Commit Graph

44 Commits

Author SHA1 Message Date
Robert Watson
743d9c6a2d Implement mpo_check_system_acct and mpo_check_system_settime() for Biba:
require Biba privilege to configure either, and require that accounting
files be high integrity.  Note that this does allow implicit information
flow from low to high integrity, but it also protects the integrity
of accounting data.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 17:50:52 +00:00
Robert Watson
1980cf9b79 Correct use of mac_biba_subject_privileged() in swapon() code.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 17:36:47 +00:00
Robert Watson
dc858fcabe License and wording updates: NAI has authorized the removal of clause
three from their BSD-style license.  Also, s/NAI Labs/Network Associates
Laboratories/.
2002-11-04 01:53:12 +00:00
Maxime Henrion
e6faed4db0 Fix some warnings on 64 bit architectures. The vn_extattr_get()
function takes an int * parameter, not a size_t * parameter.

Arguably, it should rather take a size_t *, but that would
require changing the uio_resid field of struct uio to be a size_t
instead of an int, which I don't want to do that close to
5.0-RELEASE.

Reviewed by:	rwatson
2002-11-02 20:16:35 +00:00
Robert Watson
5c8dd34218 Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure.  Originally, we used a vector
for two reasons:

(1) We wanted to define the structure sparsely, which wasn't
    supported by the C compiler for structures.  For a policy
    with five entry points, you don't want to have to stick in
    a few hundred NULL function pointers.

(2) We thought it would improve ABI compatibility allowing modules
    to work with kernels that had a superset of the entry points
    defined in the module, even if the kernel had changed its
    entry point set.

Both of these no longer apply:

(1) C99 gives us a way to sparsely define a static structure.

(2) The ABI problems existed anyway, due to enumeration numbers,
    argument changes, and semantic mismatches.  Since the going
    rule for FreeBSD is that you really need your modules to
    pretty closely match your kernel, it's not worth the
    complexity.

This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions.  One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
Robert Watson
1979061b56 Various minor type, prototype tweaks -- clean up cruft due to lack of
type checking on entry points (to be introduced shortly).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 18:10:46 +00:00
Robert Watson
b914de36c0 While 'mode_t' seemed like a good idea for the access mode argument for
MAC access() and open() checks, the argument actually has an int type
where it becomes available.  Switch to using 'int' for the mode argument
throughout the MAC Framework and policy modules.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 17:56:57 +00:00
Robert Watson
26590ca793 Try again to fix the KASSERT. 2002-10-30 00:16:59 +00:00
Robert Watson
c7c2a7954a Fix a KASSERT bug that showed up only in the LINT build, not the
module build, so I missed it in the merge.

Pointed out by:	sam
2002-10-30 00:04:31 +00:00
Robert Watson
84c7715ec3 Implement Biba policy entry points for mac_check_system_swapon()
and mac_check_system_sysctl(), providing additional integrity
protections relating to swap target device selection and system
management via sysctl().  Require Biba privilege for both; also
require that the target of swap operations be a high integrity
object, since swap data is high integrity.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Asssociates Laboratories
2002-10-29 19:18:52 +00:00
Robert Watson
757db56952 Require Biba privilege to relabel a network interface.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-29 19:14:16 +00:00
Robert Watson
f30a9615fd Remove all reference to 'struct oldmac', since it's no longer required
with the new VFS/EA semantics in the MAC framework.  Move the per-policy
structures out to per-policy include files, removing all policy-specific
defines and structures out of the base framework includes and
implementation, making mac_biba and mac_mls entirely self-contained.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-28 19:44:05 +00:00
Robert Watson
6d65e3d4ca Add a return type for mac_biba_high_single(), apparently lost in an
earlier merge.  It's a 'static int'.
2002-10-28 19:18:29 +00:00
Robert Watson
566d99847b Rename mac_biba_subject_equal_ok() to mac_biba_subject_privileged()
to evolve the notion of Biba privilege a bit.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-28 19:17:39 +00:00
Robert Watson
ee3bf1710a Zero the trusted_interface buffer before starting parsing.
Print a warning if a requested interface name is longer than
IFNAMSIZ.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-28 19:16:44 +00:00
Robert Watson
763bbd2f4f Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label
right from inception.  For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system.  With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance.  This
also corrects sematics for shared vnode locks, which were not
previously present in the system.  This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form.  With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception.  We'll introduce a work around for this shortly.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
Robert Watson
103bcded1d Style fix: space between 'switch' and '('. 2002-10-22 19:01:49 +00:00
Robert Watson
f6f5401f61 Don't enforce MAC Biba policy for socket visibility if Biba is not
explicitly enabled.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 17:02:42 +00:00
Robert Watson
24e8d0d07b Adapt MAC policies for the new user API changes; teach policies how
to parse their own label elements (some cleanup to occur here in the
future to use the newly added kernel strsep()).  Policies now
entirely encapsulate their notion of label in the policy module.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 14:31:34 +00:00
Robert Watson
36cf29fd8d Introduce mac_biba_copy() and mac_mls_copy(), which conditionally
copy elements of one Biba or MLS label to another based on the flags
on the source label element.  Use this instead of
mac_{biba,mls}_{single,range}() to simplify the existing code, as
well as support partial label updates (we don't update if none is
requested).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 20:55:39 +00:00
Robert Watson
2a1c79af92 Add compartment support to Biba and MLS policies. The logic of the
policies remains the same: subjects and objects are labeled for
integrity or sensitivity, and a dominance operator determines whether
or not subject/object accesses are permitted to limit inappropriate
information flow.  Compartments are a non-hierarchal component to
the label, so add a bitfield to the label element for each, and a
set check as part of the dominance operator.  This permits the
implementation of "need to know" elements of MLS.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 18:42:01 +00:00
Robert Watson
2f7f04362b Demote sockets to single-label objects rather than maintaining a
range on them, leaving process credentials as the only kernel
objects with label ranges in the Biba and MLS policies.  We
weren't using the range in any access control decisions, so this
lets us garbage collect effectively unused code.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 18:05:12 +00:00
Robert Watson
6157bb02e8 Synchonize variable spelling with the MAC tree: we shortened some of
the names.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 17:05:48 +00:00
Robert Watson
b7c2a7f406 Since the Biba and MLS access checks are identical to the open checks,
collapse the two cases more cleanly: rather than wrapping an access
check around open, simply provide the open implementation for the
access vector entry.  No functional change.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 16:39:12 +00:00
Robert Watson
b5f072b5e1 Cleanup of relabel authorization checks -- almost identical logic,
we just break out some of the tests better.  Minor change in that
we now better support incremental update of labels.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 16:35:54 +00:00
Robert Watson
0b9b85b91d Add a twiddle to create PTY's with a biba/equal or mls/equal label
instead of the default biba/high, mls/low, making it easier to use
ptys with these policies.  This isn't the final solution, but does
help.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 04:15:40 +00:00
Robert Watson
82c6ef299e Trim accidentally introduced trailing whitespace. 2002-10-06 13:11:01 +00:00
Robert Watson
e183f80e54 Sync from MAC tree: break out the single mmap entry point into
seperate entry points for each occasion:

mac_check_vnode_mmap()		Check at initial mapping
mac_check_vnode_mprotect()	Check at mapping protection change
mac_check_vnode_mmap_downgrade()	Determine if a mapping downgrade
					should take place following
					subject relabel.

Implement mmap() and mprotect() entry points for labeled vnode
policies.  These entry points are currently not hooked up to the
VM system in the base tree.  These changes improve the consistency
of the access control interface and offer more flexibility regarding
limiting access to vnode mmaping.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-06 02:46:26 +00:00
Robert Watson
83985c267e Modify label allocation semantics for sockets: pass in soalloc's malloc
flags so that we can call malloc with M_NOWAIT if necessary, avoiding
potential sleeps while holding mutexes in the TCP syncache code.
Similar to the existing support for mbuf label allocation: if we can't
allocate all the necessary label store in each policy, we back out
the label allocation and fail the socket creation.  Sync from MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
Robert Watson
eea8ea3108 Implement mac_create_devfs_symlink() for policies that interact with
vnode labels.  Sync from MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 18:56:25 +00:00
Robert Watson
c27b50f5b4 Merge implementation of mpo_check_vnode_link() for various appropriate
file-system aware MAC policies.  Sync to MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 18:25:48 +00:00
Robert Watson
96adb90996 Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
  entry points to mpo_init_foo_label(label) and
  mpo_destroy_foo_label(label).  This will permit the use of the same
  entry points for holding temporary type-specific label during
  internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
  mpo_{init,destroy}_mount() into seperate entry points for socket
  main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
  all entry points, implement these entry points using common
  implementations for Biba, MLS, and Test, reducing the number of
  almost identical looking functions.

This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 15:10:00 +00:00
Robert Watson
7678df4487 Remove another missed trailing space. 2002-09-21 19:50:28 +00:00
Robert Watson
5784b0a22d Trim trailing whitespace from the ends of lines. 2002-09-21 19:26:59 +00:00
Robert Watson
13763f5074 Continue cleanup and sync of mac_biba and mac_mls policies to the
TrustedBSD MAC Perforce tree.  Remove unused functions
mac_biba_equal_range and mac_mls_equal_range, which determined if the
ranges in two range-enabled labels were equal.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-21 19:20:01 +00:00
Robert Watson
164634351b Remove mac_biba_high_single() check for interface renaming: we now
use the notion that a subject range of (low-high) connotes Biba
privilege rather than a single of high.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-21 19:01:44 +00:00
Robert Watson
728fbeea52 As INVARIANTS isn't supported for code that loads only as a kernel
module and is not linked into the base system, two KASSERT's rotted.
Fix them by fixing variable names.  It would be really nice if
opt_global.h was used when building modules as part of a buildkernel.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-21 18:29:37 +00:00
Bruce Evans
cebf94317e Include <sys/malloc.h> instead of depending on namespace pollution 2
layers deep in <sys/proc.h> or <sys/vnode.h>.
2002-09-10 12:45:02 +00:00
Robert Watson
8768e441cd Re-insert TUNABLE() export of MAC Biba and MAC MLS module 'enabled'
sysctls.  Apparently lost during some or another merge.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-05 18:52:52 +00:00
Robert Watson
177142e458 Pass active_cred and file_cred into the MAC framework explicitly
for mac_check_vnode_{poll,read,stat,write}().  Pass in fp->f_cred
when calling these checks with a struct file available.  Otherwise,
pass NOCRED.  All currently MAC policies use active_cred, but
could now offer the cached credential semantic used for the base
system security model.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 19:04:53 +00:00
Robert Watson
c024c3eeb1 Break out mac_check_pipe_op() into component check entry points:
mac_check_pipe_poll(), mac_check_pipe_read(), mac_check_pipe_stat(),
and mac_check_pipe_write().  This is improves consistency with other
access control entry points and permits security modules to only
control the object methods that they are interested in, avoiding
switch statements.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 16:59:37 +00:00
Robert Watson
7f724f8b51 Break out mac_check_vnode_op() into three seperate checks:
mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write().
This improves the consistency with other existing vnode checks, and
allows policies to avoid implementing switch statements to determine
what operations they do and do not want to authorize.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 16:43:25 +00:00
Robert Watson
fb95b5d3c3 Rename mac_check_socket_receive() to mac_check_socket_deliver() so that
we can use the names _receive() and _send() for the receive() and send()
checks.  Rename related constants, policy implementations, etc.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-15 18:51:27 +00:00
Robert Watson
d8a7b7a3cd Introduce support for Mandatory Access Control and extensible
kernel access control.

Provide implementations of some sample operating system security
policy extensions.  These are not yet hooked up to the build as
other infrastructure is still being committed.  Most of these
work fairly well and are in daily use in our development and (limited)
production environments.  Some are not yet in their final form,
and a number of the labeled policies waste a lot of kernel memory
and will be fixed over the next month or so to be more conservative.
They do give good examples of the flexibility of the MAC framework
for implementing a variety of security policies.

mac_biba:	Implementation of fixed-label Biba integrity policy,
		similar to those found in a number of commercial
		trusted operating systems.  All subjects and objects
		are assigned integrity levels, and information flow
		is controlled based on a read-up, write-down
		policy.  Currently, purely hierarchal.

mac_bsdextended:	Implementation of a "file system firewall",
		which allows the administrator to specify a series
		of rules limiting access by users and groups to
		objects owned by other users and groups.  This
		policy is unlabeled, relying on existing system
		security labeling (file permissions/ownership,
		process credentials).

mac_ifoff:	Secure interface silencing.  Special-purpose module
		to limit inappropriate out-going network traffic
		for silent monitoring scenarios.  Prevents the
		various network stacks from generating any output
		despite an interface being live for reception.

mac_mls:	Implementation of fixed-label Multi-Level Security
		confidentiality policy, similar to those found in
		a number of commercial trusted operating systems.
		All subjects and objects are assigned confidentiality
		levels, and information flow is controlled based on
		a write-up, read-down policy.  Currently, purely
		hiearchal, although non-hierarchal support is in the
		works.

mac_none:	Policy module implementing all MAC policy entry
		points with empty stubs.  A good place to start if
		you want all the prototypes types in for you, and
		don't mind a bit of pruning.  Can be loaded, but
		has no access control impact.  Useful also for
		performance measurements.

mac_seeotheruids:	Policy module implementing a security service
		similar to security.bsd.seeotheruids, only a slightly
		more detailed policy involving exceptions for members
		of specific groups, etc.  This policy is unlabeled,
		relying on existing system security labeling
		(process credentials).

mac_test:	Policy module implementing basic sanity tests for
		label handling.  Attempts to ensure that labels are
		not freed multiple times, etc, etc.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-31 18:07:45 +00:00