Commit Graph

366 Commits

Author SHA1 Message Date
csjp
be495bef58 Introduce a new MAC entry point for label initialization of the NFS daemon's
credential: mac_associate_nfsd_label()

This entry point can be utilized by various Mandatory Access Control policies
so they can properly initialize the label of files which get created
as a result of an NFS operation. This work will be useful for fixing kernel
panics associated with accessing un-initialized or invalid vnode labels.

The implementation of these entry points will come shortly.

Obtained from:	TrustedBSD
Requested by:	mdodd
MFC after:	3 weeks
2006-04-06 23:33:11 +00:00
tegge
6d1ce4168f Don't call vn_finished_write() if vn_start_write() failed. 2006-03-19 20:43:07 +00:00
rwatson
9c0a4e82f3 Merge Perforce change 93581 from TrustedBSD audit3 branch:
Mega-style patch.

Obtained from:	TrustedBSD Project
2006-03-19 17:34:00 +00:00
rwatson
6163ee5a7b Merge Perforce changes 93512, 93514, 93515 from TrustedBSD audit3
branch:

  Integrate audit.c to audit_worker.c, so as to migrate the worker
  thread implementation to its own .c file.

  Populate audit_worker.c using parts now removed from audit.c:

  - Move audit rotation global variables.
  - Move audit_record_write(), audit_worker_rotate(),
    audit_worker_drain(), audit_worker(), audit_rotate_vnode().
  - Create audit_worker_init() from relevant parts of audit_init(),
    which now calls this routine.
  - Recreate audit_free(), which wraps uma_zfree() so that
    audit_record_zone can be static to audit.c.
  - Unstaticize various types and variables relating to the audit
    record queue so that audit_worker can get to them.  We may want
    to wrap these in accessor methods at some point.
  - Move AUDIT_PRINTF() to audit_private.h.

  Addition of audit_worker.c to kernel configuration, missed in
  earlier submit.

Obtained from:	TrustedBSD Project
2006-03-19 16:03:43 +00:00
rwatson
bae874c2cb Merge Perforce change 93570 from TrustedBSD audit3 branch:
Add audit pipe ioctls to query minimum and maximum audit queue
  lengths.

Obtained from:	TrustedBSD Project
2006-03-19 15:39:03 +00:00
rwatson
2b1a7974d7 Merge Perforce change 93567 from TrustedBSD audit3 branch:
Bump default queue limit for audit pipes from 32 to 128, since 32 is
  pretty small.

Obtained from:	TrustedBSD Project
2006-03-19 15:38:03 +00:00
rwatson
4931de581d Merge Perforce change 93568 from TrustedBSD audit3 branch:
Normalize nested include guards.

Obtained from:	TrustedBSD Project
2006-03-19 15:37:04 +00:00
rwatson
a74ff4762f Merge Perforce change 93506 from TrustedBSD audit3 branch:
Add ioctls to audit pipes in order to allow querying of the current
  record queue state, setting of the queue limit, and querying of pipe
  statistics.

Obtained from:	TrustedBSD Project
2006-03-19 15:36:10 +00:00
rwatson
e07f710abc Merge perforce 93507:
Correct comment: this print is now from audit_record_write(), not
  audit_worker().

Obtained from:	TrustedBSD Project
2006-03-18 18:32:12 +00:00
rwatson
7c231dc685 Merge perforce change 93199:
Change send_trigger() prototype to return an int, so that user
  space callers can tell if the message was successfully placed
  in the trigger queue.  This isn't quite the same as it being
  successfully received, but is close enough that we can generate
  a more useful warning message in audit(8).

Obtained from:	TrustedBSD Project
2006-03-18 18:31:24 +00:00
dwmalone
38417d76b6 Create a mac_bsdextended_check_vp function that takes a cred, a
vnode and a mode and checks if a given access mode is permitted.
This centralises the mac_bsdextended_enabled check and the GETATTR
calls and makes the implementation of the mac policy methods simple.

This should make it easier for us to match vnodes on more complex
attributes than just uid and gid in the future, but for now there
should be no functional change.

Approved/Reviewed by:	rwatson, trhodes
MFC after:	1 month
2006-03-04 20:47:19 +00:00
rwatson
fb6445828e Count drops when the first of two pipe mallocs fails.
Obtained from:	TrustedBSD Project
2006-03-04 17:09:17 +00:00
rwatson
20bce94704 Update src/sys/security/audit for OpenBSM 1.0 alpha 5:
- Include audit_internal.h to get definition of internal audit record
  structures, as it's no longer in audit.h.  Forward declare au_record
  in audit_private.h as not all audit_private.h consumers care about
  it.

- Remove __APPLE__ compatibility bits that are subsumed by configure
  for user space.

- Don't expose in6_addr internals (non-portable, but also cleaner
  looking).

- Avoid nested include of audit.h in audit_private.h.

Obtained from:	TrustedBSD Project
2006-03-04 17:00:55 +00:00
tegge
774f51ad2c Eliminate a deadlock when creating snapshots. Blocking vn_start_write() must
be called without any vnode locks held.  Remove calls to vn_start_write() and
vn_finished_write() in vnode_pager_putpages() and add these calls before the
vnode lock is obtained to most of the callers that don't already have them.
2006-03-02 22:13:28 +00:00
rwatson
5bbcd52e55 Add stub AUE_EACCESS entry.
Obtained from:	TrustedBSD Project
2006-02-11 23:55:08 +00:00
rwatson
bf57809309 Initialize user process audit ID to AU_DEFAUDITID so that init and
its pre-authentication children are covered by naflags.

Obtained from:	TrustedBSD Project
2006-02-11 23:53:00 +00:00
rwatson
93a12ad07f Acquire vnode lock around call to VOP_GETATTR() in audit_record_write().
In the future, we may want to acquire the lock early in the function and
hold it across calls to vn_rdwr(), etc, to avoid multiple acquires.

Spotted by:	kris (bugmagnet)
Obtained from:	TrustedBSD Project
2006-02-07 23:44:31 +00:00
rwatson
bc3d3926ef Fix queue drop logic when the queue overflows: decrement queue length.
Obtained from:	TrustedBSD Project
2006-02-07 14:46:26 +00:00
rwatson
a1af4bcfbd Add support for audit pipe special devices, which allow user space
applications to insert a "tee" in the live audit event stream.  Records
are inserted into a per-clone queue so that user processes can pull
discreet records out of the queue.  Unlike delivery to disk, audit pipes
are "lossy", dropping records in low memory conditions or when the
process falls behind real-time events.  This mechanism is appropriate
for use by live monitoring systems, host-based intrusion detection, etc,
and avoids applications having to dig through active on-disk trails that
are owned by the audit daemon.

Obtained from:	TrustedBSD Project
2006-02-06 22:50:39 +00:00
rwatson
f29a000e6f Manage audit record memory with the slab allocator, turning
initialization routines into a ctor, tear-down to a dtor, cleaning
up, etc.  This will allow audit records to be allocated from
per-cpu caches.

On recent FreeBSD, dropping the audit_mtx around freeing to UMA is
no longer required (at one point it was possible to acquire Giant
on that path), so a mutex-free thread-local drain is no longer
required.

Obtained from:	TrustedBSD Project
2006-02-06 22:30:54 +00:00
rwatson
8b356bb2d7 When GC'ing a thread, assert that it has no active audit record.
This should not happen, but with this assert, brueffer and I would
not have spent 45 minutes trying to figure out why he wasn't
seeing audit records with the audit version in CVS.

Obtained from:	TrustedBSD Project
2006-02-05 21:06:09 +00:00
rwatson
2301c52905 Cast pointers to (uintptr_t) before down-casting to (int). This avoids
an incompatible conversion from a 64-bit pointer to a 32-bit integer on
64-bit platforms.  We will investigate whether Solaris uses a 64-bit
token here, or a new record here, in order to avoid truncating user
pointers that are 64-bit.  However, in the mean time, truncation is fine
as these are rarely/never used fields in audit records.

Obtained from:	TrustedBSD Project
2006-02-04 00:14:06 +00:00
rwatson
0bab7ecd73 Fix INVARIANTS build on amd64; (unsigned unsigned long) != u_int64_t.
Submitted by:	mlaier
2006-02-03 23:50:26 +00:00
rwatson
d0b8d11335 Remove user.h include in audit.h, it is unneeded, and also can cause
build problems for other components that include audit.h.
2006-02-03 15:49:07 +00:00
rwatson
36f0dbe4c4 Add new fields to process-related data structures:
- td_ar to struct thread, which holds the in-progress audit record during
  a system call.

- p_au to struct proc, which holds per-process audit state, such as the
  audit identifier, audit terminal, and process audit masks.

In the earlier implementation, td_ar was added to the zero'd section of
struct thread.  In order to facilitate merging to RELENG_6, it has been
moved to the end of the data structure, requiring explicit
initalization in the thread constructor.

Much help from:	wsalamon
Obtained from:	TrustedBSD Project
2006-02-02 00:37:05 +00:00
rwatson
e100506eaf Import kernel audit framework:
- Management of audit state on processes.
- Audit system calls to configure process and system audit state.
- Reliable audit record queue implementation, audit_worker kernel
  thread to asynchronously store records on disk.
- Audit event argument.
- Internal audit data structure -> BSM audit trail conversion library.
- Audit event pre-selection.
- Audit pseudo-device permitting kernel->user upcalls to notify auditd
  of kernel audit events.

Much work by:	wsalamon
Obtained from:	TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
csjp
d7fc1b7da4 Fix potential overrun of static stack allocated array which stores
the rules. If an array is N elements large, we can only access
elements 0..(N-1).

MFC after:	1 week
Found with:	Coverity Prevent(tm)
2006-01-15 01:02:20 +00:00
csjp
8db1bd7411 Introduce a new sysctl variable:
security.mac.biba.interfaces_equal

If non-zero, all network interfaces be created with the label:

biba/equal(equal-equal)

This is useful where programs which initialize network interfaces
do not have any labeling support. This includes dhclient and ppp. A
long term solution is to add labeling support into dhclient(8)
and ppp(8), and remove this variable.

It should be noted that this behavior is different then setting the:

security.mac.biba.trust_all_interfaces

sysctl variable, as this will create interfaces with a biba/high label.
Lower integrity processes are not able to write to the interface in this
event. The security.mac.biba.interfaces_equal will override
trust_all_interfaces.

The security.mac.biba.interfaces_equal variable will be set to zero
or disabled by default.

MFC after:	2 weeks
2005-12-31 05:06:59 +00:00
rwatson
be4f357149 Normalize a significant number of kernel malloc type names:
- Prefer '_' to ' ', as it results in more easily parsed results in
  memory monitoring tools such as vmstat.

- Remove punctuation that is incompatible with using memory type names
  as file names, such as '/' characters.

- Disambiguate some collisions by adding subsystem prefixes to some
  memory types.

- Generally prefer lower case to upper case.

- If the same type is defined in multiple architecture directories,
  attempt to use the same name in additional cases.

Not all instances were caught in this change, so more work is required to
finish this conversion.  Similar changes are required for UMA zone names.
2005-10-31 15:41:29 +00:00
csjp
63c5e35623 Lock object while we iterate through it's backing objects.
Discussed with:	alc
2005-10-09 02:37:27 +00:00
csjp
ac94e44f1f Use the correct object's backing_object_offset while calculating offsets.
While we are here, add a note that we need to lock the object before walking
the backing object list.

Pointed out by:	alc
Discussed with:	rwatson
2005-10-04 14:47:47 +00:00
csjp
390b4d50c1 Standard Giant push down operations for the Mandatory Access Control (MAC)
framework. This makes Giant protection around MAC operations which inter-
act with VFS conditional, based on the MPSAFE status of the file system.

Affected the following syscalls:

o __mac_get_fd
o __mac_get_file
o __mac_get_link
o __mac_set_fd
o __mac_set_file
o __mac_set_link

-Drop Giant all together in __mac_set_proc because the
 mac_cred_mmapped_drop_perms_recurse routine no longer requires it.
-Move conditional Giant aquisitions to after label allocation routines.
-Move the conditional release of Giant to before label de-allocation
 routines.

Discussed with:	rwatson
2005-10-04 14:32:58 +00:00
csjp
2c5fc25054 Conditionally pickup Giant in mac_cred_mmapped_drop_perms_recurse so
we can drop it all together in __mac_set_proc.

Reviewed by:	alc
Discussed with:	rwatson
2005-10-04 14:32:15 +00:00
rwatson
98b9a514bd Complete removal of mac_create_root_mount/mpo_create_root_mount MAC
interfaces.

Obtained from:	TrustedBSD Project
Submitted by:	Chris Vance <Christopher dot Vance at SPARTA dot com>
MFC after:	3 days
2005-10-02 09:53:00 +00:00
trhodes
b8a072188d Allow the root user to be aware of other credentials by virtue
of privilege.

Submitted by:	rwatson
2005-09-30 23:41:10 +00:00
phk
59a2d96944 Add #include <sys/sx.h>, devfs is going to require this shortly. 2005-09-19 18:52:51 +00:00
rwatson
583b25a64f Remove mac_create_root_mount() and mpo_create_root_mount(), which
provided access to the root file system before the start of the
init process.  This was used briefly by SEBSD before it knew about
preloading data in the loader, and using that method to gain
access to data earlier results in fewer inconsistencies in the
approach.  Policy modules still have access to the root file system
creation event through the mac_create_mount() entry point.

Removed now, and will be removed from RELENG_6, in order to gain
third party policy dependencies on the entry point for the lifetime
of the 6.x branch.

MFC after:	3 days
Submitted by:	Chris Vance <Christopher dot Vance at SPARTA dot com>
Sponsored by:	SPARTA
2005-09-19 13:59:57 +00:00
rwatson
76d2953e39 Insert a series of place-holder function pointers in mac_policy.h for
entry points that will be inserted over the life-time of the 6.x branch,
including for:

- New struct file labeling (void * already added to struct file), events,
  access control checks.
- Additional struct mount access control checks, internalization/
  externalization.
- mac_check_cap()
- System call enter/exit check and event.
- Socket and vnode ioctl entry points.

MFC after:	3 days
2005-08-08 16:09:33 +00:00
trhodes
0336212d34 If a "hole" opens up in the ruleset (i.e.: remove 5), do not return
unknown error.  Instead, just return error.

Submitted by:	avatar
Tested by:	trhodes
2005-07-28 13:55:12 +00:00
rwatson
371afb1eec Remove duplicate initialization of mpo_create_stub pointer.
PR:		83779
Submitted by:	Wojciech A. Koszek <dunstan at freebsd dot czest dot pl>
MFC after:	3 days
2005-07-21 17:17:51 +00:00
rwatson
0889b69634 Bump the module versions of the MAC Framework and MAC policy modules
from 2 (6.x) to 3 (7.x) to allow for future changes in the MAC policy
module ABI in 7.x.

Obtained from:	TrustedBSD Project
2005-07-14 10:46:03 +00:00
rwatson
79690d711b When devfs cloning takes place, provide access to the credential of the
process that caused the clone event to take place for the device driver
creating the device.  This allows cloned device drivers to adapt the
device node based on security aspects of the process, such as the uid,
gid, and MAC label.

- Add a cred reference to struct cdev, so that when a device node is
  instantiated as a vnode, the cloning credential can be exposed to
  MAC.

- Add make_dev_cred(), a version of make_dev() that additionally
  accepts the credential to stick in the struct cdev.  Implement it and
  make_dev() in terms of a back-end make_dev_credv().

- Add a new event handler, dev_clone_cred, which can be registered to
  receive the credential instead of dev_clone, if desired.

- Modify the MAC entry point mac_create_devfs_device() to accept an
  optional credential pointer (may be NULL), so that MAC policies can
  inspect and act on the label or other elements of the credential
  when initializing the skeleton device protections.

- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(),
  so that the pty clone credential is exposed to the MAC Framework.

While currently primarily focussed on MAC policies, this change is also
a prerequisite for changes to allow ptys to be instantiated with the UID
of the process looking up the pty.  This requires further changes to the
pty driver -- in particular, to immediately recycle pty nodes on last
close so that the credential-related state can be recreated on next
lookup.

Submitted by:	Andrew Reisse <andrew.reisse@sparta.com>
Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
MFC after:	1 week
MFC note:	Merge to 6.x, but not 5.x for ABI reasons
2005-07-14 10:22:09 +00:00
rwatson
5e71112509 Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is
redundant with respect to existing mbuf copy label routines.  Expose
a new mac_copy_mbuf() routine at the top end of the Framework and
use that; use the existing mpo_copy_mbuf_label() routine on the
bottom end.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, SPAWAR
Approved by:	re (scottl)
2005-07-05 23:39:51 +00:00
rwatson
efcac3d02e Add MAC Framework and MAC policy entry point mac_check_socket_create(),
which is invoked from socket() and socketpair(), permitting MAC
policy modules to control the creation of sockets by domain, type, and
protocol.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, SPAWAR
Approved by:	re (scottl)
Requested by:	SCC
2005-07-05 22:49:10 +00:00
csjp
949ce50a1c Correct grammar error in comment
MFC after:	3 days
2005-06-10 04:44:38 +00:00
rwatson
ee01c1bf47 Gratuitous renaming of four System V Semaphore MAC Framework entry
points to convert _sema() to _sem() for consistency purposes with
respect to the other semaphore-related entry points:

mac_init_sysv_sema() -> mac_init_sysv_sem()
mac_destroy_sysv_sem() -> mac_destroy_sysv_sem()
mac_create_sysv_sema() -> mac_create_sysv_sem()
mac_cleanup_sysv_sema() -> mac_cleanup_sysv_sem()

Congruent changes are made to the policy interface to support this.

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
2005-06-07 05:03:28 +00:00
rwatson
2197ab2d93 Introduce MAC Framework and MAC Policy entry points to label and control
access to POSIX Semaphores:

mac_init_posix_sem()            Initialize label for POSIX semaphore
mac_create_posix_sem()          Create POSIX semaphore
mac_destroy_posix_sem()         Destroy POSIX semaphore
mac_check_posix_sem_destroy()   Check whether semaphore may be destroyed
mac_check_posix_sem_getvalue()  Check whether semaphore may be queried
mac_check_possix_sem_open()     Check whether semaphore may be opened
mac_check_posix_sem_post()      Check whether semaphore may be posted to
mac_check_posix_sem_unlink()    Check whether semaphore may be unlinked
mac_check_posix_sem_wait()      Check whether may wait on semaphore

Update Biba, MLS, Stub, and Test policies to implement these entry points.
For information flow policies, most semaphore operations are effectively
read/write.

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Sponsored by:	DARPA, McAfee, SPARTA
Obtained from:	TrustedBSD Project
2005-05-04 10:39:15 +00:00
trhodes
f02068c038 Get the directory structure correct in a comment.
Submitted by:	Samy Al Bahra
2005-04-22 19:09:12 +00:00
trhodes
01f75275c6 Add locking support to mac_bsdextended:
- Introduce a global mutex, mac_bsdextended_mtx, to protect the rule
   array and hold this mutex over use and modification of the rule array
   and rules.
- Re-order and clean up sysctl_rule so that copyin/copyout/update happen
   in the right order (suggested by: jhb done by rwatson).
2005-04-22 18:49:30 +00:00
rwatson
75030e30f6 Introduce p_canwait() and MAC Framework and MAC Policy entry points
mac_check_proc_wait(), which control the ability to wait4() specific
processes.  This permits MAC policies to limit information flow from
children that have changed label, although has to be handled carefully
due to common programming expectations regarding the behavior of
wait4().  The cr_seeotheruids() check in p_canwait() is #if 0'd for
this reason.

The mac_stub and mac_test policies are updated to reflect these new
entry points.

Sponsored by:	SPAWAR, SPARTA
Obtained from:	TrustedBSD Project
2005-04-18 13:36:57 +00:00