Commit Graph

312 Commits

Author SHA1 Message Date
Robert Watson
f6a4109212 Update my personal copyrights and NETA copyrights in the kernel
to use the "year1-year3" format, as opposed to "year1, year2, year3".
This seems to make lawyers more happy, but also prevents the
lines from getting excessively long as the years start to add up.

Suggested by:	imp
2004-02-22 00:33:12 +00:00
Robert Watson
91c2dc9478 Commit file missed in last pass: MAC api uses 'struct pipepair', not
'struct pipe' now.
2004-02-01 21:52:09 +00:00
Robert Watson
4795b82c13 Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.

- Create a new "struct pipepair" object holding the two 'struct
  pipe' instances, struct mutex, and struct label reference.  Pipe
  structures now have a back-pointer to the pipe pair, and a
  'pipe_present' flag to indicate whether the half has been
  closed.

- Perform mutex init/destroy in zone init/destroy, avoiding
  reallocating the mutex for each pipe.  Perform most pipe structure
  setup in zone constructor.

- VM memory mappings for pageable buffers are still done outside of
  the UMA zone.

- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
  update many policies.  MAC labels are also handled outside of the
  UMA zone for now.  Label-only policy modules don't have to be
  recompiled, but if a module is recompiled, its pipe entry points
  will need to be updated.  If a module actually reached into the
  pipe structures (unlikely), that would also need to be modified.

These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.

On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place.  However, VM mapped buffers
are still released on half-close.

Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).

This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.

Reviewed by:	juli, tjr
Testing help:	dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
Robert Watson
be05719004 Pay attention to mac_portacl_enabled.
Submitted by:   simon
2004-01-20 18:33:02 +00:00
Robert Watson
2d92ec9858 Switch TCP over to using the inpcb label when responding in timed
wait, rather than the socket label.  This avoids reaching up to
the socket layer during connection close, which requires locking
changes.  To do this, introduce MAC Framework entry point
mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond()
instead of calling mac_create_mbuf_from_socket() or
mac_create_mbuf_netlayer().  Introduce MAC Policy entry point
mpo_create_mbuf_from_inpcb(), and implementations for various
policies, which generally just copy label data from the inpcb to
the mbuf.  Assert the inpcb lock in the entry point since we
require consistency for the inpcb label reference.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-12-17 14:55:11 +00:00
Robert Watson
7b9ed9a793 interpvnodelabel can be NULL in mac_test_execve_transition(). This
only turned up when running mac_test side by side with a transitioning
policy such as SEBSD.  Make the NULL testing match
mac_test_execve_will_transition(), which already tested the vnode
label pointer for NULL.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-12-10 18:48:05 +00:00
Robert Watson
56d9e93207 Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(),
and the mpo_create_cred() MAC policy entry point to
mpo_copy_cred_label().  This is more consistent with similar entry
points for creation and label copying, as mac_create_cred() was
called from crdup() as opposed to during process creation.  For
a number of policies, this removes the requirement for special
handling when copying credential labels, and improves consistency.

Approved by:	re (scottl)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-12-06 21:48:03 +00:00
Robert Watson
2e8c6b2654 Use UMA zone allocator for Biba and MLS labels rather than MALLOC(9).
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-18 04:11:52 +00:00
Robert Watson
a557af222b Introduce a MAC label reference in 'struct inpcb', which caches
the   MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols.  This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.

This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.

For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks.  Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.

Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.

Reviewed by:	sam, bms
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
Robert Watson
6afba1a91f Don't implement mpo_destroy() for Biba, LOMAC, and MLS, as they
aren't allowed to be unloaded.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-17 01:04:07 +00:00
Robert Watson
b0323ea3aa Implement sockets support for __mac_get_fd() and __mac_set_fd()
system calls, and prefer these calls over getsockopt()/setsockopt()
for ABI reasons.  When addressing UNIX domain sockets, these calls
retrieve and modify the socket label, not the label of the
rendezvous vnode.

- Create mac_copy_socket_label() entry point based on
  mac_copy_pipe_label() entry point, intended to copy the socket
  label into temporary storage that doesn't require a socket lock
  to be held (currently Giant).

- Implement mac_copy_socket_label() for various policies.

- Expose socket label allocation, free, internalize, externalize
  entry points as non-static from mac_net.c.

- Use mac_socket_label_set() in __mac_set_fd().

MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and
mac_get_peer() to retrieve and set various socket labels without
directly invoking the getsockopt() interface.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 23:31:45 +00:00
Robert Watson
920325ee1d Implement mac_get_peer(3) using getsockopt() with SOL_SOCKET and
SO_PEERLABEL.  This provides an interface to query the label of a
socket peer without embedding implementation details of mac_t in
the application.  Previously, sizeof(*mac_t) had to be specified
by an application when performing getsockopt().

Document mac_get_peer(3), and expand documentation of the other
mac_get(3) functions.  Note that it's possible to get EINVAL back
from mac_get_fd(3) when pointing it at an inappropriate object.

NOTE: mac_get_fd() and mac_set_fd() support for sockets will
follow shortly, so the documentation is slightly ahead of the
code.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 20:18:24 +00:00
Robert Watson
c9ea2dcf62 Abstract the label checking and setting logic from
mac_setsockopt_label() into mac_socket_label_set(); make it non-static
so that it can be invoked from kern_mac.c for mac_set_fd().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 20:01:50 +00:00
Robert Watson
0196273b2d Implement mpo_copy_{mbuf,pipe,vnode}_label() entry points for
mac_stub and mac_test.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 18:28:58 +00:00
Robert Watson
9e71dd0feb Reduce gratuitous redundancy and length in function names:
mac_setsockopt_label_set() -> mac_setsockopt_label()
  mac_getsockopt_label_get() -> mac_getsockopt_label()
  mac_getsockopt_peerlabel_get() -> mac_getsockopt_peerlabel()

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 18:25:20 +00:00
Robert Watson
5d9d409ca9 Whitespace fix. 2003-11-16 03:17:30 +00:00
Robert Watson
1862cd57cf mac_relabel_cred() accepts two cred labels, not a cred label and a
vnode label; update assertion.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-15 00:26:02 +00:00
Bruce Evans
57f253a4c6 Reduced prequisites by only using MALLOC_DECLARE() if it is defined.
This fixes a dependency of mac_label.c on namespace pollution in
<vm/uma.h>.

Similarly for SYSCTL_DECL() although I had no problems with it.  This
probably makes some includes of <sys/sysctl.h> bogus.
2003-11-14 21:18:04 +00:00
Robert Watson
f0ab044241 Mark __mac_get_pid() as MPSAFE in the comment, as it runs without
Giant and is also MPSAFE.

Push Giant further down into __mac_get_fd() and __mac_set_fd(),
grabbing it only for constrained regions dealing with VFS, and
dropping it entirely for operations related to labeling of pipes.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-12 22:19:15 +00:00
John Baldwin
e5bc4f1b34 Remove extraneous & to fix compile. 2003-11-12 17:21:57 +00:00
Robert Watson
4af32bd8a0 Remove extraneous fullpath variable, which broke lint build. This
extra argument to the devfs MAC policy entry points was accidentally
merged from the MAC branch during my earlier commit to these policies,
and is not scheduled to be merged just yet.
2003-11-12 15:09:39 +00:00
Robert Watson
39fc5d480d GC prototype for mac_destroy_vnode_label(), missed in last commit. 2003-11-12 03:33:43 +00:00
Robert Watson
eca8a663d4 Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c).  This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE.  This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time.  This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.

This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.

While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.

NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change.  Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.

Suggestions from:	bmilekic
Obtained from:		TrustedBSD Project
Sponsored by:		DARPA, Network Associates Laboratories
2003-11-12 03:14:31 +00:00
Robert Watson
c8e7bf92ad Whitespace sync to MAC branch, expand comment at the head of the file. 2003-11-11 03:40:04 +00:00
Robert Watson
8a4b86b9a4 Replace a '-' with a ')'. Update copyright.
PR:	53195
2003-11-08 00:21:20 +00:00
Robert Watson
bea2b56b26 When allocation of a socket peer label fails, scrub what was
successfully initialized in the label as a socket peer label, not a
socket label.  For current policy modules, this didn't make a
difference, but if a policy module had label data in the peer label
that was to be GC'd in a different way than the normal socket label,
it might have been a problem.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-07 22:31:27 +00:00
Robert Watson
55b13f8d2d Trim trailing whitespace. 2003-11-07 04:48:24 +00:00
Robert Watson
83b7b0edca Remove the flags argument from mac_externalize_*_label(), as it's not
passed into policies or used internally to the MAC Framework.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-06 03:42:43 +00:00
Brooks Davis
9bf40ede4a Replace the if_name and if_unit members of struct ifnet with new members
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.

This change paves the way for interface renaming and enhanced pseudo
device creation and configuration symantics.

Approved By:	re (in principle)
Reviewed By:	njl, imp
Tested On:	i386, amd64, sparc64
Obtained From:	NetBSD (if_xname)
2003-10-31 18:32:15 +00:00
Robert Watson
da77b2fa6b Make MAC_EXTERNALIZE() and MAC_INTERNALIZE() simply take the object
type, rather than "object_label" as the first argument.  This reduces
complexity a little for the consumer, and also makes it easier for
use to rename the underlying entry points in struct mac_policy_obj.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-25 15:28:20 +00:00
Robert Watson
138f64b698 Sort type declarations together.
Remove an excess carriage return.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-25 03:50:44 +00:00
Robert Watson
6fa0475d95 mac_Finish break-out of kern_mac.c into parts:
Include src/sys/security/mac/mac_internal.h in kern_mac.c.

  Remove redundant defines from the include: SYSCTL_DECL(), debug macros,
    composition macros.

  Unstaticize various bits now exposed to the remainder of the kernel:
    mac_init_label(), mac_destroy_label().

  Remove all the functions now implemented in mac_process/mac_vfs/mac_net/
    mac_pipe.  Also remove debug counters, sysctls exporting debug
    counters, enforcement flags, sysctls exporting enforcement flags.

  Leave module declaration, sysctl nodes, mactemp malloc type, system
    calls.

This should conclude MAC/LINT/NOTES breakage from the break-out process,
but I'm running builds now to make sure I caught everything.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 20:59:31 +00:00
Robert Watson
089c1bdac9 Variable cleanup following break-out of kern_mac.c into sys/security/mac:
Unstaticize mac_late.
  Remove ea_warn_once, now in mac_vfs.c.
  Unstaticisize mac_policy_list, mac_static_policy_list, use
    struct mac_policy_list_head instead of LIST_HEAD() directly.
  Unstaticize and un-inline MAC policy locking functions so they can
    be referenced from mac_*.c.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 20:47:41 +00:00
Robert Watson
9e7bf51ca8 Rename error_select() to mac_error_select(), and unstaticize so it
can be used from src/sys/security/mac/mac_*.c.

Obtained from:	TrustedBSD Project
Sponosred by:	DARPA, Network Associates Laboratories
2003-10-22 20:42:22 +00:00
Robert Watson
6cc24dcbb4 Remove non-VFS related code from mac_vfs.c. Leave:
Extended attribute transaction warning flag if transactions aren't
  supported on the EA implementation being used.

  Debug fallback flag to permit a less conservative fallback if reading
  an on-disk label fails.

  Enforce_fs toggle to enforce file systme access control.

  Debugging counters for file system objects: mounts, vnodes, devfs_dirents.

  Object initialization, destruction, copying, internalization,
  externalization, relabeling for file system objects.

  Life cycle operations for devfs entries.

  Generic extended attribute label implementation for use by UFS, UFS2 in
  multilabel mode.

  Generic single-level label implementation for use by all file systems
  when in singlelabel mode.

  Exec-time transition based on file label entry points.

  Vnode operation access control checks (many).

  Mount operation access control checks (few).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 20:29:41 +00:00
Robert Watson
6bd1173258 Remove non-system bits from mac_system.c. Leave:
Enforce_kld, enforce_system access control toggles.
  Access control checks for: kenv operation, kld operations,
    sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(),
    swapoff(), sysctl().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 20:09:12 +00:00
Robert Watson
5a9c1aaac5 Remove non-credential/process-related bits from mac_process.c. Leave:
Enforce_process, enforce_vm access control enforcement twiddles.
  Credential, process label counters.
  VM revocation sysctls/tunables.
  Credential label management, internalization/externalization/relabel
    code.
  Process label management.
  Proc0, proc1 creation, cred creation.
  Thread userret.
  mac_execve_enter(), _exit(), transition at exec-time.
  VM revocation on process label change.
  Process-related access control checks (visibility, debug, signal, sched).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 20:02:04 +00:00
Robert Watson
73275908f7 Remove non-pipe code from mac_pipe.c. Leave:
Pipe enforcement flag.
  Pipe object debugging counters.
  MALLOC type for MAC label storage.
  Pipe MAC label management routines, externalize/internalization/change
    routines.
  Pipe MAC access control checks.

Un-staticize functions called from mac_set_fd() when operating on a
pipe.  Abstraction improvements in this space seem likely.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 19:31:57 +00:00
Robert Watson
28e65e3d2b Remove non-network related contents from mac_net.c. Leave:
Network and socket enforcement toggles.
  Counters for network objects (mbufs, ifnets, bpfdecs, sockets, and ipqs).
  Label management routines for network objects.
  Life cycle events for network objects.
  Label internalization/externalization/relabel for ifnets, sockets,
    including ioctl implementations for sockets, ifnets.
  Access control checks relating to network obejcts.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 19:15:34 +00:00
Robert Watson
86ea834c58 The following shared types/constants/interfaces/... are required
in mac_internal.h:

  Sysctl tree declarations.

  Policy list structure definition.

  Policy list variables (static, dynamic).

  mac_late flag.

  Enforcement flags for process, vm, which have checks in multiple files.

  mac_labelmbufs variable to drive conditional mbuf labeling.

  M_MACTEMP malloc type.

  Debugging counter macros.

  MAC Framework infrastructure primitives, including policy locking
    primitives, kernel label initialization/destruction, userland
    label consistency checks, policy slot allocation.

  Per-object interfaces for objects that are internalized and externalized
    using system calls that will remain centrally defined: credentials,
    pipes, vnodes.

  MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE,
    MAC_INTERNALIZE, MAC_PERFORM.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-10-22 18:49:29 +00:00
Robert Watson
aa6a0037e2 Line-break sync to the MAC development branch. 2003-10-21 15:18:26 +00:00
Robert Watson
6b66d5bb4b Use __BEGIN_DECLS and __END_DECLS around userland function prototypes
so that mac.h may be more safely included in userland C++ applications.

PR:		bin/56595
Submitted by:	"KONDOU, Kazuhiro" <kazuhiro@alib.jp>
2003-10-02 03:07:51 +00:00
Robert Watson
cc7b13bfe0 If the struct mac copied into the kernel has a negative length, return
EINVAL rather than failing the following malloc due to the value being
too large.
2003-09-29 18:35:17 +00:00
Robert Watson
953222e210 Remove extra tabs indenting MAC library calls; they were there to
line up the function names in an earlier generation of the API when
some of the functions returned structure pointers.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-29 02:43:57 +00:00
Robert Watson
a6a65b05d5 Fix a mac_policy_list reference to be a mac_static_policy_list
reference: this fixes mac_syscall() for static policies when using
optimized locking.

Obtained from:	TrustedBSD Project
Sponosred by:	DARPA, Network Associates Laboratories
2003-08-26 17:29:02 +00:00
Robert Watson
930d4ffa56 Make the elements argument to mac_prepare() be const.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-22 17:49:59 +00:00
Robert Watson
6139aaa8df Add prototype for new libc function mac_prepare_type().
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-22 17:39:39 +00:00
Robert Watson
2b6e83104c Correct typo introduced during manual merge: hook up the reflect_tcp
test to the reflect_tcp entry point, rather than the reflect_icmp
entry point.

Submitted by:	naddy
2003-08-22 12:32:07 +00:00
Robert Watson
eb8c7f9992 Introduce two new MAC Framework and MAC policy entry points:
mac_reflect_mbuf_icmp()
  mac_reflect_mbuf_tcp()

These entry points permit MAC policies to do "update in place"
changes to the labels on ICMP and TCP mbuf headers when an ICMP or
TCP response is generated to a packet outside of the context of
an existing socket.  For example, in respond to a ping or a RST
packet to a SYN on a closed port.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-21 18:21:22 +00:00
Robert Watson
84bdb0837a Correct logic for filling out a "new" label during a credential
change in mac_lomac: if both flags are set on the new label, we
may not need to always fill out the label (only if one flag is
set, not both).  Avoid stomping on a section of the label if we
are in fact modifying both elements.

Because we know that both flags will be set, we don't need to
test whether the range or single are set in later consistency
checks of the range and single -- just test them.

By checking the range of the new vs. the range of the old label
before testing the single against the new range, we implicitly
test that the new single is in the old range.  Document this
with a comment.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-21 18:07:52 +00:00
Robert Watson
250ee70636 Retrofit of mac_test regression and consistency test module for MAC
Framework labels:

- Re-work the label state assertions to use a set of central
  ASSERT_type_LABEL() assertions.

- Test to make sure labels passed to externalize/internalize calls haven't
  been destroyed.

- For access control checks, assert the condition of all labels passed in.

- For life cycle events, assert the condition of all labels passed in.

- Add new entry point implementations for new MAC Framework entry points:
  mac_test_reflect_mbuf_icmp(), mac_test_reflect_mbuf_tcp(),
  mac_test_check_vnode_deleteextattr(), mac_test_check_vnode_listextattr().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-21 17:28:45 +00:00
Robert Watson
64f00af879 Add stub entries for new MAC framework entry points:
mpo_reflect_mbuf_icmp()
  mpo_reflect_mbuf_tcp()
  mpo_check_vnode_deletextattr()
  mpo_check_vnode_listextattr()

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-21 17:05:36 +00:00
Robert Watson
1c3f91cdc8 Generally rename things to represent the fact that this is now the
mac_stub policy and no longer mac_none (as found in the repocopy).
Add comment to this effect.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-21 16:22:52 +00:00
Robert Watson
0164a4992a mac_none is now the null policy, not a stub policy, so remove the
stubs.  Add a pointer to mac_stub, which is now the stub policy.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-21 16:19:17 +00:00
Robert Watson
54e2c147b1 Implementations of mpo_check_vnode_deleteextattr() and
mpo_check_vnode_listextattr() for Biba, MLS, and BSD Extended.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-21 14:34:54 +00:00
Robert Watson
c096756c00 Add mac_check_vnode_deleteextattr() and mac_check_vnode_listextattr():
explicit access control checks to delete and list extended attributes
on a vnode, rather than implicitly combining with the setextattr and
getextattr checks.  This reflects EA API changes in the kernel made
recently, including the move to explicit VOP's for both of these
operations.

Obtained from:	TrustedBSD PRoject
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-21 13:53:01 +00:00
Robert Watson
8d8d5ea8f2 Remove about 40 lines of #ifdef/#endif by using new macros
MAC_DEBUG_COUNTER_INC() and MAC_DEBUG_COUNTER_DEC() to maintain
debugging counter values rather than #ifdef'ing the atomic
operations to MAC_DEBUG.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-20 19:16:49 +00:00
Robert Watson
19c3e120f0 Attempt to simplify #ifdef logic for MAC_ALWAYS_LABEL_MBUF.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-08-01 15:45:14 +00:00
Robert Watson
130316479a Improve consistency with the Biba policy -- rename
mac_mls_subject_equal_ok() to mac_mls_subject_privileged(),
which more consistently reflects the fact that this is really
about our notion of privilege in the MLS policy.

Since we don't use suser() for privilege in MLS, remove
the suser check from the ifnet relabel ioctl, and replace it
with an MLS privilege check.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-07-31 20:00:06 +00:00
Robert Watson
18a25b6126 Remove a suser() check in the mac_biba policy: the MAC Framework itself
already checks suser on a network interface relabel, so don't dup it
here.  Rely solely on the Biba definition of privilege, which is
already tested.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
Submitted by:	Andrew Reisse <areisse@nailabs.com>
2003-07-31 18:35:43 +00:00
Robert Watson
de88922310 Remove trailing whitespace. 2003-07-05 01:24:36 +00:00
Robert Watson
f51e58036e Redesign the externalization APIs from the MAC Framework to
the MAC policy modules to improve robustness against C string
bugs and vulnerabilities.  Following these revisions, all
string construction of labels for export to userspace (or
elsewhere) is performed using the sbuf API, which prevents
the consumer from having to perform laborious and intricate
pointer and buffer checks.  This substantially simplifies
the externalization logic, both at the MAC Framework level,
and in individual policies; this becomes especially useful
when policies export more complex label data, such as with
compartments in Biba and MLS.

Bundled in here are some other minor fixes associated with
externalization: including avoiding malloc while holding the
process mutex in mac_lomac, and hence avoid a failure mode
when printing labels during a downgrade operation due to
the removal of the M_NOWAIT case.

This has been running in the MAC development tree for about
three weeks without problems.

Obtained from:	TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-06-23 01:26:34 +00:00
Robert Watson
16fd30bd2a Forward declare a boatload of structures referenced in the MAC
policy definition structure; this permits policies to reduce their
number of gratuitous includes for required for entry points they
don't implement.  This also facilitates building the MAC Framework
on Darwin.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-06-22 16:36:00 +00:00
Poul-Henning Kamp
3b6d965263 Add a f_vnode field to struct file.
Several of the subtypes have an associated vnode which is used for
stuff like the f*() functions.

By giving the vnode a speparate field, a number of checks for the specific
subtype can be replaced simply with a check for f_vnode != NULL, and
we can later free f_data up to subtype specific use.

At this point in time, f_data still points to the vnode, so any code I
might have overlooked will still work.
2003-06-22 08:41:43 +00:00
David E. O'Brien
677b542ea2 Use __FBSDID(). 2003-06-11 00:56:59 +00:00
Robert Watson
985a0d9735 Also implement mpo_copy_mbuf_label() for mac_lomac, or labels may
not be properly propagated across some mbuf copy operations.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-06-02 18:49:11 +00:00
Robert Watson
f32bb0529b Use mac_biba_label_copy() and mac_mls_label_copy() to implement the
mpo_copy_mbuf_label() entry point for Biba and MLS, respectively.
Otherwise, labels in m_tags may not be properly propagated across
some classes of mbuf operations.  This problem caused these policies
to fail-stop the system with a panic.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-06-02 17:21:38 +00:00
Poul-Henning Kamp
29382d1af7 Remove double return()
Found by:       FlexeLint
2003-05-31 19:55:32 +00:00
Robert Watson
05e830f1e7 Rewrite Biba and MLS label externalization code to use sbufs instead
of C strings internally; C strings require a lot of return value
checking that (a) takes a lot of space, and (b) is difficult to get
right.  Prior to the advent of compartment support, modeling APIs
for helper functions on snprintf worked fine; with the additional
complexity, the sbuf_printf() API makes a lot more sense.

While doing this, break out the printing of sequential compartment
lists into a helper function, mac_{biba,mls}_compartment_to_string().
This permits the main body of mac_{biba,mls}_element_to_string()
to be concerned only with identifying sequential ranges rather
than rendering.

At a less disruptive moment, we'll push the move from snprintf()-like
interface to sbuf()-like interface up into the MAC Framework layer.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-05-31 19:01:44 +00:00
Robert Watson
c2ea1fec5b Make sure all character pointers are properly initialized; this was
mismerged from the MAC tree, and didn't get picked up because warnings
are not normally fatal in per-module builds, only when they are linked
into a kernel (such as LINT).

Reported by:	des and the technicolor tinderbox
Approved by:	re (scottl)
2003-05-30 17:02:36 +00:00
Robert Watson
7792fe5719 Use strsep() in preference to manual string parsing for Biba and MLS
label internalization.  Use sensible variable names.  Include comments.
Doesn't fix any known bugs, but may fix unknown ones.

Approved by:	re (scottl)
2003-05-29 22:51:52 +00:00
Robert Watson
b2aef57123 Rename MAC_MAX_POLICIES to MAC_MAX_SLOTS, since the variables and
constants in question refer to the number of label slots, not the
maximum number of policies that may be loaded.  This should reduce
confusion regarding an element in the MAC sysctl MIB, as well as
make it more clear what the affect of changing the compile-time
constants is.

Approved by:	re (jhb)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-05-08 19:49:42 +00:00
Robert Watson
41a17fe326 Clean up locking for the MAC Framework:
(1) Accept that we're now going to use mutexes, so don't attempt
    to avoid treating them as mutexes.  This cleans up locking
    accessor function names some.

(2) Rename variables to _mtx, _cv, _count, simplifying the naming.

(3) Add a new form of the _busy() primitive that conditionally
    makes the list busy: if there are entries on the list, bump
    the busy count.  If there are no entries, don't bump the busy
    count.  Return a boolean indicating whether or not the busy
    count was bumped.

(4) Break mac_policy_list into two lists: one with the same name
    holding dynamic policies, and a new list, mac_static_policy_list,
    which holds policies loaded before mac_late and without the
    unload flag set.  The static list may be accessed without
    holding the busy count, since it can't change at run-time.

(5) In general, prefer making the list busy conditionally, meaning
    we pay only one mutex lock per entry point if all modules are
    on the static list, rather than two (since we don't have to
    lower the busy count when we're done with the framework).  For
    systems running just Biba or MLS, this will halve the mutex
    accesses in the network stack, and may offer a substantial
    performance benefits.

(6) Lay the groundwork for a dynamic-free kernel option which
    eliminates all locking associated with dynamically loaded or
    unloaded policies, for pre-configured systems requiring
    maximum performance but less run-time flexibility.

These changes have been running for a few weeks on MAC development
branch systems.

Approved by:	re (jhb)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-05-07 17:49:24 +00:00
Alan Cox
b6e48e0372 - Acquire the vm_object's lock when performing vm_object_page_clean().
- Add a parameter to vm_pageout_flush() that tells vm_pageout_flush()
   whether its caller has locked the vm_object.  (This is a temporary
   measure to bootstrap vm_object locking.)
2003-04-24 04:31:25 +00:00
Robert Watson
535cf73341 Rather than check for M_PKTHDR and conditionally perform access control,
simply assert that M_PKTHDR is set using M_ASSERTPKTHDR().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-04-18 20:22:23 +00:00
Robert Watson
2d3db0b823 Update NAI copyright to 2003, missed in earlier commits and merges. 2003-04-18 19:57:37 +00:00
Robert Watson
0712b25402 Modify mac_test policy to invoke WITNESS_WARN() when a potentially
blocking allocation could occur as a result of a label
initialization.  This will simulate the behavior of allocated
label policies such as MLS and Biba when running mac_test from
the perspective of WITNESS lock and sleep warnings.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-04-15 21:20:34 +00:00
Robert Watson
9a1b0237a7 Enable the MAC_ALWAYS_LABEL_MBUF flag for the Biba, LOMAC, MLS, and Test
policies.  Missed in earlier merge.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-04-15 20:51:18 +00:00
Robert Watson
6d1a6a9a9a mac_init_mbuf_tag() accepts malloc flags, not mbuf allocator flags, so
don't try and convert the argument flags to malloc flags, or we risk
implicitly requesting blocking and generating witness warnings.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-04-15 19:33:23 +00:00
Robert Watson
225bff6f8b Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header.  To do this:

- Modify mbuf_to_label() to extract the tag, returning NULL if not
  found.

- Introduce mac_init_mbuf_tag() which does most of the work
  mac_init_mbuf() used to do, except on an m_tag rather than an
  mbuf.

- Scale back mac_init_mbuf() to perform m_tag allocation and invoke
  mac_init_mbuf_tag().

- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since
  m_tag's are now GC'd deep in the m_tag/mbuf code rather than
  at a higher level when mbufs are directly free()'d.

- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related
  notions.

- Generally change all references to mbuf labels so that they use
  mbuf_to_label() rather than &mbuf->m_pkthdr.label.  This
  required no changes in the MAC policies (yay!).

- Tweak mbuf release routines to not call mac_destroy_mbuf(),
  tag destruction takes care of it for us now.

- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() --
  the existing m_tag support does all this for us.  Note that
  we can no longer just zero the m_tag list on the target mbuf,
  rather, we have to delete the chain because m_tag's will
  already be hung off freshly allocated mbuf's.

- Tweak m_tag copying routines so that if we're copying a MAC
  m_tag, we don't do a binary copy, rather, we initialize the
  new storage and do a deep copy of the label.

- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places
  having to do with mbuf header copies previously.

- When an mbuf is copied in ip_input(), we no longer need to
  explicitly copy the label because it will get handled by the
  m_tag code now.

- No longer any weird handling of MAC labels in if_loop.c during
  header copies.

- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test.
  In mac_test, handle the label==NULL case, since it can be
  dynamically loaded.

In order to improve performance with this change, introduce the notion
of "lazy MAC label allocation" -- only allocate m_tag storage for MAC
labels if we're running with a policy that uses MAC labels on mbufs.
Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS
flag in their load-time flags field during declaration.  Note: this
opens up the possibility of post-boot policy modules getting back NULL
slot entries even though they have policy invariants of non-NULL slot
entries, as the policy might have been loaded after the mbuf was
allocated, leaving the mbuf without label storage.  Policies that cannot
handle this case must be declared as NOTLATE, or must be modified.

- mac_labelmbufs holds the current cumulative status as to whether
  any policies require mbuf labeling or not.  This is updated whenever
  the active policy set changes by the function mac_policy_updateflags().
  The function iterates the list and checks whether any have the
  flag set.  Write access to this variable is protected by the policy
  list; read access is currently not protected for performance reasons.
  This might change if it causes problems.

- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update
  function to assert appropriate locks.

- This makes allocation in mac_init_mbuf() conditional on the flag.

Reviewed by:	sam
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-04-14 20:39:06 +00:00
Robert Watson
10eeb10c63 Abstract access to the mbuf header label behind a new function,
mbuf_to_label().  This permits the vast majority of entry point code
to be unaware that labels are stored in m->m_pkthdr.label, such that
we can experiment storage of labels elsewhere (such as in m_tags).

Reviewed by:	sam
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-04-14 18:11:18 +00:00
Dag-Erling Smørgrav
fe58453891 Introduce an M_ASSERTPKTHDR() macro which performs the very common task
of asserting that an mbuf has a packet header.  Use it instead of hand-
rolled versions wherever applicable.

Submitted by:	Hiten Pandya <hiten@unixdaemons.com>
2003-04-08 14:25:47 +00:00
Robert Watson
78183ac2d2 Trim "trustedbsd_" from the front of the policy module "short names";
the vendor is only included in the long name currently, reducing
verbosity when modules are registered and unregistered.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-27 19:26:39 +00:00
Robert Watson
5e7ce4785f Modify the mac_init_ipq() MAC Framework entry point to accept an
additional flags argument to indicate blocking disposition, and
pass in M_NOWAIT from the IP reassembly code to indicate that
blocking is not OK when labeling a new IP fragment reassembly
queue.  This should eliminate some of the WITNESS warnings that
have started popping up since fine-grained IP stack locking
started going in; if memory allocation fails, the creation of
the fragment queue will be aborted.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-26 15:12:03 +00:00
Robert Watson
ca26e8ba85 Update the MAC regression test policy to include stubs and testing
functionality for the following entry pints:

  mac_test_init_proc_label()
  mac_test_destroy_proc_label()

For process labeling entry points, now also track the use of process
labels and test assertions about their integrity and life cycle.

  mac_test_thread_userret()
  mac_test_check_kenv_dump()
  mac_test_check_kenv_get()
  mac_test_check_kenv_set()
  mac_test_check_kenv_unset()
  mac_test_check_kld_load()
  mac_test_check_kld_stat()
  mac_test_check_kld_unload()
  mac_test_check_sysarch_ioperm()
  mac_test_check_system_acct()
  mac_test_check_system_reboot()
  mac_test_check_system_settime()
  mac_test_check_system_swapon()
  mac_test_check_system_swapoff()
  mac_test_check_system_sysctl()

For other entry points, just provide testing stubs.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-25 01:20:56 +00:00
Robert Watson
09de2dc22f Update MAC "none" stub policy to include stubs for the following
entry points:

  mac_none_thread_userret()
  mac_none_check_kenv_dump()
  mac_none_check_kenv_get()
  mac_none_check_kenv_set()
  mac_none_check_kenv_unset()
  mac_none_check_kld_load()
  mac_none_check_kld_stat()
  mac_none_check_kld_unload()
  mac_none_check_sysarch_ioperm()
  mac_none_check_system_acct()
  mac_none_check_system_settime()
  mac_none_check_system_swapoff()

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-25 01:18:06 +00:00
Robert Watson
4c64787a5b Expand scope of the MLS policy to include a new entry point available
for enforcement:

  mac_mls_check_system_swapon() - Require that the subject and the
  swapfile target vnode labels dominate one another.  An additional
  check is probably needed here to require that the swapfile target
  has a label of mls/high to prevent information leakage through
  swapfiles.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-25 01:16:10 +00:00
Robert Watson
96c33a0cea Expand scope of the BSD extended "file system firewall" policy to
include a new entry point available for enforcement:

  mac_bsdextended_check_system_swapon() - Apply extended access
  control checks to the file target of swap.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-25 01:14:03 +00:00
Robert Watson
2b03c68008 Expand scope of the Biba policy to include some of the new entry
points available for enforcement:

  mac_biba_check_sysarch_ioperm() - Require Biba privilege to make
  use of privileged machine-dependent interfaces, protecting against
  bypass of the policy via various mechanisms.

  mac_biba_check_system_swapoff() - Require Biba privilege to disable
  swapping against a vnode target.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-25 01:10:54 +00:00
Robert Watson
f09dbc4c57 Garbage collect FREEBSD_MAC_EXTATTR_NAME and FREEBSD_MAC_EXTATTR_NAMESPACE,
which are no longer required now that we have UFS2 with extended
attribute transactions.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-23 02:09:20 +00:00
Poul-Henning Kamp
b4b138c27f Including <sys/stdint.h> is (almost?) universally only to be able to use
%j in printfs, so put a newsted include in <sys/systm.h> where the printf
prototype lives and save everybody else the trouble.
2003-03-18 08:45:25 +00:00
Alexander Kabaev
46300030ec Do not depend on namespace pollution, explicitly include sys/sx.h 2003-03-12 02:55:20 +00:00
Robert Watson
9283578946 Instrument sysarch() MD privileged I/O access interfaces with a MAC
check, mac_check_sysarch_ioperm(), permitting MAC security policy
modules to control access to these interfaces.  Currently, they
protect access to IOPL on i386, and setting HAE on Alpha.
Additional checks might be required on other platforms to prevent
bypass of kernel security protections by unauthorized processes.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-06 04:47:47 +00:00
Robert Watson
1b2c2ab29a Provide a mac_check_system_swapoff() entry point, which permits MAC
modules to authorize disabling of swap against a particular vnode.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-05 23:50:15 +00:00
John Baldwin
263067951a Replace calls to WITNESS_SLEEP() and witness_list() with equivalent calls
to WITNESS_WARN().
2003-03-04 21:03:05 +00:00
Robert Watson
03d031626d A cute yet small MAC policy that provides a simple ACL mechanism to
permit users and groups to bind ports for TCP or UDP, and is intended
to be combined with the recently committed support for
net.inet.ip.portrange.reservedhigh.  The policy is twiddled using
sysctl(8).  To use this module, you will need to compile in MAC
support, and probably set reservedhigh to 0, then twiddle
security.mac.portacl.rules to set things as desired.  This policy
module only restricts ports explicitly bound using bind(), not
implicitly bound ports where the port number is selected by the
IP stack.  It appears to work properly in my local configuration,
but needs more broad testing.

A sample policy might be:

  # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"

This permits uid 425 to bind TCP sockets to ports 79 and 80.  Currently
no distinction is made for incoming vs. outgoing ports with TCP,
although that would probably be easy to add.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-02 23:01:42 +00:00
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Julian Elischer
4a338afd7a Move a bunch of flags from the KSE to the thread.
I was in two minds as to where to put them in the first case..
I should have listenned to the other mind.

Submitted by:	 parts by davidxu@
Reviewed by:	jeff@ mini@
2003-02-17 09:55:10 +00:00
Robert Watson
793274cecf Implement mpo_check_kld_load() and mpo_check_kld_unload() for the Biba
MAC policy.  To load a KLD, require that the subject hold Biba privilege,
and the the kernel module be marked as high integrity.  To unload a
KLD, require that the subject hold Biba privilege.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-02-04 22:38:33 +00:00
Robert Watson
12613c76cc Place more stringent checks on process credential relabeling for the Biba
and MLS policies: as we support both an effective (single) element and
range (available) elements, require that the single be in the range if
both the single and range are defined in the update.  Remove comments
suggesting that such a check might be a good idea.

Don't introduce a similar check for network interfaces; due to different
interpretations of the single and range elements, it's not clear that
it's useful to do so.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-02-04 21:28:46 +00:00