Commit Graph

612 Commits

Author SHA1 Message Date
Robert Watson
048e1287fa Implement MAC policy support for IPv6 fragment reassembly queues,
modeled on IPv4 fragment reassembly queue support.

Obtained from:	TrustedBSD Project
2008-10-26 22:46:37 +00:00
Robert Watson
4b908c8bb4 Add a MAC label, MAC Framework, and MAC policy entry points for IPv6
fragment reassembly queues.

This allows policies to label reassembly queues, perform access
control checks when matching fragments to a queue, update a queue
label when fragments are matched, and label the resulting
reassembled datagram.

Obtained from:	TrustedBSD Project
2008-10-26 22:45:18 +00:00
Dag-Erling Smørgrav
e11e3f187d Fix a number of style issues in the MALLOC / FREE commit. I've tried to
be careful not to fix anything that was already broken; the NFSv4 code is
particularly bad in this respect.
2008-10-23 20:26:15 +00:00
Dag-Erling Smørgrav
1ede983cc9 Retire the MALLOC and FREE macros. They are an abomination unto style(9).
MFC after:	3 months
2008-10-23 15:53:51 +00:00
Bjoern A. Zeeb
7fb179ba7e Add a mac_inpcb_check_visible implementation to all MAC policies
that handle mac_socket_check_visible.

Reviewed by:	rwatson
MFC after:	3 months (set timer; decide then)
2008-10-17 15:11:12 +00:00
Bjoern A. Zeeb
37ee72936b Add mac_inpcb_check_visible MAC Framework entry point, which is similar
to mac_socket_check_visible but operates on the inpcb.

Reviewed by:	rwatson
MFC after:	3 months (set timer, decide then)
2008-10-17 12:54:28 +00:00
Bjoern A. Zeeb
4a5216a6dc Use the label from the socket credential rather than the
solabel which was not set by the mac_partition policy.

Spotted by:	rwatson
Reviewed by:	rwatson
MFC after:	3 days
2008-10-17 08:58:33 +00:00
Ed Schouten
d3ce832719 Remove unit2minor() use from kernel code.
When I changed kern_conf.c three months ago I made device unit numbers
equal to (unneeded) device minor numbers. We used to require
bitshifting, because there were eight bits in the middle that were
reserved for a device major number. Not very long after I turned
dev2unit(), minor(), unit2minor() and minor2unit() into macro's.
The unit2minor() and minor2unit() macro's were no-ops.

We'd better not remove these four macro's from the kernel, because there
is a lot of (external) code that may still depend on them. For now it's
harmless to remove all invocations of unit2minor() and minor2unit().

Reviewed by:	kib
2008-09-26 14:19:52 +00:00
Attilio Rao
cecd8edba5 Remove the suser(9) interface from the kernel. It has been replaced from
years by the priv_check(9) interface and just very few places are left.
Note that compatibility stub with older FreeBSD version
(all above the 8 limit though) are left in order to reduce diffs against
old versions. It is responsibility of the maintainers for any module, if
they think it is the case, to axe out such cases.

This patch breaks KPI so __FreeBSD_version will be bumped into a later
commit.

This patch needs to be credited 50-50 with rwatson@ as he found time to
explain me how the priv_check() works in detail and to review patches.

Tested by:      Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
Reviewed by:    rwatson
2008-09-17 15:49:44 +00:00
Edward Tomasz Napierala
dfa7fd1d70 Remove VSVTX, VSGID and VSUID. This should be a no-op,
as VSVTX == S_ISVTX, VSGID == S_ISGID and VSUID == S_ISUID.

Approved by:	rwatson (mentor)
2008-09-10 13:16:41 +00:00
Dag-Erling Smørgrav
19de3e9011 Unbreak the build.
Pointy hat to:	kevlo
2008-09-04 13:06:36 +00:00
Kevin Lo
f308bddd3f If the process id specified is invalid, the system call returns ESRCH 2008-09-04 10:44:33 +00:00
Attilio Rao
0359a12ead Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread
was always curthread and totally unuseful.

Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
2008-08-28 15:23:18 +00:00
Robert Watson
3f3978840e More fully audit fexecve(2) and its arguments.
Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
2008-08-25 13:50:01 +00:00
Robert Watson
e08f2b26f4 Use ERANGE instead of EOVERFLOW selected in r182059, this seems more
appropriate even if Solaris doesn't document it (E2BIG) or use it
(EOVERFLOW).

Submitted by:	nectar at apple dot com
Sponsored by:	Apple, Inc.
MFC after:	3 days
2008-08-24 19:55:10 +00:00
Christian S.J. Peron
db8502672e Use sbuf_putc instead of sbuf_cat. This makes more sense, since we are
appending a single character to the buffer.

MFC after:	2 weeks
2008-08-24 03:12:17 +00:00
Robert Watson
6356dba0b4 Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
    so that the general exec code isn't aware of the details of
    allocating, copying, and freeing labels, rather, simply passes in
    a void pointer to start and stop functions that will be used by
    the framework.  This change will be MFC'd.

(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
    allowing policies to declare which types of objects require label
    allocation, initialization, and destruction, and define a set of
    flags covering various supported object types (MPC_OBJECT_PROC,
    MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...).  This change reduces the
    overhead of compiling the MAC Framework into the kernel if policies
    aren't loaded, or if policies require labels on only a small number
    or even no object types.  Each time a policy is loaded or unloaded,
    we recalculate a mask of labeled object types across all policies
    present in the system.  Eliminate MAC_ALWAYS_LABEL_MBUF option as it
    is no longer required.

MFC after:	1 week ((1) only)
Reviewed by:	csjp
Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
2008-08-23 15:26:36 +00:00
Robert Watson
cc10282298 When getaudit(2) is unable to fit the terminal IPv6 address into the
space provided by its argument structure, return EOVERFLOW instead of
E2BIG.  The latter is documented in Solaris's man page, but the
former is implemented.  In either case, the caller should use
getaudit_addr(2) to return the IPv6 address.

Submitted by:	sson
Obtained from:	Apple, Inc.
MFC after:	3 days
2008-08-23 14:39:01 +00:00
Christian S.J. Peron
40d288ba0c Make sure we check the preselection masks present for all audit pipes.
It is possible that the audit pipe(s) have different preselection configs
then the global preselection mask.

Spotted by:	Vincenzo Iozzo
MFC after:	2 weeks
2008-08-11 20:14:56 +00:00
Dag-Erling Smørgrav
2616144e43 Add sbuf_new_auto as a shortcut for the very common case of creating a
completely dynamic sbuf.

Obtained from:	Varnish
MFC after:	2 weeks
2008-08-09 11:14:05 +00:00
Robert Watson
95b85ca3a9 Minor style tweaks. 2008-08-02 22:30:51 +00:00
Robert Watson
f7c4bd95ba Rename mac_partition_enabled to partition_enabled to synchronize with
other policies that similarly now avoid the additional mac_ prefix on
variables.

MFC after:	soon
2008-08-02 20:53:59 +00:00
Robert Watson
80794edc05 In mac_bsdextended's auditctl and acct policy access control checks,
return success if the passed vnode pointer is NULL (rather than
panicking).  This can occur if either audit or accounting are
disabled while the policy is running.

Since the swapoff control has no real relevance to this policy,
which is concerned about intent to write rather than water under the
bridge, remove it.

PR:             kern/126100
Reported by:    Alan Amesbury <amesbury at umn dot edu>
MFC after:      3 days
2008-07-31 20:49:12 +00:00
Christian S.J. Peron
dfc714fba1 Currently, BSM audit pathname token generation for chrooted or jailed
processes are not producing absolute pathname tokens.  It is required
that audited pathnames are generated relative to the global root mount
point.  This modification changes our implementation of audit_canon_path(9)
and introduces a new function: vn_fullpath_global(9) which performs a
vnode -> pathname translation relative to the global mount point based
on the contents of the name cache.  Much like vn_fullpath,
vn_fullpath_global is a wrapper function which called vn_fullpath1.

Further, the string parsing routines have been converted to use the
sbuf(9) framework.  This change also removes the conditional acquisition
of Giant, since the vn_fullpath1 method will not dip into file system
dependent code.

The vnode locking was modified to use vhold()/vdrop() instead the vref()
and vrele().  This will modify the hold count instead of modifying the
user count.  This makes more sense since it's the kernel that requires
the reference to the vnode.  This also makes sure that the vnode does not
get recycled we hold the reference to it. [1]

Discussed with:	rwatson
Reviewed by:	kib [1]
MFC after:	2 weeks
2008-07-31 16:57:41 +00:00
Robert Watson
f6d4a8a77b Further synchronization of copyrights, licenses, white space, etc from
Apple and from the OpenBSM vendor tree.

Obtained from:	Apple Inc., TrustedBSD Project
MFC after:	3 days
2008-07-31 09:54:35 +00:00
Robert Watson
33f0efe6b0 Minor white space tweak.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-23 07:42:31 +00:00
Robert Watson
93536b495d If an AUE_SYSCTL_NONADMIN audit event is selected, generate a record
with equivilent content to AUE_SYSCTL.

Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:54:32 +00:00
Robert Watson
30d0721b59 Further minor style fixes to audit.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:49:30 +00:00
Robert Watson
1814e5b748 Remove unneeded \ at the end of a macro.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:08:27 +00:00
Robert Watson
3c4636a7d4 Further minor white space tweaks.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:06:49 +00:00
Robert Watson
fc1286c81d Generally avoid <space><tab> as a white space anomoly.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:44:48 +00:00
Robert Watson
0c0a142a52 Use #define<tab> rather than #define<space>.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:21:59 +00:00
Robert Watson
f1cb603072 Comment fix.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:02:21 +00:00
Robert Watson
98ee1b30aa Comment typo fix.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:54:10 +00:00
Robert Watson
c2f027ffb8 Minor white space synchronization to Apple version of security audit.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:49:19 +00:00
Robert Watson
bc9a43d698 In preparation to sync Apple and FreeBSD versions of security audit,
pick up the Apple Computer -> Apple change in their copyright and
license templates.

Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:29:48 +00:00
Robert Watson
59b622e6b3 Use unsigned int when iterating over groupsets in audit_arg_groupset().
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:17:21 +00:00
John Baldwin
6bc1e9cd84 Rework the lifetime management of the kernel implementation of POSIX
semaphores.  Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec.  This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely.  It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.

Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
  the sem_unlink() operation.  Prior to this patch, if a semaphore's name
  was removed, valid handles from sem_open() would get EINVAL errors from
  sem_getvalue(), sem_post(), etc.  This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
  process exited or exec'd.  They were only cleaned up if the process
  did an explicit sem_destroy().  This could result in a leak of semaphore
  objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
  'struct ksem' of an unnamed semaphore (created via sem_init)) and had
  write access to the semaphore based on UID/GID checks, then that other
  process could manipulate the semaphore via sem_destroy(), sem_post(),
  sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
  creating the semaphore was not honored.  Thus if your umask denied group
  read/write access but the explicit mode in the sem_init() call allowed
  it, the semaphore would be readable/writable by other users in the
  same group, for example.  This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
  then it might have deregistered one or more of the semaphore system
  calls before it noticed that there was a problem.  I'm not sure if
  this actually happened as the order that modules are discovered by the
  kernel linker depends on how the actual .ko file is linked.  One can
  make the order deterministic by using a single module with a mod_event
  handler that explicitly registers syscalls (and deregisters during
  unload after any checks).  This also fixes a race where even if the
  sem_module unloaded first it would have destroyed locks that the
  syscalls might be trying to access if they are still executing when
  they are unloaded.

  XXX: By the way, deregistering system calls doesn't do any blocking
  to drain any threads from the calls.
- Some minor fixes to errno values on error.  For example, sem_init()
  isn't documented to return ENFILE or EMFILE if we run out of semaphores
  the way that sem_open() can.  Instead, it should return ENOSPC in that
  case.

Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
  named semaphores nearly in a similar fashion to the POSIX shared memory
  object file descriptors.  Kernel semaphores can now also have names
  longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
  in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
  done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
  MAC checks for POSIX semaphores accept both a file credential and an
  active credential.  There is also a new posixsem_check_stat() since it
  is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
  in src/tools/regression/posixsem.

Reported by:	kris (1)
Tested by:	kris
Reviewed by:	rwatson (lightly)
MFC after:	1 month
2008-06-27 05:39:04 +00:00
John Baldwin
127cc7673d Add missing counter increments for posix shm checks. 2008-06-26 13:49:32 +00:00
John Baldwin
c4f3a35a54 Remove the posixsem_check_destroy() MAC check. It is semantically identical
to doing a MAC check for close(), but no other types of close() (including
close(2) and ksem_close(2)) have MAC checks.

Discussed with:	rwatson
2008-06-23 21:37:53 +00:00
Robert Watson
37f44cb428 The TrustedBSD MAC Framework named struct ipq instances 'ipq', which is the
same as the global variable defined in ip_input.c.  Instead, adopt the name
'q' as found in about 1/2 of uses in ip_input.c, preventing a collision on
the name.  This is non-harmful, but means that search and replace on the
global works less well (as in the virtualization work), as well as indexing
tools.

MFC after:	1 week
Reported by:	julian
2008-06-13 22:14:15 +00:00
Ed Schouten
29d4cb241b Don't enforce unique device minor number policy anymore.
Except for the case where we use the cloner library (clone_create() and
friends), there is no reason to enforce a unique device minor number
policy. There are various drivers in the source tree that allocate unr
pools and such to provide minor numbers, without using them themselves.

Because we still need to support unique device minor numbers for the
cloner library, introduce a new flag called D_NEEDMINOR. All cdevsw's
that are used in combination with the cloner library should be marked
with this flag to make the cloning work.

This means drivers can now freely use si_drv0 to store their own flags
and state, making it effectively the same as si_drv1 and si_drv2. We
still keep the minor() and dev2unit() routines around to make drivers
happy.

The NTFS code also used the minor number in its hash table. We should
not do this anymore. If the si_drv0 field would be changed, it would no
longer end up in the same list.

Approved by:	philip (mentor)
2008-06-11 18:55:19 +00:00
Simon L. B. Nielsen
3bff0167b9 When the file-system containing the audit log file is running low on
disk space a warning is printed.  Make this warning a bit more
informative.

Approved by:	rwatson
2008-06-10 20:05:32 +00:00
Robert Watson
4e95375678 Add an XXX comment regarding a bug I introduced when modifying the behavior
of audit log vnode rotation: on shutdown, we may not properly drain all
pending records, which could lead to lost records during system shutdown.
2008-06-03 11:06:34 +00:00
Christian S.J. Peron
1f84ab0f2a Plug a memory leak which can occur when multiple MAC policies are loaded
which label mbufs.  This leak can occur if one policy successfully allocates
label storage and subsequent allocations from other policies fail.

Spotted by:	rwatson
MFC after:	1 week
2008-05-27 14:18:02 +00:00
Robert Watson
bcbd871a3f Don't use LK_DRAIN before calling VOP_FSYNC() in the two further
panic cases for audit trail failure -- this doesn't contribute
anything, and might arguably be wrong.

MFC after:	1 week
Requested by:	attilio
2008-05-21 13:59:05 +00:00
Robert Watson
bf7baa9eca Don't use LK_DRAIN before calling VOP_FSYNC() in the panic case for
audit trail failure -- this doesn't contribute anything, and might
arguably be wrong.

MFC after:	1 week
Requested by:	attilio
2008-05-21 13:05:06 +00:00
Robert Watson
7d8ab8bafb When testing whether to enter the audit argument gathering code, rather
than checking whether audit is enabled globally, instead check whether
the current thread has an audit record.  This avoids entering the audit
code to collect argument data if auditing is enabled but the current
system call is not of interest to audit.

MFC after:	1 week
Sponsored by:	Apple, Inc.
2008-05-06 00:32:23 +00:00
Robert Watson
fa9e0a18af Fix include guard spelling.
MFC after:	3 days
Submitted by:	diego
2008-04-27 15:51:49 +00:00
Robert Watson
81efe39deb Use logic or, not binary or, when deciding whether or not a system call
exit requires entering the audit code.  The result is much the same,
but they mean different things.

MFC afer:	3 days
Submitted by:	Diego Giagio <dgiagio at gmail dot com>
2008-04-24 12:23:31 +00:00