Commit Graph

511 Commits

Author SHA1 Message Date
Robert Watson
45e0f3d63d Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry
point to mac_check_vnode_unlink(), reflecting UNIX naming conventions.

This is the first of several commits to synchronize the MAC Framework
in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X
Leopard.

Reveiwed by:    csjp, Samy Bahra <sbahra at gwu dot edu>
Submitted by:   Jacques Vidrine <nectar at apple dot com>
Obtained from:  Apple Computer, Inc.
Sponsored by:   SPARTA, SPAWAR
Approved by:    re (bmah)
2007-09-10 00:00:18 +00:00
Robert Watson
0bf686c125 Remove the now-unused NET_{LOCK,UNLOCK,ASSERT}_GIANT() macros, which
previously conditionally acquired Giant based on debug.mpsafenet.  As that
has now been removed, they are no longer required.  Removing them
significantly simplifies error-handling in the socket layer, eliminated
quite a bit of unwinding of locking in error cases.

While here clean up the now unneeded opt_net.h, which previously was used
for the NET_WITH_GIANT kernel option.  Clean up some related gotos for
consistency.

Reviewed by:	bz, csjp
Tested by:	kris
Approved by:	re (kensmith)
2007-08-06 14:26:03 +00:00
Robert Watson
7bb9c8a05b When checking labels during a vnode link operation in MLS, use the file
vnode label for a check rather than the directory vnode label a second
time.

MFC after:	3 days
Submitted by:	Zhouyi ZHOU <zhouzhouyi at FreeBSD dot org>
Reviewed by:	csjp
Sponsored by:	Google Summer of Code 2007
Approved by:	re (bmah)
2007-07-23 13:28:54 +00:00
Robert Watson
458f818f47 In preparation for 7.0 privilege cleanup, clean up style:
- Sort copyrights by date.
- Re-wrap, and in some cases, fix comments.
- Fix tabbing, white space, remove extra blank lines.
- Remove commented out debugging printfs.

Approved by:	re (kensmith)
2007-07-05 13:16:04 +00:00
Peter Wemm
343cc83e1b Fix a bunch of warnings due to a missing forward declaration of a struct.
Approved by: re (rwatson)
2007-07-05 06:45:37 +00:00
Robert Watson
536b405093 Remove two boot printfs generated by Audit to announce it's presence,
and replace with software-testable sysctl node (security.audit) that
can be used to detect kernel audit support.

Obtained from:	TrustedBSD Project
Approved by:	re (kensmith)
2007-07-01 20:51:30 +00:00
Christian S.J. Peron
cac465aa7f - Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2)
- In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK,
  and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done
  for both setaudit and setaudit_addr.
- Audit the arguments passed to setaudit_addr(2)
- AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the
  audit token is created with the correct type. This fixes the processing of the
  in_addr_ex token in users pace.
- Change the size of the token (as generated by the kernel) from 5*4 bytes to
  4*4 bytes (the correct size of an ip6 address)
- Correct regression from ucred work which resulted in getaudit() not returning
  E2BIG if the subject had an ip6 termid
- Correct slight regression in getaudit(2) which resulted in the size of a pointer
  being passed instead of the size of the structure. (This resulted in invalid
  auditinfo data being returned via getaudit(2))

Reviewed by:	rwatson
Approved by:	re@ (kensmith)
Obtained from:	TrustedBSD Project
MFC after:	1 month
2007-06-27 17:01:15 +00:00
Robert Watson
f1e8bf6dd4 Add a new MAC framework and policy entry point,
mpo_check_proc_setaudit_addr to be used when controlling use of
setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a
different argument type.

Reviewed by:	csjp
Approved by:	re (kensmith)
2007-06-26 14:14:01 +00:00
Robert Watson
f640bf4767 In setaudit_addr(), drop the process lock in error cases.
Submitted by:	Peter Holm <peter@holm.cc> (BugMaster)
2007-06-15 15:20:56 +00:00
Robert Watson
3805385e3d Spell statistics more correctly in comments. 2007-06-14 03:02:33 +00:00
Robert Watson
c2259ba44f Include priv.h to pick up suser(9) definitions, missed in an earlier
commit.

Warnings spotted by:	kris
2007-06-13 22:42:43 +00:00
Robert Watson
6a9a600b49 Close a very narrow race that might cause a trigger allocation to be
leaked if a trigger is delivered as the trigger device is closed.

Obtained from:	TrustedBSD Project
2007-06-13 21:17:23 +00:00
Robert Watson
32f9753cfb Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in
some cases, move to priv_check() if it was an operation on a thread and
no other flags were present.

Eliminate caller-side jail exception checking (also now-unused); jail
privilege exception code now goes solely in kern_jail.c.

We can't yet eliminate suser() due to some cases in the KAME code where
a privilege check is performed and then used in many different deferred
paths.  Do, however, move those prototypes to priv.h.

Reviewed by:	csjp
Obtained from:	TrustedBSD Project
2007-06-12 00:12:01 +00:00
Robert Watson
3666798f15 Clean up, and sometimes remove, a number of audit-related implementation
comments.

Obtained from:	TrutstedBSD Project
2007-06-11 22:10:54 +00:00
Robert Watson
faef53711b Move per-process audit state from a pointer in the proc structure to
embedded storage in struct ucred.  This allows audit state to be cached
with the thread, avoiding locking operations with each system call, and
makes it available in asynchronous execution contexts, such as deep in
the network stack or VFS.

Reviewed by:	csjp
Approved by:	re (kensmith)
Obtained from:	TrustedBSD Project
2007-06-07 22:27:15 +00:00
Jeff Roberson
982d11f836 Commit 14/14 of sched_lock decomposition.
- Use thread_lock() rather than sched_lock for per-thread scheduling
   sychronization.
 - Use the per-process spinlock rather than the sched_lock for per-process
   scheduling synchronization.

Tested by:      kris, current@
Tested on:      i386, amd64, ULE, 4BSD, libthr, libkse, PREEMPTION, etc.
Discussed with: kris, attilio, kmacy, jhb, julian, bde (small parts each)
2007-06-05 00:00:57 +00:00
Robert Watson
d8c0f4dc21 Clean up audit comments--formatting, spelling, etc. 2007-06-01 21:58:59 +00:00
Konstantin Belousov
7a31868ed0 Change the VOP_OPEN(), vn_open() vnode operation and d_fdopen() cdev operation
argument from being file descriptor index into the pointer to struct file:
part 2. Convert calls missed in the first big commit.

Noted by:	rwatson
Pointy hat to:	kib
2007-06-01 14:33:11 +00:00
Robert Watson
e1070b644c Remove AUDIT_PRINTF() debugging statements and definition; clean up or
remove associated comments.

Slip audit_file_rotate_wait assignment in audit_rotate_vnode() before
the drop of the global audit mutex.

Obtained from:	TrustedBSD Project
2007-06-01 13:53:37 +00:00
Robert Watson
34bf2d2c18 Remove unused !AUDIT audit_proc_*() prototypes: unlike in Mac OS X, we
don't define or use these functions if AUDIT isn't configured.

Obtained from:	TrustedBSD Project
2007-05-30 11:41:28 +00:00
Robert Watson
1f84423bdf Synchronize white space to congruent user-space code in OpenBSM.
Obtained from:	TrustedBSD Project
2007-05-30 09:48:37 +00:00
Robert Watson
30474b7260 Remove unused ar_subj_comm field from in-kernel audit record; we never
export this via BSM, so don't pay space/time cost of maintaining it.

Obtained from:	TrustedBSD Project
2007-05-30 09:14:14 +00:00
Robert Watson
8f75133bdf Consistent white space after .'s in comments. 2007-05-30 08:39:16 +00:00
Robert Watson
a4a035fd3e No need to force __inline__ of currecord(), as the compiler will usefully
inline it when needed already, and the symbol is also required outside of
audit.c.  This silences a new gcc warning on the topic of using __inline__
instead of __inline.

MFC after:	3 days
2007-05-23 09:32:30 +00:00
Robert Watson
5a9f2d6c56 Short name of kernel audit worker thread from "audit_worker" to "audit".
MFC after:	3 days
2007-05-21 14:08:26 +00:00
Robert Watson
69c4d690b1 Don't expose #ifdef NOTYET parts to userspace via audit_ioctl.h, just
remove them, since the functionality they are associated with isn't there
yet.

MFC after:	3 days
2007-04-29 16:20:32 +00:00
Robert Watson
305759909e Rename mac*devfsdirent*() to mac*devfs*() to synchronize with SEDarwin,
where similar data structures exist to support devfs and the MAC
Framework, but are named differently.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, Inc.
2007-04-23 13:36:54 +00:00
Robert Watson
78007886c9 Apply variable name normalization to MAC policies: adopt global conventions
for the naming of variables associated with specific data structures.

Obtained from:	TrustedBSD Project
2007-04-23 13:15:23 +00:00
Robert Watson
26ae2b86b6 Normalize variable naming in the MAC Framework by adopting the normal
variable name conventions for arguments passed into the framework --
for example, name network interfaces 'ifp', sockets 'so', mounts 'mp',
mbufs 'm', processes 'p', etc, wherever possible.  Previously there
was significant variation in this regard.

Normalize copyright lists to ranges where sensible.
2007-04-22 19:55:56 +00:00
Robert Watson
eb542415c0 In the MAC Framework implementation, file systems have two per-mountpoint
labels: the mount label (label of the mountpoint) and the fs label (label
of the file system).  In practice, policies appear to only ever use one,
and the distinction is not helpful.

Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and
eliminate extra machinery required to maintain the additional label.
Update policies to reflect removal of extra entry points and label.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, Inc.
2007-04-22 16:18:10 +00:00
Robert Watson
c14d15ae3e Remove MAC Framework access control check entry points made redundant with
the introduction of priv(9) and MAC Framework entry points for privilege
checking/granting.  These entry points exactly aligned with privileges and
provided no additional security context:

- mac_check_sysarch_ioperm()
- mac_check_kld_unload()
- mac_check_settime()
- mac_check_system_nfsd()

Add mpo_priv_check() implementations to Biba and LOMAC policies, which,
for each privilege, determine if they can be granted to processes
considered unprivileged by those two policies.  These mostly, but not
entirely, align with the set of privileges granted in jails.

Obtained from:	TrustedBSD Project
2007-04-22 15:31:22 +00:00
Robert Watson
269ad13024 Further MAC test policy cleanup and enhancement:
- Redistribute counter declarations to where they are used, rather than at
  the file header, so it's more clear where we do (and don't) have
  counters.

- Add many more counters, one per policy entry point, so that many
  individual access controls and object life cycle events are tracked.

- Perform counter increments for label destruction explicitly in entry
  point functions rather than in LABEL_DESTROY().

- Use LABEL_INIT() instead of SLOT_SET() directly in label init functions
  to be symmetric with destruction.

- Align counter names more carefully with entry point names.

- More constant and variable name normalization.

Obtained from:	TrustedBSD Project
2007-04-22 13:29:37 +00:00
Robert Watson
6827d0294e Perform overdue clean up mac_test policy:
- Add a more detailed comment describing the mac_test policy.

- Add COUNTER_DECL() and COUNTER_INC() macros to declare and manage
  various test counters, reducing the verbosity of the test policy
  quite a bit.

- Add LABEL_CHECK() macro to abbreviate normal validation of labels.
  Unlike the previous check macros, this checks for a NULL label and
  doesn't test NULL labels.  This means that optionally passed labels
  will now be handled automatically, although in the case of optional
  credentials, NULL-checks are still required.

- Add LABEL_DESTROY() macro to abbreviate the handling of label
  validation and tear-down.

- Add LABEL_NOTFREE() macro to abbreviate check for non-free labels.

- Normalize the names of counters, magic values.

- Remove unused policy "enabled" flag.

Obtained from:	TrustedBSD Project
2007-04-22 11:35:15 +00:00
Robert Watson
18717f69b1 Allow MAC policy modules to control access to audit configuration system
calls.  Add MAC Framework entry points and MAC policy entry points for
audit(), auditctl(), auditon(), setaudit(), aud setauid().

MAC Framework entry points are only added for audit system calls where
additional argument context may be useful for policy decision-making; other
audit system calls without arguments may be controlled via the priv(9)
entry points.

Update various policy modules to implement audit-related checks, and in
some cases, other missing system-related checks.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, Inc.
2007-04-21 22:08:48 +00:00
Robert Watson
8b65d3135a Remove $P4$ that snuck into CVS from Perforce. 2007-04-17 12:24:18 +00:00
Robert Watson
0e92f0d7dd Merge OpenBSM 1.0 alpha 14 changes to src/sys/security/audit:
- au_to_attr64(), au_to_process64(), au_to_subject64(),
  au_to_subject64_ex(), au_to_zonename(), au_to_header64_tm().
- Extended address token fixes.

Obtained from:	TrustedBSD Project
2007-04-16 16:20:45 +00:00
Christian S.J. Peron
f0cbfcc468 Fix the handling of IPv6 addresses for subject and process BSM audit
tokens. Currently, we do not support the set{get}audit_addr(2) system
calls which allows processes like sshd to set extended or ip6
information for subject tokens.

The approach that was taken was to change the process audit state
slightly to use an extended terminal ID in the kernel. This allows
us to store both IPv4 IPv6 addresses. In the case that an IPv4 address
is in use, we convert the terminal ID from an struct auditinfo_addr to
a struct auditinfo.

If getaudit(2) is called when the subject is bound to an ip6 address,
we return E2BIG.

- Change the internal audit record to store an extended terminal ID
- Introduce ARG_TERMID_ADDR
- Change the kaudit <-> BSM conversion process so that we are using
  the appropriate subject token. If the address associated with the
  subject is IPv4, we use the standard subject32 token. If the subject
  has an IPv6 address associated with them, we use an extended subject32
  token.
- Fix a couple of endian issues where we do a couple of byte swaps when
  we shouldn't be. IP addresses are already in the correct byte order,
  so reading the ip6 address 4 bytes at a time and swapping them results
  in in-correct address data. It should be noted that the same issue was
  found in the openbsm library and it has been changed there too on the
  vendor branch
- Change A_GETPINFO to use the appropriate structures
- Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does,
  but can also handle ip6 addresses
- Adjust get{set}audit(2) syscalls to convert the data
  auditinfo <-> auditinfo_addr
- Fully implement set{get}audit_addr(2)

NOTE: This adds the ability for processes to correctly set extended subject
information. The appropriate userspace utilities still need to be updated.

MFC after:	1 month
Reviewed by:	rwatson
Obtained from:	TrustedBSD
2007-04-13 14:55:19 +00:00
Robert Watson
5e3f7694b1 Replace custom file descriptor array sleep lock constructed using a mutex
and flags with an sxlock.  This leads to a significant and measurable
performance improvement as a result of access to shared locking for
frequent lookup operations, reduced general overhead, and reduced overhead
in the event of contention.  All of these are imported for threaded
applications where simultaneous access to a shared file descriptor array
occurs frequently.  Kris has reported 2x-4x transaction rate improvements
on 8-core MySQL benchmarks; smaller improvements can be expected for many
workloads as a result of reduced overhead.

- Generally eliminate the distinction between "fast" and regular
  acquisisition of the filedesc lock; the plan is that they will now all
  be fast.  Change all locking instances to either shared or exclusive
  locks.

- Correct a bug (pointed out by kib) in fdfree() where previously msleep()
  was called without the mutex held; sx_sleep() is now always called with
  the sxlock held exclusively.

- Universally hold the struct file lock over changes to struct file,
  rather than the filedesc lock or no lock.  Always update the f_ops
  field last. A further memory barrier is required here in the future
  (discussed with jhb).

- Improve locking and reference management in linux_at(), which fails to
  properly acquire vnode references before using vnode pointers.  Annotate
  improper use of vn_fullpath(), which will be replaced at a future date.

In fcntl(), we conservatively acquire an exclusive lock, even though in
some cases a shared lock may be sufficient, which should be revisited.
The dropping of the filedesc lock in fdgrowtable() is no longer required
as the sxlock can be held over the sleep operation; we should consider
removing that (pointed out by attilio).

Tested by:	kris
Discussed with:	jhb, kris, attilio, jeff
2007-04-04 09:11:34 +00:00
Robert Watson
0c14ff0eb5 Remove 'MPSAFE' annotations from the comments above most system calls: all
system calls now enter without Giant held, and then in some cases, acquire
Giant explicitly.

Remove a number of other MPSAFE annotations in the credential code and
tweak one or two other adjacent comments.
2007-03-04 22:36:48 +00:00
Robert Watson
7405fcc338 More unnecessary include reduction. 2007-02-23 14:39:04 +00:00
Robert Watson
68cb865905 Remove many unneeded includes, update copyright. 2007-02-23 11:21:26 +00:00
Robert Watson
588ff6c0cc Remove empty entry point functions (init, destroy, syscall) from
policies that don't need them.
2007-02-23 11:15:35 +00:00
Robert Watson
faf00eecd4 mac_none sample policy has nothing to enforce, so remove sysctls.
mac_stub acts as a template policy and holds sample sysctls.
2007-02-23 11:08:45 +00:00
Robert Watson
a1f3b8390c Update auditing of socket information for the inpcb new world order:
so_pcb will always be non-NULL, and lock the inpcb while non-atomically
accessing address data.
2007-02-20 13:38:11 +00:00
Robert Watson
d24c76d1f5 Move mapping of MBI_APPEND to MBI_WRITE from inside the rule loop in
mac_bsdextended_check() to before the loop, as it needs to happen only
once.

MFC after:	1 week
2007-02-20 10:21:27 +00:00
Robert Watson
8bd5639f18 Do allow bypass of mac_seeotheruids in jail in order to be consistent
with other uses of PRIV_SEEOTHERUIDS.  This will automatically be
scoped to the jail by the jail policy.
2007-02-19 13:25:17 +00:00
Robert Watson
99535caa41 In mac_biba_check_system_swapoff(), don't extract the object label since
it isn't used in the access control decision.  This became visible to
Coverity with the change to a function call retrieving label values.

Coverity CID:	1723
2007-02-10 08:59:39 +00:00
Robert Watson
1ca8672907 Print intptr_t values by first casting to intmax_t and then printing with
%jd, as intptr_t may not be int-sized.

Assistance from:	jhb
Spotted by:		Mr Tinderbox
2007-02-06 17:22:36 +00:00
Robert Watson
0142affc77 Introduce accessor functions mac_label_get() and mac_label_set() to replace
LABEL_TO_SLOT() macro used by policy modules to query and set label data
in struct label.  Instead of using a union, store an intptr_t, simplifying
the API.

Update policies: in most cases this required only small tweaks to current
wrapper macros.  In two cases, a single wrapper macros had to be split into
separate get and set macros.

Move struct label definition from _label.h to mac_internal.h and remove
_label.h.  With this change, policies may now treat struct label * as
opaque, allowing us to change the layout of struct label without breaking
the policy module ABI.  For example, we could make the maximum number of
policies with labels modifiable at boot-time rather than just at
compile-time.

Obtained from:	TrustedBSD Project
2007-02-06 14:19:25 +00:00
Robert Watson
c96ae1968a Continue 7-CURRENT MAC Framework rearrangement and cleanup:
Don't perform a nested include of _label.h in mac.h, as mac.h now
describes only  the user API to MAC, and _label.h defines the in-kernel
representation of MAC labels.

Remove mac.h includes from policies and MAC framework components that do
not use userspace MAC API definitions.

Add _KERNEL inclusion checks to mac_internal.h and mac_policy.h, as these
are kernel-only include files

Obtained from:	TrustedBSD Project
2007-02-06 10:59:23 +00:00