Commit Graph

461 Commits

Author SHA1 Message Date
rwatson
6ac99f7113 When returning early from audit_arg_file() due to so->so_pcb being NULL
(due to an early reset or the like), remember to unlock the socket lock.
This will not occur in 7-CURRENT, but could in theory occur in 6-STABLE.

MFC after:	1 week
2007-01-06 22:28:28 +00:00
csjp
c394e563bc Teach the stub policy about some of the more recent entry points that have
been introduced to the MAC framework:

mpo_associate_nfsd_label
mpo_create_mbuf_from_firewall
mpo_check_system_nfsd
mpo_check_vnode_mmap_downgrade
mpo_check_vnode_mprotect
mpo_init_syncache_label
mpo_destroy_syncache_label
mpo_init_syncache_from_inpcb
mpo_create_mbuf_from_syncache

MFC after:	2 weeks [1]

[1] The syncache related entry points will NOT be MFCed as the changes in
    the syncache subsystem are not present in RELENG_6 yet.
2007-01-01 01:47:18 +00:00
csjp
dac8fa36f8 Remove conditional return of 1. For the MAC_STATIC case at this point in
the code, one being returned is invariant.

Discussed with:	rwatson
MFC after:	1 week
2007-01-01 01:40:29 +00:00
rwatson
b790270fcf Only signal the CV indicating that the MAC Framework is available for
exclusive access if there is at least one thread waiting for it to
become available.  This may significantly reduce overhead by reducing
the number of unnecessary wakeups issued whenever the framework becomes
idle.

Annotate that we still signal the CV more than necessary and should
fix this.

Obtained from:	TrustedBSD Project
Reviewed by:	csjp
Tested by:	csjp
2006-12-31 20:26:20 +00:00
rwatson
c2bdc9dc5c Slightly resort functions in file so that no forward function prototypes
are required.

Obtained from:	TrustedBSD Project
2006-12-29 20:21:21 +00:00
rwatson
468e5443ba Re-add include of opt_mac.h in mac_framework.c, which was improperly
removed from this file.  It is required to pick up the definition of
MAC_STATIC.
2006-12-29 20:16:29 +00:00
rwatson
b35ac7f09b Remove two XXX comments that no longer apply.
Obtained from:	TrustedBSD Project
2006-12-29 11:03:44 +00:00
rwatson
accf7ddf5a Use p_cansee() to check that a target process for an audit state
manipulation is visible to the subject process.  Remove XXX comments
suggesting this.

Convert one XXX on a difference from Darwin into a note: it's not a
bug, it's a feature.

Obtained from:	TrustedBSD Project
2006-12-29 10:49:13 +00:00
rwatson
46f7cb9d3b Add a witness sleep warning to canon_path(), which invokes vput() and hence
may perform an unbounded sleep.  Remove an XXX comment suggesting that one
be added.

Obtained from:	TrustedBSD Project
2006-12-29 10:37:32 +00:00
rwatson
1828ce8b9a Add missing include guards to mac_internal.h, update include guards in
mac_policy.h following move to new location in src/sys/security/mac.

Obtained from:	TrustedBSD Project
2006-12-28 23:23:35 +00:00
rwatson
ecb6fa46c8 Update a number of comments:
- Replace XXX with Note: in several cases where observations are made about
  future functionality rather than problems or bugs.

- Remove an XXX comment about byte order and au_to_ip() -- IP headers must
  be submitted in network byte order.  Add a comment to this effect.

- Mention that we don't implement select/poll for /dev/audit.

Obtained from:	TrustedBSD Project
2006-12-28 22:18:43 +00:00
rwatson
687cc5fe5c Remove XXX comments about EA transaction support and provide a more
general and detailed comment on the topic of EA transactions and kernel
warnings.

Obtained from:	TrustedBSD Project
2006-12-28 22:02:59 +00:00
rwatson
59b306db83 Remove an inaccurate comment I added regarding storage for mbuf tag
labels: they are in fact stored in the tag directly.

Obtained from:	TrustedBSD Project
2006-12-28 21:57:59 +00:00
rwatson
f1bd870753 In mac_inpcb_sosetlabel(), assert the socket lock rather than commenting
that we should assert the socket lock.

Obtained from:	TrustedBSD Project
2006-12-28 21:56:39 +00:00
rwatson
d4e941ae59 Centralize definition of MAC_VERSION in mac_policy.h, as it defines the
kernel<->policy ABI version.  Add a comment to the definition describing
it and listing known versions.  Modify MAC_POLICY_SET() to reference the
current kernel version by name rather than by number.

Staticize mac_late, which is used only in mac_framework.c.

Obtained from:	TrustedBSD Project
2006-12-28 21:48:38 +00:00
rwatson
8a59ab518d Move mac_init_label() and mac_destroy_label() from mac_framework.c to
mac_label.c, and use these instead of replicated code in the label zone
constructor and destructor.

Obtained from:	TrustedBSD Project
2006-12-28 21:15:37 +00:00
rwatson
4289e30504 Trim unneeded includes. 2006-12-28 21:07:45 +00:00
rwatson
4a9f23955f Break contents of kern_mac.c out into two files following a repo-copy:
mac_framework.c   Contains basic MAC Framework functions, policy
                  registration, sysinits, etc.

mac_syscalls.c    Contains implementations of various MAC system calls,
                  including ENOSYS stubs when compiling without options
                  MAC.

Obtained from:	TrustedBSD Project
2006-12-28 20:52:02 +00:00
rwatson
e7f843dc94 Update MAC Framework general comments, referencing various interfaces it
consumes and implements, as well as the location of the framework and
policy modules.

Refactor MAC Framework versioning a bit so that the current ABI version can
be exported via a read-only sysctl.

Further update comments relating to locking/synchronization.

Update copyright to take into account these and other recent changes.

Obtained from:	TrustedBSD Project
2006-12-28 17:25:57 +00:00
rwatson
01a38eca27 Re-wrap comments following de-indentation. 2006-12-23 22:21:13 +00:00
rwatson
ae9ef07995 Move src/sys/sys/mac_policy.h, the kernel interface between the MAC
Framework and security modules, to src/sys/security/mac/mac_policy.h,
completing the removal of kernel-only MAC Framework include files from
src/sys/sys.  Update the MAC Framework and MAC policy modules.  Delete
the old mac_policy.h.

Third party policy modules will need similar updating.

Obtained from:	TrustedBSD Project
2006-12-22 23:34:47 +00:00
rwatson
e767bf8cfd Minor style fixes. 2006-12-21 09:58:02 +00:00
rwatson
6fa1425be4 Remove mac_enforce_subsystem debugging sysctls. Enforcement on
subsystems will be a property of policy modules, which may require
access control check entry points to be invoked even when not actively
enforcing (i.e., to track information flow without providing
protection).

Obtained from:	TrustedBSD Project
Suggested by:	Christopher dot Vance at sparta dot com
2006-12-21 09:51:34 +00:00
rwatson
9abf6b51e4 Comment LABEL_TO_SLOT() macro, including observing that we'd like to improve
this policy API to avoid encoding struct label binary layout in policy
modules.

Obtained from:	TrustedBSD Project
2006-12-20 23:41:59 +00:00
rwatson
00c95308bf Trim trailing white space, clean up comment line wrapping and formatting.
Document mac_associate_nfsd_label().

Obtained from:	TrustedBSD Project
2006-12-20 23:18:17 +00:00
rwatson
08ad649b5f Trim trailing white space. 2006-12-20 23:17:34 +00:00
rwatson
b8ec51a064 Document socket labeling model.
Clean up comment white space and wrapping.

Obtained from:	TrustedBSD Project
2006-12-20 23:16:41 +00:00
rwatson
cada726d8e Clean up comment white space and line wrapping. 2006-12-20 23:16:01 +00:00
rwatson
49509e92eb Additional comments regarding the interaction between the kernel privilege
model and the MAC Framework.

Obtained from:	TrustedBSD Project
2006-12-20 23:15:27 +00:00
rwatson
c77864165e Document that we could allocate the mbuf label as part of the tag rather
than from the slab, but don't.

Document mac_mbuf_to_label(), mac_copy_mbuf_tag().

Clean up white space/wrapping for other comments.

Obtained from:	TrustedBSD Project
2006-12-20 23:14:33 +00:00
rwatson
f30462f07d Staticize and comment zone_label.
Obtained from:	TrustedBSD Project
2006-12-20 23:13:04 +00:00
rwatson
65458541b7 Clean up comments, trailing white space.
Provide a comment describing MAC_EXTERNALIZE().

Obtained from:	TrustedBSD Project
2006-12-20 23:12:36 +00:00
rwatson
97c0fff7b2 Re-wrap comment at 77 character columns. 2006-12-20 23:11:01 +00:00
rwatson
abc0e2cde9 Comment and white space cleanup.
Exapnd comments on System V IPC labeling methods, which could use improved
consistency with respect to other object types.

Obtained from:	TrustedBSD Project
2006-12-20 20:43:19 +00:00
rwatson
8fb47d67d7 Externalize local stack copy of the ifnet label, rather than the copy on
the ifnet itself.  The stack copy has been made while holding the mutex
protecting ifnet labels, so copying from the ifnet copy could result in
an inconsistent version being copied out.

Reported by:	Todd.Miller@sparta.com
Obtained from:	TrustedBSD Project
MFC after:	3 weeks
2006-12-20 20:40:29 +00:00
rwatson
5749ecccba Expand commenting on label slots, justification for the MAC Framework locking
model, interactions between locking and policy init/destroy methods.

Rewrap some comments to 77 character line wrap.

Obtained from:	TrustedBSD Project
2006-12-20 20:38:44 +00:00
csjp
3193aa5601 Teach the MAC policies which utilize mbuf labeling the new syncache
entry points.  Properly initialize the mbuf label based on the label
we copy from the PCB. This fixes an LOR between the PCB and syncache
code.
2006-12-13 06:03:22 +00:00
csjp
7aaca1dfe1 Fix LOR between the syncache and inpcb locks when MAC is present in the
kernel.  This LOR snuck in with some of the recent syncache changes.  To
fix this, the inpcb handling was changed:

- Hang a MAC label off the syncache object
- When the syncache entry is initially created, we pickup the PCB lock
  is held because we extract information from it while initializing the
  syncache entry.  While we do this, copy the MAC label associated with
  the PCB and use it for the syncache entry.
- When the packet is transmitted, copy the label from the syncache entry
  to the mbuf so it can be processed by security policies which analyze
  mbuf labels.

This change required that the MAC framework be extended to support the
label copy operations from the PCB to the syncache entry, and then from
the syncache entry to the mbuf.

These functions really should be referencing the syncache structure instead
of the label.  However, due to some of the complexities associated with
exposing this syncache structure we operate directly on it's label pointer.
This should be OK since we aren't making any access control decisions within
this code directly, we are merely allocating and copying label storage so
we can properly initialize mbuf labels for any packets the syncache code
might create.

This also has a nice side effect of caching.  Prior to this change, the
PCB would be looked up/locked for each packet transmitted.  Now the label
is cached at the time the syncache entry is initialized.

Submitted by:	andre [1]
Discussed with:	rwatson

[1] andre submitted the tcp_syncache.c changes
2006-12-13 06:00:57 +00:00
trhodes
58cca8458a Merge posix4/* into normal kernel hierarchy.
Reviewed by:	glanced at by jhb
Approved by:	silence on -arch@ and -standards@
2006-11-11 16:26:58 +00:00
rwatson
13dc4f1b11 Add stub entry point implementations of mpo_priv_check and mpo_priv_grant to
the mac_stub policy.

Obtained from:	TrustedBSD Project
2006-11-06 13:45:45 +00:00
rwatson
10d0d9cf47 Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
rwatson
7288104e20 Add a new priv(9) kernel interface for checking the availability of
privilege for threads and credentials.  Unlike the existing suser(9)
interface, priv(9) exposes a named privilege identifier to the privilege
checking code, allowing more complex policies regarding the granting of
privilege to be expressed.  Two interfaces are provided, replacing the
existing suser(9) interface:

suser(td)                 ->   priv_check(td, priv)
suser_cred(cred, flags)   ->   priv_check_cred(cred, priv, flags)

A comprehensive list of currently available kernel privileges may be
found in priv.h.  New privileges are easily added as required, but the
comments on adding privileges found in priv.h and priv(9) should be read
before doing so.

The new privilege interface exposed sufficient information to the
privilege checking routine that it will now be possible for jail to
determine whether a particular privilege is granted in the check routine,
rather than relying on hints from the calling context via the
SUSER_ALLOWJAIL flag.  For now, the flag is maintained, but a new jail
check function, prison_priv_check(), is exposed from kern_jail.c and used
by the privilege check routine to determine if the privilege is permitted
in jail.  As a result, a centralized list of privileges permitted in jail
is now present in kern_jail.c.

The MAC Framework is now also able to instrument privilege checks, both
to deny privileges otherwise granted (mac_priv_check()), and to grant
privileges otherwise denied (mac_priv_grant()), permitting MAC Policy
modules to implement privilege models, as well as control a much broader
range of system behavior in order to constrain processes running with
root privilege.

The suser() and suser_cred() functions remain implemented, now in terms
of priv_check() and the PRIV_ROOT privilege, for use during the transition
and possibly continuing use by third party kernel modules that have not
been updated.  The PRIV_DRIVER privilege exists to allow device drivers to
check privilege without adopting a more specific privilege identifier.

This change does not modify the actual security policy, rather, it
modifies the interface for privilege checks so changes to the security
policy become more feasible.

Sponsored by:		nCircle Network Security, Inc.
Obtained from:		TrustedBSD Project
Discussed on:		arch@
Reviewed (at least in part) by:	mlaier, jmg, pjd, bde, ceri,
			Alex Lyashkov <umka at sevcity dot net>,
			Skip Ford <skip dot ford at verizon dot net>,
			Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:37:19 +00:00
csjp
cf1f0416d1 Change the type of ar_arg_sockaddr from struct sockaddr to struct
sockaddr_storage.  This structure is defined in RFC 2553 and is a more
semantically correct structure for holding IP and IP6 sockaddr information.
struct sockaddr is not big enough to hold all the required information for
IP6, resulting in truncated addresses et al when auditing IP6 sockaddr
information.

We also need to assume that the sa->sa_len has been validated before the call to
audit_arg_sockaddr() is made, otherwise it could result in a buffer overflow.
This is being done to accommodate auditing of network related arguments (like
connect, bind et al) that will be added soon.

Discussed with:	rwatson
Obtained from:	TrustedBSD Project
MFC after:	2 weeks
2006-11-06 00:15:44 +00:00
rwatson
0c409b5873 Forward declare struct cdev, since arguments of this type are used in
function prototypes.

Obtained from:	TrustedBSD Project
2006-10-30 15:20:49 +00:00
rwatson
430a6e6576 Remove extra _MAC_ from #ifdef guard. 2006-10-25 13:14:25 +00:00
rwatson
7beaaf5cd2 Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h
begun with a repo-copy of mac.h to mac_framework.h.  sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.

This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA
2006-10-22 11:52:19 +00:00
rwatson
10cc7e208a Do allow jailed superuser to override the port ACL.
MFC after:	3 days
Submitted by:	Michal Mertl <mime at traveller dot cz>
2006-10-10 17:04:19 +00:00
csjp
fde20b9adc Mark the audit system calls as being un-implemented in jails. Currently we do
not trust jails enough to execute audit related system calls. An example of
this is with su(1), or login(1) within prisons. So, if the syscall request
comes from a jail return ENOSYS. This will cause these utilities to operate
as if audit is not present in the kernel.

Looking forward, this problem will be remedied by allowing non privileged
users to maintain and their own audit streams, but the details on exactly how
this will be implemented needs to be worked out.

This change should fix situations when options AUDIT has been compiled into
the kernel, and utilities like su(1), or login(1) fail due to audit system
call failures within jails.

This is a RELENG_6 candidate.

Reported by:	Christian Brueffer
Discussed with:	rwatson
MFC after:	3 days
2006-10-10 15:49:10 +00:00
rwatson
b648628439 Add BSM conversion switch entries for a number of system calls, many
administrative, to prevent console warnings and enable basic event
auditing (generally without arguments).

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-10-03 20:43:48 +00:00
rwatson
c780781f97 Trim some no longer XXX comments.
Remove some commented out debugging printfs.

MFC after:	3  days
Obtained from:	TrustedBSD Project
2006-10-02 11:32:23 +00:00