Commit Graph

789 Commits

Author SHA1 Message Date
csjp
91a570b2e4 Add support for extended header BSM tokens. Currently we use the
regular header tokens.  The extended header tokens contain an IP
or IPv6 address which makes it possible to identify which host an
audit record came from when audit records are centralized.

If the host information has not been specified, the system will
default to the old style headers.  Otherwise, audit records that
are created as a result of system calls will contain host information.

This implemented has been designed to be consistent with the Solaris
implementation.  Host information is set/retrieved using the A_GETKAUDIT
and A_SETKAUDIT auditon(2) commands.  These commands require that a
pointer to a auditinfo_addr_t object is passed.  Currently only IP and
IPv6 address families are supported.

The users pace bits associated with this change will follow in an
openbsm import.

Reviewed by:	rwatson, (sson, wsalamon (older version))
MFC after:	1 month
2008-11-11 21:57:03 +00:00
rwatson
1e366119d6 Wrap sx locking of the audit worker sleep lock in macros, update comments.
MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-10 22:06:24 +00:00
jhb
fb34cedca4 Use shared vnode locks for auditing vnode arguments as auditing only
does a VOP_GETATTR() which does not require an exclusive lock.

Reviewed by:	csjp, rwatson
2008-11-04 22:31:04 +00:00
jhb
d4ebbe30ce Don't lock the vnode around calls to vn_fullpath().
Reviewed by:	csjp, rwatson
2008-11-04 22:30:24 +00:00
rwatson
20831b1f86 Update introductory comment for audit pipes.
MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-02 00:25:48 +00:00
rwatson
368cc5044a Remove stale comment about filtering in audit pipe ioctl routine: we do
support filtering now, although we may want to make it more interesting
in the future.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-02 00:18:19 +00:00
rwatson
3f0f3e5028 Add comment for per-pipe stats.
MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-01 23:05:49 +00:00
rwatson
64f6525f93 We only allow a partial read of the first record in an audit pipe
record queue, so move the offset field from the per-record
audit_pipe_entry structure to the audit_pipe structure.

Now that we support reading more than one record at a time, add a
new summary field to audit_pipe, ap_qbyteslen, which tracks the
total number of bytes present in a pipe, and return that (minus
the current offset) via FIONREAD and kqueue's data variable for
the pending byte count rather than the number of bytes remaining
in only the first record.

Add a number of asserts to confirm that these counts and offsets
following the expected rules.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-01 21:56:45 +00:00
rwatson
f8873b326d Allow a single read(2) system call on an audit pipe to retrieve data from
more than one audit record at a time in order to improve efficiency.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-01 21:16:09 +00:00
rwatson
efc5b661a1 Since there is no longer the opportunity for record truncation, just
return 0 if the truncation counter is queried on an audit pipe.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-10-31 15:11:01 +00:00
rwatson
6f79887fc5 Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped.  Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.

This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record.  Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush.  Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.

It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-10-31 14:40:21 +00:00
rwatson
81bbfda754 When we drop an audit record going to and audit pipe because the audit
pipe has overflowed, drop the newest, rather than oldest, record.  This
makes overflow drop behavior consistent with memory allocation failure
leading to drop, avoids touching the consumer end of the queue from a
producer, and lowers the CPU overhead of dropping a record by dropping
before memory allocation and copying.

Obtained from:	Apple, Inc.
MFC after:	2 months
2008-10-30 23:09:19 +00:00
rwatson
7e2b08356c Break out single audit_pipe_mtx into two types of locks: a global rwlock
protecting the list of audit pipes, and a per-pipe mutex protecting the
queue.

Likewise, replace the single global condition variable used to signal
delivery of a record to one or more pipes, and add a per-pipe condition
variable to avoid spurious wakeups when event subscriptions differ
across multiple pipes.

This slightly increases the cost of delivering to audit pipes, but should
reduce lock contention in the presence of multiple readers as only the
per-pipe lock is required to read from a pipe, as well as avoid
overheading when different pipes are used in different ways.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-10-30 21:58:39 +00:00
rwatson
c2d297d449 Protect the event->class lookup database using an rwlock instead of a
mutex, as it's rarely changed but frequently accessed read-only from
multiple threads, so a potentially significant source of contention.

MFC after:	1 month
Sponsored by:	Apple, Inc.
2008-10-30 17:47:57 +00:00
rwatson
fbca48f8d5 The V* flags passed using an accmode_t to the access() and open()
access control checks in mac_bsdextended are not in the same
namespace as the MBI_ flags used in ugidfw policies, so add an
explicit conversion routine to get from one to the other.

Obtained from:	TrustedBSD Project
2008-10-30 10:13:53 +00:00
trasz
21b7d783c9 Commit part of accmode_t changes that I missed in previous commit.
Approved by:	rwatson (mentor)
2008-10-28 21:57:32 +00:00
rwatson
f29a8ec282 Break out strictly credential-related portions of mac_process.c into a
new file, mac_cred.c.

Obtained from:	TrustedBSD Project
2008-10-28 21:53:10 +00:00
trasz
0ad8692247 Introduce accmode_t. This is required for NFSv4 ACLs - it will be neccessary
to add more V* constants, and the variables changed by this patch were often
being assigned to mode_t variables, which is 16 bit.

Approved by:	rwatson (mentor)
2008-10-28 13:44:11 +00:00
rwatson
bc67134909 Rename mac_cred_mmapped_drop_perms(), which revokes access to virtual
memory mappings when the MAC label on a process changes, to
mac_proc_vm_revoke(),

It now also acquires its own credential reference directly from the
affected process rather than accepting one passed by the the caller,
simplifying the API and consumer code.

Obtained from:	TrustedBSD Project
2008-10-28 12:49:07 +00:00
rwatson
a2129bd144 Rename three MAC entry points from _proc_ to _cred_ to reflect the fact
that they operate directly on credentials: mac_proc_create_swapper(),
mac_proc_create_init(), and mac_proc_associate_nfsd().  Update policies.

Obtained from:	TrustedBSD Project
2008-10-28 11:33:06 +00:00
rwatson
4d410d139b Extended comment on why we consider a partition relabel request of "0" to
be a no-op request, and why this might have to change if we want to allow
leaving a partition someday.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2008-10-28 09:16:34 +00:00
rwatson
fde7dde174 Rename label_on_label() to partition_check(), which is far more
suggestive as to its actual function.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2008-10-28 09:12:13 +00:00
rwatson
14f91d091b Improve alphabetical sort order of stub entry points. 2008-10-28 08:50:09 +00:00
rwatson
e7cc073f03 When the mac_bsdextended policy is unloaded, free rule memory.
Obtained from:	TrustedBSD Project
MFC after:	3 days
2008-10-27 18:08:12 +00:00
rwatson
49799059b1 Add TrustedBSD credit to new ugidfw_internal.h file. 2008-10-27 12:12:23 +00:00
rwatson
3adba7f0f0 Break mac_bsdextended.c out into multiple .c files, with the base access
control logic and policy registration remaining in that file, and access
control checks broken out into other files by class of check.

Obtained from:	TrustedBSD Project
2008-10-27 12:09:15 +00:00
rwatson
af744391b6 Copy mac_bsdextended.c to two object-specific files as a prototype for how
modularize MAC policy layout.

Obtained from:	TrustedBSD Project
2008-10-27 11:46:19 +00:00
rwatson
432d006bae Implement MAC policy support for IPv6 fragment reassembly queues,
modeled on IPv4 fragment reassembly queue support.

Obtained from:	TrustedBSD Project
2008-10-26 22:46:37 +00:00
rwatson
0db6d4519c Add a MAC label, MAC Framework, and MAC policy entry points for IPv6
fragment reassembly queues.

This allows policies to label reassembly queues, perform access
control checks when matching fragments to a queue, update a queue
label when fragments are matched, and label the resulting
reassembled datagram.

Obtained from:	TrustedBSD Project
2008-10-26 22:45:18 +00:00
des
a1e1ad22e0 Fix a number of style issues in the MALLOC / FREE commit. I've tried to
be careful not to fix anything that was already broken; the NFSv4 code is
particularly bad in this respect.
2008-10-23 20:26:15 +00:00
des
66f807ed8b Retire the MALLOC and FREE macros. They are an abomination unto style(9).
MFC after:	3 months
2008-10-23 15:53:51 +00:00
bz
def7b5012b Add a mac_inpcb_check_visible implementation to all MAC policies
that handle mac_socket_check_visible.

Reviewed by:	rwatson
MFC after:	3 months (set timer; decide then)
2008-10-17 15:11:12 +00:00
bz
14874ad4f1 Add mac_inpcb_check_visible MAC Framework entry point, which is similar
to mac_socket_check_visible but operates on the inpcb.

Reviewed by:	rwatson
MFC after:	3 months (set timer, decide then)
2008-10-17 12:54:28 +00:00
bz
8e885f7f2d Use the label from the socket credential rather than the
solabel which was not set by the mac_partition policy.

Spotted by:	rwatson
Reviewed by:	rwatson
MFC after:	3 days
2008-10-17 08:58:33 +00:00
ed
4212d51a7d Remove unit2minor() use from kernel code.
When I changed kern_conf.c three months ago I made device unit numbers
equal to (unneeded) device minor numbers. We used to require
bitshifting, because there were eight bits in the middle that were
reserved for a device major number. Not very long after I turned
dev2unit(), minor(), unit2minor() and minor2unit() into macro's.
The unit2minor() and minor2unit() macro's were no-ops.

We'd better not remove these four macro's from the kernel, because there
is a lot of (external) code that may still depend on them. For now it's
harmless to remove all invocations of unit2minor() and minor2unit().

Reviewed by:	kib
2008-09-26 14:19:52 +00:00
attilio
23ff3dbeb8 Remove the suser(9) interface from the kernel. It has been replaced from
years by the priv_check(9) interface and just very few places are left.
Note that compatibility stub with older FreeBSD version
(all above the 8 limit though) are left in order to reduce diffs against
old versions. It is responsibility of the maintainers for any module, if
they think it is the case, to axe out such cases.

This patch breaks KPI so __FreeBSD_version will be bumped into a later
commit.

This patch needs to be credited 50-50 with rwatson@ as he found time to
explain me how the priv_check() works in detail and to review patches.

Tested by:      Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
Reviewed by:    rwatson
2008-09-17 15:49:44 +00:00
trasz
9303940ffe Remove VSVTX, VSGID and VSUID. This should be a no-op,
as VSVTX == S_ISVTX, VSGID == S_ISGID and VSUID == S_ISUID.

Approved by:	rwatson (mentor)
2008-09-10 13:16:41 +00:00
des
b5bc5d965b Unbreak the build.
Pointy hat to:	kevlo
2008-09-04 13:06:36 +00:00
kevlo
9f7bbf786b If the process id specified is invalid, the system call returns ESRCH 2008-09-04 10:44:33 +00:00
attilio
dbf35e279f Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread
was always curthread and totally unuseful.

Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
2008-08-28 15:23:18 +00:00
rwatson
acf5da1d35 More fully audit fexecve(2) and its arguments.
Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
2008-08-25 13:50:01 +00:00
rwatson
7815fba39c Use ERANGE instead of EOVERFLOW selected in r182059, this seems more
appropriate even if Solaris doesn't document it (E2BIG) or use it
(EOVERFLOW).

Submitted by:	nectar at apple dot com
Sponsored by:	Apple, Inc.
MFC after:	3 days
2008-08-24 19:55:10 +00:00
csjp
5419874562 Use sbuf_putc instead of sbuf_cat. This makes more sense, since we are
appending a single character to the buffer.

MFC after:	2 weeks
2008-08-24 03:12:17 +00:00
rwatson
78a117e6fa Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
    so that the general exec code isn't aware of the details of
    allocating, copying, and freeing labels, rather, simply passes in
    a void pointer to start and stop functions that will be used by
    the framework.  This change will be MFC'd.

(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
    allowing policies to declare which types of objects require label
    allocation, initialization, and destruction, and define a set of
    flags covering various supported object types (MPC_OBJECT_PROC,
    MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...).  This change reduces the
    overhead of compiling the MAC Framework into the kernel if policies
    aren't loaded, or if policies require labels on only a small number
    or even no object types.  Each time a policy is loaded or unloaded,
    we recalculate a mask of labeled object types across all policies
    present in the system.  Eliminate MAC_ALWAYS_LABEL_MBUF option as it
    is no longer required.

MFC after:	1 week ((1) only)
Reviewed by:	csjp
Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
2008-08-23 15:26:36 +00:00
rwatson
74fdf0ae73 When getaudit(2) is unable to fit the terminal IPv6 address into the
space provided by its argument structure, return EOVERFLOW instead of
E2BIG.  The latter is documented in Solaris's man page, but the
former is implemented.  In either case, the caller should use
getaudit_addr(2) to return the IPv6 address.

Submitted by:	sson
Obtained from:	Apple, Inc.
MFC after:	3 days
2008-08-23 14:39:01 +00:00
csjp
4c2ecbd8bd Make sure we check the preselection masks present for all audit pipes.
It is possible that the audit pipe(s) have different preselection configs
then the global preselection mask.

Spotted by:	Vincenzo Iozzo
MFC after:	2 weeks
2008-08-11 20:14:56 +00:00
des
c2c1c946ae Add sbuf_new_auto as a shortcut for the very common case of creating a
completely dynamic sbuf.

Obtained from:	Varnish
MFC after:	2 weeks
2008-08-09 11:14:05 +00:00
rwatson
e6f6fc88e2 Minor style tweaks. 2008-08-02 22:30:51 +00:00
rwatson
7b3a18a595 Rename mac_partition_enabled to partition_enabled to synchronize with
other policies that similarly now avoid the additional mac_ prefix on
variables.

MFC after:	soon
2008-08-02 20:53:59 +00:00
rwatson
e3839f1499 In mac_bsdextended's auditctl and acct policy access control checks,
return success if the passed vnode pointer is NULL (rather than
panicking).  This can occur if either audit or accounting are
disabled while the policy is running.

Since the swapoff control has no real relevance to this policy,
which is concerned about intent to write rather than water under the
bridge, remove it.

PR:             kern/126100
Reported by:    Alan Amesbury <amesbury at umn dot edu>
MFC after:      3 days
2008-07-31 20:49:12 +00:00
csjp
743d0edd92 Currently, BSM audit pathname token generation for chrooted or jailed
processes are not producing absolute pathname tokens.  It is required
that audited pathnames are generated relative to the global root mount
point.  This modification changes our implementation of audit_canon_path(9)
and introduces a new function: vn_fullpath_global(9) which performs a
vnode -> pathname translation relative to the global mount point based
on the contents of the name cache.  Much like vn_fullpath,
vn_fullpath_global is a wrapper function which called vn_fullpath1.

Further, the string parsing routines have been converted to use the
sbuf(9) framework.  This change also removes the conditional acquisition
of Giant, since the vn_fullpath1 method will not dip into file system
dependent code.

The vnode locking was modified to use vhold()/vdrop() instead the vref()
and vrele().  This will modify the hold count instead of modifying the
user count.  This makes more sense since it's the kernel that requires
the reference to the vnode.  This also makes sure that the vnode does not
get recycled we hold the reference to it. [1]

Discussed with:	rwatson
Reviewed by:	kib [1]
MFC after:	2 weeks
2008-07-31 16:57:41 +00:00
rwatson
b8596e4794 Further synchronization of copyrights, licenses, white space, etc from
Apple and from the OpenBSM vendor tree.

Obtained from:	Apple Inc., TrustedBSD Project
MFC after:	3 days
2008-07-31 09:54:35 +00:00
rwatson
5a7f32b6bb Minor white space tweak.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-23 07:42:31 +00:00
rwatson
cd2c5f1658 If an AUE_SYSCTL_NONADMIN audit event is selected, generate a record
with equivilent content to AUE_SYSCTL.

Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:54:32 +00:00
rwatson
08b4415065 Further minor style fixes to audit.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:49:30 +00:00
rwatson
127019df41 Remove unneeded \ at the end of a macro.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:08:27 +00:00
rwatson
50a48758fb Further minor white space tweaks.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:06:49 +00:00
rwatson
979e045da6 Generally avoid <space><tab> as a white space anomoly.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:44:48 +00:00
rwatson
e116c89c78 Use #define<tab> rather than #define<space>.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:21:59 +00:00
rwatson
91cafa1d13 Comment fix.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:02:21 +00:00
rwatson
1c685378bd Comment typo fix.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:54:10 +00:00
rwatson
01de8b976c Minor white space synchronization to Apple version of security audit.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:49:19 +00:00
rwatson
6a481435b2 In preparation to sync Apple and FreeBSD versions of security audit,
pick up the Apple Computer -> Apple change in their copyright and
license templates.

Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:29:48 +00:00
rwatson
c3ca4b7705 Use unsigned int when iterating over groupsets in audit_arg_groupset().
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:17:21 +00:00
jhb
411d068395 Rework the lifetime management of the kernel implementation of POSIX
semaphores.  Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec.  This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely.  It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.

Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
  the sem_unlink() operation.  Prior to this patch, if a semaphore's name
  was removed, valid handles from sem_open() would get EINVAL errors from
  sem_getvalue(), sem_post(), etc.  This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
  process exited or exec'd.  They were only cleaned up if the process
  did an explicit sem_destroy().  This could result in a leak of semaphore
  objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
  'struct ksem' of an unnamed semaphore (created via sem_init)) and had
  write access to the semaphore based on UID/GID checks, then that other
  process could manipulate the semaphore via sem_destroy(), sem_post(),
  sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
  creating the semaphore was not honored.  Thus if your umask denied group
  read/write access but the explicit mode in the sem_init() call allowed
  it, the semaphore would be readable/writable by other users in the
  same group, for example.  This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
  then it might have deregistered one or more of the semaphore system
  calls before it noticed that there was a problem.  I'm not sure if
  this actually happened as the order that modules are discovered by the
  kernel linker depends on how the actual .ko file is linked.  One can
  make the order deterministic by using a single module with a mod_event
  handler that explicitly registers syscalls (and deregisters during
  unload after any checks).  This also fixes a race where even if the
  sem_module unloaded first it would have destroyed locks that the
  syscalls might be trying to access if they are still executing when
  they are unloaded.

  XXX: By the way, deregistering system calls doesn't do any blocking
  to drain any threads from the calls.
- Some minor fixes to errno values on error.  For example, sem_init()
  isn't documented to return ENFILE or EMFILE if we run out of semaphores
  the way that sem_open() can.  Instead, it should return ENOSPC in that
  case.

Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
  named semaphores nearly in a similar fashion to the POSIX shared memory
  object file descriptors.  Kernel semaphores can now also have names
  longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
  in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
  done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
  MAC checks for POSIX semaphores accept both a file credential and an
  active credential.  There is also a new posixsem_check_stat() since it
  is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
  in src/tools/regression/posixsem.

Reported by:	kris (1)
Tested by:	kris
Reviewed by:	rwatson (lightly)
MFC after:	1 month
2008-06-27 05:39:04 +00:00
jhb
fd5bd912ed Add missing counter increments for posix shm checks. 2008-06-26 13:49:32 +00:00
jhb
437891381c Remove the posixsem_check_destroy() MAC check. It is semantically identical
to doing a MAC check for close(), but no other types of close() (including
close(2) and ksem_close(2)) have MAC checks.

Discussed with:	rwatson
2008-06-23 21:37:53 +00:00
rwatson
f07c38e84a The TrustedBSD MAC Framework named struct ipq instances 'ipq', which is the
same as the global variable defined in ip_input.c.  Instead, adopt the name
'q' as found in about 1/2 of uses in ip_input.c, preventing a collision on
the name.  This is non-harmful, but means that search and replace on the
global works less well (as in the virtualization work), as well as indexing
tools.

MFC after:	1 week
Reported by:	julian
2008-06-13 22:14:15 +00:00
ed
1bfc292986 Don't enforce unique device minor number policy anymore.
Except for the case where we use the cloner library (clone_create() and
friends), there is no reason to enforce a unique device minor number
policy. There are various drivers in the source tree that allocate unr
pools and such to provide minor numbers, without using them themselves.

Because we still need to support unique device minor numbers for the
cloner library, introduce a new flag called D_NEEDMINOR. All cdevsw's
that are used in combination with the cloner library should be marked
with this flag to make the cloning work.

This means drivers can now freely use si_drv0 to store their own flags
and state, making it effectively the same as si_drv1 and si_drv2. We
still keep the minor() and dev2unit() routines around to make drivers
happy.

The NTFS code also used the minor number in its hash table. We should
not do this anymore. If the si_drv0 field would be changed, it would no
longer end up in the same list.

Approved by:	philip (mentor)
2008-06-11 18:55:19 +00:00
simon
8f581f70ee When the file-system containing the audit log file is running low on
disk space a warning is printed.  Make this warning a bit more
informative.

Approved by:	rwatson
2008-06-10 20:05:32 +00:00
rwatson
0b6c9d6ea7 Add an XXX comment regarding a bug I introduced when modifying the behavior
of audit log vnode rotation: on shutdown, we may not properly drain all
pending records, which could lead to lost records during system shutdown.
2008-06-03 11:06:34 +00:00
csjp
6ccab77b96 Plug a memory leak which can occur when multiple MAC policies are loaded
which label mbufs.  This leak can occur if one policy successfully allocates
label storage and subsequent allocations from other policies fail.

Spotted by:	rwatson
MFC after:	1 week
2008-05-27 14:18:02 +00:00
rwatson
16646c6d68 Don't use LK_DRAIN before calling VOP_FSYNC() in the two further
panic cases for audit trail failure -- this doesn't contribute
anything, and might arguably be wrong.

MFC after:	1 week
Requested by:	attilio
2008-05-21 13:59:05 +00:00
rwatson
375312ef89 Don't use LK_DRAIN before calling VOP_FSYNC() in the panic case for
audit trail failure -- this doesn't contribute anything, and might
arguably be wrong.

MFC after:	1 week
Requested by:	attilio
2008-05-21 13:05:06 +00:00
rwatson
3b1946ec17 When testing whether to enter the audit argument gathering code, rather
than checking whether audit is enabled globally, instead check whether
the current thread has an audit record.  This avoids entering the audit
code to collect argument data if auditing is enabled but the current
system call is not of interest to audit.

MFC after:	1 week
Sponsored by:	Apple, Inc.
2008-05-06 00:32:23 +00:00
rwatson
88f4417272 Fix include guard spelling.
MFC after:	3 days
Submitted by:	diego
2008-04-27 15:51:49 +00:00
rwatson
71caf14a53 Use logic or, not binary or, when deciding whether or not a system call
exit requires entering the audit code.  The result is much the same,
but they mean different things.

MFC afer:	3 days
Submitted by:	Diego Giagio <dgiagio at gmail dot com>
2008-04-24 12:23:31 +00:00
rwatson
c7094ab9ab When auditing state from an IPv4 or IPv6 socket, use read locks on the
inpcb rather than write locks.

MFC after:	3 months
2008-04-19 18:37:08 +00:00
rwatson
1a186b0eb9 When propagating a MAC label from an inpcb to an mbuf, allow read and
write locks on the inpcb, not just write locks.

MFC after:	3 months
2008-04-19 18:35:27 +00:00
rwatson
ca47fccd6b Convert pcbinfo and inpcb mutexes to rwlocks, and modify macros to
explicitly select write locking for all use of the inpcb mutex.
Update some pcbinfo lock assertions to assert locked rather than
write-locked, although in practice almost all uses of the pcbinfo
rwlock main exclusive, and all instances of inpcb lock acquisition
are exclusive.

This change should introduce (ideally) little functional change.
However, it lays the groundwork for significantly increased
parallelism in the TCP/IP code.

MFC after:	3 months
Tested by:	kris (superset of committered patch)
2008-04-17 21:38:18 +00:00
rwatson
780b65a710 Use __FBSDID() for $FreeBSD$ IDs in the audit code.
MFC after:	3 days
2008-04-13 22:06:56 +00:00
rwatson
cb6449b749 Make naming of include guards for MAC Framework include files more
consistent with other kernel include guards (don't start with _SYS).

MFC after:	3 days
2008-04-13 21:45:52 +00:00
kib
eff8c6d35e Add the support for the AT_FDCWD and fd-relative name lookups to the
namei(9).

Based on the submission by rdivacky,
	sponsored by Google Summer of Code 2007
Reviewed by:	rwatson, rdivacky
Tested by:	pho
2008-03-31 12:01:21 +00:00
rwatson
877d7c65ba In keeping with style(9)'s recommendations on macros, use a ';'
after each SYSINIT() macro invocation.  This makes a number of
lightweight C parsers much happier with the FreeBSD kernel
source, including cflow's prcc and lxr.

MFC after:	1 month
Discussed with:	imp, rink
2008-03-16 10:58:09 +00:00
rwatson
baba1ffed6 Remove XXX to remind me to check the free space calculation, which to my
eyes appears right following a check.

MFC after:	3 days
2008-03-10 18:15:02 +00:00
csjp
af9b2bc27f Change auditon(2) so that if somebody supplies an invalid command, it
returns EINVAL. Right now we return 0 or success for invalid commands,
which could be quite problematic in certain conditions.

MFC after:	1 week
Discussed with:	rwatson
2008-03-06 22:57:03 +00:00
rwatson
db38a25102 Rather than copying out the full audit trigger record, which includes
a queue entry field, just copy out the unsigned int that is the trigger
message.  In practice, auditd always requested sizeof(unsigned int), so
the extra bytes were ignored, but copying them out was not the intent.

MFC after:	1 month
2008-03-02 21:34:17 +00:00
rwatson
5461383352 Add audit_prefixes to two more globally visible functions in the Audit
implementation.

MFC after:	1 month
2008-03-01 11:40:49 +00:00
rwatson
ac01550a5d Rename globally exposed symbol send_trigger() to audit_send_trigger().
MFC after:	1 month
2008-03-01 11:04:04 +00:00
rwatson
76461e66bc Replace somewhat awkward audit trail rotation scheme, which involved the
global audit mutex and condition variables, with an sx lock which protects
the trail vnode and credential while in use, and is acquired by the system
call code when rotating the trail.  Previously, a "message" would be sent
to the kernel audit worker, which did the rotation, but the new code is
simpler and (hopefully) less error-prone.

Obtained from:	TrustedBSD Project
MFC after:	1 month
2008-02-27 17:12:22 +00:00
rwatson
2cf50b2daa Rename several audit functions in the global kernel symbol namespace to
have audit_ on the front:

- canon_path -> audit_canon_path
- msgctl_to_event -> audit_msgctl_to_event
- semctl_to_event -> audit_semctl_to_event

MFC after:	1 month
2008-02-25 20:28:00 +00:00
csjp
03cdec7669 Make sure that the termid type is initialized to AU_IPv4 by default.
This makes sure that process tokens credentials with un-initialized
audit contexts are handled correctly.  Currently, when invariants are
enabled, this change fixes a panic by ensuring that we have a valid
termid family.  Also, this fixes token generation for process tokens
making sure that userspace is always getting a valid token.

This is consistent with what Solaris does when an audit context is
un-initialized.

Obtained from:	TrustedBSD Project
MFC after:	1 week
2008-01-28 17:33:46 +00:00
rwatson
3043fa2dca Properly return the error from mls_subject_privileged() in the ifnet
relabel check for MLS rather than returning 0 directly.

This problem didn't result in a vulnerability currently as the central
implementation of ifnet relabeling also checks for UNIX privilege, and
we currently don't guarantee containment for the root user in mac_mls,
but we should be using the MLS definition of privilege as well as the
UNIX definition in anticipation of supporting root containment at some
point.

MFC after:	3 days
Submitted by:	Zhouyi Zhou <zhouzhouyi at gmail dot com>
Sponsored by:	Google SoC 2007
2008-01-28 10:20:18 +00:00
csjp
6f5423890a Fix gratuitous whitespace bug
MFC after:	1 week
Obtained from:	TrustedBSD Project
2008-01-18 19:57:21 +00:00
csjp
ad1f18f4a9 Add a case for AUE_LISTEN. This removes the following console error message:
"BSM conversion requested for unknown event 43140"

It should be noted that we need to audit the fd argument for this system
call.

Obtained from:	TrustedBSD Project
MFC after:	1 week
2008-01-18 19:50:34 +00:00
attilio
71b7824213 VOP_LOCK1() (and so VOP_LOCK()) and VOP_UNLOCK() are only used in
conjuction with 'thread' argument passing which is always curthread.
Remove the unuseful extra-argument and pass explicitly curthread to lower
layer functions, when necessary.

KPI results broken by this change, which should affect several ports, so
version bumping and manpage update will be further committed.

Tested by: kris, pho, Diego Sardina <siarodx at gmail dot com>
2008-01-13 14:44:15 +00:00
attilio
18d0a0dd51 vn_lock() is currently only used with the 'curthread' passed as argument.
Remove this argument and pass curthread directly to underlying
VOP_LOCK1() VFS method. This modify makes the code cleaner and in
particular remove an annoying dependence helping next lockmgr() cleanup.
KPI results, obviously, changed.

Manpage and FreeBSD_version will be updated through further commits.

As a side note, would be valuable to say that next commits will address
a similar cleanup about VFS methods, in particular vop_lock1 and
vop_unlock.

Tested by:	Diego Sardina <siarodx at gmail dot com>,
		Andrea Di Pasquale <whyx dot it at gmail dot com>
2008-01-10 01:10:58 +00:00
jhb
8cd9437636 Add a new file descriptor type for IPC shared memory objects and use it to
implement shm_open(2) and shm_unlink(2) in the kernel:
- Each shared memory file descriptor is associated with a swap-backed vm
  object which provides the backing store.  Each descriptor starts off with
  a size of zero, but the size can be altered via ftruncate(2).  The shared
  memory file descriptors also support fstat(2).  read(2), write(2),
  ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared
  memory file descriptors.
- shm_open(2) and shm_unlink(2) are now implemented as system calls that
  manage shared memory file descriptors.  The virtual namespace that maps
  pathnames to shared memory file descriptors is implemented as a hash
  table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash
  of the pathname.
- As an extension, the constant 'SHM_ANON' may be specified in place of the
  path argument to shm_open(2).  In this case, an unnamed shared memory
  file descriptor will be created similar to the IPC_PRIVATE key for
  shmget(2).  Note that the shared memory object can still be shared among
  processes by sharing the file descriptor via fork(2) or sendmsg(2), but
  it is unnamed.  This effectively serves to implement the getmemfd() idea
  bandied about the lists several times over the years.
- The backing store for shared memory file descriptors are garbage
  collected when they are not referenced by any open file descriptors or
  the shm_open(2) virtual namespace.

Submitted by:	dillon, peter (previous versions)
Submitted by:	rwatson (I based this on his version)
Reviewed by:	alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
rwatson
bdee30611d Add a new 'why' argument to kdb_enter(), and a set of constants to use
for that argument.  This will allow DDB to detect the broad category of
reason why the debugger has been entered, which it can use for the
purposes of deciding which DDB script to run.

Assign approximate why values to all current consumers of the
kdb_enter() interface.
2007-12-25 17:52:02 +00:00
wkoszek
a8e6c33502 Change "audit_pipe_preselect" to "audit_pipe_presel" to make it print
with proper alignment in ddb(4) and vmstat(8).

Reviewed by:	rwatson@
2007-12-25 13:23:19 +00:00
rwatson
658a0a8d45 Fix a MAC label leak for POSIX semaphores, in which per-policy labels
would be properly disposed of, but the global label structure for the
semaphore wouldn't be freed.

MFC after:	3 days
Reported by:	tanyong <tanyong at ercist dot iscas dot ac dot cn>,
		zhouzhouyi
2007-12-17 17:26:32 +00:00
wkoszek
354f6f4c2e Explicitly initialize 'ret' to 0'. It lets one to build tmpfs from the
latest source tree with older compiler--gcc3.

Approved by:	cognet (mentor)
2007-12-04 20:20:59 +00:00
rwatson
aaad69006f Implement per-object type consistency checks for labels passed to
'internalize' operations rather than using a single common check.

Obtained from:	TrustedBSD Project
2007-10-30 00:01:28 +00:00
rwatson
21a7ea24a4 Replace use of AU_NULL with 0 when no audit classes are in use; this
supports the removal of hard-coded audit class constants in OpenBSM
1.0.  All audit classes are now dynamically configured via the
audit_class database.

Obtained from:	TrustedBSD Project
2007-10-29 18:07:48 +00:00
rwatson
d0482ebdae Canonicalize names of local variables.
Add some missing label checks in mac_test.

Obtained from:	TrustedBSD Project
2007-10-29 15:30:47 +00:00
rwatson
a426571905 Resort TrustedBSD MAC Framework policy entry point implementations and
declarations to match the object, operation sort order in the framework
itself.

Obtained from:	TrustedBSD Project
2007-10-29 13:33:06 +00:00
rwatson
80e186726f Add missing mac_test labeling and sleep checks for the syncache.
Discussed with:	csjp
Obtained from:	TrustedBSD Project
2007-10-28 18:33:31 +00:00
rwatson
54102acdd3 Garbage collect mac_mbuf_create_multicast_encap TrustedBSD MAC Framework
entry point, which is no longer required now that we don't support
old-style multicast tunnels.  This removes the last mbuf object class
entry point that isn't init/copy/destroy.

Obtained from:	TrustedBSD Project
2007-10-28 17:55:57 +00:00
rwatson
369fd04f48 Continue to move from generic network entry points in the TrustedBSD MAC
Framework by moving from mac_mbuf_create_netlayer() to more specific
entry points for specific network services:

- mac_netinet_firewall_reply() to be used when replying to in-bound TCP
  segments in pf and ipfw (etc).

- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and
  add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite
  a label in place, but in others we apply the label to a new mbuf.

Obtained from:	TrustedBSD Project
2007-10-28 17:12:48 +00:00
rwatson
2bca3d4001 Move towards more explicit support for various network protocol stacks
in the TrustedBSD MAC Framework:

- Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send()
  for AARP packet labeling, rather than using a generic link layer
  entry point.

- Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send()
  for ND6 packet labeling, rather than using a generic link layer entry
  point.

- Add expliict entry point mac_netinet_arp_send() for ARP packet
  labeling, and mac_netinet_igmp_send() for IGMP packet labeling,
  rather than using a generic link layer entry point.

- Remove previous genering link layer entry point,
  mac_mbuf_create_linklayer() as it is no longer used.

- Add implementations of new entry points to various policies, largely
  by replicating the existing link layer entry point for them; remove
  old link layer entry point implementation.

- Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global
  to the MAC Framework rather than static to mac_net.c as it is now
  needed outside of mac_net.c.

Obtained from:	TrustedBSD Project
2007-10-28 15:55:23 +00:00
rwatson
5b4c0a83ff Perform explicit label type checks for externalize entry points, rather than
a generic initialized test.

Obtained from:	TrustedBSD Project
2007-10-28 14:28:33 +00:00
csjp
eaecf9354f Make sure we are incrementing the read count for each audit pipe read.
MFC after:	1 week
2007-10-27 22:28:01 +00:00
rwatson
744e5dbc97 Give each posixsem MAC Framework entry point its own counter and test case
in the mac_test policy, rather than sharing a single function for all of
the access control checks.

Obtained from:	TrustedBSD Project
2007-10-27 10:38:57 +00:00
rwatson
5c16f69bcc Update comment following MAC Framework entry point renaming and
reorganization.

Obtained from:	TrustedBSD Project
2007-10-26 21:16:34 +00:00
rwatson
a3b8fc4866 Rename 'mac_mbuf_create_from_firewall' to 'mac_netinet_firewall_send' as
we move towards netinet as a pseudo-object for the MAC Framework.

Rename 'mac_create_mbuf_linklayer' to 'mac_mbuf_create_linklayer' to
reflect general object-first ordering preference.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer
2007-10-26 13:18:38 +00:00
csjp
a16bb8381d Implement AUE_CORE, which adds process core dump support into the kernel.
This change introduces audit_proc_coredump() which is called by coredump(9)
to create an audit record for the coredump event.  When a process
dumps a core, it could be security relevant.  It could be an indicator that
a stack within the process has been overflowed with an incorrectly constructed
malicious payload or a number of other events.

The record that is generated looks like this:

header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111

- We allocate a completely new record to make sure we arent clobbering
  the audit data associated with the syscall that produced the core
  (assuming the core is being generated in response to SIGABRT  and not
  an invalid memory access).
- Shuffle around expand_name() so we can use the coredump name at the very
  beginning of the coredump call.  Make sure we free the storage referenced
  by "name" if we need to bail out early.
- Audit both successful and failed coredump creation efforts

Obtained from:	TrustedBSD Project
Reviewed by:	rwatson
MFC after:	1 month
2007-10-26 01:23:07 +00:00
rwatson
d27f567131 Sort entry points in mac_framework.h and mac_policy.h alphabetically by
primary object type, and then by secondarily by method name.  This sorts
entry points relating to particular objects, such as pipes, sockets, and
vnodes together.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer
2007-10-25 22:45:25 +00:00
rwatson
ad62572aa2 Normalize TCP syncache-related MAC Framework entry points to match most
other entry points in the form mac_<object>_method().

Discussed with:	csjp
Obtained from:	TrustedBSD Project
2007-10-25 14:37:37 +00:00
rwatson
8756317538 Rename mac_associate_nfsd_label() to mac_proc_associate_nfsd(), and move
from mac_vfs.c to mac_process.c to join other functions that setup up
process labels for specific purposes.  Unlike the two proc create calls,
this call is intended to run after creation when a process registers as
the NFS daemon, so remains an _associate_ call..

Obtained from:	TrustedBSD Project
2007-10-25 12:34:14 +00:00
rwatson
2fd98af619 Consistently name functions for mac_<policy> as <policy>_whatever rather
than mac_<policy>_whatever, as this shortens the names and makes the code
a bit easier to read.

When dealing with label structures, name variables 'mb', 'ml', 'mm rather
than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making
the code a little easier to read.

Obtained from:	TrustedBSD Project
2007-10-25 11:31:11 +00:00
rwatson
94fbc001c8 Further MAC Framework cleanup: normalize some local variable names and
clean up some comments.

Obtained from:	TrustedBSD Project
2007-10-25 07:49:47 +00:00
rwatson
60570a92bf Merge first in a series of TrustedBSD MAC Framework KPI changes
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:

  mac_<object>_<method/action>
  mac_<object>_check_<method/action>

The previous naming scheme was inconsistent and mostly
reversed from the new scheme.  Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier.  Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods.  Also simplify, slightly,
some entry point names.

All MAC policy modules will need to be recompiled, and modules
not updates as part of this commit will need to be modified to
conform to the new KPI.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
csjp
34260afd90 Use extended process token. The in kernel process audit
state is stored in an extended subject token now.  Make sure
that we are using the extended data.  This fixes the termID
for process tokens.

Obtained from:	TrustedBSD Project
Discussed with:	rwatson
MFC after:	1 week
2007-10-24 00:05:52 +00:00
rwatson
019b6cfbf0 Bump MAC_VERSION to 4 and add an 8.x line in the version table. Version 4
will include significant synchronization to the Mac OS X Leopard version
of the MAC Framework.

Obtained from:	TrustedBSD Project
2007-10-23 14:12:16 +00:00
rwatson
9916bac030 Canonicalize naming of local variables for struct ksem and associated
labels to 'ks' and 'kslabel' to reflect the convention in posix_sem.c.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2007-10-21 11:11:07 +00:00
julian
51d643caa6 Rename the kthread_xxx (e.g. kthread_create()) calls
to kproc_xxx as they actually make whole processes.
Thos makes way for us to add REAL kthread_create() and friends
that actually make theads. it turns out that most of these
calls actually end up being moved back to the thread version
when it's added. but we need to make this cosmetic change first.

I'd LOVE to do this rename in 7.0  so that we can eventually MFC the
new kthread_xxx() calls.
2007-10-20 23:23:23 +00:00
csjp
d250020a68 - Change the wakeup logic associated with having multiple sleepers
on multiple different audit pipes.  The old method used cv_signal()
  which would result in only one thread being woken up after we
  appended a record to it's queue.  This resulted in un-timely wake-ups
  when processing audit records real-time.

- Assign PSOCK priority to threads that have been sleeping on a read(2).
  This is the same priority threads are woken up with when they select(2)
  or poll(2).  This yields fairness between various forms of sleep on
  the audit pipes.

Obtained from:	TrustedBSD Project
Discussed with:	rwatson
MFC after:	1 week
2007-10-12 15:09:02 +00:00
jeff
3fc0f8b973 - Move all of the PS_ flags into either p_flag or td_flags.
- p_sflag was mostly protected by PROC_LOCK rather than the PROC_SLOCK or
   previously the sched_lock.  These bugs have existed for some time.
 - Allow swapout to try each thread in a process individually and then
   swapin the whole process if any of these fail.  This allows us to move
   most scheduler related swap flags into td_flags.
 - Keep ki_sflag for backwards compat but change all in source tools to
   use the new and more correct location of P_INMEM.

Reported by:	pho
Reviewed by:	attilio, kib
Approved by:	re (kensmith)
2007-09-17 05:31:39 +00:00
rwatson
198c38400a Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry
point to mac_check_vnode_unlink(), reflecting UNIX naming conventions.

This is the first of several commits to synchronize the MAC Framework
in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X
Leopard.

Reveiwed by:    csjp, Samy Bahra <sbahra at gwu dot edu>
Submitted by:   Jacques Vidrine <nectar at apple dot com>
Obtained from:  Apple Computer, Inc.
Sponsored by:   SPARTA, SPAWAR
Approved by:    re (bmah)
2007-09-10 00:00:18 +00:00
rwatson
23574c8673 Remove the now-unused NET_{LOCK,UNLOCK,ASSERT}_GIANT() macros, which
previously conditionally acquired Giant based on debug.mpsafenet.  As that
has now been removed, they are no longer required.  Removing them
significantly simplifies error-handling in the socket layer, eliminated
quite a bit of unwinding of locking in error cases.

While here clean up the now unneeded opt_net.h, which previously was used
for the NET_WITH_GIANT kernel option.  Clean up some related gotos for
consistency.

Reviewed by:	bz, csjp
Tested by:	kris
Approved by:	re (kensmith)
2007-08-06 14:26:03 +00:00
rwatson
4d894bfc82 When checking labels during a vnode link operation in MLS, use the file
vnode label for a check rather than the directory vnode label a second
time.

MFC after:	3 days
Submitted by:	Zhouyi ZHOU <zhouzhouyi at FreeBSD dot org>
Reviewed by:	csjp
Sponsored by:	Google Summer of Code 2007
Approved by:	re (bmah)
2007-07-23 13:28:54 +00:00
rwatson
f6b06699b2 In preparation for 7.0 privilege cleanup, clean up style:
- Sort copyrights by date.
- Re-wrap, and in some cases, fix comments.
- Fix tabbing, white space, remove extra blank lines.
- Remove commented out debugging printfs.

Approved by:	re (kensmith)
2007-07-05 13:16:04 +00:00
peter
f84e4f38b6 Fix a bunch of warnings due to a missing forward declaration of a struct.
Approved by: re (rwatson)
2007-07-05 06:45:37 +00:00
rwatson
f4cc305d06 Remove two boot printfs generated by Audit to announce it's presence,
and replace with software-testable sysctl node (security.audit) that
can be used to detect kernel audit support.

Obtained from:	TrustedBSD Project
Approved by:	re (kensmith)
2007-07-01 20:51:30 +00:00
csjp
94aa9c0f8b - Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2)
- In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK,
  and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done
  for both setaudit and setaudit_addr.
- Audit the arguments passed to setaudit_addr(2)
- AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the
  audit token is created with the correct type. This fixes the processing of the
  in_addr_ex token in users pace.
- Change the size of the token (as generated by the kernel) from 5*4 bytes to
  4*4 bytes (the correct size of an ip6 address)
- Correct regression from ucred work which resulted in getaudit() not returning
  E2BIG if the subject had an ip6 termid
- Correct slight regression in getaudit(2) which resulted in the size of a pointer
  being passed instead of the size of the structure. (This resulted in invalid
  auditinfo data being returned via getaudit(2))

Reviewed by:	rwatson
Approved by:	re@ (kensmith)
Obtained from:	TrustedBSD Project
MFC after:	1 month
2007-06-27 17:01:15 +00:00
rwatson
4d365126c5 Add a new MAC framework and policy entry point,
mpo_check_proc_setaudit_addr to be used when controlling use of
setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a
different argument type.

Reviewed by:	csjp
Approved by:	re (kensmith)
2007-06-26 14:14:01 +00:00
rwatson
b1995f0f15 In setaudit_addr(), drop the process lock in error cases.
Submitted by:	Peter Holm <peter@holm.cc> (BugMaster)
2007-06-15 15:20:56 +00:00
rwatson
680f293154 Spell statistics more correctly in comments. 2007-06-14 03:02:33 +00:00
rwatson
f938c62f4e Include priv.h to pick up suser(9) definitions, missed in an earlier
commit.

Warnings spotted by:	kris
2007-06-13 22:42:43 +00:00
rwatson
aa30311010 Close a very narrow race that might cause a trigger allocation to be
leaked if a trigger is delivered as the trigger device is closed.

Obtained from:	TrustedBSD Project
2007-06-13 21:17:23 +00:00
rwatson
00b02345d4 Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in
some cases, move to priv_check() if it was an operation on a thread and
no other flags were present.

Eliminate caller-side jail exception checking (also now-unused); jail
privilege exception code now goes solely in kern_jail.c.

We can't yet eliminate suser() due to some cases in the KAME code where
a privilege check is performed and then used in many different deferred
paths.  Do, however, move those prototypes to priv.h.

Reviewed by:	csjp
Obtained from:	TrustedBSD Project
2007-06-12 00:12:01 +00:00
rwatson
65d74ebe28 Clean up, and sometimes remove, a number of audit-related implementation
comments.

Obtained from:	TrutstedBSD Project
2007-06-11 22:10:54 +00:00
rwatson
9f332c91ef Move per-process audit state from a pointer in the proc structure to
embedded storage in struct ucred.  This allows audit state to be cached
with the thread, avoiding locking operations with each system call, and
makes it available in asynchronous execution contexts, such as deep in
the network stack or VFS.

Reviewed by:	csjp
Approved by:	re (kensmith)
Obtained from:	TrustedBSD Project
2007-06-07 22:27:15 +00:00
jeff
91d1501790 Commit 14/14 of sched_lock decomposition.
- Use thread_lock() rather than sched_lock for per-thread scheduling
   sychronization.
 - Use the per-process spinlock rather than the sched_lock for per-process
   scheduling synchronization.

Tested by:      kris, current@
Tested on:      i386, amd64, ULE, 4BSD, libthr, libkse, PREEMPTION, etc.
Discussed with: kris, attilio, kmacy, jhb, julian, bde (small parts each)
2007-06-05 00:00:57 +00:00
rwatson
0d42b093e7 Clean up audit comments--formatting, spelling, etc. 2007-06-01 21:58:59 +00:00
kib
17260ba6f1 Change the VOP_OPEN(), vn_open() vnode operation and d_fdopen() cdev operation
argument from being file descriptor index into the pointer to struct file:
part 2. Convert calls missed in the first big commit.

Noted by:	rwatson
Pointy hat to:	kib
2007-06-01 14:33:11 +00:00
rwatson
e62312b692 Remove AUDIT_PRINTF() debugging statements and definition; clean up or
remove associated comments.

Slip audit_file_rotate_wait assignment in audit_rotate_vnode() before
the drop of the global audit mutex.

Obtained from:	TrustedBSD Project
2007-06-01 13:53:37 +00:00
rwatson
8abaa44b8f Remove unused !AUDIT audit_proc_*() prototypes: unlike in Mac OS X, we
don't define or use these functions if AUDIT isn't configured.

Obtained from:	TrustedBSD Project
2007-05-30 11:41:28 +00:00
rwatson
66b95b8855 Synchronize white space to congruent user-space code in OpenBSM.
Obtained from:	TrustedBSD Project
2007-05-30 09:48:37 +00:00
rwatson
a846d9ed4d Remove unused ar_subj_comm field from in-kernel audit record; we never
export this via BSM, so don't pay space/time cost of maintaining it.

Obtained from:	TrustedBSD Project
2007-05-30 09:14:14 +00:00
rwatson
bbc6212f21 Consistent white space after .'s in comments. 2007-05-30 08:39:16 +00:00
rwatson
799e37dd6b No need to force __inline__ of currecord(), as the compiler will usefully
inline it when needed already, and the symbol is also required outside of
audit.c.  This silences a new gcc warning on the topic of using __inline__
instead of __inline.

MFC after:	3 days
2007-05-23 09:32:30 +00:00
rwatson
41c6ca714f Short name of kernel audit worker thread from "audit_worker" to "audit".
MFC after:	3 days
2007-05-21 14:08:26 +00:00
rwatson
6f35138769 Don't expose #ifdef NOTYET parts to userspace via audit_ioctl.h, just
remove them, since the functionality they are associated with isn't there
yet.

MFC after:	3 days
2007-04-29 16:20:32 +00:00
rwatson
62d2d15116 Rename mac*devfsdirent*() to mac*devfs*() to synchronize with SEDarwin,
where similar data structures exist to support devfs and the MAC
Framework, but are named differently.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, Inc.
2007-04-23 13:36:54 +00:00
rwatson
7ffc2492ae Apply variable name normalization to MAC policies: adopt global conventions
for the naming of variables associated with specific data structures.

Obtained from:	TrustedBSD Project
2007-04-23 13:15:23 +00:00
rwatson
48ef639907 Normalize variable naming in the MAC Framework by adopting the normal
variable name conventions for arguments passed into the framework --
for example, name network interfaces 'ifp', sockets 'so', mounts 'mp',
mbufs 'm', processes 'p', etc, wherever possible.  Previously there
was significant variation in this regard.

Normalize copyright lists to ranges where sensible.
2007-04-22 19:55:56 +00:00
rwatson
1c94b6d3ee In the MAC Framework implementation, file systems have two per-mountpoint
labels: the mount label (label of the mountpoint) and the fs label (label
of the file system).  In practice, policies appear to only ever use one,
and the distinction is not helpful.

Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and
eliminate extra machinery required to maintain the additional label.
Update policies to reflect removal of extra entry points and label.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, Inc.
2007-04-22 16:18:10 +00:00
rwatson
d1196975a0 Remove MAC Framework access control check entry points made redundant with
the introduction of priv(9) and MAC Framework entry points for privilege
checking/granting.  These entry points exactly aligned with privileges and
provided no additional security context:

- mac_check_sysarch_ioperm()
- mac_check_kld_unload()
- mac_check_settime()
- mac_check_system_nfsd()

Add mpo_priv_check() implementations to Biba and LOMAC policies, which,
for each privilege, determine if they can be granted to processes
considered unprivileged by those two policies.  These mostly, but not
entirely, align with the set of privileges granted in jails.

Obtained from:	TrustedBSD Project
2007-04-22 15:31:22 +00:00
rwatson
7851a71064 Further MAC test policy cleanup and enhancement:
- Redistribute counter declarations to where they are used, rather than at
  the file header, so it's more clear where we do (and don't) have
  counters.

- Add many more counters, one per policy entry point, so that many
  individual access controls and object life cycle events are tracked.

- Perform counter increments for label destruction explicitly in entry
  point functions rather than in LABEL_DESTROY().

- Use LABEL_INIT() instead of SLOT_SET() directly in label init functions
  to be symmetric with destruction.

- Align counter names more carefully with entry point names.

- More constant and variable name normalization.

Obtained from:	TrustedBSD Project
2007-04-22 13:29:37 +00:00
rwatson
27da76ec29 Perform overdue clean up mac_test policy:
- Add a more detailed comment describing the mac_test policy.

- Add COUNTER_DECL() and COUNTER_INC() macros to declare and manage
  various test counters, reducing the verbosity of the test policy
  quite a bit.

- Add LABEL_CHECK() macro to abbreviate normal validation of labels.
  Unlike the previous check macros, this checks for a NULL label and
  doesn't test NULL labels.  This means that optionally passed labels
  will now be handled automatically, although in the case of optional
  credentials, NULL-checks are still required.

- Add LABEL_DESTROY() macro to abbreviate the handling of label
  validation and tear-down.

- Add LABEL_NOTFREE() macro to abbreviate check for non-free labels.

- Normalize the names of counters, magic values.

- Remove unused policy "enabled" flag.

Obtained from:	TrustedBSD Project
2007-04-22 11:35:15 +00:00
rwatson
9792022e80 Allow MAC policy modules to control access to audit configuration system
calls.  Add MAC Framework entry points and MAC policy entry points for
audit(), auditctl(), auditon(), setaudit(), aud setauid().

MAC Framework entry points are only added for audit system calls where
additional argument context may be useful for policy decision-making; other
audit system calls without arguments may be controlled via the priv(9)
entry points.

Update various policy modules to implement audit-related checks, and in
some cases, other missing system-related checks.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, Inc.
2007-04-21 22:08:48 +00:00
rwatson
7ea3197c4f Remove $P4$ that snuck into CVS from Perforce. 2007-04-17 12:24:18 +00:00
rwatson
dd6ab6dfe7 Merge OpenBSM 1.0 alpha 14 changes to src/sys/security/audit:
- au_to_attr64(), au_to_process64(), au_to_subject64(),
  au_to_subject64_ex(), au_to_zonename(), au_to_header64_tm().
- Extended address token fixes.

Obtained from:	TrustedBSD Project
2007-04-16 16:20:45 +00:00
csjp
118c82a5e3 Fix the handling of IPv6 addresses for subject and process BSM audit
tokens. Currently, we do not support the set{get}audit_addr(2) system
calls which allows processes like sshd to set extended or ip6
information for subject tokens.

The approach that was taken was to change the process audit state
slightly to use an extended terminal ID in the kernel. This allows
us to store both IPv4 IPv6 addresses. In the case that an IPv4 address
is in use, we convert the terminal ID from an struct auditinfo_addr to
a struct auditinfo.

If getaudit(2) is called when the subject is bound to an ip6 address,
we return E2BIG.

- Change the internal audit record to store an extended terminal ID
- Introduce ARG_TERMID_ADDR
- Change the kaudit <-> BSM conversion process so that we are using
  the appropriate subject token. If the address associated with the
  subject is IPv4, we use the standard subject32 token. If the subject
  has an IPv6 address associated with them, we use an extended subject32
  token.
- Fix a couple of endian issues where we do a couple of byte swaps when
  we shouldn't be. IP addresses are already in the correct byte order,
  so reading the ip6 address 4 bytes at a time and swapping them results
  in in-correct address data. It should be noted that the same issue was
  found in the openbsm library and it has been changed there too on the
  vendor branch
- Change A_GETPINFO to use the appropriate structures
- Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does,
  but can also handle ip6 addresses
- Adjust get{set}audit(2) syscalls to convert the data
  auditinfo <-> auditinfo_addr
- Fully implement set{get}audit_addr(2)

NOTE: This adds the ability for processes to correctly set extended subject
information. The appropriate userspace utilities still need to be updated.

MFC after:	1 month
Reviewed by:	rwatson
Obtained from:	TrustedBSD
2007-04-13 14:55:19 +00:00
rwatson
765a83fd79 Replace custom file descriptor array sleep lock constructed using a mutex
and flags with an sxlock.  This leads to a significant and measurable
performance improvement as a result of access to shared locking for
frequent lookup operations, reduced general overhead, and reduced overhead
in the event of contention.  All of these are imported for threaded
applications where simultaneous access to a shared file descriptor array
occurs frequently.  Kris has reported 2x-4x transaction rate improvements
on 8-core MySQL benchmarks; smaller improvements can be expected for many
workloads as a result of reduced overhead.

- Generally eliminate the distinction between "fast" and regular
  acquisisition of the filedesc lock; the plan is that they will now all
  be fast.  Change all locking instances to either shared or exclusive
  locks.

- Correct a bug (pointed out by kib) in fdfree() where previously msleep()
  was called without the mutex held; sx_sleep() is now always called with
  the sxlock held exclusively.

- Universally hold the struct file lock over changes to struct file,
  rather than the filedesc lock or no lock.  Always update the f_ops
  field last. A further memory barrier is required here in the future
  (discussed with jhb).

- Improve locking and reference management in linux_at(), which fails to
  properly acquire vnode references before using vnode pointers.  Annotate
  improper use of vn_fullpath(), which will be replaced at a future date.

In fcntl(), we conservatively acquire an exclusive lock, even though in
some cases a shared lock may be sufficient, which should be revisited.
The dropping of the filedesc lock in fdgrowtable() is no longer required
as the sxlock can be held over the sleep operation; we should consider
removing that (pointed out by attilio).

Tested by:	kris
Discussed with:	jhb, kris, attilio, jeff
2007-04-04 09:11:34 +00:00
rwatson
300d4098cf Remove 'MPSAFE' annotations from the comments above most system calls: all
system calls now enter without Giant held, and then in some cases, acquire
Giant explicitly.

Remove a number of other MPSAFE annotations in the credential code and
tweak one or two other adjacent comments.
2007-03-04 22:36:48 +00:00
rwatson
a29076f446 More unnecessary include reduction. 2007-02-23 14:39:04 +00:00
rwatson
7b48c9d783 Remove many unneeded includes, update copyright. 2007-02-23 11:21:26 +00:00
rwatson
3f41cc3fee Remove empty entry point functions (init, destroy, syscall) from
policies that don't need them.
2007-02-23 11:15:35 +00:00
rwatson
becd6b211a mac_none sample policy has nothing to enforce, so remove sysctls.
mac_stub acts as a template policy and holds sample sysctls.
2007-02-23 11:08:45 +00:00
rwatson
c208b1a04f Update auditing of socket information for the inpcb new world order:
so_pcb will always be non-NULL, and lock the inpcb while non-atomically
accessing address data.
2007-02-20 13:38:11 +00:00
rwatson
4904133d3c Move mapping of MBI_APPEND to MBI_WRITE from inside the rule loop in
mac_bsdextended_check() to before the loop, as it needs to happen only
once.

MFC after:	1 week
2007-02-20 10:21:27 +00:00
rwatson
07f6768e54 Do allow bypass of mac_seeotheruids in jail in order to be consistent
with other uses of PRIV_SEEOTHERUIDS.  This will automatically be
scoped to the jail by the jail policy.
2007-02-19 13:25:17 +00:00
rwatson
8f30a62d60 In mac_biba_check_system_swapoff(), don't extract the object label since
it isn't used in the access control decision.  This became visible to
Coverity with the change to a function call retrieving label values.

Coverity CID:	1723
2007-02-10 08:59:39 +00:00
rwatson
477d310a8e Print intptr_t values by first casting to intmax_t and then printing with
%jd, as intptr_t may not be int-sized.

Assistance from:	jhb
Spotted by:		Mr Tinderbox
2007-02-06 17:22:36 +00:00
rwatson
19777f0802 Introduce accessor functions mac_label_get() and mac_label_set() to replace
LABEL_TO_SLOT() macro used by policy modules to query and set label data
in struct label.  Instead of using a union, store an intptr_t, simplifying
the API.

Update policies: in most cases this required only small tweaks to current
wrapper macros.  In two cases, a single wrapper macros had to be split into
separate get and set macros.

Move struct label definition from _label.h to mac_internal.h and remove
_label.h.  With this change, policies may now treat struct label * as
opaque, allowing us to change the layout of struct label without breaking
the policy module ABI.  For example, we could make the maximum number of
policies with labels modifiable at boot-time rather than just at
compile-time.

Obtained from:	TrustedBSD Project
2007-02-06 14:19:25 +00:00
rwatson
d945a8c499 Continue 7-CURRENT MAC Framework rearrangement and cleanup:
Don't perform a nested include of _label.h in mac.h, as mac.h now
describes only  the user API to MAC, and _label.h defines the in-kernel
representation of MAC labels.

Remove mac.h includes from policies and MAC framework components that do
not use userspace MAC API definitions.

Add _KERNEL inclusion checks to mac_internal.h and mac_policy.h, as these
are kernel-only include files

Obtained from:	TrustedBSD Project
2007-02-06 10:59:23 +00:00
rwatson
6ac99f7113 When returning early from audit_arg_file() due to so->so_pcb being NULL
(due to an early reset or the like), remember to unlock the socket lock.
This will not occur in 7-CURRENT, but could in theory occur in 6-STABLE.

MFC after:	1 week
2007-01-06 22:28:28 +00:00
csjp
c394e563bc Teach the stub policy about some of the more recent entry points that have
been introduced to the MAC framework:

mpo_associate_nfsd_label
mpo_create_mbuf_from_firewall
mpo_check_system_nfsd
mpo_check_vnode_mmap_downgrade
mpo_check_vnode_mprotect
mpo_init_syncache_label
mpo_destroy_syncache_label
mpo_init_syncache_from_inpcb
mpo_create_mbuf_from_syncache

MFC after:	2 weeks [1]

[1] The syncache related entry points will NOT be MFCed as the changes in
    the syncache subsystem are not present in RELENG_6 yet.
2007-01-01 01:47:18 +00:00
csjp
dac8fa36f8 Remove conditional return of 1. For the MAC_STATIC case at this point in
the code, one being returned is invariant.

Discussed with:	rwatson
MFC after:	1 week
2007-01-01 01:40:29 +00:00
rwatson
b790270fcf Only signal the CV indicating that the MAC Framework is available for
exclusive access if there is at least one thread waiting for it to
become available.  This may significantly reduce overhead by reducing
the number of unnecessary wakeups issued whenever the framework becomes
idle.

Annotate that we still signal the CV more than necessary and should
fix this.

Obtained from:	TrustedBSD Project
Reviewed by:	csjp
Tested by:	csjp
2006-12-31 20:26:20 +00:00
rwatson
c2bdc9dc5c Slightly resort functions in file so that no forward function prototypes
are required.

Obtained from:	TrustedBSD Project
2006-12-29 20:21:21 +00:00
rwatson
468e5443ba Re-add include of opt_mac.h in mac_framework.c, which was improperly
removed from this file.  It is required to pick up the definition of
MAC_STATIC.
2006-12-29 20:16:29 +00:00
rwatson
b35ac7f09b Remove two XXX comments that no longer apply.
Obtained from:	TrustedBSD Project
2006-12-29 11:03:44 +00:00
rwatson
accf7ddf5a Use p_cansee() to check that a target process for an audit state
manipulation is visible to the subject process.  Remove XXX comments
suggesting this.

Convert one XXX on a difference from Darwin into a note: it's not a
bug, it's a feature.

Obtained from:	TrustedBSD Project
2006-12-29 10:49:13 +00:00
rwatson
46f7cb9d3b Add a witness sleep warning to canon_path(), which invokes vput() and hence
may perform an unbounded sleep.  Remove an XXX comment suggesting that one
be added.

Obtained from:	TrustedBSD Project
2006-12-29 10:37:32 +00:00
rwatson
1828ce8b9a Add missing include guards to mac_internal.h, update include guards in
mac_policy.h following move to new location in src/sys/security/mac.

Obtained from:	TrustedBSD Project
2006-12-28 23:23:35 +00:00
rwatson
ecb6fa46c8 Update a number of comments:
- Replace XXX with Note: in several cases where observations are made about
  future functionality rather than problems or bugs.

- Remove an XXX comment about byte order and au_to_ip() -- IP headers must
  be submitted in network byte order.  Add a comment to this effect.

- Mention that we don't implement select/poll for /dev/audit.

Obtained from:	TrustedBSD Project
2006-12-28 22:18:43 +00:00
rwatson
687cc5fe5c Remove XXX comments about EA transaction support and provide a more
general and detailed comment on the topic of EA transactions and kernel
warnings.

Obtained from:	TrustedBSD Project
2006-12-28 22:02:59 +00:00
rwatson
59b306db83 Remove an inaccurate comment I added regarding storage for mbuf tag
labels: they are in fact stored in the tag directly.

Obtained from:	TrustedBSD Project
2006-12-28 21:57:59 +00:00
rwatson
f1bd870753 In mac_inpcb_sosetlabel(), assert the socket lock rather than commenting
that we should assert the socket lock.

Obtained from:	TrustedBSD Project
2006-12-28 21:56:39 +00:00
rwatson
d4e941ae59 Centralize definition of MAC_VERSION in mac_policy.h, as it defines the
kernel<->policy ABI version.  Add a comment to the definition describing
it and listing known versions.  Modify MAC_POLICY_SET() to reference the
current kernel version by name rather than by number.

Staticize mac_late, which is used only in mac_framework.c.

Obtained from:	TrustedBSD Project
2006-12-28 21:48:38 +00:00
rwatson
8a59ab518d Move mac_init_label() and mac_destroy_label() from mac_framework.c to
mac_label.c, and use these instead of replicated code in the label zone
constructor and destructor.

Obtained from:	TrustedBSD Project
2006-12-28 21:15:37 +00:00
rwatson
4289e30504 Trim unneeded includes. 2006-12-28 21:07:45 +00:00
rwatson
4a9f23955f Break contents of kern_mac.c out into two files following a repo-copy:
mac_framework.c   Contains basic MAC Framework functions, policy
                  registration, sysinits, etc.

mac_syscalls.c    Contains implementations of various MAC system calls,
                  including ENOSYS stubs when compiling without options
                  MAC.

Obtained from:	TrustedBSD Project
2006-12-28 20:52:02 +00:00
rwatson
e7f843dc94 Update MAC Framework general comments, referencing various interfaces it
consumes and implements, as well as the location of the framework and
policy modules.

Refactor MAC Framework versioning a bit so that the current ABI version can
be exported via a read-only sysctl.

Further update comments relating to locking/synchronization.

Update copyright to take into account these and other recent changes.

Obtained from:	TrustedBSD Project
2006-12-28 17:25:57 +00:00
rwatson
01a38eca27 Re-wrap comments following de-indentation. 2006-12-23 22:21:13 +00:00
rwatson
ae9ef07995 Move src/sys/sys/mac_policy.h, the kernel interface between the MAC
Framework and security modules, to src/sys/security/mac/mac_policy.h,
completing the removal of kernel-only MAC Framework include files from
src/sys/sys.  Update the MAC Framework and MAC policy modules.  Delete
the old mac_policy.h.

Third party policy modules will need similar updating.

Obtained from:	TrustedBSD Project
2006-12-22 23:34:47 +00:00
rwatson
e767bf8cfd Minor style fixes. 2006-12-21 09:58:02 +00:00