2002-07-30 02:04:05 +00:00
|
|
|
/*-
|
2008-10-28 11:33:06 +00:00
|
|
|
* Copyright (c) 1999-2002, 2008 Robert N. M. Watson
|
2002-07-30 02:04:05 +00:00
|
|
|
* Copyright (c) 2001 Ilmar S. Habibulin
|
2004-02-22 00:33:12 +00:00
|
|
|
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
|
2005-04-16 13:29:15 +00:00
|
|
|
* Copyright (c) 2005 Samy Al Bahra
|
2007-10-24 19:04:04 +00:00
|
|
|
* Copyright (c) 2006 SPARTA, Inc.
|
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
|
|
|
* Copyright (c) 2008 Apple Inc.
|
2002-07-30 02:04:05 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* This software was developed by Robert Watson and Ilmar Habibulin for the
|
|
|
|
* TrustedBSD Project.
|
|
|
|
*
|
2002-11-04 01:42:39 +00:00
|
|
|
* This software was developed for the FreeBSD Project in part by Network
|
|
|
|
* Associates Laboratories, the Security Research Division of Network
|
|
|
|
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
|
|
|
|
* as part of the DARPA CHATS research program.
|
2002-07-30 02:04:05 +00:00
|
|
|
*
|
2007-10-24 19:04:04 +00:00
|
|
|
* This software was enhanced by SPARTA ISSO under SPAWAR contract
|
|
|
|
* N66001-04-C-6019 ("SEFOS").
|
|
|
|
*
|
2002-07-30 02:04:05 +00:00
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*/
|
2003-06-11 00:56:59 +00:00
|
|
|
|
|
|
|
#include <sys/cdefs.h>
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
2002-07-30 02:04:05 +00:00
|
|
|
#include "opt_mac.h"
|
2002-08-01 17:47:56 +00:00
|
|
|
|
2002-07-30 02:04:05 +00:00
|
|
|
#include <sys/param.h>
|
2002-11-13 15:47:09 +00:00
|
|
|
#include <sys/condvar.h>
|
2002-11-05 17:51:56 +00:00
|
|
|
#include <sys/imgact.h>
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
#include <sys/kernel.h>
|
|
|
|
#include <sys/lock.h>
|
2002-09-05 07:02:43 +00:00
|
|
|
#include <sys/malloc.h>
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
#include <sys/mutex.h>
|
|
|
|
#include <sys/mac.h>
|
|
|
|
#include <sys/proc.h>
|
2003-06-23 01:26:34 +00:00
|
|
|
#include <sys/sbuf.h>
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
#include <sys/systm.h>
|
|
|
|
#include <sys/vnode.h>
|
|
|
|
#include <sys/mount.h>
|
|
|
|
#include <sys/file.h>
|
|
|
|
#include <sys/namei.h>
|
|
|
|
#include <sys/sysctl.h>
|
|
|
|
|
|
|
|
#include <vm/vm.h>
|
|
|
|
#include <vm/pmap.h>
|
|
|
|
#include <vm/vm_map.h>
|
|
|
|
#include <vm/vm_object.h>
|
|
|
|
|
2006-10-22 11:52:19 +00:00
|
|
|
#include <security/mac/mac_framework.h>
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
#include <security/mac/mac_internal.h>
|
2006-12-22 23:34:47 +00:00
|
|
|
#include <security/mac/mac_policy.h>
|
2002-09-18 02:00:19 +00:00
|
|
|
|
2002-09-09 17:12:24 +00:00
|
|
|
static int mac_mmap_revocation = 1;
|
|
|
|
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
|
|
|
|
&mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
|
|
|
|
"relabel");
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
|
2002-08-15 02:28:32 +00:00
|
|
|
static int mac_mmap_revocation_via_cow = 0;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
|
|
|
|
&mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
|
|
|
|
"copy-on-write semantics, or by removing all write access");
|
|
|
|
|
2008-10-28 12:49:07 +00:00
|
|
|
static void mac_proc_vm_revoke_recurse(struct thread *td,
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
struct ucred *cred, struct vm_map *map);
|
|
|
|
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
static struct label *
|
|
|
|
mac_proc_label_alloc(void)
|
|
|
|
{
|
|
|
|
struct label *label;
|
|
|
|
|
|
|
|
label = mac_labelzone_alloc(M_WAITOK);
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_PERFORM(proc_init_label, label);
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
return (label);
|
Clean up locking for the MAC Framework:
(1) Accept that we're now going to use mutexes, so don't attempt
to avoid treating them as mutexes. This cleans up locking
accessor function names some.
(2) Rename variables to _mtx, _cv, _count, simplifying the naming.
(3) Add a new form of the _busy() primitive that conditionally
makes the list busy: if there are entries on the list, bump
the busy count. If there are no entries, don't bump the busy
count. Return a boolean indicating whether or not the busy
count was bumped.
(4) Break mac_policy_list into two lists: one with the same name
holding dynamic policies, and a new list, mac_static_policy_list,
which holds policies loaded before mac_late and without the
unload flag set. The static list may be accessed without
holding the busy count, since it can't change at run-time.
(5) In general, prefer making the list busy conditionally, meaning
we pay only one mutex lock per entry point if all modules are
on the static list, rather than two (since we don't have to
lower the busy count when we're done with the framework). For
systems running just Biba or MLS, this will halve the mutex
accesses in the network stack, and may offer a substantial
performance benefits.
(6) Lay the groundwork for a dynamic-free kernel option which
eliminates all locking associated with dynamically loaded or
unloaded policies, for pre-configured systems requiring
maximum performance but less run-time flexibility.
These changes have been running for a few weeks on MAC development
branch systems.
Approved by: re (jhb)
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
|
|
|
}
|
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
void
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_init(struct proc *p)
|
Clean up locking for the MAC Framework:
(1) Accept that we're now going to use mutexes, so don't attempt
to avoid treating them as mutexes. This cleans up locking
accessor function names some.
(2) Rename variables to _mtx, _cv, _count, simplifying the naming.
(3) Add a new form of the _busy() primitive that conditionally
makes the list busy: if there are entries on the list, bump
the busy count. If there are no entries, don't bump the busy
count. Return a boolean indicating whether or not the busy
count was bumped.
(4) Break mac_policy_list into two lists: one with the same name
holding dynamic policies, and a new list, mac_static_policy_list,
which holds policies loaded before mac_late and without the
unload flag set. The static list may be accessed without
holding the busy count, since it can't change at run-time.
(5) In general, prefer making the list busy conditionally, meaning
we pay only one mutex lock per entry point if all modules are
on the static list, rather than two (since we don't have to
lower the busy count when we're done with the framework). For
systems running just Biba or MLS, this will halve the mutex
accesses in the network stack, and may offer a substantial
performance benefits.
(6) Lay the groundwork for a dynamic-free kernel option which
eliminates all locking associated with dynamically loaded or
unloaded policies, for pre-configured systems requiring
maximum performance but less run-time flexibility.
These changes have been running for a few weeks on MAC development
branch systems.
Approved by: re (jhb)
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
|
|
|
{
|
|
|
|
|
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
|
|
|
if (mac_labeled & MPC_OBJECT_PROC)
|
|
|
|
p->p_label = mac_proc_label_alloc();
|
|
|
|
else
|
|
|
|
p->p_label = NULL;
|
Clean up locking for the MAC Framework:
(1) Accept that we're now going to use mutexes, so don't attempt
to avoid treating them as mutexes. This cleans up locking
accessor function names some.
(2) Rename variables to _mtx, _cv, _count, simplifying the naming.
(3) Add a new form of the _busy() primitive that conditionally
makes the list busy: if there are entries on the list, bump
the busy count. If there are no entries, don't bump the busy
count. Return a boolean indicating whether or not the busy
count was bumped.
(4) Break mac_policy_list into two lists: one with the same name
holding dynamic policies, and a new list, mac_static_policy_list,
which holds policies loaded before mac_late and without the
unload flag set. The static list may be accessed without
holding the busy count, since it can't change at run-time.
(5) In general, prefer making the list busy conditionally, meaning
we pay only one mutex lock per entry point if all modules are
on the static list, rather than two (since we don't have to
lower the busy count when we're done with the framework). For
systems running just Biba or MLS, this will halve the mutex
accesses in the network stack, and may offer a substantial
performance benefits.
(6) Lay the groundwork for a dynamic-free kernel option which
eliminates all locking associated with dynamically loaded or
unloaded policies, for pre-configured systems requiring
maximum performance but less run-time flexibility.
These changes have been running for a few weeks on MAC development
branch systems.
Approved by: re (jhb)
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
|
|
|
}
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
static void
|
|
|
|
mac_proc_label_free(struct label *label)
|
|
|
|
{
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_PERFORM(proc_destroy_label, label);
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
mac_labelzone_free(label);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
}
|
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
void
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_destroy(struct proc *p)
|
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header. To do this:
- Modify mbuf_to_label() to extract the tag, returning NULL if not
found.
- Introduce mac_init_mbuf_tag() which does most of the work
mac_init_mbuf() used to do, except on an m_tag rather than an
mbuf.
- Scale back mac_init_mbuf() to perform m_tag allocation and invoke
mac_init_mbuf_tag().
- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since
m_tag's are now GC'd deep in the m_tag/mbuf code rather than
at a higher level when mbufs are directly free()'d.
- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related
notions.
- Generally change all references to mbuf labels so that they use
mbuf_to_label() rather than &mbuf->m_pkthdr.label. This
required no changes in the MAC policies (yay!).
- Tweak mbuf release routines to not call mac_destroy_mbuf(),
tag destruction takes care of it for us now.
- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() --
the existing m_tag support does all this for us. Note that
we can no longer just zero the m_tag list on the target mbuf,
rather, we have to delete the chain because m_tag's will
already be hung off freshly allocated mbuf's.
- Tweak m_tag copying routines so that if we're copying a MAC
m_tag, we don't do a binary copy, rather, we initialize the
new storage and do a deep copy of the label.
- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places
having to do with mbuf header copies previously.
- When an mbuf is copied in ip_input(), we no longer need to
explicitly copy the label because it will get handled by the
m_tag code now.
- No longer any weird handling of MAC labels in if_loop.c during
header copies.
- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test.
In mac_test, handle the label==NULL case, since it can be
dynamically loaded.
In order to improve performance with this change, introduce the notion
of "lazy MAC label allocation" -- only allocate m_tag storage for MAC
labels if we're running with a policy that uses MAC labels on mbufs.
Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS
flag in their load-time flags field during declaration. Note: this
opens up the possibility of post-boot policy modules getting back NULL
slot entries even though they have policy invariants of non-NULL slot
entries, as the policy might have been loaded after the mbuf was
allocated, leaving the mbuf without label storage. Policies that cannot
handle this case must be declared as NOTLATE, or must be modified.
- mac_labelmbufs holds the current cumulative status as to whether
any policies require mbuf labeling or not. This is updated whenever
the active policy set changes by the function mac_policy_updateflags().
The function iterates the list and checks whether any have the
flag set. Write access to this variable is protected by the policy
list; read access is currently not protected for performance reasons.
This might change if it causes problems.
- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update
function to assert appropriate locks.
- This makes allocation in mac_init_mbuf() conditional on the flag.
Reviewed by: sam
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
|
|
|
{
|
|
|
|
|
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
|
|
|
if (p->p_label != NULL) {
|
|
|
|
mac_proc_label_free(p->p_label);
|
|
|
|
p->p_label = NULL;
|
|
|
|
}
|
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header. To do this:
- Modify mbuf_to_label() to extract the tag, returning NULL if not
found.
- Introduce mac_init_mbuf_tag() which does most of the work
mac_init_mbuf() used to do, except on an m_tag rather than an
mbuf.
- Scale back mac_init_mbuf() to perform m_tag allocation and invoke
mac_init_mbuf_tag().
- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since
m_tag's are now GC'd deep in the m_tag/mbuf code rather than
at a higher level when mbufs are directly free()'d.
- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related
notions.
- Generally change all references to mbuf labels so that they use
mbuf_to_label() rather than &mbuf->m_pkthdr.label. This
required no changes in the MAC policies (yay!).
- Tweak mbuf release routines to not call mac_destroy_mbuf(),
tag destruction takes care of it for us now.
- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() --
the existing m_tag support does all this for us. Note that
we can no longer just zero the m_tag list on the target mbuf,
rather, we have to delete the chain because m_tag's will
already be hung off freshly allocated mbuf's.
- Tweak m_tag copying routines so that if we're copying a MAC
m_tag, we don't do a binary copy, rather, we initialize the
new storage and do a deep copy of the label.
- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places
having to do with mbuf header copies previously.
- When an mbuf is copied in ip_input(), we no longer need to
explicitly copy the label because it will get handled by the
m_tag code now.
- No longer any weird handling of MAC labels in if_loop.c during
header copies.
- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test.
In mac_test, handle the label==NULL case, since it can be
dynamically loaded.
In order to improve performance with this change, introduce the notion
of "lazy MAC label allocation" -- only allocate m_tag storage for MAC
labels if we're running with a policy that uses MAC labels on mbufs.
Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS
flag in their load-time flags field during declaration. Note: this
opens up the possibility of post-boot policy modules getting back NULL
slot entries even though they have policy invariants of non-NULL slot
entries, as the policy might have been loaded after the mbuf was
allocated, leaving the mbuf without label storage. Policies that cannot
handle this case must be declared as NOTLATE, or must be modified.
- mac_labelmbufs holds the current cumulative status as to whether
any policies require mbuf labeling or not. This is updated whenever
the active policy set changes by the function mac_policy_updateflags().
The function iterates the list and checks whether any have the
flag set. Write access to this variable is protected by the policy
list; read access is currently not protected for performance reasons.
This might change if it causes problems.
- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update
function to assert appropriate locks.
- This makes allocation in mac_init_mbuf() conditional on the flag.
Reviewed by: sam
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
|
|
|
}
|
|
|
|
|
2002-10-05 16:54:59 +00:00
|
|
|
void
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
mac_thread_userret(struct thread *td)
|
2002-10-05 16:54:59 +00:00
|
|
|
{
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
MAC_PERFORM(thread_userret, td);
|
2002-10-05 16:54:59 +00:00
|
|
|
}
|
|
|
|
|
2003-03-26 15:12:03 +00:00
|
|
|
int
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
mac_execve_enter(struct image_params *imgp, struct mac *mac_p)
|
2002-10-05 16:54:59 +00:00
|
|
|
{
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
struct label *label;
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
struct mac mac;
|
|
|
|
char *buffer;
|
2003-03-26 15:12:03 +00:00
|
|
|
int error;
|
2002-10-05 16:54:59 +00:00
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
if (mac_p == NULL)
|
|
|
|
return (0);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
|
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
|
|
|
if (!(mac_labeled & MPC_OBJECT_CRED))
|
|
|
|
return (EINVAL);
|
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
error = copyin(mac_p, &mac, sizeof(mac));
|
|
|
|
if (error)
|
|
|
|
return (error);
|
2002-10-05 17:38:45 +00:00
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
error = mac_check_structmac_consistent(&mac);
|
|
|
|
if (error)
|
|
|
|
return (error);
|
2002-10-05 17:38:45 +00:00
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
|
|
|
|
error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
|
2002-10-05 17:44:49 +00:00
|
|
|
if (error) {
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
free(buffer, M_MACTEMP);
|
|
|
|
return (error);
|
2002-10-05 17:44:49 +00:00
|
|
|
}
|
2002-10-05 17:38:45 +00:00
|
|
|
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
label = mac_cred_label_alloc();
|
2007-10-24 19:04:04 +00:00
|
|
|
error = mac_cred_internalize_label(label, buffer);
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
free(buffer, M_MACTEMP);
|
2003-08-01 15:45:14 +00:00
|
|
|
if (error) {
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
mac_cred_label_free(label);
|
2003-08-01 15:45:14 +00:00
|
|
|
return (error);
|
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header. To do this:
- Modify mbuf_to_label() to extract the tag, returning NULL if not
found.
- Introduce mac_init_mbuf_tag() which does most of the work
mac_init_mbuf() used to do, except on an m_tag rather than an
mbuf.
- Scale back mac_init_mbuf() to perform m_tag allocation and invoke
mac_init_mbuf_tag().
- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since
m_tag's are now GC'd deep in the m_tag/mbuf code rather than
at a higher level when mbufs are directly free()'d.
- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related
notions.
- Generally change all references to mbuf labels so that they use
mbuf_to_label() rather than &mbuf->m_pkthdr.label. This
required no changes in the MAC policies (yay!).
- Tweak mbuf release routines to not call mac_destroy_mbuf(),
tag destruction takes care of it for us now.
- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() --
the existing m_tag support does all this for us. Note that
we can no longer just zero the m_tag list on the target mbuf,
rather, we have to delete the chain because m_tag's will
already be hung off freshly allocated mbuf's.
- Tweak m_tag copying routines so that if we're copying a MAC
m_tag, we don't do a binary copy, rather, we initialize the
new storage and do a deep copy of the label.
- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places
having to do with mbuf header copies previously.
- When an mbuf is copied in ip_input(), we no longer need to
explicitly copy the label because it will get handled by the
m_tag code now.
- No longer any weird handling of MAC labels in if_loop.c during
header copies.
- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test.
In mac_test, handle the label==NULL case, since it can be
dynamically loaded.
In order to improve performance with this change, introduce the notion
of "lazy MAC label allocation" -- only allocate m_tag storage for MAC
labels if we're running with a policy that uses MAC labels on mbufs.
Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS
flag in their load-time flags field during declaration. Note: this
opens up the possibility of post-boot policy modules getting back NULL
slot entries even though they have policy invariants of non-NULL slot
entries, as the policy might have been loaded after the mbuf was
allocated, leaving the mbuf without label storage. Policies that cannot
handle this case must be declared as NOTLATE, or must be modified.
- mac_labelmbufs holds the current cumulative status as to whether
any policies require mbuf labeling or not. This is updated whenever
the active policy set changes by the function mac_policy_updateflags().
The function iterates the list and checks whether any have the
flag set. Write access to this variable is protected by the policy
list; read access is currently not protected for performance reasons.
This might change if it causes problems.
- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update
function to assert appropriate locks.
- This makes allocation in mac_init_mbuf() conditional on the flag.
Reviewed by: sam
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
|
|
|
}
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
imgp->execlabel = label;
|
Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header. To do this:
- Modify mbuf_to_label() to extract the tag, returning NULL if not
found.
- Introduce mac_init_mbuf_tag() which does most of the work
mac_init_mbuf() used to do, except on an m_tag rather than an
mbuf.
- Scale back mac_init_mbuf() to perform m_tag allocation and invoke
mac_init_mbuf_tag().
- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since
m_tag's are now GC'd deep in the m_tag/mbuf code rather than
at a higher level when mbufs are directly free()'d.
- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related
notions.
- Generally change all references to mbuf labels so that they use
mbuf_to_label() rather than &mbuf->m_pkthdr.label. This
required no changes in the MAC policies (yay!).
- Tweak mbuf release routines to not call mac_destroy_mbuf(),
tag destruction takes care of it for us now.
- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() --
the existing m_tag support does all this for us. Note that
we can no longer just zero the m_tag list on the target mbuf,
rather, we have to delete the chain because m_tag's will
already be hung off freshly allocated mbuf's.
- Tweak m_tag copying routines so that if we're copying a MAC
m_tag, we don't do a binary copy, rather, we initialize the
new storage and do a deep copy of the label.
- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places
having to do with mbuf header copies previously.
- When an mbuf is copied in ip_input(), we no longer need to
explicitly copy the label because it will get handled by the
m_tag code now.
- No longer any weird handling of MAC labels in if_loop.c during
header copies.
- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test.
In mac_test, handle the label==NULL case, since it can be
dynamically loaded.
In order to improve performance with this change, introduce the notion
of "lazy MAC label allocation" -- only allocate m_tag storage for MAC
labels if we're running with a policy that uses MAC labels on mbufs.
Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS
flag in their load-time flags field during declaration. Note: this
opens up the possibility of post-boot policy modules getting back NULL
slot entries even though they have policy invariants of non-NULL slot
entries, as the policy might have been loaded after the mbuf was
allocated, leaving the mbuf without label storage. Policies that cannot
handle this case must be declared as NOTLATE, or must be modified.
- mac_labelmbufs holds the current cumulative status as to whether
any policies require mbuf labeling or not. This is updated whenever
the active policy set changes by the function mac_policy_updateflags().
The function iterates the list and checks whether any have the
flag set. Write access to this variable is protected by the policy
list; read access is currently not protected for performance reasons.
This might change if it causes problems.
- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update
function to assert appropriate locks.
- This makes allocation in mac_init_mbuf() conditional on the flag.
Reviewed by: sam
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2002-10-05 16:54:59 +00:00
|
|
|
void
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
mac_execve_exit(struct image_params *imgp)
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
{
|
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
|
|
|
if (imgp->execlabel != NULL) {
|
|
|
|
mac_cred_label_free(imgp->execlabel);
|
|
|
|
imgp->execlabel = NULL;
|
|
|
|
}
|
2002-10-05 16:54:59 +00:00
|
|
|
}
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
|
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
2008-08-23 15:26:36 +00:00
|
|
|
void
|
|
|
|
mac_execve_interpreter_enter(struct vnode *interpvp,
|
|
|
|
struct label **interpvplabel)
|
|
|
|
{
|
|
|
|
|
|
|
|
if (mac_labeled & MPC_OBJECT_VNODE) {
|
|
|
|
*interpvplabel = mac_vnode_label_alloc();
|
|
|
|
mac_vnode_copy_label(interpvp->v_label, *interpvplabel);
|
|
|
|
} else
|
|
|
|
*interpvplabel = NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
mac_execve_interpreter_exit(struct label *interpvplabel)
|
|
|
|
{
|
|
|
|
|
|
|
|
if (interpvplabel != NULL)
|
|
|
|
mac_vnode_label_free(interpvplabel);
|
|
|
|
}
|
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
/*
|
|
|
|
* When relabeling a process, call out to the policies for the maximum
|
2006-12-20 23:16:01 +00:00
|
|
|
* permission allowed for each object type we know about in its memory space,
|
|
|
|
* and revoke access (in the least surprising ways we know) when necessary.
|
|
|
|
* The process lock is not held here.
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
*/
|
|
|
|
void
|
2008-10-28 12:49:07 +00:00
|
|
|
mac_proc_vm_revoke(struct thread *td)
|
2002-10-22 14:29:47 +00:00
|
|
|
{
|
2008-10-28 12:49:07 +00:00
|
|
|
struct ucred *cred;
|
|
|
|
|
|
|
|
PROC_LOCK(td->td_proc);
|
|
|
|
cred = crhold(td->td_proc->p_ucred);
|
|
|
|
PROC_UNLOCK(td->td_proc);
|
2002-10-22 14:29:47 +00:00
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
/* XXX freeze all other threads */
|
2008-10-28 12:49:07 +00:00
|
|
|
mac_proc_vm_revoke_recurse(td, cred,
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
&td->td_proc->p_vmspace->vm_map);
|
|
|
|
/* XXX allow other threads to continue */
|
2008-10-28 12:49:07 +00:00
|
|
|
|
|
|
|
crfree(cred);
|
2002-10-22 14:29:47 +00:00
|
|
|
}
|
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
static __inline const char *
|
|
|
|
prot2str(vm_prot_t prot)
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
{
|
2002-10-22 14:29:47 +00:00
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
switch (prot & VM_PROT_ALL) {
|
|
|
|
case VM_PROT_READ:
|
|
|
|
return ("r--");
|
|
|
|
case VM_PROT_READ | VM_PROT_WRITE:
|
|
|
|
return ("rw-");
|
|
|
|
case VM_PROT_READ | VM_PROT_EXECUTE:
|
|
|
|
return ("r-x");
|
|
|
|
case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE:
|
|
|
|
return ("rwx");
|
|
|
|
case VM_PROT_WRITE:
|
|
|
|
return ("-w-");
|
|
|
|
case VM_PROT_EXECUTE:
|
|
|
|
return ("--x");
|
|
|
|
case VM_PROT_WRITE | VM_PROT_EXECUTE:
|
|
|
|
return ("-wx");
|
|
|
|
default:
|
|
|
|
return ("---");
|
2002-10-22 14:29:47 +00:00
|
|
|
}
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
}
|
2002-10-22 14:29:47 +00:00
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
static void
|
2008-10-28 12:49:07 +00:00
|
|
|
mac_proc_vm_revoke_recurse(struct thread *td, struct ucred *cred,
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
struct vm_map *map)
|
|
|
|
{
|
|
|
|
struct vm_map_entry *vme;
|
2005-10-04 14:32:15 +00:00
|
|
|
int vfslocked, result;
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
vm_prot_t revokeperms;
|
2005-10-09 02:37:27 +00:00
|
|
|
vm_object_t backing_object, object;
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
vm_ooffset_t offset;
|
|
|
|
struct vnode *vp;
|
2006-03-02 22:13:28 +00:00
|
|
|
struct mount *mp;
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
if (!mac_mmap_revocation)
|
|
|
|
return;
|
2002-10-22 14:29:47 +00:00
|
|
|
|
2008-12-22 17:32:52 +00:00
|
|
|
vm_map_lock(map);
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
for (vme = map->header.next; vme != &map->header; vme = vme->next) {
|
|
|
|
if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) {
|
2008-10-28 12:49:07 +00:00
|
|
|
mac_proc_vm_revoke_recurse(td, cred,
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
vme->object.sub_map);
|
|
|
|
continue;
|
2002-10-22 14:29:47 +00:00
|
|
|
}
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
/*
|
|
|
|
* Skip over entries that obviously are not shared.
|
|
|
|
*/
|
|
|
|
if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) ||
|
|
|
|
!vme->max_protection)
|
|
|
|
continue;
|
|
|
|
/*
|
|
|
|
* Drill down to the deepest backing object.
|
|
|
|
*/
|
|
|
|
offset = vme->offset;
|
|
|
|
object = vme->object.vm_object;
|
|
|
|
if (object == NULL)
|
|
|
|
continue;
|
2005-10-09 02:37:27 +00:00
|
|
|
VM_OBJECT_LOCK(object);
|
|
|
|
while ((backing_object = object->backing_object) != NULL) {
|
|
|
|
VM_OBJECT_LOCK(backing_object);
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
offset += object->backing_object_offset;
|
2005-10-09 02:37:27 +00:00
|
|
|
VM_OBJECT_UNLOCK(object);
|
|
|
|
object = backing_object;
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
}
|
2005-10-09 02:37:27 +00:00
|
|
|
VM_OBJECT_UNLOCK(object);
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
/*
|
2006-12-20 23:16:01 +00:00
|
|
|
* At the moment, vm_maps and objects aren't considered by
|
|
|
|
* the MAC system, so only things with backing by a normal
|
|
|
|
* object (read: vnodes) are checked.
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
*/
|
|
|
|
if (object->type != OBJT_VNODE)
|
|
|
|
continue;
|
|
|
|
vp = (struct vnode *)object->handle;
|
2005-10-04 14:32:15 +00:00
|
|
|
vfslocked = VFS_LOCK_GIANT(vp->v_mount);
|
2008-01-10 01:10:58 +00:00
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
result = vme->max_protection;
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_vnode_check_mmap_downgrade(cred, vp, &result);
|
2008-01-13 14:44:15 +00:00
|
|
|
VOP_UNLOCK(vp, 0);
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
/*
|
2006-12-20 23:16:01 +00:00
|
|
|
* Find out what maximum protection we may be allowing now
|
|
|
|
* but a policy needs to get removed.
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
*/
|
|
|
|
revokeperms = vme->max_protection & ~result;
|
2005-10-04 14:32:15 +00:00
|
|
|
if (!revokeperms) {
|
|
|
|
VFS_UNLOCK_GIANT(vfslocked);
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
continue;
|
2005-10-04 14:32:15 +00:00
|
|
|
}
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
printf("pid %ld: revoking %s perms from %#lx:%ld "
|
|
|
|
"(max %s/cur %s)\n", (long)td->td_proc->p_pid,
|
|
|
|
prot2str(revokeperms), (u_long)vme->start,
|
|
|
|
(long)(vme->end - vme->start),
|
|
|
|
prot2str(vme->max_protection), prot2str(vme->protection));
|
|
|
|
/*
|
|
|
|
* This is the really simple case: if a map has more
|
|
|
|
* max_protection than is allowed, but it's not being
|
2006-12-20 23:16:01 +00:00
|
|
|
* actually used (that is, the current protection is still
|
|
|
|
* allowed), we can just wipe it out and do nothing more.
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
*/
|
|
|
|
if ((vme->protection & revokeperms) == 0) {
|
|
|
|
vme->max_protection -= revokeperms;
|
|
|
|
} else {
|
|
|
|
if (revokeperms & VM_PROT_WRITE) {
|
|
|
|
/*
|
|
|
|
* In the more complicated case, flush out all
|
|
|
|
* pending changes to the object then turn it
|
|
|
|
* copy-on-write.
|
|
|
|
*/
|
|
|
|
vm_object_reference(object);
|
2006-03-02 22:13:28 +00:00
|
|
|
(void) vn_start_write(vp, &mp, V_WAIT);
|
2008-01-10 01:10:58 +00:00
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
VM_OBJECT_LOCK(object);
|
|
|
|
vm_object_page_clean(object,
|
|
|
|
OFF_TO_IDX(offset),
|
|
|
|
OFF_TO_IDX(offset + vme->end - vme->start +
|
|
|
|
PAGE_MASK),
|
|
|
|
OBJPC_SYNC);
|
|
|
|
VM_OBJECT_UNLOCK(object);
|
2008-01-13 14:44:15 +00:00
|
|
|
VOP_UNLOCK(vp, 0);
|
2006-03-02 22:13:28 +00:00
|
|
|
vn_finished_write(mp);
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
vm_object_deallocate(object);
|
|
|
|
/*
|
|
|
|
* Why bother if there's no read permissions
|
|
|
|
* anymore? For the rest, we need to leave
|
|
|
|
* the write permissions on for COW, or
|
|
|
|
* remove them entirely if configured to.
|
|
|
|
*/
|
|
|
|
if (!mac_mmap_revocation_via_cow) {
|
|
|
|
vme->max_protection &= ~VM_PROT_WRITE;
|
|
|
|
vme->protection &= ~VM_PROT_WRITE;
|
|
|
|
} if ((revokeperms & VM_PROT_READ) == 0)
|
|
|
|
vme->eflags |= MAP_ENTRY_COW |
|
|
|
|
MAP_ENTRY_NEEDS_COPY;
|
|
|
|
}
|
|
|
|
if (revokeperms & VM_PROT_EXECUTE) {
|
|
|
|
vme->max_protection &= ~VM_PROT_EXECUTE;
|
|
|
|
vme->protection &= ~VM_PROT_EXECUTE;
|
|
|
|
}
|
|
|
|
if (revokeperms & VM_PROT_READ) {
|
|
|
|
vme->max_protection = 0;
|
|
|
|
vme->protection = 0;
|
|
|
|
}
|
|
|
|
pmap_protect(map->pmap, vme->start, vme->end,
|
|
|
|
vme->protection & ~revokeperms);
|
|
|
|
vm_map_simplify_entry(map, vme);
|
2002-10-22 14:29:47 +00:00
|
|
|
}
|
2005-10-04 14:32:15 +00:00
|
|
|
VFS_UNLOCK_GIANT(vfslocked);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
}
|
2008-12-22 17:32:52 +00:00
|
|
|
vm_map_unlock(map);
|
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
kern_mac.c contains the body of the MAC framework. Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules. This code implements a module registration
service, state (label) management, security configuration and policy
composition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
|
|
|
}
|
|
|
|
|
2002-07-30 02:04:05 +00:00
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_debug(struct ucred *cred, struct proc *p)
|
2002-07-30 02:04:05 +00:00
|
|
|
{
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
int error;
|
2002-07-30 02:04:05 +00:00
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2002-07-30 02:04:05 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_debug, cred, p);
|
2002-07-30 02:04:05 +00:00
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
return (error);
|
2002-07-30 02:04:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_sched(struct ucred *cred, struct proc *p)
|
2002-07-30 02:04:05 +00:00
|
|
|
{
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
int error;
|
2002-07-30 02:04:05 +00:00
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2002-10-22 14:29:47 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_sched, cred, p);
|
2002-07-30 02:04:05 +00:00
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
return (error);
|
2002-07-30 02:04:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
|
2002-07-30 02:04:05 +00:00
|
|
|
{
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
int error;
|
2002-07-30 02:04:05 +00:00
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2002-10-22 14:29:47 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_signal, cred, p, signum);
|
2002-08-19 17:59:48 +00:00
|
|
|
|
Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
|
|
|
return (error);
|
2002-08-19 17:59:48 +00:00
|
|
|
}
|
2005-04-16 13:29:15 +00:00
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid)
|
2005-04-16 13:29:15 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2005-04-16 13:29:15 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_setuid, cred, uid);
|
2005-04-16 13:29:15 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
|
2005-04-16 13:29:15 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2005-04-16 13:29:15 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_seteuid, cred, euid);
|
2005-04-16 13:29:15 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid)
|
2005-04-16 13:29:15 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2005-04-16 13:29:15 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_setgid, cred, gid);
|
2007-04-22 19:55:56 +00:00
|
|
|
|
2005-04-16 13:29:15 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid)
|
2005-04-16 13:29:15 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2005-04-16 13:29:15 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_setegid, cred, egid);
|
2007-04-22 19:55:56 +00:00
|
|
|
|
2005-04-16 13:29:15 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups,
|
2007-04-22 19:55:56 +00:00
|
|
|
gid_t *gidset)
|
2005-04-16 13:29:15 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2005-04-16 13:29:15 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset);
|
2005-04-16 13:29:15 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
|
2007-04-22 19:55:56 +00:00
|
|
|
uid_t euid)
|
2005-04-16 13:29:15 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2005-04-16 13:29:15 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
|
2007-04-22 19:55:56 +00:00
|
|
|
|
2005-04-16 13:29:15 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
|
2007-04-22 19:55:56 +00:00
|
|
|
gid_t egid)
|
2005-04-16 13:29:15 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
|
|
|
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_setregid, cred, rgid, egid);
|
2007-04-22 19:55:56 +00:00
|
|
|
|
2005-04-16 13:29:15 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
|
2007-04-22 19:55:56 +00:00
|
|
|
uid_t euid, uid_t suid)
|
2005-04-16 13:29:15 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2005-04-16 13:29:15 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid);
|
2005-04-16 13:29:15 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
|
2007-04-22 19:55:56 +00:00
|
|
|
gid_t egid, gid_t sgid)
|
2005-04-16 13:29:15 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2005-04-16 13:29:15 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid);
|
2007-04-22 19:55:56 +00:00
|
|
|
|
2005-04-16 13:29:15 +00:00
|
|
|
return (error);
|
|
|
|
}
|
2005-04-18 13:36:57 +00:00
|
|
|
|
|
|
|
int
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_proc_check_wait(struct ucred *cred, struct proc *p)
|
2005-04-18 13:36:57 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
2007-04-22 19:55:56 +00:00
|
|
|
PROC_LOCK_ASSERT(p, MA_OWNED);
|
2005-04-18 13:36:57 +00:00
|
|
|
|
2007-10-24 19:04:04 +00:00
|
|
|
MAC_CHECK(proc_check_wait, cred, p);
|
2005-04-18 13:36:57 +00:00
|
|
|
|
|
|
|
return (error);
|
|
|
|
}
|