Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
/*-
|
2004-02-22 00:33:12 +00:00
|
|
|
* Copyright (c) 1999-2002 Robert N. M. Watson
|
2005-04-16 18:46:29 +00:00
|
|
|
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
|
2006-04-26 14:18:55 +00:00
|
|
|
* Copyright (c) 2005-2006 SPARTA, Inc.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* This software was developed by Robert Watson for the TrustedBSD Project.
|
|
|
|
*
|
2002-11-04 01:42:39 +00:00
|
|
|
* This software was developed for the FreeBSD Project in part by Network
|
|
|
|
* Associates Laboratories, the Security Research Division of Network
|
|
|
|
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
|
|
|
|
* as part of the DARPA CHATS research program.
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
*
|
When devfs cloning takes place, provide access to the credential of the
process that caused the clone event to take place for the device driver
creating the device. This allows cloned device drivers to adapt the
device node based on security aspects of the process, such as the uid,
gid, and MAC label.
- Add a cred reference to struct cdev, so that when a device node is
instantiated as a vnode, the cloning credential can be exposed to
MAC.
- Add make_dev_cred(), a version of make_dev() that additionally
accepts the credential to stick in the struct cdev. Implement it and
make_dev() in terms of a back-end make_dev_credv().
- Add a new event handler, dev_clone_cred, which can be registered to
receive the credential instead of dev_clone, if desired.
- Modify the MAC entry point mac_create_devfs_device() to accept an
optional credential pointer (may be NULL), so that MAC policies can
inspect and act on the label or other elements of the credential
when initializing the skeleton device protections.
- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(),
so that the pty clone credential is exposed to the MAC Framework.
While currently primarily focussed on MAC policies, this change is also
a prerequisite for changes to allow ptys to be instantiated with the UID
of the process looking up the pty. This requires further changes to the
pty driver -- in particular, to immediately recycle pty nodes on last
close so that the credential-related state can be recreated on next
lookup.
Submitted by: Andrew Reisse <andrew.reisse@sparta.com>
Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA
MFC after: 1 week
MFC note: Merge to 6.x, but not 5.x for ABI reasons
2005-07-14 10:22:09 +00:00
|
|
|
* This software was enhanced by SPARTA ISSO under SPAWAR contract
|
|
|
|
* N66001-04-C-6019 ("SEFOS").
|
|
|
|
*
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*
|
|
|
|
* $FreeBSD$
|
|
|
|
*/
|
|
|
|
/*
|
|
|
|
* Kernel interface for MAC policy modules.
|
|
|
|
*/
|
2004-05-10 18:38:07 +00:00
|
|
|
#ifndef _SYS_MAC_POLICY_H_
|
|
|
|
#define _SYS_MAC_POLICY_H_
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
|
|
|
/*-
|
|
|
|
* Pluggable access control policy definition structure.
|
|
|
|
*
|
|
|
|
* List of operations that are performed as part of the implementation
|
|
|
|
* of a MAC policy. Policy implementors declare operations with a
|
|
|
|
* mac_policy_ops structure, and using the MAC_POLICY_SET() macro.
|
|
|
|
* If an entry point is not declared, then then the policy will be ignored
|
|
|
|
* during evaluation of that event or check.
|
|
|
|
*
|
|
|
|
* Operations are sorted first by general class of operation, then
|
|
|
|
* alphabetically.
|
|
|
|
*/
|
2006-10-22 11:52:19 +00:00
|
|
|
#include <sys/acl.h> /* XXX acl_type_t */
|
|
|
|
|
2003-06-22 16:36:00 +00:00
|
|
|
struct acl;
|
2004-02-26 16:15:14 +00:00
|
|
|
struct bpf_d;
|
2006-10-30 15:20:49 +00:00
|
|
|
struct cdev;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct componentname;
|
|
|
|
struct devfs_dirent;
|
2004-02-26 16:15:14 +00:00
|
|
|
struct ifnet;
|
|
|
|
struct image_params;
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
struct inpcb;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct ipq;
|
2005-05-04 10:39:15 +00:00
|
|
|
struct ksem;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct label;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct mac_policy_conf;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct mbuf;
|
|
|
|
struct mount;
|
2006-09-09 16:35:44 +00:00
|
|
|
struct msg;
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msqid_kernel;
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
struct pipepair;
|
2004-02-26 20:44:50 +00:00
|
|
|
struct proc;
|
2003-06-23 01:26:34 +00:00
|
|
|
struct sbuf;
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct semid_kernel;
|
|
|
|
struct shmid_kernel;
|
2004-02-26 20:44:50 +00:00
|
|
|
struct sockaddr;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct socket;
|
2004-02-22 12:31:44 +00:00
|
|
|
struct sysctl_oid;
|
|
|
|
struct sysctl_req;
|
2004-02-26 20:44:50 +00:00
|
|
|
struct thread;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct ucred;
|
|
|
|
struct uio;
|
2004-02-26 16:15:14 +00:00
|
|
|
struct vattr;
|
2003-06-22 16:36:00 +00:00
|
|
|
struct vnode;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
|
|
|
* Policy module operations.
|
|
|
|
*/
|
|
|
|
typedef void (*mpo_destroy_t)(struct mac_policy_conf *mpc);
|
|
|
|
typedef void (*mpo_init_t)(struct mac_policy_conf *mpc);
|
2002-08-19 17:59:48 +00:00
|
|
|
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
|
|
|
* General policy-directed security system call so that policies may
|
|
|
|
* implement new services without reserving explicit system call
|
|
|
|
* numbers.
|
|
|
|
*/
|
|
|
|
typedef int (*mpo_syscall_t)(struct thread *td, int call, void *arg);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Place-holder function pointers for ABI-compatibility purposes.
|
|
|
|
*/
|
|
|
|
typedef void (*mpo_placeholder_t)(void);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Label operations. Initialize label storage, destroy label
|
|
|
|
* storage, recycle for re-use without init/destroy, copy a label to
|
|
|
|
* initialized storage, and externalize/internalize from/to
|
|
|
|
* initialized storage.
|
|
|
|
*/
|
|
|
|
typedef void (*mpo_init_bpfdesc_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_init_cred_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_init_devfsdirent_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_init_ifnet_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_init_inpcb_label_t)(struct label *label, int flag);
|
|
|
|
typedef void (*mpo_init_sysv_msgmsg_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_init_sysv_msgqueue_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_init_sysv_sem_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_init_sysv_shm_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_init_ipq_label_t)(struct label *label, int flag);
|
|
|
|
typedef int (*mpo_init_mbuf_label_t)(struct label *label, int flag);
|
|
|
|
typedef void (*mpo_init_mount_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_init_mount_fs_label_t)(struct label *label);
|
|
|
|
typedef int (*mpo_init_socket_label_t)(struct label *label, int flag);
|
|
|
|
typedef int (*mpo_init_socket_peer_label_t)(struct label *label,
|
|
|
|
int flag);
|
|
|
|
typedef void (*mpo_init_pipe_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_init_posix_sem_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_init_proc_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_init_vnode_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_bpfdesc_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_cred_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_devfsdirent_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_ifnet_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_inpcb_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_sysv_msgmsg_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_sysv_msgqueue_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_sysv_sem_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_sysv_shm_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_ipq_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_mbuf_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_mount_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_mount_fs_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_socket_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_socket_peer_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_pipe_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_posix_sem_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_proc_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_destroy_vnode_label_t)(struct label *label);
|
|
|
|
typedef void (*mpo_cleanup_sysv_msgmsg_t)(struct label *msglabel);
|
|
|
|
typedef void (*mpo_cleanup_sysv_msgqueue_t)(struct label *msqlabel);
|
|
|
|
typedef void (*mpo_cleanup_sysv_sem_t)(struct label *semalabel);
|
|
|
|
typedef void (*mpo_cleanup_sysv_shm_t)(struct label *shmlabel);
|
|
|
|
typedef void (*mpo_copy_cred_label_t)(struct label *src,
|
2003-12-06 21:48:03 +00:00
|
|
|
struct label *dest);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_copy_ifnet_label_t)(struct label *src,
|
2004-06-24 03:34:46 +00:00
|
|
|
struct label *dest);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_copy_mbuf_label_t)(struct label *src,
|
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header. To do this:
- Modify mbuf_to_label() to extract the tag, returning NULL if not
found.
- Introduce mac_init_mbuf_tag() which does most of the work
mac_init_mbuf() used to do, except on an m_tag rather than an
mbuf.
- Scale back mac_init_mbuf() to perform m_tag allocation and invoke
mac_init_mbuf_tag().
- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since
m_tag's are now GC'd deep in the m_tag/mbuf code rather than
at a higher level when mbufs are directly free()'d.
- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related
notions.
- Generally change all references to mbuf labels so that they use
mbuf_to_label() rather than &mbuf->m_pkthdr.label. This
required no changes in the MAC policies (yay!).
- Tweak mbuf release routines to not call mac_destroy_mbuf(),
tag destruction takes care of it for us now.
- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() --
the existing m_tag support does all this for us. Note that
we can no longer just zero the m_tag list on the target mbuf,
rather, we have to delete the chain because m_tag's will
already be hung off freshly allocated mbuf's.
- Tweak m_tag copying routines so that if we're copying a MAC
m_tag, we don't do a binary copy, rather, we initialize the
new storage and do a deep copy of the label.
- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places
having to do with mbuf header copies previously.
- When an mbuf is copied in ip_input(), we no longer need to
explicitly copy the label because it will get handled by the
m_tag code now.
- No longer any weird handling of MAC labels in if_loop.c during
header copies.
- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test.
In mac_test, handle the label==NULL case, since it can be
dynamically loaded.
In order to improve performance with this change, introduce the notion
of "lazy MAC label allocation" -- only allocate m_tag storage for MAC
labels if we're running with a policy that uses MAC labels on mbufs.
Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS
flag in their load-time flags field during declaration. Note: this
opens up the possibility of post-boot policy modules getting back NULL
slot entries even though they have policy invariants of non-NULL slot
entries, as the policy might have been loaded after the mbuf was
allocated, leaving the mbuf without label storage. Policies that cannot
handle this case must be declared as NOTLATE, or must be modified.
- mac_labelmbufs holds the current cumulative status as to whether
any policies require mbuf labeling or not. This is updated whenever
the active policy set changes by the function mac_policy_updateflags().
The function iterates the list and checks whether any have the
flag set. Write access to this variable is protected by the policy
list; read access is currently not protected for performance reasons.
This might change if it causes problems.
- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update
function to assert appropriate locks.
- This makes allocation in mac_init_mbuf() conditional on the flag.
Reviewed by: sam
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
|
|
|
struct label *dest);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_copy_pipe_label_t)(struct label *src,
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
struct label *dest);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_copy_socket_label_t)(struct label *src,
|
Implement sockets support for __mac_get_fd() and __mac_set_fd()
system calls, and prefer these calls over getsockopt()/setsockopt()
for ABI reasons. When addressing UNIX domain sockets, these calls
retrieve and modify the socket label, not the label of the
rendezvous vnode.
- Create mac_copy_socket_label() entry point based on
mac_copy_pipe_label() entry point, intended to copy the socket
label into temporary storage that doesn't require a socket lock
to be held (currently Giant).
- Implement mac_copy_socket_label() for various policies.
- Expose socket label allocation, free, internalize, externalize
entry points as non-static from mac_net.c.
- Use mac_socket_label_set() in __mac_set_fd().
MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and
mac_get_peer() to retrieve and set various socket labels without
directly invoking the getsockopt() interface.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-16 23:31:45 +00:00
|
|
|
struct label *dest);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_copy_vnode_label_t)(struct label *src,
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
struct label *dest);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_externalize_cred_label_t)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_externalize_ifnet_label_t)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_externalize_pipe_label_t)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_externalize_socket_label_t)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_externalize_socket_peer_label_t)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_externalize_vnode_label_t)(struct label *label,
|
2003-06-23 01:26:34 +00:00
|
|
|
char *element_name, struct sbuf *sb, int *claimed);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_internalize_cred_label_t)(struct label *label,
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
char *element_name, char *element_data, int *claimed);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_internalize_ifnet_label_t)(struct label *label,
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
char *element_name, char *element_data, int *claimed);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_internalize_pipe_label_t)(struct label *label,
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
char *element_name, char *element_data, int *claimed);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_internalize_socket_label_t)(struct label *label,
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
char *element_name, char *element_data, int *claimed);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_internalize_vnode_label_t)(struct label *label,
|
Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
|
|
|
char *element_name, char *element_data, int *claimed);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
|
|
|
* Labeling event operations: file system objects, and things that
|
|
|
|
* look a lot like file system objects.
|
|
|
|
*/
|
|
|
|
typedef void (*mpo_associate_vnode_devfs_t)(struct mount *mp,
|
Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label
right from inception. For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system. With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance. This
also corrects sematics for shared vnode locks, which were not
previously present in the system. This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form. With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception. We'll introduce a work around for this shortly.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
|
|
|
struct label *fslabel, struct devfs_dirent *de,
|
|
|
|
struct label *delabel, struct vnode *vp,
|
|
|
|
struct label *vlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_associate_vnode_extattr_t)(struct mount *mp,
|
Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label
right from inception. For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system. With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance. This
also corrects sematics for shared vnode locks, which were not
previously present in the system. This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form. With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception. We'll introduce a work around for this shortly.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
|
|
|
struct label *fslabel, struct vnode *vp,
|
|
|
|
struct label *vlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_associate_vnode_singlelabel_t)(struct mount *mp,
|
Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label
right from inception. For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system. With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance. This
also corrects sematics for shared vnode locks, which were not
previously present in the system. This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form. With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception. We'll introduce a work around for this shortly.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
|
|
|
struct label *fslabel, struct vnode *vp,
|
|
|
|
struct label *vlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_devfs_device_t)(struct ucred *cred,
|
When devfs cloning takes place, provide access to the credential of the
process that caused the clone event to take place for the device driver
creating the device. This allows cloned device drivers to adapt the
device node based on security aspects of the process, such as the uid,
gid, and MAC label.
- Add a cred reference to struct cdev, so that when a device node is
instantiated as a vnode, the cloning credential can be exposed to
MAC.
- Add make_dev_cred(), a version of make_dev() that additionally
accepts the credential to stick in the struct cdev. Implement it and
make_dev() in terms of a back-end make_dev_credv().
- Add a new event handler, dev_clone_cred, which can be registered to
receive the credential instead of dev_clone, if desired.
- Modify the MAC entry point mac_create_devfs_device() to accept an
optional credential pointer (may be NULL), so that MAC policies can
inspect and act on the label or other elements of the credential
when initializing the skeleton device protections.
- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(),
so that the pty clone credential is exposed to the MAC Framework.
While currently primarily focussed on MAC policies, this change is also
a prerequisite for changes to allow ptys to be instantiated with the UID
of the process looking up the pty. This requires further changes to the
pty driver -- in particular, to immediately recycle pty nodes on last
close so that the credential-related state can be recreated on next
lookup.
Submitted by: Andrew Reisse <andrew.reisse@sparta.com>
Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA
MFC after: 1 week
MFC note: Merge to 6.x, but not 5.x for ABI reasons
2005-07-14 10:22:09 +00:00
|
|
|
struct mount *mp, struct cdev *dev,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct devfs_dirent *de, struct label *label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_devfs_directory_t)(struct mount *mp,
|
|
|
|
char *dirname, int dirnamelen, struct devfs_dirent *de,
|
2002-12-09 03:44:28 +00:00
|
|
|
struct label *label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_devfs_symlink_t)(struct ucred *cred,
|
2002-12-09 03:44:28 +00:00
|
|
|
struct mount *mp, struct devfs_dirent *dd,
|
|
|
|
struct label *ddlabel, struct devfs_dirent *de,
|
|
|
|
struct label *delabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_create_vnode_extattr_t)(struct ucred *cred,
|
Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label
right from inception. For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system. With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance. This
also corrects sematics for shared vnode locks, which were not
previously present in the system. This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form. With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception. We'll introduce a work around for this shortly.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
|
|
|
struct mount *mp, struct label *fslabel,
|
|
|
|
struct vnode *dvp, struct label *dlabel,
|
|
|
|
struct vnode *vp, struct label *vlabel,
|
|
|
|
struct componentname *cnp);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_mount_t)(struct ucred *cred, struct mount *mp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *mntlabel, struct label *fslabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_relabel_vnode_t)(struct ucred *cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *vnodelabel, struct label *label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_setlabel_vnode_extattr_t)(struct ucred *cred,
|
Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label
right from inception. For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system. With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance. This
also corrects sematics for shared vnode locks, which were not
previously present in the system. This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form. With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception. We'll introduce a work around for this shortly.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
|
|
|
struct vnode *vp, struct label *vlabel,
|
|
|
|
struct label *intlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_update_devfsdirent_t)(struct mount *mp,
|
2002-12-09 03:44:28 +00:00
|
|
|
struct devfs_dirent *devfs_dirent,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *direntlabel, struct vnode *vp,
|
|
|
|
struct label *vnodelabel);
|
|
|
|
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
|
|
|
* Labeling event operations: IPC objects.
|
|
|
|
*/
|
|
|
|
typedef void (*mpo_create_mbuf_from_socket_t)(struct socket *so,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *socketlabel, struct mbuf *m,
|
|
|
|
struct label *mbuflabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_socket_t)(struct ucred *cred, struct socket *so,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *socketlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_socket_from_socket_t)(struct socket *oldsocket,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *oldsocketlabel, struct socket *newsocket,
|
|
|
|
struct label *newsocketlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_relabel_socket_t)(struct ucred *cred, struct socket *so,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *oldlabel, struct label *newlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_relabel_pipe_t)(struct ucred *cred, struct pipepair *pp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *oldlabel, struct label *newlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_set_socket_peer_from_mbuf_t)(struct mbuf *mbuf,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *mbuflabel, struct socket *so,
|
|
|
|
struct label *socketpeerlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_set_socket_peer_from_socket_t)(struct socket *oldsocket,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *oldsocketlabel, struct socket *newsocket,
|
|
|
|
struct label *newsocketpeerlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_pipe_t)(struct ucred *cred, struct pipepair *pp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *pipelabel);
|
|
|
|
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
|
|
|
* Labeling event operations: System V IPC primitives.
|
|
|
|
*/
|
|
|
|
typedef void (*mpo_create_sysv_msgmsg_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msqid_kernel *msqkptr, struct label *msqlabel,
|
|
|
|
struct msg *msgptr, struct label *msglabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_sysv_msgqueue_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msqid_kernel *msqkptr, struct label *msqlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_sysv_sem_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct semid_kernel *semakptr, struct label *semalabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_sysv_shm_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct shmid_kernel *shmsegptr, struct label *shmlabel);
|
|
|
|
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
|
|
|
* Labeling event operations: POSIX (global/inter-process) semaphores.
|
|
|
|
*/
|
|
|
|
typedef void (*mpo_create_posix_sem_t)(struct ucred *cred,
|
2005-05-04 10:39:15 +00:00
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
|
|
|
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
|
|
|
* Labeling event operations: network objects.
|
|
|
|
*/
|
|
|
|
typedef void (*mpo_create_bpfdesc_t)(struct ucred *cred,
|
|
|
|
struct bpf_d *bpf_d, struct label *bpflabel);
|
|
|
|
typedef void (*mpo_create_ifnet_t)(struct ifnet *ifnet,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *ifnetlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_inpcb_from_socket_t)(struct socket *so,
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
struct label *solabel, struct inpcb *inp,
|
|
|
|
struct label *inplabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_ipq_t)(struct mbuf *fragment,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *fragmentlabel, struct ipq *ipq,
|
|
|
|
struct label *ipqlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_datagram_from_ipq)
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
(struct ipq *ipq, struct label *ipqlabel,
|
|
|
|
struct mbuf *datagram, struct label *datagramlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_fragment_t)(struct mbuf *datagram,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *datagramlabel, struct mbuf *fragment,
|
|
|
|
struct label *fragmentlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_mbuf_from_inpcb_t)(struct inpcb *inp,
|
2003-12-17 14:55:11 +00:00
|
|
|
struct label *inplabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_mbuf_linklayer_t)(struct ifnet *ifnet,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *ifnetlabel, struct mbuf *mbuf,
|
|
|
|
struct label *mbuflabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_mbuf_from_bpfdesc_t)(struct bpf_d *bpf_d,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *bpflabel, struct mbuf *mbuf,
|
|
|
|
struct label *mbuflabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_mbuf_from_ifnet_t)(struct ifnet *ifnet,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *ifnetlabel, struct mbuf *mbuf,
|
|
|
|
struct label *mbuflabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_mbuf_multicast_encap_t)(struct mbuf *oldmbuf,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *oldmbuflabel, struct ifnet *ifnet,
|
|
|
|
struct label *ifnetlabel, struct mbuf *newmbuf,
|
|
|
|
struct label *newmbuflabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_mbuf_netlayer_t)(struct mbuf *oldmbuf,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *oldmbuflabel, struct mbuf *newmbuf,
|
|
|
|
struct label *newmbuflabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_fragment_match_t)(struct mbuf *fragment,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *fragmentlabel, struct ipq *ipq,
|
|
|
|
struct label *ipqlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_reflect_mbuf_icmp_t)(struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
|
|
|
typedef void (*mpo_reflect_mbuf_tcp_t)(struct mbuf *m,
|
2003-08-21 18:21:22 +00:00
|
|
|
struct label *mlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_relabel_ifnet_t)(struct ucred *cred,
|
|
|
|
struct ifnet *ifnet, struct label *ifnetlabel,
|
|
|
|
struct label *newlabel);
|
|
|
|
typedef void (*mpo_update_ipq_t)(struct mbuf *fragment,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *fragmentlabel, struct ipq *ipq,
|
|
|
|
struct label *ipqlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
struct label *label, struct inpcb *inp,
|
|
|
|
struct label *inplabel);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2006-09-12 04:25:13 +00:00
|
|
|
typedef void (*mpo_create_mbuf_from_firewall_t)(struct mbuf *m,
|
|
|
|
struct label *label);
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
|
|
|
* Labeling event operations: processes.
|
|
|
|
*/
|
|
|
|
typedef void (*mpo_execve_transition_t)(struct ucred *old,
|
|
|
|
struct ucred *new, struct vnode *vp,
|
|
|
|
struct label *vnodelabel, struct label *interpvnodelabel,
|
2002-11-08 18:04:00 +00:00
|
|
|
struct image_params *imgp, struct label *execlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_execve_will_transition_t)(struct ucred *old,
|
2002-11-05 17:51:56 +00:00
|
|
|
struct vnode *vp, struct label *vnodelabel,
|
|
|
|
struct label *interpvnodelabel,
|
2002-11-08 18:04:00 +00:00
|
|
|
struct image_params *imgp, struct label *execlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_create_proc0_t)(struct ucred *cred);
|
|
|
|
typedef void (*mpo_create_proc1_t)(struct ucred *cred);
|
|
|
|
typedef void (*mpo_relabel_cred_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *newlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef void (*mpo_thread_userret_t)(struct thread *thread);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
2006-04-26 14:18:55 +00:00
|
|
|
/*
|
|
|
|
* Access control checks.
|
|
|
|
*/
|
|
|
|
typedef int (*mpo_check_bpfdesc_receive_t)(struct bpf_d *bpf_d,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *bpflabel, struct ifnet *ifnet,
|
|
|
|
struct label *ifnetlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_cred_relabel_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *newlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_cred_visible_t)(struct ucred *u1,
|
|
|
|
struct ucred *u2);
|
|
|
|
typedef int (*mpo_check_ifnet_relabel_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct ifnet *ifnet, struct label *ifnetlabel,
|
|
|
|
struct label *newlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_ifnet_transmit_t)(struct ifnet *ifnet,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *ifnetlabel, struct mbuf *m,
|
|
|
|
struct label *mbuflabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_inpcb_deliver_t)(struct inpcb *inp,
|
Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
|
|
|
struct label *inplabel, struct mbuf *m,
|
|
|
|
struct label *mlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_msgmsq_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msg *msgptr, struct label *msglabel,
|
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_msgrcv_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msg *msgptr, struct label *msglabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_msgrmid_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msg *msgptr, struct label *msglabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_msqget_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_msqsnd_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_msqrcv_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_msqctl_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct msqid_kernel *msqkptr, struct label *msqklabel,
|
|
|
|
int cmd);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_semctl_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct semid_kernel *semakptr, struct label *semaklabel,
|
|
|
|
int cmd);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_semget_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct semid_kernel *semakptr, struct label *semaklabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_semop_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct semid_kernel *semakptr, struct label *semaklabel,
|
|
|
|
size_t accesstype);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_shmat_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
struct label *shmseglabel, int shmflg);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_shmctl_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
struct label *shmseglabel, int cmd);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_shmdt_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
struct label *shmseglabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysv_shmget_t)(struct ucred *cred,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
struct shmid_kernel *shmsegptr,
|
|
|
|
struct label *shmseglabel, int shmflg);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_kenv_dump_t)(struct ucred *cred);
|
|
|
|
typedef int (*mpo_check_kenv_get_t)(struct ucred *cred, char *name);
|
|
|
|
typedef int (*mpo_check_kenv_set_t)(struct ucred *cred, char *name,
|
2002-11-01 20:46:53 +00:00
|
|
|
char *value);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_kenv_unset_t)(struct ucred *cred, char *name);
|
|
|
|
typedef int (*mpo_check_kld_load_t)(struct ucred *cred, struct vnode *vp,
|
2002-11-19 22:12:42 +00:00
|
|
|
struct label *vlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_kld_stat_t)(struct ucred *cred);
|
|
|
|
typedef int (*mpo_check_kld_unload_t)(struct ucred *cred);
|
|
|
|
typedef int (*mpo_mpo_placeholder19_t)(void);
|
|
|
|
typedef int (*mpo_mpo_placeholder20_t)(void);
|
|
|
|
typedef int (*mpo_check_mount_stat_t)(struct ucred *cred,
|
|
|
|
struct mount *mp, struct label *mntlabel);
|
|
|
|
typedef int (*mpo_mpo_placeholder21_t)(void);
|
|
|
|
typedef int (*mpo_check_pipe_ioctl_t)(struct ucred *cred,
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
struct pipepair *pp, struct label *pipelabel,
|
Define new MAC framework and policy entry points for System V IPC
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
|
|
|
unsigned long cmd, void *data);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_pipe_poll_t)(struct ucred *cred,
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
struct pipepair *pp, struct label *pipelabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_pipe_read_t)(struct ucred *cred,
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
struct pipepair *pp, struct label *pipelabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_pipe_relabel_t)(struct ucred *cred,
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
struct pipepair *pp, struct label *pipelabel,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *newlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_pipe_stat_t)(struct ucred *cred,
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
struct pipepair *pp, struct label *pipelabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_pipe_write_t)(struct ucred *cred,
|
Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.
- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.
- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.
- VM memory mappings for pageable buffers are still done outside of
the UMA zone.
- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.
These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.
On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.
Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).
This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.
Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
|
|
|
struct pipepair *pp, struct label *pipelabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_posix_sem_destroy_t)(struct ucred *cred,
|
2005-05-04 10:39:15 +00:00
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_posix_sem_getvalue_t)(struct ucred *cred,
|
2005-05-04 10:39:15 +00:00
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_posix_sem_open_t)(struct ucred *cred,
|
2005-05-04 10:39:15 +00:00
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_posix_sem_post_t)(struct ucred *cred,
|
2005-05-04 10:39:15 +00:00
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_posix_sem_unlink_t)(struct ucred *cred,
|
2005-05-04 10:39:15 +00:00
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_posix_sem_wait_t)(struct ucred *cred,
|
2005-05-04 10:39:15 +00:00
|
|
|
struct ksem *ksemptr, struct label *ks_label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_proc_debug_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct proc *proc);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_proc_sched_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct proc *proc);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_proc_setuid_t)(struct ucred *cred, uid_t uid);
|
|
|
|
typedef int (*mpo_check_proc_seteuid_t)(struct ucred *cred, uid_t euid);
|
|
|
|
typedef int (*mpo_check_proc_setgid_t)(struct ucred *cred, gid_t gid);
|
|
|
|
typedef int (*mpo_check_proc_setegid_t)(struct ucred *cred, gid_t egid);
|
|
|
|
typedef int (*mpo_check_proc_setgroups_t)(struct ucred *cred, int ngroups,
|
2005-04-16 13:29:15 +00:00
|
|
|
gid_t *gidset);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_proc_setreuid_t)(struct ucred *cred, uid_t ruid,
|
2005-04-16 13:29:15 +00:00
|
|
|
uid_t euid);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_proc_setregid_t)(struct ucred *cred, gid_t rgid,
|
2005-04-16 13:29:15 +00:00
|
|
|
gid_t egid);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_proc_setresuid_t)(struct ucred *cred, uid_t ruid,
|
2005-04-16 13:29:15 +00:00
|
|
|
uid_t euid, uid_t suid);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_proc_setresgid_t)(struct ucred *cred, gid_t rgid,
|
2005-04-16 13:29:15 +00:00
|
|
|
gid_t egid, gid_t sgid);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_proc_signal_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct proc *proc, int signum);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_proc_wait_t)(struct ucred *cred,
|
2005-04-18 13:36:57 +00:00
|
|
|
struct proc *proc);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_accept_t)(struct ucred *cred,
|
2005-04-16 18:46:29 +00:00
|
|
|
struct socket *so, struct label *socketlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_bind_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct socket *so, struct label *socketlabel,
|
|
|
|
struct sockaddr *sockaddr);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_connect_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct socket *so, struct label *socketlabel,
|
|
|
|
struct sockaddr *sockaddr);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_create_t)(struct ucred *cred, int domain,
|
2005-07-05 22:49:10 +00:00
|
|
|
int type, int protocol);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_deliver_t)(struct socket *so,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *socketlabel, struct mbuf *m,
|
|
|
|
struct label *mbuflabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_listen_t)(struct ucred *cred,
|
2002-08-15 18:51:27 +00:00
|
|
|
struct socket *so, struct label *socketlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_poll_t)(struct ucred *cred,
|
2005-04-16 18:46:29 +00:00
|
|
|
struct socket *so, struct label *socketlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_receive_t)(struct ucred *cred,
|
2002-10-06 14:39:15 +00:00
|
|
|
struct socket *so, struct label *socketlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_relabel_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct socket *so, struct label *socketlabel,
|
|
|
|
struct label *newlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_send_t)(struct ucred *cred,
|
2002-10-06 14:39:15 +00:00
|
|
|
struct socket *so, struct label *socketlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_stat_t)(struct ucred *cred,
|
2005-04-16 18:46:29 +00:00
|
|
|
struct socket *so, struct label *socketlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_socket_visible_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct socket *so, struct label *socketlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_sysarch_ioperm_t)(struct ucred *cred);
|
|
|
|
typedef int (*mpo_check_system_acct_t)(struct ucred *cred,
|
2002-11-04 15:13:36 +00:00
|
|
|
struct vnode *vp, struct label *vlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_system_nfsd_t)(struct ucred *cred);
|
|
|
|
typedef int (*mpo_check_system_reboot_t)(struct ucred *cred, int howto);
|
|
|
|
typedef int (*mpo_check_system_settime_t)(struct ucred *cred);
|
|
|
|
typedef int (*mpo_check_system_swapon_t)(struct ucred *cred,
|
2002-10-27 06:54:06 +00:00
|
|
|
struct vnode *vp, struct label *label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_system_swapoff_t)(struct ucred *cred,
|
2003-03-05 23:50:15 +00:00
|
|
|
struct vnode *vp, struct label *label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_system_sysctl_t)(struct ucred *cred,
|
2004-02-22 12:31:44 +00:00
|
|
|
struct sysctl_oid *oidp, void *arg1, int arg2,
|
|
|
|
struct sysctl_req *req);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_access_t)(struct ucred *cred,
|
2002-10-30 17:56:57 +00:00
|
|
|
struct vnode *vp, struct label *label, int acc_mode);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_chdir_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *dvp, struct label *dlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_chroot_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *dvp, struct label *dlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_create_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *dvp, struct label *dlabel,
|
|
|
|
struct componentname *cnp, struct vattr *vap);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_delete_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *dvp, struct label *dlabel,
|
Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure. Originally, we used a vector
for two reasons:
(1) We wanted to define the structure sparsely, which wasn't
supported by the C compiler for structures. For a policy
with five entry points, you don't want to have to stick in
a few hundred NULL function pointers.
(2) We thought it would improve ABI compatibility allowing modules
to work with kernels that had a superset of the entry points
defined in the module, even if the kernel had changed its
entry point set.
Both of these no longer apply:
(1) C99 gives us a way to sparsely define a static structure.
(2) The ABI problems existed anyway, due to enumeration numbers,
argument changes, and semantic mismatches. Since the going
rule for FreeBSD is that you really need your modules to
pretty closely match your kernel, it's not worth the
complexity.
This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions. One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
|
|
|
struct vnode *vp, struct label *label,
|
|
|
|
struct componentname *cnp);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_deleteacl_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *label, acl_type_t type);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_deleteextattr_t)(struct ucred *cred,
|
2003-08-21 13:53:01 +00:00
|
|
|
struct vnode *vp, struct label *label, int attrnamespace,
|
|
|
|
const char *name);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_exec_t)(struct ucred *cred,
|
|
|
|
struct vnode *vp, struct label *label,
|
|
|
|
struct image_params *imgp, struct label *execlabel);
|
|
|
|
typedef int (*mpo_check_vnode_getacl_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *label, acl_type_t type);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_getextattr_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *label, int attrnamespace,
|
|
|
|
const char *name, struct uio *uio);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_link_t)(struct ucred *cred,
|
|
|
|
struct vnode *dvp, struct label *dlabel, struct vnode *vp,
|
2002-10-05 18:11:36 +00:00
|
|
|
struct label *label, struct componentname *cnp);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_listextattr_t)(struct ucred *cred,
|
|
|
|
struct vnode *vp, struct label *label,
|
|
|
|
int attrnamespace);
|
|
|
|
typedef int (*mpo_check_vnode_lookup_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *dvp, struct label *dlabel,
|
|
|
|
struct componentname *cnp);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_mmap_t)(struct ucred *cred,
|
|
|
|
struct vnode *vp, struct label *label, int prot,
|
|
|
|
int flags);
|
|
|
|
typedef void (*mpo_check_vnode_mmap_downgrade_t)(struct ucred *cred,
|
2002-10-06 02:46:26 +00:00
|
|
|
struct vnode *vp, struct label *label, int *prot);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_mprotect_t)(struct ucred *cred,
|
2002-10-06 02:46:26 +00:00
|
|
|
struct vnode *vp, struct label *label, int prot);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_open_t)(struct ucred *cred,
|
|
|
|
struct vnode *vp, struct label *label, int acc_mode);
|
|
|
|
typedef int (*mpo_check_vnode_poll_t)(struct ucred *active_cred,
|
2002-08-19 19:04:53 +00:00
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
2002-08-19 16:43:25 +00:00
|
|
|
struct label *label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_read_t)(struct ucred *active_cred,
|
2002-08-19 19:04:53 +00:00
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
2002-08-19 16:43:25 +00:00
|
|
|
struct label *label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_readdir_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *dvp, struct label *dlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_readlink_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_relabel_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *vnodelabel,
|
|
|
|
struct label *newlabel);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_rename_from_t)(struct ucred *cred,
|
|
|
|
struct vnode *dvp, struct label *dlabel,
|
|
|
|
struct vnode *vp, struct label *label,
|
|
|
|
struct componentname *cnp);
|
|
|
|
typedef int (*mpo_check_vnode_rename_to_t)(struct ucred *cred,
|
|
|
|
struct vnode *dvp, struct label *dlabel,
|
|
|
|
struct vnode *vp, struct label *label, int samedir,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct componentname *cnp);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_revoke_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_setacl_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *label, acl_type_t type,
|
|
|
|
struct acl *acl);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_setextattr_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *label, int attrnamespace,
|
|
|
|
const char *name, struct uio *uio);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_setflags_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *label, u_long flags);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_setmode_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *label, mode_t mode);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_setowner_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *label, uid_t uid,
|
|
|
|
gid_t gid);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_setutimes_t)(struct ucred *cred,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct vnode *vp, struct label *label,
|
|
|
|
struct timespec atime, struct timespec mtime);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_stat_t)(struct ucred *active_cred,
|
2002-08-19 19:04:53 +00:00
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct label *label);
|
2006-04-26 14:18:55 +00:00
|
|
|
typedef int (*mpo_check_vnode_write_t)(struct ucred *active_cred,
|
2002-08-19 19:04:53 +00:00
|
|
|
struct ucred *file_cred, struct vnode *vp,
|
2002-08-19 16:43:25 +00:00
|
|
|
struct label *label);
|
2006-08-06 16:56:15 +00:00
|
|
|
typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred);
|
2006-11-06 13:42:10 +00:00
|
|
|
typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
|
|
|
|
typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
|
2006-04-26 14:18:55 +00:00
|
|
|
|
|
|
|
struct mac_policy_ops {
|
|
|
|
/*
|
|
|
|
* Policy module operations.
|
|
|
|
*/
|
|
|
|
mpo_destroy_t mpo_destroy;
|
|
|
|
mpo_init_t mpo_init;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* General policy-directed security system call so that policies may
|
|
|
|
* implement new services without reserving explicit system call
|
|
|
|
* numbers.
|
|
|
|
*/
|
|
|
|
mpo_syscall_t mpo_syscall;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Label operations. Initialize label storage, destroy label
|
|
|
|
* storage, recycle for re-use without init/destroy, copy a label to
|
|
|
|
* initialized storage, and externalize/internalize from/to
|
|
|
|
* initialized storage.
|
|
|
|
*/
|
|
|
|
mpo_init_bpfdesc_label_t mpo_init_bpfdesc_label;
|
|
|
|
mpo_init_cred_label_t mpo_init_cred_label;
|
|
|
|
mpo_init_devfsdirent_label_t mpo_init_devfsdirent_label;
|
|
|
|
mpo_placeholder_t _mpo_placeholder0;
|
|
|
|
mpo_init_ifnet_label_t mpo_init_ifnet_label;
|
|
|
|
mpo_init_inpcb_label_t mpo_init_inpcb_label;
|
|
|
|
mpo_init_sysv_msgmsg_label_t mpo_init_sysv_msgmsg_label;
|
|
|
|
mpo_init_sysv_msgqueue_label_t mpo_init_sysv_msgqueue_label;
|
|
|
|
mpo_init_sysv_sem_label_t mpo_init_sysv_sem_label;
|
|
|
|
mpo_init_sysv_shm_label_t mpo_init_sysv_shm_label;
|
|
|
|
mpo_init_ipq_label_t mpo_init_ipq_label;
|
|
|
|
mpo_init_mbuf_label_t mpo_init_mbuf_label;
|
|
|
|
mpo_init_mount_label_t mpo_init_mount_label;
|
|
|
|
mpo_init_mount_fs_label_t mpo_init_mount_fs_label;
|
|
|
|
mpo_init_socket_label_t mpo_init_socket_label;
|
|
|
|
mpo_init_socket_peer_label_t mpo_init_socket_peer_label;
|
|
|
|
mpo_init_pipe_label_t mpo_init_pipe_label;
|
|
|
|
mpo_init_posix_sem_label_t mpo_init_posix_sem_label;
|
|
|
|
mpo_init_proc_label_t mpo_init_proc_label;
|
|
|
|
mpo_init_vnode_label_t mpo_init_vnode_label;
|
|
|
|
mpo_destroy_bpfdesc_label_t mpo_destroy_bpfdesc_label;
|
|
|
|
mpo_destroy_cred_label_t mpo_destroy_cred_label;
|
|
|
|
mpo_destroy_devfsdirent_label_t mpo_destroy_devfsdirent_label;
|
|
|
|
mpo_placeholder_t _mpo_placeholder1;
|
|
|
|
mpo_destroy_ifnet_label_t mpo_destroy_ifnet_label;
|
|
|
|
mpo_destroy_inpcb_label_t mpo_destroy_inpcb_label;
|
|
|
|
mpo_destroy_sysv_msgmsg_label_t mpo_destroy_sysv_msgmsg_label;
|
|
|
|
mpo_destroy_sysv_msgqueue_label_t mpo_destroy_sysv_msgqueue_label;
|
|
|
|
mpo_destroy_sysv_sem_label_t mpo_destroy_sysv_sem_label;
|
|
|
|
mpo_destroy_sysv_shm_label_t mpo_destroy_sysv_shm_label;
|
|
|
|
mpo_destroy_ipq_label_t mpo_destroy_ipq_label;
|
|
|
|
mpo_destroy_mbuf_label_t mpo_destroy_mbuf_label;
|
|
|
|
mpo_destroy_mount_label_t mpo_destroy_mount_label;
|
|
|
|
mpo_destroy_mount_fs_label_t mpo_destroy_mount_fs_label;
|
|
|
|
mpo_destroy_socket_label_t mpo_destroy_socket_label;
|
|
|
|
mpo_destroy_socket_peer_label_t mpo_destroy_socket_peer_label;
|
|
|
|
mpo_destroy_pipe_label_t mpo_destroy_pipe_label;
|
|
|
|
mpo_destroy_posix_sem_label_t mpo_destroy_posix_sem_label;
|
|
|
|
mpo_destroy_proc_label_t mpo_destroy_proc_label;
|
|
|
|
mpo_destroy_vnode_label_t mpo_destroy_vnode_label;
|
|
|
|
mpo_cleanup_sysv_msgmsg_t mpo_cleanup_sysv_msgmsg;
|
|
|
|
mpo_cleanup_sysv_msgqueue_t mpo_cleanup_sysv_msgqueue;
|
|
|
|
mpo_cleanup_sysv_sem_t mpo_cleanup_sysv_sem;
|
|
|
|
mpo_cleanup_sysv_shm_t mpo_cleanup_sysv_shm;
|
|
|
|
mpo_copy_cred_label_t mpo_copy_cred_label;
|
|
|
|
mpo_copy_ifnet_label_t mpo_copy_ifnet_label;
|
|
|
|
mpo_copy_mbuf_label_t mpo_copy_mbuf_label;
|
|
|
|
mpo_placeholder_t _mpo_placeholder2;
|
|
|
|
mpo_copy_pipe_label_t mpo_copy_pipe_label;
|
|
|
|
mpo_copy_socket_label_t mpo_copy_socket_label;
|
|
|
|
mpo_copy_vnode_label_t mpo_copy_vnode_label;
|
|
|
|
mpo_externalize_cred_label_t mpo_externalize_cred_label;
|
|
|
|
mpo_externalize_ifnet_label_t mpo_externalize_ifnet_label;
|
|
|
|
mpo_placeholder_t _mpo_placeholder3;
|
|
|
|
mpo_externalize_pipe_label_t mpo_externalize_pipe_label;
|
|
|
|
mpo_externalize_socket_label_t mpo_externalize_socket_label;
|
|
|
|
mpo_externalize_socket_peer_label_t mpo_externalize_socket_peer_label;
|
|
|
|
mpo_externalize_vnode_label_t mpo_externalize_vnode_label;
|
|
|
|
mpo_internalize_cred_label_t mpo_internalize_cred_label;
|
|
|
|
mpo_internalize_ifnet_label_t mpo_internalize_ifnet_label;
|
|
|
|
mpo_placeholder_t _mpo_placeholder4;
|
|
|
|
mpo_internalize_pipe_label_t mpo_internalize_pipe_label;
|
|
|
|
mpo_internalize_socket_label_t mpo_internalize_socket_label;
|
|
|
|
mpo_internalize_vnode_label_t mpo_internalize_vnode_label;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Labeling event operations: file system objects, and things that
|
|
|
|
* look a lot like file system objects.
|
|
|
|
*/
|
|
|
|
mpo_associate_vnode_devfs_t mpo_associate_vnode_devfs;
|
|
|
|
mpo_associate_vnode_extattr_t mpo_associate_vnode_extattr;
|
|
|
|
mpo_associate_vnode_singlelabel_t mpo_associate_vnode_singlelabel;
|
|
|
|
mpo_create_devfs_device_t mpo_create_devfs_device;
|
|
|
|
mpo_create_devfs_directory_t mpo_create_devfs_directory;
|
|
|
|
mpo_create_devfs_symlink_t mpo_create_devfs_symlink;
|
|
|
|
mpo_placeholder_t _mpo_placeholder5;
|
|
|
|
mpo_create_vnode_extattr_t mpo_create_vnode_extattr;
|
|
|
|
mpo_create_mount_t mpo_create_mount;
|
|
|
|
mpo_relabel_vnode_t mpo_relabel_vnode;
|
|
|
|
mpo_setlabel_vnode_extattr_t mpo_setlabel_vnode_extattr;
|
|
|
|
mpo_update_devfsdirent_t mpo_update_devfsdirent;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Labeling event operations: IPC objects.
|
|
|
|
*/
|
|
|
|
mpo_create_mbuf_from_socket_t mpo_create_mbuf_from_socket;
|
|
|
|
mpo_create_socket_t mpo_create_socket;
|
|
|
|
mpo_create_socket_from_socket_t mpo_create_socket_from_socket;
|
|
|
|
mpo_relabel_socket_t mpo_relabel_socket;
|
|
|
|
mpo_relabel_pipe_t mpo_relabel_pipe;
|
|
|
|
mpo_set_socket_peer_from_mbuf_t mpo_set_socket_peer_from_mbuf;
|
|
|
|
mpo_set_socket_peer_from_socket_t mpo_set_socket_peer_from_socket;
|
|
|
|
mpo_create_pipe_t mpo_create_pipe;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Labeling event operations: System V IPC primitives.
|
|
|
|
*/
|
|
|
|
mpo_create_sysv_msgmsg_t mpo_create_sysv_msgmsg;
|
|
|
|
mpo_create_sysv_msgqueue_t mpo_create_sysv_msgqueue;
|
|
|
|
mpo_create_sysv_sem_t mpo_create_sysv_sem;
|
|
|
|
mpo_create_sysv_shm_t mpo_create_sysv_shm;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Labeling event operations: POSIX (global/inter-process) semaphores.
|
|
|
|
*/
|
|
|
|
mpo_create_posix_sem_t mpo_create_posix_sem;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Labeling event operations: network objects.
|
|
|
|
*/
|
|
|
|
mpo_create_bpfdesc_t mpo_create_bpfdesc;
|
|
|
|
mpo_create_ifnet_t mpo_create_ifnet;
|
|
|
|
mpo_create_inpcb_from_socket_t mpo_create_inpcb_from_socket;
|
|
|
|
mpo_create_ipq_t mpo_create_ipq;
|
|
|
|
mpo_create_datagram_from_ipq mpo_create_datagram_from_ipq;
|
|
|
|
mpo_create_fragment_t mpo_create_fragment;
|
|
|
|
mpo_create_mbuf_from_inpcb_t mpo_create_mbuf_from_inpcb;
|
|
|
|
mpo_create_mbuf_linklayer_t mpo_create_mbuf_linklayer;
|
|
|
|
mpo_create_mbuf_from_bpfdesc_t mpo_create_mbuf_from_bpfdesc;
|
|
|
|
mpo_create_mbuf_from_ifnet_t mpo_create_mbuf_from_ifnet;
|
|
|
|
mpo_create_mbuf_multicast_encap_t mpo_create_mbuf_multicast_encap;
|
|
|
|
mpo_create_mbuf_netlayer_t mpo_create_mbuf_netlayer;
|
|
|
|
mpo_fragment_match_t mpo_fragment_match;
|
|
|
|
mpo_reflect_mbuf_icmp_t mpo_reflect_mbuf_icmp;
|
|
|
|
mpo_reflect_mbuf_tcp_t mpo_reflect_mbuf_tcp;
|
|
|
|
mpo_relabel_ifnet_t mpo_relabel_ifnet;
|
|
|
|
mpo_update_ipq_t mpo_update_ipq;
|
|
|
|
mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Labeling event operations: processes.
|
|
|
|
*/
|
|
|
|
mpo_execve_transition_t mpo_execve_transition;
|
|
|
|
mpo_execve_will_transition_t mpo_execve_will_transition;
|
|
|
|
mpo_create_proc0_t mpo_create_proc0;
|
|
|
|
mpo_create_proc1_t mpo_create_proc1;
|
|
|
|
mpo_relabel_cred_t mpo_relabel_cred;
|
|
|
|
mpo_placeholder_t _mpo_placeholder6;
|
|
|
|
mpo_thread_userret_t mpo_thread_userret;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Access control checks.
|
|
|
|
*/
|
|
|
|
mpo_check_bpfdesc_receive_t mpo_check_bpfdesc_receive;
|
|
|
|
mpo_placeholder_t _mpo_placeholder7;
|
|
|
|
mpo_check_cred_relabel_t mpo_check_cred_relabel;
|
|
|
|
mpo_check_cred_visible_t mpo_check_cred_visible;
|
|
|
|
mpo_placeholder_t _mpo_placeholder8;
|
|
|
|
mpo_placeholder_t _mpo_placeholder9;
|
|
|
|
mpo_placeholder_t _mpo_placeholder10;
|
|
|
|
mpo_placeholder_t _mpo_placeholder11;
|
|
|
|
mpo_placeholder_t _mpo_placeholder12;
|
|
|
|
mpo_placeholder_t _mpo_placeholder13;
|
|
|
|
mpo_placeholder_t _mpo_placeholder14;
|
|
|
|
mpo_placeholder_t _mpo_placeholder15;
|
|
|
|
mpo_placeholder_t _mpo_placeholder16;
|
|
|
|
mpo_placeholder_t _mpo_placeholder17;
|
|
|
|
mpo_placeholder_t _mpo_placeholder18;
|
|
|
|
mpo_check_ifnet_relabel_t mpo_check_ifnet_relabel;
|
|
|
|
mpo_check_ifnet_transmit_t mpo_check_ifnet_transmit;
|
|
|
|
mpo_check_inpcb_deliver_t mpo_check_inpcb_deliver;
|
|
|
|
mpo_check_sysv_msgmsq_t mpo_check_sysv_msgmsq;
|
|
|
|
mpo_check_sysv_msgrcv_t mpo_check_sysv_msgrcv;
|
|
|
|
mpo_check_sysv_msgrmid_t mpo_check_sysv_msgrmid;
|
|
|
|
mpo_check_sysv_msqget_t mpo_check_sysv_msqget;
|
|
|
|
mpo_check_sysv_msqsnd_t mpo_check_sysv_msqsnd;
|
|
|
|
mpo_check_sysv_msqrcv_t mpo_check_sysv_msqrcv;
|
|
|
|
mpo_check_sysv_msqctl_t mpo_check_sysv_msqctl;
|
|
|
|
mpo_check_sysv_semctl_t mpo_check_sysv_semctl;
|
|
|
|
mpo_check_sysv_semget_t mpo_check_sysv_semget;
|
|
|
|
mpo_check_sysv_semop_t mpo_check_sysv_semop;
|
|
|
|
mpo_check_sysv_shmat_t mpo_check_sysv_shmat;
|
|
|
|
mpo_check_sysv_shmctl_t mpo_check_sysv_shmctl;
|
|
|
|
mpo_check_sysv_shmdt_t mpo_check_sysv_shmdt;
|
|
|
|
mpo_check_sysv_shmget_t mpo_check_sysv_shmget;
|
|
|
|
mpo_check_kenv_dump_t mpo_check_kenv_dump;
|
|
|
|
mpo_check_kenv_get_t mpo_check_kenv_get;
|
|
|
|
mpo_check_kenv_set_t mpo_check_kenv_set;
|
|
|
|
mpo_check_kenv_unset_t mpo_check_kenv_unset;
|
|
|
|
mpo_check_kld_load_t mpo_check_kld_load;
|
|
|
|
mpo_check_kld_stat_t mpo_check_kld_stat;
|
|
|
|
mpo_check_kld_unload_t mpo_check_kld_unload;
|
|
|
|
mpo_placeholder_t _mpo_placeholder19;
|
|
|
|
mpo_placeholder_t _mpo_placeholder20;
|
|
|
|
mpo_check_mount_stat_t mpo_check_mount_stat;
|
|
|
|
mpo_placeholder_t _mpo_placeholder_21;
|
|
|
|
mpo_check_pipe_ioctl_t mpo_check_pipe_ioctl;
|
|
|
|
mpo_check_pipe_poll_t mpo_check_pipe_poll;
|
|
|
|
mpo_check_pipe_read_t mpo_check_pipe_read;
|
|
|
|
mpo_check_pipe_relabel_t mpo_check_pipe_relabel;
|
|
|
|
mpo_check_pipe_stat_t mpo_check_pipe_stat;
|
|
|
|
mpo_check_pipe_write_t mpo_check_pipe_write;
|
|
|
|
mpo_check_posix_sem_destroy_t mpo_check_posix_sem_destroy;
|
|
|
|
mpo_check_posix_sem_getvalue_t mpo_check_posix_sem_getvalue;
|
|
|
|
mpo_check_posix_sem_open_t mpo_check_posix_sem_open;
|
|
|
|
mpo_check_posix_sem_post_t mpo_check_posix_sem_post;
|
|
|
|
mpo_check_posix_sem_unlink_t mpo_check_posix_sem_unlink;
|
|
|
|
mpo_check_posix_sem_wait_t mpo_check_posix_sem_wait;
|
|
|
|
mpo_check_proc_debug_t mpo_check_proc_debug;
|
|
|
|
mpo_check_proc_sched_t mpo_check_proc_sched;
|
|
|
|
mpo_check_proc_setuid_t mpo_check_proc_setuid;
|
|
|
|
mpo_check_proc_seteuid_t mpo_check_proc_seteuid;
|
|
|
|
mpo_check_proc_setgid_t mpo_check_proc_setgid;
|
|
|
|
mpo_check_proc_setegid_t mpo_check_proc_setegid;
|
|
|
|
mpo_check_proc_setgroups_t mpo_check_proc_setgroups;
|
|
|
|
mpo_check_proc_setreuid_t mpo_check_proc_setreuid;
|
|
|
|
mpo_check_proc_setregid_t mpo_check_proc_setregid;
|
|
|
|
mpo_check_proc_setresuid_t mpo_check_proc_setresuid;
|
|
|
|
mpo_check_proc_setresgid_t mpo_check_proc_setresgid;
|
|
|
|
mpo_check_proc_signal_t mpo_check_proc_signal;
|
|
|
|
mpo_check_proc_wait_t mpo_check_proc_wait;
|
|
|
|
mpo_check_socket_accept_t mpo_check_socket_accept;
|
|
|
|
mpo_check_socket_bind_t mpo_check_socket_bind;
|
|
|
|
mpo_check_socket_connect_t mpo_check_socket_connect;
|
|
|
|
mpo_check_socket_create_t mpo_check_socket_create;
|
|
|
|
mpo_check_socket_deliver_t mpo_check_socket_deliver;
|
|
|
|
mpo_placeholder_t _mpo_placeholder22;
|
|
|
|
mpo_check_socket_listen_t mpo_check_socket_listen;
|
|
|
|
mpo_check_socket_poll_t mpo_check_socket_poll;
|
|
|
|
mpo_check_socket_receive_t mpo_check_socket_receive;
|
|
|
|
mpo_check_socket_relabel_t mpo_check_socket_relabel;
|
|
|
|
mpo_check_socket_send_t mpo_check_socket_send;
|
|
|
|
mpo_check_socket_stat_t mpo_check_socket_stat;
|
|
|
|
mpo_check_socket_visible_t mpo_check_socket_visible;
|
|
|
|
mpo_check_sysarch_ioperm_t mpo_check_sysarch_ioperm;
|
|
|
|
mpo_check_system_acct_t mpo_check_system_acct;
|
|
|
|
mpo_check_system_nfsd_t mpo_check_system_nfsd;
|
|
|
|
mpo_check_system_reboot_t mpo_check_system_reboot;
|
|
|
|
mpo_check_system_settime_t mpo_check_system_settime;
|
|
|
|
mpo_check_system_swapon_t mpo_check_system_swapon;
|
|
|
|
mpo_check_system_swapoff_t mpo_check_system_swapoff;
|
|
|
|
mpo_check_system_sysctl_t mpo_check_system_sysctl;
|
|
|
|
mpo_placeholder_t _mpo_placeholder23;
|
|
|
|
mpo_check_vnode_access_t mpo_check_vnode_access;
|
|
|
|
mpo_check_vnode_chdir_t mpo_check_vnode_chdir;
|
|
|
|
mpo_check_vnode_chroot_t mpo_check_vnode_chroot;
|
|
|
|
mpo_check_vnode_create_t mpo_check_vnode_create;
|
|
|
|
mpo_check_vnode_delete_t mpo_check_vnode_delete;
|
|
|
|
mpo_check_vnode_deleteacl_t mpo_check_vnode_deleteacl;
|
|
|
|
mpo_check_vnode_deleteextattr_t mpo_check_vnode_deleteextattr;
|
|
|
|
mpo_check_vnode_exec_t mpo_check_vnode_exec;
|
|
|
|
mpo_check_vnode_getacl_t mpo_check_vnode_getacl;
|
|
|
|
mpo_check_vnode_getextattr_t mpo_check_vnode_getextattr;
|
|
|
|
mpo_placeholder_t _mpo_placeholder24;
|
|
|
|
mpo_check_vnode_link_t mpo_check_vnode_link;
|
|
|
|
mpo_check_vnode_listextattr_t mpo_check_vnode_listextattr;
|
|
|
|
mpo_check_vnode_lookup_t mpo_check_vnode_lookup;
|
|
|
|
mpo_check_vnode_mmap_t mpo_check_vnode_mmap;
|
|
|
|
mpo_check_vnode_mmap_downgrade_t mpo_check_vnode_mmap_downgrade;
|
|
|
|
mpo_check_vnode_mprotect_t mpo_check_vnode_mprotect;
|
|
|
|
mpo_check_vnode_open_t mpo_check_vnode_open;
|
|
|
|
mpo_check_vnode_poll_t mpo_check_vnode_poll;
|
|
|
|
mpo_check_vnode_read_t mpo_check_vnode_read;
|
|
|
|
mpo_check_vnode_readdir_t mpo_check_vnode_readdir;
|
|
|
|
mpo_check_vnode_readlink_t mpo_check_vnode_readlink;
|
|
|
|
mpo_check_vnode_relabel_t mpo_check_vnode_relabel;
|
|
|
|
mpo_check_vnode_rename_from_t mpo_check_vnode_rename_from;
|
|
|
|
mpo_check_vnode_rename_to_t mpo_check_vnode_rename_to;
|
|
|
|
mpo_check_vnode_revoke_t mpo_check_vnode_revoke;
|
|
|
|
mpo_check_vnode_setacl_t mpo_check_vnode_setacl;
|
|
|
|
mpo_check_vnode_setextattr_t mpo_check_vnode_setextattr;
|
|
|
|
mpo_check_vnode_setflags_t mpo_check_vnode_setflags;
|
|
|
|
mpo_check_vnode_setmode_t mpo_check_vnode_setmode;
|
|
|
|
mpo_check_vnode_setowner_t mpo_check_vnode_setowner;
|
|
|
|
mpo_check_vnode_setutimes_t mpo_check_vnode_setutimes;
|
|
|
|
mpo_check_vnode_stat_t mpo_check_vnode_stat;
|
|
|
|
mpo_check_vnode_write_t mpo_check_vnode_write;
|
|
|
|
mpo_associate_nfsd_label_t mpo_associate_nfsd_label;
|
2006-09-12 04:25:13 +00:00
|
|
|
mpo_create_mbuf_from_firewall_t mpo_create_mbuf_from_firewall;
|
2006-11-06 13:42:10 +00:00
|
|
|
mpo_priv_check_t mpo_priv_check;
|
|
|
|
mpo_priv_grant_t mpo_priv_grant;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
};
|
|
|
|
|
2004-10-22 11:29:30 +00:00
|
|
|
/*
|
|
|
|
* struct mac_policy_conf is the registration structure for policies, and is
|
|
|
|
* provided to the MAC Framework using MAC_POLICY_SET() to invoke a SYSINIT
|
|
|
|
* to register the policy. In general, the fields are immutable, with the
|
|
|
|
* exception of the "security field", run-time flags, and policy list entry,
|
|
|
|
* which are managed by the MAC Framework. Be careful when modifying this
|
|
|
|
* structure, as its layout is statically compiled into all policies.
|
|
|
|
*/
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
struct mac_policy_conf {
|
|
|
|
char *mpc_name; /* policy name */
|
|
|
|
char *mpc_fullname; /* policy full name */
|
|
|
|
struct mac_policy_ops *mpc_ops; /* policy operations */
|
|
|
|
int mpc_loadtime_flags; /* flags */
|
|
|
|
int *mpc_field_off; /* security field */
|
|
|
|
int mpc_runtime_flags; /* flags */
|
|
|
|
LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Flags for the mpc_loadtime_flags field. */
|
|
|
|
#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
|
|
|
|
#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
|
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header. To do this:
- Modify mbuf_to_label() to extract the tag, returning NULL if not
found.
- Introduce mac_init_mbuf_tag() which does most of the work
mac_init_mbuf() used to do, except on an m_tag rather than an
mbuf.
- Scale back mac_init_mbuf() to perform m_tag allocation and invoke
mac_init_mbuf_tag().
- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since
m_tag's are now GC'd deep in the m_tag/mbuf code rather than
at a higher level when mbufs are directly free()'d.
- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related
notions.
- Generally change all references to mbuf labels so that they use
mbuf_to_label() rather than &mbuf->m_pkthdr.label. This
required no changes in the MAC policies (yay!).
- Tweak mbuf release routines to not call mac_destroy_mbuf(),
tag destruction takes care of it for us now.
- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() --
the existing m_tag support does all this for us. Note that
we can no longer just zero the m_tag list on the target mbuf,
rather, we have to delete the chain because m_tag's will
already be hung off freshly allocated mbuf's.
- Tweak m_tag copying routines so that if we're copying a MAC
m_tag, we don't do a binary copy, rather, we initialize the
new storage and do a deep copy of the label.
- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places
having to do with mbuf header copies previously.
- When an mbuf is copied in ip_input(), we no longer need to
explicitly copy the label because it will get handled by the
m_tag code now.
- No longer any weird handling of MAC labels in if_loop.c during
header copies.
- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test.
In mac_test, handle the label==NULL case, since it can be
dynamically loaded.
In order to improve performance with this change, introduce the notion
of "lazy MAC label allocation" -- only allocate m_tag storage for MAC
labels if we're running with a policy that uses MAC labels on mbufs.
Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS
flag in their load-time flags field during declaration. Note: this
opens up the possibility of post-boot policy modules getting back NULL
slot entries even though they have policy invariants of non-NULL slot
entries, as the policy might have been loaded after the mbuf was
allocated, leaving the mbuf without label storage. Policies that cannot
handle this case must be declared as NOTLATE, or must be modified.
- mac_labelmbufs holds the current cumulative status as to whether
any policies require mbuf labeling or not. This is updated whenever
the active policy set changes by the function mac_policy_updateflags().
The function iterates the list and checks whether any have the
flag set. Write access to this variable is protected by the policy
list; read access is currently not protected for performance reasons.
This might change if it causes problems.
- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update
function to assert appropriate locks.
- This makes allocation in mac_init_mbuf() conditional on the flag.
Reviewed by: sam
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
|
|
|
#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
|
|
|
|
/* Flags for the mpc_runtime_flags field. */
|
|
|
|
#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
|
|
|
|
|
Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure. Originally, we used a vector
for two reasons:
(1) We wanted to define the structure sparsely, which wasn't
supported by the C compiler for structures. For a policy
with five entry points, you don't want to have to stick in
a few hundred NULL function pointers.
(2) We thought it would improve ABI compatibility allowing modules
to work with kernels that had a superset of the entry points
defined in the module, even if the kernel had changed its
entry point set.
Both of these no longer apply:
(1) C99 gives us a way to sparsely define a static structure.
(2) The ABI problems existed anyway, due to enumeration numbers,
argument changes, and semantic mismatches. Since the going
rule for FreeBSD is that you really need your modules to
pretty closely match your kernel, it's not worth the
complexity.
This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions. One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
|
|
|
#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
static struct mac_policy_conf mpname##_mac_policy_conf = { \
|
|
|
|
#mpname, \
|
|
|
|
mpfullname, \
|
Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure. Originally, we used a vector
for two reasons:
(1) We wanted to define the structure sparsely, which wasn't
supported by the C compiler for structures. For a policy
with five entry points, you don't want to have to stick in
a few hundred NULL function pointers.
(2) We thought it would improve ABI compatibility allowing modules
to work with kernels that had a superset of the entry points
defined in the module, even if the kernel had changed its
entry point set.
Both of these no longer apply:
(1) C99 gives us a way to sparsely define a static structure.
(2) The ABI problems existed anyway, due to enumeration numbers,
argument changes, and semantic mismatches. Since the going
rule for FreeBSD is that you really need your modules to
pretty closely match your kernel, it's not worth the
complexity.
This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions. One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
|
|
|
mpops, \
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
mpflags, \
|
|
|
|
privdata_wanted, \
|
|
|
|
0, \
|
|
|
|
}; \
|
|
|
|
static moduledata_t mpname##_mod = { \
|
|
|
|
#mpname, \
|
|
|
|
mac_policy_modevent, \
|
|
|
|
&mpname##_mac_policy_conf \
|
|
|
|
}; \
|
2005-07-14 10:46:03 +00:00
|
|
|
MODULE_DEPEND(mpname, kernel_mac_support, 3, 3, 3); \
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
|
|
|
DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY, \
|
|
|
|
SI_ORDER_MIDDLE)
|
|
|
|
|
|
|
|
int mac_policy_modevent(module_t mod, int type, void *data);
|
|
|
|
|
|
|
|
#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
|
|
|
|
|
2004-05-10 18:38:07 +00:00
|
|
|
#endif /* !_SYS_MAC_POLICY_H_ */
|