac_cred_check_setuid
Obtained from: TrustedBSD Project
Sponsored by: Google, Inc.
privilege grants so that dtrace can be more easily used to monitor
the security decisions being generated by the MAC Framework following
policy invocation.
Successful access control checks will be reported by:
mac_framework:kernel:<entrypoint>:mac_check_ok
Failed access control checks will be reported by:
mac_framework:kernel:<entrypoint>:mac_check_err
Successful privilege grants will be reported by:
mac_framework:kernel:priv_grant:mac_grant_ok
Failed privilege grants will be reported by:
mac_framework:kernel:priv_grant:mac_grant_err
In all cases, the return value (always 0 for _ok, otherwise an errno
for _err) will be reported via arg0 on the probe, and subsequent
arguments will hold entrypoint-specific data, in a style similar to
privilege tracing.
Obtained from: TrustedBSD Project
Sponsored by: Google, Inc.
wrapper macros that allow trace points and arguments to be declared
using a single macro rather than several. This means a lot less
repetition and vertical space for each trace point.
Use these macros when defining privilege and MAC Framework trace points.
Reviewed by: jb
MFC after: 1 week
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).
OpenBSM history for imported revision below for reference.
MFC after: 1 month
Sponsored by: Apple, Inc.
Obtained from: TrustedBSD Project
OpenBSM 1.1 beta 1
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added. It is configured in
audit_control(5) with the expire-after parameter. If there is no
expire-after parameter in audit_control(5), the default, then the audit
trail files are not expired and removed. See audit_control(5) for
more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
partitions, rotate automatically at 2mb, and set the default policy to
cnt,argv rather than cnt so that execve(2) arguments are captured if
AUE_EXECVE events are audited. These may provide more usable defaults for
many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge). Hook up bsm_domain.c and bsm_socket_type.c to the libbsm
build along with man pages, add audit_bsm_domain.c and
audit_bsm_socket_type.c to the kernel environment.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month
Sponsored by: Apple Inc.
Obtained from: TrustedBSD Project
OpenBSM 1.1 alpha 5
- Stub libauditd(3) man page added.
- All BSM error number constants with BSM_ERRNO_.
- Interfaces to convert between local and BSM socket types and protocol
families have been added: au_bsm_to_domain(3), au_bsm_to_socket_type(3),
au_domain_to_bsm(3), and au_socket_type_to_bsm(3), along with definitions
of constants in audit_domain.h and audit_socket_type.h. This improves
interoperability by converting local constant spaces, which vary by OS, to
and from Solaris constants (where available) or OpenBSM constants for
protocol domains not present in Solaris (a fair number). These routines
should be used when generating and interpreting extended socket tokens.
- Fix build warnings with full gcc warnings enabled on most supported
platforms.
- Don't compile error strings into bsm_errno.c when building it in the kernel
environment.
- When started by launchd, use the label com.apple.auditd rather than
org.trustedbsd.auditd.
they label, derive that information implicitly from the set of label
initializers in their policy operations set. This avoids a possible
class of programmer errors, while retaining the structure that
allows us to avoid allocating labels for objects that don't need
them. As before, we regenerate a global mask of labeled objects
each time a policy is loaded or unloaded, stored in mac_labeled.
Discussed with: csjp
Suggested by: Jacques Vidrine <nectar at apple.com>
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
lock in order to avoid the lock acquire hit if the pipe list is very
likely empty.
Obtained from: TrustedBSD Project
MFC after: 3 weeks
Sponsored by: Apple, Inc.
record is active on the current thread--historically we may always
have wanted to enter the audit code if auditing was enabled, but now
we just commit the audit record so don't need to enter if there isn't
one.
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge). Add libauditd build parts and add to auditd's linkage;
force libbsm to build before libauditd.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month
Sponsored by: Apple Inc.
Obtained from: TrustedBSD Project
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This buge.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
mac_proc_vm_revoke_recurse() requests a read lock on the vm map at the start
but does not handle failure by vm_map_lock_upgrade() when it seeks to modify
the vm map. At present, this works because all lock request on a vm map are
implemented as exclusive locks. Thus, vm_map_lock_upgrade() is a no-op that
always reports success. However, that is about to change, and
proc_vm_revoke_recurse() will require substantial modifications to handle
vm_map_lock_upgrade() failures. For the time being, I am changing
mac_proc_vm_revoke_recurse() to request a write lock on the vm map at the
start.
Approved by: rwatson
MFC after: 3 months
contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).
- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8).
- Merge support for new tokens, fixes to existing token generation to
audit_bsm_token.c.
- Synchronize bsm includes and definitions.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month
Sponsored by: Apple Inc.
Obtained from: TrustedBSD Project
--
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not being arguments so
that const strings can be passed as arguments to tokens. This patch was
submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
by getaudit(2). Some applications such has su, id will interpret E2BIG as
requiring the use of getaudit_addr(2) to pull extended audit state (ip6)
from the kernel.
This change un-breaks the ABI when auditing has been activated on a system
and the users are logged in via ip6.
This is a RELENG_7_1 candidate.
MFC after: 1 day
Discussed with: rwatson
Bring in updated jail support from bz_jail branch.
This enhances the current jail implementation to permit multiple
addresses per jail. In addtion to IPv4, IPv6 is supported as well.
Due to updated checks it is even possible to have jails without
an IP address at all, which basically gives one a chroot with
restricted process view, no networking,..
SCTP support was updated and supports IPv6 in jails as well.
Cpuset support permits jails to be bound to specific processor
sets after creation.
Jails can have an unrestricted (no duplicate protection, etc.) name
in addition to the hostname. The jail name cannot be changed from
within a jail and is considered to be used for management purposes
or as audit-token in the future.
DDB 'show jails' command was added to aid debugging.
Proper compat support permits 32bit jail binaries to be used on 64bit
systems to manage jails. Also backward compatibility was preserved where
possible: for jail v1 syscalls, as well as with user space management
utilities.
Both jail as well as prison version were updated for the new features.
A gap was intentionally left as the intermediate versions had been
used by various patches floating around the last years.
Bump __FreeBSD_version for the afore mentioned and in kernel changes.
Special thanks to:
- Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches
and Olivier Houchard (cognet) for initial single-IPv6 patches.
- Jeff Roberson (jeff) and Randall Stewart (rrs) for their
help, ideas and review on cpuset and SCTP support.
- Robert Watson (rwatson) for lots and lots of help, discussions,
suggestions and review of most of the patch at various stages.
- John Baldwin (jhb) for his help.
- Simon L. Nielsen (simon) as early adopter testing changes
on cluster machines as well as all the testers and people
who provided feedback the last months on freebsd-jail and
other channels.
- My employer, CK Software GmbH, for the support so I could work on this.
Reviewed by: (see above)
MFC after: 3 months (this is just so that I get the mail)
X-MFC Before: 7.2-RELEASE if possible
pointer in a local thread. While this is unlikely to significantly
improve performance given modern compiler behavior, it makes the code
more readable and reduces diffs to the Mac OS X version of the same
code (which stores things in creds in the same way, but where the
cred for a thread is reached quite differently).
Discussed with: sson
MFC after: 1 month
Sponsored by: Apple Inc.
Obtained from: TrustedBSD Project
queue length variables as well, avoiding storing the limit in a larger
type than the length.
Submitted by: sson
Sponsored by: Apple Inc.
MFC after: 1 week
regular header tokens. The extended header tokens contain an IP
or IPv6 address which makes it possible to identify which host an
audit record came from when audit records are centralized.
If the host information has not been specified, the system will
default to the old style headers. Otherwise, audit records that
are created as a result of system calls will contain host information.
This implemented has been designed to be consistent with the Solaris
implementation. Host information is set/retrieved using the A_GETKAUDIT
and A_SETKAUDIT auditon(2) commands. These commands require that a
pointer to a auditinfo_addr_t object is passed. Currently only IP and
IPv6 address families are supported.
The users pace bits associated with this change will follow in an
openbsm import.
Reviewed by: rwatson, (sson, wsalamon (older version))
MFC after: 1 month
record queue, so move the offset field from the per-record
audit_pipe_entry structure to the audit_pipe structure.
Now that we support reading more than one record at a time, add a
new summary field to audit_pipe, ap_qbyteslen, which tracks the
total number of bytes present in a pipe, and return that (minus
the current offset) via FIONREAD and kqueue's data variable for
the pending byte count rather than the number of bytes remaining
in only the first record.
Add a number of asserts to confirm that these counts and offsets
following the expected rules.
MFC after: 2 months
Sponsored by: Apple, Inc.
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
pipe has overflowed, drop the newest, rather than oldest, record. This
makes overflow drop behavior consistent with memory allocation failure
leading to drop, avoids touching the consumer end of the queue from a
producer, and lowers the CPU overhead of dropping a record by dropping
before memory allocation and copying.
Obtained from: Apple, Inc.
MFC after: 2 months
protecting the list of audit pipes, and a per-pipe mutex protecting the
queue.
Likewise, replace the single global condition variable used to signal
delivery of a record to one or more pipes, and add a per-pipe condition
variable to avoid spurious wakeups when event subscriptions differ
across multiple pipes.
This slightly increases the cost of delivering to audit pipes, but should
reduce lock contention in the presence of multiple readers as only the
per-pipe lock is required to read from a pipe, as well as avoid
overheading when different pipes are used in different ways.
MFC after: 2 months
Sponsored by: Apple, Inc.
mutex, as it's rarely changed but frequently accessed read-only from
multiple threads, so a potentially significant source of contention.
MFC after: 1 month
Sponsored by: Apple, Inc.
access control checks in mac_bsdextended are not in the same
namespace as the MBI_ flags used in ugidfw policies, so add an
explicit conversion routine to get from one to the other.
Obtained from: TrustedBSD Project
to add more V* constants, and the variables changed by this patch were often
being assigned to mode_t variables, which is 16 bit.
Approved by: rwatson (mentor)
memory mappings when the MAC label on a process changes, to
mac_proc_vm_revoke(),
It now also acquires its own credential reference directly from the
affected process rather than accepting one passed by the the caller,
simplifying the API and consumer code.
Obtained from: TrustedBSD Project
that they operate directly on credentials: mac_proc_create_swapper(),
mac_proc_create_init(), and mac_proc_associate_nfsd(). Update policies.
Obtained from: TrustedBSD Project
be a no-op request, and why this might have to change if we want to allow
leaving a partition someday.
Obtained from: TrustedBSD Project
MFC after: 3 days
control logic and policy registration remaining in that file, and access
control checks broken out into other files by class of check.
Obtained from: TrustedBSD Project
fragment reassembly queues.
This allows policies to label reassembly queues, perform access
control checks when matching fragments to a queue, update a queue
label when fragments are matched, and label the resulting
reassembled datagram.
Obtained from: TrustedBSD Project
When I changed kern_conf.c three months ago I made device unit numbers
equal to (unneeded) device minor numbers. We used to require
bitshifting, because there were eight bits in the middle that were
reserved for a device major number. Not very long after I turned
dev2unit(), minor(), unit2minor() and minor2unit() into macro's.
The unit2minor() and minor2unit() macro's were no-ops.
We'd better not remove these four macro's from the kernel, because there
is a lot of (external) code that may still depend on them. For now it's
harmless to remove all invocations of unit2minor() and minor2unit().
Reviewed by: kib
years by the priv_check(9) interface and just very few places are left.
Note that compatibility stub with older FreeBSD version
(all above the 8 limit though) are left in order to reduce diffs against
old versions. It is responsibility of the maintainers for any module, if
they think it is the case, to axe out such cases.
This patch breaks KPI so __FreeBSD_version will be bumped into a later
commit.
This patch needs to be credited 50-50 with rwatson@ as he found time to
explain me how the priv_check() works in detail and to review patches.
Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
Reviewed by: rwatson
appropriate even if Solaris doesn't document it (E2BIG) or use it
(EOVERFLOW).
Submitted by: nectar at apple dot com
Sponsored by: Apple, Inc.
MFC after: 3 days
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
space provided by its argument structure, return EOVERFLOW instead of
E2BIG. The latter is documented in Solaris's man page, but the
former is implemented. In either case, the caller should use
getaudit_addr(2) to return the IPv6 address.
Submitted by: sson
Obtained from: Apple, Inc.
MFC after: 3 days
It is possible that the audit pipe(s) have different preselection configs
then the global preselection mask.
Spotted by: Vincenzo Iozzo
MFC after: 2 weeks
return success if the passed vnode pointer is NULL (rather than
panicking). This can occur if either audit or accounting are
disabled while the policy is running.
Since the swapoff control has no real relevance to this policy,
which is concerned about intent to write rather than water under the
bridge, remove it.
PR: kern/126100
Reported by: Alan Amesbury <amesbury at umn dot edu>
MFC after: 3 days
processes are not producing absolute pathname tokens. It is required
that audited pathnames are generated relative to the global root mount
point. This modification changes our implementation of audit_canon_path(9)
and introduces a new function: vn_fullpath_global(9) which performs a
vnode -> pathname translation relative to the global mount point based
on the contents of the name cache. Much like vn_fullpath,
vn_fullpath_global is a wrapper function which called vn_fullpath1.
Further, the string parsing routines have been converted to use the
sbuf(9) framework. This change also removes the conditional acquisition
of Giant, since the vn_fullpath1 method will not dip into file system
dependent code.
The vnode locking was modified to use vhold()/vdrop() instead the vref()
and vrele(). This will modify the hold count instead of modifying the
user count. This makes more sense since it's the kernel that requires
the reference to the vnode. This also makes sure that the vnode does not
get recycled we hold the reference to it. [1]
Discussed with: rwatson
Reviewed by: kib [1]
MFC after: 2 weeks
semaphores. Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec. This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely. It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.
Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
the sem_unlink() operation. Prior to this patch, if a semaphore's name
was removed, valid handles from sem_open() would get EINVAL errors from
sem_getvalue(), sem_post(), etc. This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
process exited or exec'd. They were only cleaned up if the process
did an explicit sem_destroy(). This could result in a leak of semaphore
objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
'struct ksem' of an unnamed semaphore (created via sem_init)) and had
write access to the semaphore based on UID/GID checks, then that other
process could manipulate the semaphore via sem_destroy(), sem_post(),
sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
creating the semaphore was not honored. Thus if your umask denied group
read/write access but the explicit mode in the sem_init() call allowed
it, the semaphore would be readable/writable by other users in the
same group, for example. This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
then it might have deregistered one or more of the semaphore system
calls before it noticed that there was a problem. I'm not sure if
this actually happened as the order that modules are discovered by the
kernel linker depends on how the actual .ko file is linked. One can
make the order deterministic by using a single module with a mod_event
handler that explicitly registers syscalls (and deregisters during
unload after any checks). This also fixes a race where even if the
sem_module unloaded first it would have destroyed locks that the
syscalls might be trying to access if they are still executing when
they are unloaded.
XXX: By the way, deregistering system calls doesn't do any blocking
to drain any threads from the calls.
- Some minor fixes to errno values on error. For example, sem_init()
isn't documented to return ENFILE or EMFILE if we run out of semaphores
the way that sem_open() can. Instead, it should return ENOSPC in that
case.
Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
named semaphores nearly in a similar fashion to the POSIX shared memory
object file descriptors. Kernel semaphores can now also have names
longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
MAC checks for POSIX semaphores accept both a file credential and an
active credential. There is also a new posixsem_check_stat() since it
is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
in src/tools/regression/posixsem.
Reported by: kris (1)
Tested by: kris
Reviewed by: rwatson (lightly)
MFC after: 1 month
same as the global variable defined in ip_input.c. Instead, adopt the name
'q' as found in about 1/2 of uses in ip_input.c, preventing a collision on
the name. This is non-harmful, but means that search and replace on the
global works less well (as in the virtualization work), as well as indexing
tools.
MFC after: 1 week
Reported by: julian
Except for the case where we use the cloner library (clone_create() and
friends), there is no reason to enforce a unique device minor number
policy. There are various drivers in the source tree that allocate unr
pools and such to provide minor numbers, without using them themselves.
Because we still need to support unique device minor numbers for the
cloner library, introduce a new flag called D_NEEDMINOR. All cdevsw's
that are used in combination with the cloner library should be marked
with this flag to make the cloning work.
This means drivers can now freely use si_drv0 to store their own flags
and state, making it effectively the same as si_drv1 and si_drv2. We
still keep the minor() and dev2unit() routines around to make drivers
happy.
The NTFS code also used the minor number in its hash table. We should
not do this anymore. If the si_drv0 field would be changed, it would no
longer end up in the same list.
Approved by: philip (mentor)
which label mbufs. This leak can occur if one policy successfully allocates
label storage and subsequent allocations from other policies fail.
Spotted by: rwatson
MFC after: 1 week
than checking whether audit is enabled globally, instead check whether
the current thread has an audit record. This avoids entering the audit
code to collect argument data if auditing is enabled but the current
system call is not of interest to audit.
MFC after: 1 week
Sponsored by: Apple, Inc.
exit requires entering the audit code. The result is much the same,
but they mean different things.
MFC afer: 3 days
Submitted by: Diego Giagio <dgiagio at gmail dot com>
explicitly select write locking for all use of the inpcb mutex.
Update some pcbinfo lock assertions to assert locked rather than
write-locked, although in practice almost all uses of the pcbinfo
rwlock main exclusive, and all instances of inpcb lock acquisition
are exclusive.
This change should introduce (ideally) little functional change.
However, it lays the groundwork for significantly increased
parallelism in the TCP/IP code.
MFC after: 3 months
Tested by: kris (superset of committered patch)
after each SYSINIT() macro invocation. This makes a number of
lightweight C parsers much happier with the FreeBSD kernel
source, including cflow's prcc and lxr.
MFC after: 1 month
Discussed with: imp, rink
returns EINVAL. Right now we return 0 or success for invalid commands,
which could be quite problematic in certain conditions.
MFC after: 1 week
Discussed with: rwatson
a queue entry field, just copy out the unsigned int that is the trigger
message. In practice, auditd always requested sizeof(unsigned int), so
the extra bytes were ignored, but copying them out was not the intent.
MFC after: 1 month
global audit mutex and condition variables, with an sx lock which protects
the trail vnode and credential while in use, and is acquired by the system
call code when rotating the trail. Previously, a "message" would be sent
to the kernel audit worker, which did the rotation, but the new code is
simpler and (hopefully) less error-prone.
Obtained from: TrustedBSD Project
MFC after: 1 month
This makes sure that process tokens credentials with un-initialized
audit contexts are handled correctly. Currently, when invariants are
enabled, this change fixes a panic by ensuring that we have a valid
termid family. Also, this fixes token generation for process tokens
making sure that userspace is always getting a valid token.
This is consistent with what Solaris does when an audit context is
un-initialized.
Obtained from: TrustedBSD Project
MFC after: 1 week
relabel check for MLS rather than returning 0 directly.
This problem didn't result in a vulnerability currently as the central
implementation of ifnet relabeling also checks for UNIX privilege, and
we currently don't guarantee containment for the root user in mac_mls,
but we should be using the MLS definition of privilege as well as the
UNIX definition in anticipation of supporting root containment at some
point.
MFC after: 3 days
Submitted by: Zhouyi Zhou <zhouzhouyi at gmail dot com>
Sponsored by: Google SoC 2007
"BSM conversion requested for unknown event 43140"
It should be noted that we need to audit the fd argument for this system
call.
Obtained from: TrustedBSD Project
MFC after: 1 week
conjuction with 'thread' argument passing which is always curthread.
Remove the unuseful extra-argument and pass explicitly curthread to lower
layer functions, when necessary.
KPI results broken by this change, which should affect several ports, so
version bumping and manpage update will be further committed.
Tested by: kris, pho, Diego Sardina <siarodx at gmail dot com>
Remove this argument and pass curthread directly to underlying
VOP_LOCK1() VFS method. This modify makes the code cleaner and in
particular remove an annoying dependence helping next lockmgr() cleanup.
KPI results, obviously, changed.
Manpage and FreeBSD_version will be updated through further commits.
As a side note, would be valuable to say that next commits will address
a similar cleanup about VFS methods, in particular vop_lock1 and
vop_unlock.
Tested by: Diego Sardina <siarodx at gmail dot com>,
Andrea Di Pasquale <whyx dot it at gmail dot com>
implement shm_open(2) and shm_unlink(2) in the kernel:
- Each shared memory file descriptor is associated with a swap-backed vm
object which provides the backing store. Each descriptor starts off with
a size of zero, but the size can be altered via ftruncate(2). The shared
memory file descriptors also support fstat(2). read(2), write(2),
ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared
memory file descriptors.
- shm_open(2) and shm_unlink(2) are now implemented as system calls that
manage shared memory file descriptors. The virtual namespace that maps
pathnames to shared memory file descriptors is implemented as a hash
table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash
of the pathname.
- As an extension, the constant 'SHM_ANON' may be specified in place of the
path argument to shm_open(2). In this case, an unnamed shared memory
file descriptor will be created similar to the IPC_PRIVATE key for
shmget(2). Note that the shared memory object can still be shared among
processes by sharing the file descriptor via fork(2) or sendmsg(2), but
it is unnamed. This effectively serves to implement the getmemfd() idea
bandied about the lists several times over the years.
- The backing store for shared memory file descriptors are garbage
collected when they are not referenced by any open file descriptors or
the shm_open(2) virtual namespace.
Submitted by: dillon, peter (previous versions)
Submitted by: rwatson (I based this on his version)
Reviewed by: alc (suggested converting getmemfd() to shm_open())
for that argument. This will allow DDB to detect the broad category of
reason why the debugger has been entered, which it can use for the
purposes of deciding which DDB script to run.
Assign approximate why values to all current consumers of the
kdb_enter() interface.
would be properly disposed of, but the global label structure for the
semaphore wouldn't be freed.
MFC after: 3 days
Reported by: tanyong <tanyong at ercist dot iscas dot ac dot cn>,
zhouzhouyi
supports the removal of hard-coded audit class constants in OpenBSM
1.0. All audit classes are now dynamically configured via the
audit_class database.
Obtained from: TrustedBSD Project
entry point, which is no longer required now that we don't support
old-style multicast tunnels. This removes the last mbuf object class
entry point that isn't init/copy/destroy.
Obtained from: TrustedBSD Project
Framework by moving from mac_mbuf_create_netlayer() to more specific
entry points for specific network services:
- mac_netinet_firewall_reply() to be used when replying to in-bound TCP
segments in pf and ipfw (etc).
- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and
add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite
a label in place, but in others we apply the label to a new mbuf.
Obtained from: TrustedBSD Project
in the TrustedBSD MAC Framework:
- Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send()
for AARP packet labeling, rather than using a generic link layer
entry point.
- Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send()
for ND6 packet labeling, rather than using a generic link layer entry
point.
- Add expliict entry point mac_netinet_arp_send() for ARP packet
labeling, and mac_netinet_igmp_send() for IGMP packet labeling,
rather than using a generic link layer entry point.
- Remove previous genering link layer entry point,
mac_mbuf_create_linklayer() as it is no longer used.
- Add implementations of new entry points to various policies, largely
by replicating the existing link layer entry point for them; remove
old link layer entry point implementation.
- Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global
to the MAC Framework rather than static to mac_net.c as it is now
needed outside of mac_net.c.
Obtained from: TrustedBSD Project
we move towards netinet as a pseudo-object for the MAC Framework.
Rename 'mac_create_mbuf_linklayer' to 'mac_mbuf_create_linklayer' to
reflect general object-first ordering preference.
Sponsored by: SPARTA (original patches against Mac OS X)
Obtained from: TrustedBSD Project, Apple Computer
This change introduces audit_proc_coredump() which is called by coredump(9)
to create an audit record for the coredump event. When a process
dumps a core, it could be security relevant. It could be an indicator that
a stack within the process has been overflowed with an incorrectly constructed
malicious payload or a number of other events.
The record that is generated looks like this:
header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111
- We allocate a completely new record to make sure we arent clobbering
the audit data associated with the syscall that produced the core
(assuming the core is being generated in response to SIGABRT and not
an invalid memory access).
- Shuffle around expand_name() so we can use the coredump name at the very
beginning of the coredump call. Make sure we free the storage referenced
by "name" if we need to bail out early.
- Audit both successful and failed coredump creation efforts
Obtained from: TrustedBSD Project
Reviewed by: rwatson
MFC after: 1 month
primary object type, and then by secondarily by method name. This sorts
entry points relating to particular objects, such as pipes, sockets, and
vnodes together.
Sponsored by: SPARTA (original patches against Mac OS X)
Obtained from: TrustedBSD Project, Apple Computer
from mac_vfs.c to mac_process.c to join other functions that setup up
process labels for specific purposes. Unlike the two proc create calls,
this call is intended to run after creation when a process registers as
the NFS daemon, so remains an _associate_ call..
Obtained from: TrustedBSD Project
than mac_<policy>_whatever, as this shortens the names and makes the code
a bit easier to read.
When dealing with label structures, name variables 'mb', 'ml', 'mm rather
than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making
the code a little easier to read.
Obtained from: TrustedBSD Project
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:
mac_<object>_<method/action>
mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly
reversed from the new scheme. Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier. Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods. Also simplify, slightly,
some entry point names.
All MAC policy modules will need to be recompiled, and modules
not updates as part of this commit will need to be modified to
conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X)
Obtained from: TrustedBSD Project, Apple Computer
state is stored in an extended subject token now. Make sure
that we are using the extended data. This fixes the termID
for process tokens.
Obtained from: TrustedBSD Project
Discussed with: rwatson
MFC after: 1 week
to kproc_xxx as they actually make whole processes.
Thos makes way for us to add REAL kthread_create() and friends
that actually make theads. it turns out that most of these
calls actually end up being moved back to the thread version
when it's added. but we need to make this cosmetic change first.
I'd LOVE to do this rename in 7.0 so that we can eventually MFC the
new kthread_xxx() calls.
on multiple different audit pipes. The old method used cv_signal()
which would result in only one thread being woken up after we
appended a record to it's queue. This resulted in un-timely wake-ups
when processing audit records real-time.
- Assign PSOCK priority to threads that have been sleeping on a read(2).
This is the same priority threads are woken up with when they select(2)
or poll(2). This yields fairness between various forms of sleep on
the audit pipes.
Obtained from: TrustedBSD Project
Discussed with: rwatson
MFC after: 1 week
- p_sflag was mostly protected by PROC_LOCK rather than the PROC_SLOCK or
previously the sched_lock. These bugs have existed for some time.
- Allow swapout to try each thread in a process individually and then
swapin the whole process if any of these fail. This allows us to move
most scheduler related swap flags into td_flags.
- Keep ki_sflag for backwards compat but change all in source tools to
use the new and more correct location of P_INMEM.
Reported by: pho
Reviewed by: attilio, kib
Approved by: re (kensmith)
point to mac_check_vnode_unlink(), reflecting UNIX naming conventions.
This is the first of several commits to synchronize the MAC Framework
in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X
Leopard.
Reveiwed by: csjp, Samy Bahra <sbahra at gwu dot edu>
Submitted by: Jacques Vidrine <nectar at apple dot com>
Obtained from: Apple Computer, Inc.
Sponsored by: SPARTA, SPAWAR
Approved by: re (bmah)
previously conditionally acquired Giant based on debug.mpsafenet. As that
has now been removed, they are no longer required. Removing them
significantly simplifies error-handling in the socket layer, eliminated
quite a bit of unwinding of locking in error cases.
While here clean up the now unneeded opt_net.h, which previously was used
for the NET_WITH_GIANT kernel option. Clean up some related gotos for
consistency.
Reviewed by: bz, csjp
Tested by: kris
Approved by: re (kensmith)
vnode label for a check rather than the directory vnode label a second
time.
MFC after: 3 days
Submitted by: Zhouyi ZHOU <zhouzhouyi at FreeBSD dot org>
Reviewed by: csjp
Sponsored by: Google Summer of Code 2007
Approved by: re (bmah)
- Sort copyrights by date.
- Re-wrap, and in some cases, fix comments.
- Fix tabbing, white space, remove extra blank lines.
- Remove commented out debugging printfs.
Approved by: re (kensmith)
and replace with software-testable sysctl node (security.audit) that
can be used to detect kernel audit support.
Obtained from: TrustedBSD Project
Approved by: re (kensmith)
- In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK,
and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done
for both setaudit and setaudit_addr.
- Audit the arguments passed to setaudit_addr(2)
- AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the
audit token is created with the correct type. This fixes the processing of the
in_addr_ex token in users pace.
- Change the size of the token (as generated by the kernel) from 5*4 bytes to
4*4 bytes (the correct size of an ip6 address)
- Correct regression from ucred work which resulted in getaudit() not returning
E2BIG if the subject had an ip6 termid
- Correct slight regression in getaudit(2) which resulted in the size of a pointer
being passed instead of the size of the structure. (This resulted in invalid
auditinfo data being returned via getaudit(2))
Reviewed by: rwatson
Approved by: re@ (kensmith)
Obtained from: TrustedBSD Project
MFC after: 1 month
mpo_check_proc_setaudit_addr to be used when controlling use of
setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a
different argument type.
Reviewed by: csjp
Approved by: re (kensmith)
some cases, move to priv_check() if it was an operation on a thread and
no other flags were present.
Eliminate caller-side jail exception checking (also now-unused); jail
privilege exception code now goes solely in kern_jail.c.
We can't yet eliminate suser() due to some cases in the KAME code where
a privilege check is performed and then used in many different deferred
paths. Do, however, move those prototypes to priv.h.
Reviewed by: csjp
Obtained from: TrustedBSD Project
embedded storage in struct ucred. This allows audit state to be cached
with the thread, avoiding locking operations with each system call, and
makes it available in asynchronous execution contexts, such as deep in
the network stack or VFS.
Reviewed by: csjp
Approved by: re (kensmith)
Obtained from: TrustedBSD Project
- Use thread_lock() rather than sched_lock for per-thread scheduling
sychronization.
- Use the per-process spinlock rather than the sched_lock for per-process
scheduling synchronization.
Tested by: kris, current@
Tested on: i386, amd64, ULE, 4BSD, libthr, libkse, PREEMPTION, etc.
Discussed with: kris, attilio, kmacy, jhb, julian, bde (small parts each)
argument from being file descriptor index into the pointer to struct file:
part 2. Convert calls missed in the first big commit.
Noted by: rwatson
Pointy hat to: kib
remove associated comments.
Slip audit_file_rotate_wait assignment in audit_rotate_vnode() before
the drop of the global audit mutex.
Obtained from: TrustedBSD Project
inline it when needed already, and the symbol is also required outside of
audit.c. This silences a new gcc warning on the topic of using __inline__
instead of __inline.
MFC after: 3 days