Commit Graph

13 Commits

Author SHA1 Message Date
Robert Watson
96c33a0cea Expand scope of the BSD extended "file system firewall" policy to
include a new entry point available for enforcement:

  mac_bsdextended_check_system_swapon() - Apply extended access
  control checks to the file target of swap.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-25 01:14:03 +00:00
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Alfred Perlstein
44956c9863 Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
Robert Watson
5bf93d2537 Map VAPPEND to VWRITE since the ugidfw rule syntax doesn't specifically
address the append access mode.

Reported by:	"Daniel C. Sobral" <dcs@newsguy.com>
Obtained from:	TrustedBSD Project
Sponosred by:	DARPA, Network Associates Laboratories

MFC Candidate.
2002-12-28 23:41:18 +00:00
Robert Watson
ef5def596d Update MAC modules for changes in arguments for exec MAC policy
entry points to include an explicit execlabel.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-08 18:04:36 +00:00
Robert Watson
939b97cba6 Update policy modules for changes in arguments associated with support
for label access on the interpreter, not just the shell script.  No
policies currently present in the system rely on the new labels.
2002-11-05 17:52:42 +00:00
Robert Watson
dc858fcabe License and wording updates: NAI has authorized the removal of clause
three from their BSD-style license.  Also, s/NAI Labs/Network Associates
Laboratories/.
2002-11-04 01:53:12 +00:00
Robert Watson
5c8dd34218 Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure.  Originally, we used a vector
for two reasons:

(1) We wanted to define the structure sparsely, which wasn't
    supported by the C compiler for structures.  For a policy
    with five entry points, you don't want to have to stick in
    a few hundred NULL function pointers.

(2) We thought it would improve ABI compatibility allowing modules
    to work with kernels that had a superset of the entry points
    defined in the module, even if the kernel had changed its
    entry point set.

Both of these no longer apply:

(1) C99 gives us a way to sparsely define a static structure.

(2) The ABI problems existed anyway, due to enumeration numbers,
    argument changes, and semantic mismatches.  Since the going
    rule for FreeBSD is that you really need your modules to
    pretty closely match your kernel, it's not worth the
    complexity.

This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions.  One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
Robert Watson
1979061b56 Various minor type, prototype tweaks -- clean up cruft due to lack of
type checking on entry points (to be introduced shortly).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 18:10:46 +00:00
Robert Watson
b914de36c0 While 'mode_t' seemed like a good idea for the access mode argument for
MAC access() and open() checks, the argument actually has an int type
where it becomes available.  Switch to using 'int' for the mode argument
throughout the MAC Framework and policy modules.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 17:56:57 +00:00
Robert Watson
c27b50f5b4 Merge implementation of mpo_check_vnode_link() for various appropriate
file-system aware MAC policies.  Sync to MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 18:25:48 +00:00
Robert Watson
177142e458 Pass active_cred and file_cred into the MAC framework explicitly
for mac_check_vnode_{poll,read,stat,write}().  Pass in fp->f_cred
when calling these checks with a struct file available.  Otherwise,
pass NOCRED.  All currently MAC policies use active_cred, but
could now offer the cached credential semantic used for the base
system security model.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 19:04:53 +00:00
Robert Watson
d8a7b7a3cd Introduce support for Mandatory Access Control and extensible
kernel access control.

Provide implementations of some sample operating system security
policy extensions.  These are not yet hooked up to the build as
other infrastructure is still being committed.  Most of these
work fairly well and are in daily use in our development and (limited)
production environments.  Some are not yet in their final form,
and a number of the labeled policies waste a lot of kernel memory
and will be fixed over the next month or so to be more conservative.
They do give good examples of the flexibility of the MAC framework
for implementing a variety of security policies.

mac_biba:	Implementation of fixed-label Biba integrity policy,
		similar to those found in a number of commercial
		trusted operating systems.  All subjects and objects
		are assigned integrity levels, and information flow
		is controlled based on a read-up, write-down
		policy.  Currently, purely hierarchal.

mac_bsdextended:	Implementation of a "file system firewall",
		which allows the administrator to specify a series
		of rules limiting access by users and groups to
		objects owned by other users and groups.  This
		policy is unlabeled, relying on existing system
		security labeling (file permissions/ownership,
		process credentials).

mac_ifoff:	Secure interface silencing.  Special-purpose module
		to limit inappropriate out-going network traffic
		for silent monitoring scenarios.  Prevents the
		various network stacks from generating any output
		despite an interface being live for reception.

mac_mls:	Implementation of fixed-label Multi-Level Security
		confidentiality policy, similar to those found in
		a number of commercial trusted operating systems.
		All subjects and objects are assigned confidentiality
		levels, and information flow is controlled based on
		a write-up, read-down policy.  Currently, purely
		hiearchal, although non-hierarchal support is in the
		works.

mac_none:	Policy module implementing all MAC policy entry
		points with empty stubs.  A good place to start if
		you want all the prototypes types in for you, and
		don't mind a bit of pruning.  Can be loaded, but
		has no access control impact.  Useful also for
		performance measurements.

mac_seeotheruids:	Policy module implementing a security service
		similar to security.bsd.seeotheruids, only a slightly
		more detailed policy involving exceptions for members
		of specific groups, etc.  This policy is unlabeled,
		relying on existing system security labeling
		(process credentials).

mac_test:	Policy module implementing basic sanity tests for
		label handling.  Attempts to ensure that labels are
		not freed multiple times, etc, etc.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-31 18:07:45 +00:00