Commit Graph

157 Commits

Author SHA1 Message Date
Robert Watson
5bf93d2537 Map VAPPEND to VWRITE since the ugidfw rule syntax doesn't specifically
address the append access mode.

Reported by:	"Daniel C. Sobral" <dcs@newsguy.com>
Obtained from:	TrustedBSD Project
Sponosred by:	DARPA, Network Associates Laboratories

MFC Candidate.
2002-12-28 23:41:18 +00:00
Alfred Perlstein
d1e405c5ce SCARGS removal take II. 2002-12-14 01:56:26 +00:00
Alfred Perlstein
bc9e75d7ca Backout removal SCARGS, the code freeze is only "selectively" over. 2002-12-13 22:41:47 +00:00
Alfred Perlstein
0bbe7292e1 Remove SCARGS.
Reviewed by: md5
2002-12-13 22:27:25 +00:00
Robert Watson
eba0370d90 Default policies to on: if you load them or compile them into your
kernel, you should expect them to do something, so now they do.  This
doesn't affect users who don't load or explicitly compile in the
policies.

Approved by:	re (jhb)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-10 16:20:34 +00:00
Robert Watson
990b4b2dc5 Remove dm_root entry from struct devfs_mount. It's never set, and is
unused.  Replace it with a dm_mount back-pointer to the struct mount
that the devfs_mount is associated with.  Export that pointer to MAC
Framework entry points, where all current policies don't use the
pointer.  This permits the SEBSD port of SELinux's FLASK/TE to compile
out-of-the-box on 5.0-CURRENT with full file system labeling support.

Approved by:	re (murray)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-09 03:44:28 +00:00
Robert Watson
e7cba1c7dd Remove a const that generates a warning: the const isn't strictly
wrong, since we don't want the variable changed, but since we assign
it to variables that may also refer to other non-const strings,
warnings were generated that could break LINT.

Approved by:	re
Spotted by:	sam
2002-12-04 22:01:03 +00:00
Robert Watson
52ac2d6442 License tweak: remove clause 3 per permission of NAI.
Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-03 15:26:01 +00:00
Robert Watson
c3a04e1ea4 Unhook the old LOMAC module, now replaced with mac_lomac.
Approved by:	re (jhb)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-03 15:12:36 +00:00
Robert Watson
7496ed81c3 Correct two warnings by staticizing a function and removing an unused
function.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-26 17:38:25 +00:00
Robert Watson
db2661ce96 Import an implementation of LOMAC (Low-Watermark Mandatory Access
Control) as a MAC Framework policy module.  Unlike the existing
src/sys/security/lomac implementation, this one has its fingers out
of the kernel lock order and doesn't make use of flags in existing
kernel structures.  This greatly reduces the quantity of replicated
code with src/sys/kern, simplifies the implementation (3000 vs 8500
lines), and correctes a number of known stability problems with
the existing LOMAC implementation, which will be removed.  A bit
more hooking up to do here.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-26 17:26:06 +00:00
Robert Watson
4d10c0ce5f Un-staticize mac_cred_mmapped_drop_perms() so that it may be used
by policy modules making use of downgrades in the MAC AST event.  This
is required by the mac_lomac port of LOMAC to the MAC Framework.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-26 17:11:57 +00:00
Robert Watson
2555374c4f Introduce p_label, extensible security label storage for the MAC framework
in struct proc.  While the process label is actually stored in the
struct ucred pointed to by p_ucred, there is a need for transient
storage that may be used when asynchronous (deferred) updates need to
be performed on the "real" label for locking reasons.  Unlike other
label storage, this label has no locking semantics, relying on policies
to provide their own protection for the label contents, meaning that
a policy leaf mutex may be used, avoiding lock order issues.  This
permits policies that act based on historical process behavior (such
as audit policies, the MAC Framework port of LOMAC, etc) can update
process properties even when many existing locks are held without
violating the lock order.  No currently committed policies implement use
of this label storage.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-20 15:41:25 +00:00
Robert Watson
a3df768b04 Merge kld access control checks from the MAC tree: these access control
checks permit policy modules to augment the system policy for permitting
kld operations.  This permits policies to limit access to kld operations
based on credential (and other) properties, as well as to perform checks
on the kld being loaded (integrity, etc).

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-19 22:12:42 +00:00
Robert Watson
a96acd1ace Introduce a condition variable to avoid returning EBUSY when
the MAC policy list is busy during a load or unload attempt.
We assert no locks held during the cv wait, meaning we should
be fairly deadlock-safe.  Because of the cv model and busy
count, it's possible for a cv waiter waiting for exclusive
access to the policy list to be starved by active and
long-lived access control/labeling events.  For now, we
accept that as a necessary tradeoff.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-13 15:47:09 +00:00
Robert Watson
63b6f478ec Garbage collect mac_create_devfs_vnode() -- it hasn't been used since
we brought in the new cache and locking model for vnode labels.  We
now rely on mac_associate_devfs_vnode().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-12 04:20:36 +00:00
Robert Watson
2d43d24ed4 Garbage collect definition of M_MACOPVEC -- we no longer perform a
dynamic mapping of an operation vector into an operation structure,
rather, we rely on C99 sparse structure initialization.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-11 14:15:58 +00:00
Robert Watson
ef5def596d Update MAC modules for changes in arguments for exec MAC policy
entry points to include an explicit execlabel.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-08 18:04:36 +00:00
Robert Watson
9fa3506ecd Add an explicit execlabel argument to exec-related MAC policy entry
points, rather than relying on policies to grub around in the
image activator instance structure.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-08 18:04:00 +00:00
Robert Watson
939b97cba6 Update policy modules for changes in arguments associated with support
for label access on the interpreter, not just the shell script.  No
policies currently present in the system rely on the new labels.
2002-11-05 17:52:42 +00:00
Robert Watson
670cb89bf4 Bring in two sets of changes:
(1) Permit userland applications to request a change of label atomic
    with an execve() via mac_execve().  This is required for the
    SEBSD port of SELinux/FLASK.  Attempts to invoke this without
    MAC compiled in result in ENOSYS, as with all other MAC system
    calls.  Complexity, if desired, is present in policy modules,
    rather than the framework.

(2) Permit policies to have access to both the label of the vnode
    being executed as well as the interpreter if it's a shell
    script or related UNIX nonsense.  Because we can't hold both
    vnode locks at the same time, cache the interpreter label.
    SEBSD relies on this because it supports secure transitioning
    via shell script executables.  Other policies might want to
    take both labels into account during an integrity or
    confidentiality decision at execve()-time.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 17:51:56 +00:00
Robert Watson
b317d6f0aa Since neither the Biba policy nor the MLS policy make use of
transitioning, remove their transition entry points.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 16:44:29 +00:00
Robert Watson
4443e9ff4a Assert that appropriate vnodes are locked in mac_execve_will_transition().
Allow transitioning to be twiddled off using the process and fs enforcement
flags, although at some point this should probably be its own flag.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 15:11:33 +00:00
Robert Watson
743d9c6a2d Implement mpo_check_system_acct and mpo_check_system_settime() for Biba:
require Biba privilege to configure either, and require that accounting
files be high integrity.  Note that this does allow implicit information
flow from low to high integrity, but it also protects the integrity
of accounting data.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 17:50:52 +00:00
Robert Watson
1980cf9b79 Correct use of mac_biba_subject_privileged() in swapon() code.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 17:36:47 +00:00
Robert Watson
e5e820fd1f Permit MAC policies to instrument the access control decisions for
system accounting configuration and for nfsd server thread attach.
Policies might use this to protect the integrity or confidentiality
of accounting data, limit the ability to turn on or off accounting,
as well as to prevent inappropriately labeled threads from becoming nfs
server threads.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 15:13:36 +00:00
Robert Watson
3da87a65c7 Remove mac_cache_fslabel_in_vnode sysctl -- with the new VFS/MAC
construction, labels are always cached.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 14:55:14 +00:00
Robert Watson
dc858fcabe License and wording updates: NAI has authorized the removal of clause
three from their BSD-style license.  Also, s/NAI Labs/Network Associates
Laboratories/.
2002-11-04 01:53:12 +00:00
Robert Watson
6201265be7 License clarification and wording changes: NAI has approved removal of
clause three, and NAI Labs now goes by the name Network Associates
Laboratories.
2002-11-04 01:42:39 +00:00
Robert Watson
4b8d5f2d97 Introduce mac_check_system_settime(), a MAC check allowing policies to
augment the system policy for changing the system time.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-03 02:39:42 +00:00
Robert Watson
0d89ccd7d5 Change privilege model for mac_partition such that BSD superuser can change
the partition once a partition has been set.  This is required for correct
operation of sendmail between partitions.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-03 00:53:03 +00:00
Maxime Henrion
e6faed4db0 Fix some warnings on 64 bit architectures. The vn_extattr_get()
function takes an int * parameter, not a size_t * parameter.

Arguably, it should rather take a size_t *, but that would
require changing the uio_resid field of struct uio to be a size_t
instead of an int, which I don't want to do that close to
5.0-RELEASE.

Reviewed by:	rwatson
2002-11-02 20:16:35 +00:00
Robert Watson
e686e5ae91 Add MAC checks for various kenv() operations: dump, get, set, unset,
permitting MAC policies to limit access to the kernel environment.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-01 20:46:53 +00:00
Robert Watson
5c8dd34218 Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure.  Originally, we used a vector
for two reasons:

(1) We wanted to define the structure sparsely, which wasn't
    supported by the C compiler for structures.  For a policy
    with five entry points, you don't want to have to stick in
    a few hundred NULL function pointers.

(2) We thought it would improve ABI compatibility allowing modules
    to work with kernels that had a superset of the entry points
    defined in the module, even if the kernel had changed its
    entry point set.

Both of these no longer apply:

(1) C99 gives us a way to sparsely define a static structure.

(2) The ABI problems existed anyway, due to enumeration numbers,
    argument changes, and semantic mismatches.  Since the going
    rule for FreeBSD is that you really need your modules to
    pretty closely match your kernel, it's not worth the
    complexity.

This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions.  One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
Robert Watson
1979061b56 Various minor type, prototype tweaks -- clean up cruft due to lack of
type checking on entry points (to be introduced shortly).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 18:10:46 +00:00
Robert Watson
b914de36c0 While 'mode_t' seemed like a good idea for the access mode argument for
MAC access() and open() checks, the argument actually has an int type
where it becomes available.  Switch to using 'int' for the mode argument
throughout the MAC Framework and policy modules.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 17:56:57 +00:00
Robert Watson
26590ca793 Try again to fix the KASSERT. 2002-10-30 00:16:59 +00:00
Robert Watson
c7c2a7954a Fix a KASSERT bug that showed up only in the LINT build, not the
module build, so I missed it in the merge.

Pointed out by:	sam
2002-10-30 00:04:31 +00:00
Robert Watson
927f6069ac Hook up no-op stubs for reboot, swapon, sysctl entry points.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-29 19:57:28 +00:00
Robert Watson
84c7715ec3 Implement Biba policy entry points for mac_check_system_swapon()
and mac_check_system_sysctl(), providing additional integrity
protections relating to swap target device selection and system
management via sysctl().  Require Biba privilege for both; also
require that the target of swap operations be a high integrity
object, since swap data is high integrity.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Asssociates Laboratories
2002-10-29 19:18:52 +00:00
Robert Watson
757db56952 Require Biba privilege to relabel a network interface.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-29 19:14:16 +00:00
Robert Watson
c4c30e32ac Correct a typo in a previously commented include entry that was made
visible in the recent commit.
2002-10-28 19:50:06 +00:00
Robert Watson
f30a9615fd Remove all reference to 'struct oldmac', since it's no longer required
with the new VFS/EA semantics in the MAC framework.  Move the per-policy
structures out to per-policy include files, removing all policy-specific
defines and structures out of the base framework includes and
implementation, making mac_biba and mac_mls entirely self-contained.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-28 19:44:05 +00:00
Robert Watson
6d65e3d4ca Add a return type for mac_biba_high_single(), apparently lost in an
earlier merge.  It's a 'static int'.
2002-10-28 19:18:29 +00:00
Robert Watson
566d99847b Rename mac_biba_subject_equal_ok() to mac_biba_subject_privileged()
to evolve the notion of Biba privilege a bit.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-28 19:17:39 +00:00
Robert Watson
ee3bf1710a Zero the trusted_interface buffer before starting parsing.
Print a warning if a requested interface name is longer than
IFNAMSIZ.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-28 19:16:44 +00:00
Robert Watson
8b3a843438 An inappropriate ASSERT slipped in during the recent merge of the
reboot checking; remove.
2002-10-28 18:53:53 +00:00
Robert Watson
9e913ebd0a Centrally manage enforcement of {reboot,swapon,sysctl} using the
mac_enforce_system toggle, rather than several separate toggles.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 15:50:49 +00:00
Robert Watson
d3fc69ee6a Implement mac_check_system_sysctl(), a MAC Framework entry point to
permit MAC policies to augment the security protections on sysctl()
operations.  This is not really a wonderful entry point, as we
only have access to the MIB of the target sysctl entry, rather than
the more useful entry name, but this is sufficient for policies
like Biba that wish to use their notions of privilege or integrity
to prevent inappropriate sysctl modification.  Affects MAC kernels
only.  Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c,
we can't assert the SYSCTL subsystem lockin the MAC Framework.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 07:12:34 +00:00
Robert Watson
a2ecb9b790 Hook up mac_check_system_reboot(), a MAC Framework entry point that
permits MAC modules to augment system security decisions regarding
the reboot() system call, if MAC is compiled into the kernel.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 07:03:29 +00:00