Commit Graph

596 Commits

Author SHA1 Message Date
rwatson
8a59ab518d Move mac_init_label() and mac_destroy_label() from mac_framework.c to
mac_label.c, and use these instead of replicated code in the label zone
constructor and destructor.

Obtained from:	TrustedBSD Project
2006-12-28 21:15:37 +00:00
rwatson
4289e30504 Trim unneeded includes. 2006-12-28 21:07:45 +00:00
rwatson
4a9f23955f Break contents of kern_mac.c out into two files following a repo-copy:
mac_framework.c   Contains basic MAC Framework functions, policy
                  registration, sysinits, etc.

mac_syscalls.c    Contains implementations of various MAC system calls,
                  including ENOSYS stubs when compiling without options
                  MAC.

Obtained from:	TrustedBSD Project
2006-12-28 20:52:02 +00:00
rwatson
e7f843dc94 Update MAC Framework general comments, referencing various interfaces it
consumes and implements, as well as the location of the framework and
policy modules.

Refactor MAC Framework versioning a bit so that the current ABI version can
be exported via a read-only sysctl.

Further update comments relating to locking/synchronization.

Update copyright to take into account these and other recent changes.

Obtained from:	TrustedBSD Project
2006-12-28 17:25:57 +00:00
rwatson
01a38eca27 Re-wrap comments following de-indentation. 2006-12-23 22:21:13 +00:00
rwatson
ae9ef07995 Move src/sys/sys/mac_policy.h, the kernel interface between the MAC
Framework and security modules, to src/sys/security/mac/mac_policy.h,
completing the removal of kernel-only MAC Framework include files from
src/sys/sys.  Update the MAC Framework and MAC policy modules.  Delete
the old mac_policy.h.

Third party policy modules will need similar updating.

Obtained from:	TrustedBSD Project
2006-12-22 23:34:47 +00:00
rwatson
e767bf8cfd Minor style fixes. 2006-12-21 09:58:02 +00:00
rwatson
6fa1425be4 Remove mac_enforce_subsystem debugging sysctls. Enforcement on
subsystems will be a property of policy modules, which may require
access control check entry points to be invoked even when not actively
enforcing (i.e., to track information flow without providing
protection).

Obtained from:	TrustedBSD Project
Suggested by:	Christopher dot Vance at sparta dot com
2006-12-21 09:51:34 +00:00
rwatson
9abf6b51e4 Comment LABEL_TO_SLOT() macro, including observing that we'd like to improve
this policy API to avoid encoding struct label binary layout in policy
modules.

Obtained from:	TrustedBSD Project
2006-12-20 23:41:59 +00:00
rwatson
00c95308bf Trim trailing white space, clean up comment line wrapping and formatting.
Document mac_associate_nfsd_label().

Obtained from:	TrustedBSD Project
2006-12-20 23:18:17 +00:00
rwatson
08ad649b5f Trim trailing white space. 2006-12-20 23:17:34 +00:00
rwatson
b8ec51a064 Document socket labeling model.
Clean up comment white space and wrapping.

Obtained from:	TrustedBSD Project
2006-12-20 23:16:41 +00:00
rwatson
cada726d8e Clean up comment white space and line wrapping. 2006-12-20 23:16:01 +00:00
rwatson
49509e92eb Additional comments regarding the interaction between the kernel privilege
model and the MAC Framework.

Obtained from:	TrustedBSD Project
2006-12-20 23:15:27 +00:00
rwatson
c77864165e Document that we could allocate the mbuf label as part of the tag rather
than from the slab, but don't.

Document mac_mbuf_to_label(), mac_copy_mbuf_tag().

Clean up white space/wrapping for other comments.

Obtained from:	TrustedBSD Project
2006-12-20 23:14:33 +00:00
rwatson
f30462f07d Staticize and comment zone_label.
Obtained from:	TrustedBSD Project
2006-12-20 23:13:04 +00:00
rwatson
65458541b7 Clean up comments, trailing white space.
Provide a comment describing MAC_EXTERNALIZE().

Obtained from:	TrustedBSD Project
2006-12-20 23:12:36 +00:00
rwatson
97c0fff7b2 Re-wrap comment at 77 character columns. 2006-12-20 23:11:01 +00:00
rwatson
abc0e2cde9 Comment and white space cleanup.
Exapnd comments on System V IPC labeling methods, which could use improved
consistency with respect to other object types.

Obtained from:	TrustedBSD Project
2006-12-20 20:43:19 +00:00
rwatson
8fb47d67d7 Externalize local stack copy of the ifnet label, rather than the copy on
the ifnet itself.  The stack copy has been made while holding the mutex
protecting ifnet labels, so copying from the ifnet copy could result in
an inconsistent version being copied out.

Reported by:	Todd.Miller@sparta.com
Obtained from:	TrustedBSD Project
MFC after:	3 weeks
2006-12-20 20:40:29 +00:00
rwatson
5749ecccba Expand commenting on label slots, justification for the MAC Framework locking
model, interactions between locking and policy init/destroy methods.

Rewrap some comments to 77 character line wrap.

Obtained from:	TrustedBSD Project
2006-12-20 20:38:44 +00:00
csjp
3193aa5601 Teach the MAC policies which utilize mbuf labeling the new syncache
entry points.  Properly initialize the mbuf label based on the label
we copy from the PCB. This fixes an LOR between the PCB and syncache
code.
2006-12-13 06:03:22 +00:00
csjp
7aaca1dfe1 Fix LOR between the syncache and inpcb locks when MAC is present in the
kernel.  This LOR snuck in with some of the recent syncache changes.  To
fix this, the inpcb handling was changed:

- Hang a MAC label off the syncache object
- When the syncache entry is initially created, we pickup the PCB lock
  is held because we extract information from it while initializing the
  syncache entry.  While we do this, copy the MAC label associated with
  the PCB and use it for the syncache entry.
- When the packet is transmitted, copy the label from the syncache entry
  to the mbuf so it can be processed by security policies which analyze
  mbuf labels.

This change required that the MAC framework be extended to support the
label copy operations from the PCB to the syncache entry, and then from
the syncache entry to the mbuf.

These functions really should be referencing the syncache structure instead
of the label.  However, due to some of the complexities associated with
exposing this syncache structure we operate directly on it's label pointer.
This should be OK since we aren't making any access control decisions within
this code directly, we are merely allocating and copying label storage so
we can properly initialize mbuf labels for any packets the syncache code
might create.

This also has a nice side effect of caching.  Prior to this change, the
PCB would be looked up/locked for each packet transmitted.  Now the label
is cached at the time the syncache entry is initialized.

Submitted by:	andre [1]
Discussed with:	rwatson

[1] andre submitted the tcp_syncache.c changes
2006-12-13 06:00:57 +00:00
trhodes
58cca8458a Merge posix4/* into normal kernel hierarchy.
Reviewed by:	glanced at by jhb
Approved by:	silence on -arch@ and -standards@
2006-11-11 16:26:58 +00:00
rwatson
13dc4f1b11 Add stub entry point implementations of mpo_priv_check and mpo_priv_grant to
the mac_stub policy.

Obtained from:	TrustedBSD Project
2006-11-06 13:45:45 +00:00
rwatson
10d0d9cf47 Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
rwatson
7288104e20 Add a new priv(9) kernel interface for checking the availability of
privilege for threads and credentials.  Unlike the existing suser(9)
interface, priv(9) exposes a named privilege identifier to the privilege
checking code, allowing more complex policies regarding the granting of
privilege to be expressed.  Two interfaces are provided, replacing the
existing suser(9) interface:

suser(td)                 ->   priv_check(td, priv)
suser_cred(cred, flags)   ->   priv_check_cred(cred, priv, flags)

A comprehensive list of currently available kernel privileges may be
found in priv.h.  New privileges are easily added as required, but the
comments on adding privileges found in priv.h and priv(9) should be read
before doing so.

The new privilege interface exposed sufficient information to the
privilege checking routine that it will now be possible for jail to
determine whether a particular privilege is granted in the check routine,
rather than relying on hints from the calling context via the
SUSER_ALLOWJAIL flag.  For now, the flag is maintained, but a new jail
check function, prison_priv_check(), is exposed from kern_jail.c and used
by the privilege check routine to determine if the privilege is permitted
in jail.  As a result, a centralized list of privileges permitted in jail
is now present in kern_jail.c.

The MAC Framework is now also able to instrument privilege checks, both
to deny privileges otherwise granted (mac_priv_check()), and to grant
privileges otherwise denied (mac_priv_grant()), permitting MAC Policy
modules to implement privilege models, as well as control a much broader
range of system behavior in order to constrain processes running with
root privilege.

The suser() and suser_cred() functions remain implemented, now in terms
of priv_check() and the PRIV_ROOT privilege, for use during the transition
and possibly continuing use by third party kernel modules that have not
been updated.  The PRIV_DRIVER privilege exists to allow device drivers to
check privilege without adopting a more specific privilege identifier.

This change does not modify the actual security policy, rather, it
modifies the interface for privilege checks so changes to the security
policy become more feasible.

Sponsored by:		nCircle Network Security, Inc.
Obtained from:		TrustedBSD Project
Discussed on:		arch@
Reviewed (at least in part) by:	mlaier, jmg, pjd, bde, ceri,
			Alex Lyashkov <umka at sevcity dot net>,
			Skip Ford <skip dot ford at verizon dot net>,
			Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:37:19 +00:00
csjp
cf1f0416d1 Change the type of ar_arg_sockaddr from struct sockaddr to struct
sockaddr_storage.  This structure is defined in RFC 2553 and is a more
semantically correct structure for holding IP and IP6 sockaddr information.
struct sockaddr is not big enough to hold all the required information for
IP6, resulting in truncated addresses et al when auditing IP6 sockaddr
information.

We also need to assume that the sa->sa_len has been validated before the call to
audit_arg_sockaddr() is made, otherwise it could result in a buffer overflow.
This is being done to accommodate auditing of network related arguments (like
connect, bind et al) that will be added soon.

Discussed with:	rwatson
Obtained from:	TrustedBSD Project
MFC after:	2 weeks
2006-11-06 00:15:44 +00:00
rwatson
0c409b5873 Forward declare struct cdev, since arguments of this type are used in
function prototypes.

Obtained from:	TrustedBSD Project
2006-10-30 15:20:49 +00:00
rwatson
430a6e6576 Remove extra _MAC_ from #ifdef guard. 2006-10-25 13:14:25 +00:00
rwatson
7beaaf5cd2 Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h
begun with a repo-copy of mac.h to mac_framework.h.  sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.

This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA
2006-10-22 11:52:19 +00:00
rwatson
10cc7e208a Do allow jailed superuser to override the port ACL.
MFC after:	3 days
Submitted by:	Michal Mertl <mime at traveller dot cz>
2006-10-10 17:04:19 +00:00
csjp
fde20b9adc Mark the audit system calls as being un-implemented in jails. Currently we do
not trust jails enough to execute audit related system calls. An example of
this is with su(1), or login(1) within prisons. So, if the syscall request
comes from a jail return ENOSYS. This will cause these utilities to operate
as if audit is not present in the kernel.

Looking forward, this problem will be remedied by allowing non privileged
users to maintain and their own audit streams, but the details on exactly how
this will be implemented needs to be worked out.

This change should fix situations when options AUDIT has been compiled into
the kernel, and utilities like su(1), or login(1) fail due to audit system
call failures within jails.

This is a RELENG_6 candidate.

Reported by:	Christian Brueffer
Discussed with:	rwatson
MFC after:	3 days
2006-10-10 15:49:10 +00:00
rwatson
b648628439 Add BSM conversion switch entries for a number of system calls, many
administrative, to prevent console warnings and enable basic event
auditing (generally without arguments).

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-10-03 20:43:48 +00:00
rwatson
c780781f97 Trim some no longer XXX comments.
Remove some commented out debugging printfs.

MFC after:	3  days
Obtained from:	TrustedBSD Project
2006-10-02 11:32:23 +00:00
rwatson
8e20187251 Audit path argument when changing audit trails.
Call NDFREE(), which while not currently strictly necessary, isn't a
bad idea.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-10-02 06:56:10 +00:00
rwatson
d277f6ba71 Rework the way errors are handled with respect to how audit records are
written to the audit trail file:

- audit_record_write() now returns void, and all file system specific
  error handling occurs inside this function.  This pushes error handling
  complexity out of the record demux routine that hands off to both the
  trail and audit pipes, and makes trail behavior more consistent with
  pipes as a record destination.

- Rate limit kernel printfs associated with running low on space.  Rate
  limit audit triggers for low space.  Rate limit printfs for fail stop
  events.  Rate limit audit worker write error printfs.

- Document in detail the types of limits and space checks we perform, and
  combine common cases.

This improves the audit subsystems tolerance to low space conditions by
avoiding toasting the console with printfs are waking up the audit daemon
continuously.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-09-24 13:35:58 +00:00
rwatson
8e2099e1ea Merge OpenBSM 1.0 alpha 11 changes into src/sys/bsm and src/sys/security;
primarily, add new event identifiers and update trigger names.

Obtained from:	TrustedBSD Project
2006-09-21 07:27:02 +00:00
rwatson
5cab05d889 Remove MAC_DEBUG label counters, which were used to debug leaks and
other problems while labels were first being added to various kernel
objects.  They have outlived their usefulness.

MFC after:	1 month
Suggested by:	Christopher dot Vance at SPARTA dot com
Obtained from:	TrustedBSD Project
2006-09-20 13:33:41 +00:00
rwatson
6061806b7a Rather than allocating all buffer memory for the completed BSM record
when allocating the record in the first place, allocate the final buffer
when closing the BSM record.  At that point, more size information is
available, so a sufficiently large buffer can be allocated.

This allows the kernel to generate audit records in excess of
MAXAUDITDATA bytes, but is consistent with Solaris's behavior.  This only
comes up when auditing command line arguments, in which case we presume
the administrator really does want the data as they have specified the
policy flag to gather them.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2006-09-20 13:23:40 +00:00
rwatson
e63183ab3b Add missing white space in au_to_exec_{args,env}().
MFC after:	 3 days
2006-09-20 13:14:47 +00:00
csjp
bd41b31cc8 Make sure that lutimes(2) gets processed and converted into a BSM record.
Submitted by:	rwatson
MFC after:	1 day
2006-09-18 17:55:32 +00:00
rwatson
8b3f7ca1ce Declare security and security.bsd sysctl hierarchies in sysctl.h along
with other commonly used sysctl name spaces, rather than declaring them
all over the place.

MFC after:	1 month
Sponsored by:	nCircle Network Security, Inc.
2006-09-17 20:00:36 +00:00
csjp
d271a33920 Correct a slight regression which was introduced with the implementation of
audit pipes. If the kernel record was not selected for the trail or the pipe,
any user supplied record attached to it would be tossed away, resulting in
otherwise selected events being lost.

- Introduce two new masks: AR_PRESELECT_USER_TRAIL AR_PRESELECT_USER_PIPE,
  currently we have AR_PRESELECT_TRAIL and AR_PRESELECT_PIPE, which tells
  the audit worker that we are interested in the kernel record, with
  the additional masks we can determine if either the pipe or trail is
  interested in seeing the kernel or user record.

- In audit(2), we unconditionally set the AR_PRESELECT_USER_TRAIL and
  AR_PRESELECT_USER_PIPE masks under the assumption that userspace has
  done the preselection [1].

Currently, there is work being done that allows the kernel to parse and
preselect user supplied records, so in the future preselection could occur
in either layer. But there is still a few details to work out here.

[1] At some point we need to teach au_preselect(3) about the interests of
    all the individual audit pipes.

This is a RELENG_6 candidate.

Reviewed by:	rwatson
Obtained from:	TrustedBSD Project
MFC after:	1 week
2006-09-17 17:52:57 +00:00
rwatson
517cd09f4a Add AUE_SYSARCH to the list of audit events during BSM conversion to prevent
a console warning.  Eventually, we will capture more arguments for sysarch.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2006-09-17 11:42:40 +00:00
csjp
63e89c05d2 Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point
exists to allow the mandatory access control policy to properly initialize
mbufs generated by the firewall. An example where this might happen is keep
alive packets, or ICMP error packets in response to other packets.

This takes care of kernel panics associated with un-initialize mbuf labels
when the firewall generates packets.

[1] I modified this patch from it's original version, the initial patch
    introduced a number of entry points which were programmatically
    equivalent. So I introduced only one. Instead, we should leverage
    mac_create_mbuf_netlayer() which is used for similar situations,
    an example being icmp_error()

    This will minimize the impact associated with the MFC

Submitted by:	mlaier [1]
MFC after:	1 week

This is a RELENG_6 candidate
2006-09-12 04:25:13 +00:00
rwatson
b5865520e1 Add struct msg to the forwarded declared data structures in mac_policy.h.
Obtained from:	TrustedBSD Project
2006-09-09 16:35:44 +00:00
rwatson
a68eb47776 Add a BSM conversion switch case for AUE_GETCWD, so that a console
warning isn't generated when __getcwd() is invoked.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-09-09 10:23:44 +00:00
rwatson
81d9ff8b37 Small style cleanup.
MFC after:	3 days
2006-09-09 10:23:00 +00:00
rwatson
9af04e1fec White space cleanup, no functional change. 2006-09-04 06:06:23 +00:00
wsalamon
c62317c442 Audit the argv and env vectors passed in on exec:
Add the argument auditing functions for argv and env.
  Add kernel-specific versions of the tokenizer functions for the
  arg and env represented as a char array.
  Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to
  enable/disable argv/env auditing.
  Call the argument auditing from the exec system calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-09-01 11:45:40 +00:00
csjp
d35597591e Fix panic associated with file creation via RPC/NFS when the MLS policy
is loaded. This problem stems from the fact that the policy is not properly
initializing the mac label associated with the NFS daemon.

Obtained from:	TrustedBSD Project
Discussed with:	rwatson
2006-08-26 20:13:35 +00:00
rwatson
c9215ad31e Allow the user process to query the kernel's notion of a maximum
audit record size at run-time, which can be used by the user
process to size the user space buffer it reads into from the audit
pipe.

Perforce change:	105098
Obtained from:		TrustedBSD Project
2006-08-26 17:59:31 +00:00
rwatson
0e87efb2f4 Update kernel OpenBSM parts, especially src/sys/bsm, for the OpenBSM
1.0 alpha 9 import.  See the OpenBSM import commit message for a
detailed summary of changes.

Obtained from:  TrustedBSD Project
2006-08-26 08:17:58 +00:00
rwatson
31d250192d Remove $P4$ from this file; other then temporarily P4-local work in
progress the kernel audit code in CVS is considered authoritative.
This will ease $P4$-related merging issues during the CVS loopback.

Obtained from:	TrustedBSD Project
2006-08-25 07:30:23 +00:00
rwatson
1e4f4abfce Add kqueue support to audit pipe pseudo-devices.
Obtained from:	TrustedBSD Project
2006-08-24 17:42:38 +00:00
rwatson
2e4df4a141 Make mpo_associate_nfsd_label() return void, not int, to match
mac_associate_nfsd_label().

Head nod:	csjp
2006-08-06 16:56:15 +00:00
phk
0f924547b0 Remove the NDEVFSINO and NDEVFSOVERFLOW options which no longer exists in
DEVFS.

Remove the opt_devfs.h file now that it is empty.
2006-07-17 09:07:02 +00:00
csjp
0baddf7a5b Implement mpo_associate_nfsd_label entry point for the BIBA security policy,
we will initialize the label to biba/low for files that have been created
through an NFS RPC. This is a safe default given the default nature of our
NFS implementation, there is not a whole lot of data integrity there by
default. This also fixes kernel panics associated with file creation over NFS
while creating files on filesystems which have multilabel enabled with BIBA
enabled.

MFC after:	2 weeks
Discussed with:	rwatson
2006-07-10 19:13:32 +00:00
wsalamon
3f67fc0a68 Audit the remaining parameters to the extattr system calls. Generate
the audit records for those calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-07-06 19:33:38 +00:00
rwatson
981c1cc4c8 Correct a number of problems that were previously commented on:
- Correct audit_arg_socketaddr() argument name from so to sa.
- Assert arguments are non-NULL to many argument capture functions
  rather than testing them.  This may trip some bugs.
- Assert the process lock is held when auditing process
  information.
- Test currecord in several more places.
- Test validity of more arguments with kasserts, such as flag
  values when auditing vnode information.

Perforce change:	98825
Obtained from:		TrustedBSD Project
2006-07-03 14:55:55 +00:00
wsalamon
3a6d7ed2cf Make the size of the subject32_ex and process32_ex tokens depend on
whether we have an IPv6 address. Write the term ID as 4 or
16 bytes depending on address type. This change matches the recent
OpenBSM change, and what Solaris does.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-06-17 13:53:04 +00:00
rwatson
276b52de67 Lock process when copying fields from process structure so as to
get a consistent snapshot, as well as get consistent values (i.e.,
that p_comm is properly nul-terminated).

Perforce CID:	98824
Obtained from:	TrustedBSD Project
2006-06-08 21:58:04 +00:00
rwatson
f0de47503d Prefer C to C++ comments per style(9).
Perforce CID:	98826
Obtained from:	TrustedBSD Project
2006-06-08 21:55:39 +00:00
rwatson
abd4afc6be Extract pointer value for mnt_stat from vp after the NULL check, not
before.

Coverity ID:	134394
Found with:	Coverity Prevent (tm)
2006-06-06 08:43:27 +00:00
rwatson
abd422e295 Remove use of Giant around vn_open() in audit trail setup.
Submitted by:	jhb, wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 22:36:12 +00:00
rwatson
1063b3ddc4 When generating BSM tokens for mkfifo(), include mode argument.
Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 16:14:49 +00:00
rwatson
bc4af49415 When generating the process token, need to check whether the
process was sucessfully audited.  Otherwise, generate the PID
token. This change covers the pid < 0 cases, and pid lookup
failure cases.

Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 16:12:00 +00:00
rwatson
97c0c78df7 Consistently use audit_free() to free records, rather than
directly invoking uma_zfree().

Perforce change:	96652
Obtained from:		TrustedBSD Project
2006-06-05 15:38:12 +00:00
rwatson
4f317e1576 Introduce support for per-audit pipe preselection independent from the
global audit trail configuration.  This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present).  To implement this:

- Kernel audit records now carry a flag to indicate whether they have
  been selected by the global trail or by the audit pipe subsystem,
  set during record commit, so that this information is available
  after BSM conversion when delivering the BSM to the trail and audit
  pipes in the audit worker thread asynchronously.  Preselection by
  either record target will cause the record to be kept.

- Similar changes to preselection when the audit record is created
  when the system call is entering: consult both the global trail and
  pipes.

- au_preselect() now accepts the class in order to avoid repeatedly
  looking up the mask for each preselection test.

- Define a series of ioctls that allow applications to specify whether
  they want to track the global trail, or program their own
  preselection parameters: they may specify their own flags and naflags
  masks, similar to the global masks of the same name, as well as a set
  of per-auid masks.  They also set a per-pipe mode specifying whether
  they track the global trail, or user their own -- the door is left
  open for future additional modes.  A new ioctl is defined to allow a
  user process to flush the current audit pipe queue, which can be used
  after reprogramming pre-selection to make sure that only records of
  interest are received in future reads.

- Audit pipe data structures are extended to hold the additional fields
  necessary to support preselection.  By default, audit pipes track the
  global trail, so "praudit /dev/auditpipe" will track the global audit
  trail even though praudit doesn't program the audit pipe selection
  model.

- Comment about the complexities of potentially adding partial read
  support to audit pipes.

By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.

Obtained from:	TrustedBSD Project
2006-06-05 14:48:17 +00:00
rwatson
62baf512de Shorten audit record zone name.
Perforce change:	93598
Obtained from:	TrustedBSD Project
2006-06-05 14:11:28 +00:00
rwatson
805dfc4801 No longer unconditionally drain the audit record queue if there is
not an active audit trail: instead, continue to iterate through
each record in case an audit pipe is interested.

Obtained from:	TrustedBSD Project
2006-06-05 14:09:59 +00:00
rwatson
7ac842a4f9 Pull BSM conversion logic out of audit_record_write(), as well as
knowledge of user vs. kernel audit records into
audit_worker_process_record().  This largely confines vnode
knowledge to audit_record_write(), but avoids that logic knowing
about BSM as opposed to byte streams.  This will allow us to
improve our ability to support real-time audit stream processing
by audit pipe consumers while auditing is disabled, but this
support is not yet complete.

Obtained from:	TrustedBSD Project
2006-06-05 13:50:02 +00:00
rwatson
03ff784a40 Assert audit mtx in audit_worker_drain().
Break out logic to call audit_record_write() and handle error
conditions into audit_worker_process_record().  This will be the
future home of some logic now present in audit_record_write()
also.

Obtained from:	TrustedBSD Project
2006-06-05 13:46:55 +00:00
rwatson
9c450e4c02 Use struct kaudit_queue instead of a hand-crafted queue type for
audit records in the audit_worker thread.

Obtained from:	TrustedBSD Project
2006-06-05 13:45:05 +00:00
rwatson
4f92724562 Rename audit_cv to audit_worker_cv, as it wakes up the audit
worker.

Rename audit_commit_cv to audit_watermark_cv, since it is there to
wake up threads waiting on hitting the low watermark.  Describe
properly in comment.

Obtained from:	TrustedBSD Project
2006-06-05 13:43:57 +00:00
rwatson
bfd8acfedd Merge OpenBSM 1.0 alpha 6 changes for BSM token creation to
src/sys/security/audit:

- Clarify and clean up AUR_ types to match Solaris.
- Clean up use of host vs. network byte order for IP addresses.
- Remove combined user/kernel implementations of some token creation
  calls, such as au_to_file(), header calls, etc.

Obtained from:	TrustedBSD Project
2006-06-05 13:13:02 +00:00
csjp
65422bb622 Check to see if the rootdir is the same as the current working directory.
If it is, and the pathname was relative, do not separate the componenets
with a '/' character.

Obtained from:	TrustedBSD Project
2006-06-01 15:38:30 +00:00
rwatson
6b4573613f Reconstitute struct mac_policy_ops by breaking out individual function
pointer prototypes from it into their own typedefs.  No functional or
ABI change.  This allows policies to declare their own function
prototypes based on a common definition from mac_policy.h rather than
duplicating these definitions.

Obtained from:	SEDarwin, SPARTA
MFC after:	1 month
2006-04-26 14:18:55 +00:00
dwmalone
b6a2964430 Add some new options to mac_bsdestended. We can now match on:
subject: ranges of uid, ranges of gid, jail id
	objects: ranges of uid, ranges of gid, filesystem,
		object is suid, object is sgid, object matches subject uid/gid
		object type

We can also negate individual conditions. The ruleset language is
a superset of the previous language, so old rules should continue
to work.

These changes require a change to the API between libugidfw and the
mac_bsdextended module. Add a version number, so we can tell if
we're running mismatched versions.

Update man pages to reflect changes, add extra test cases to
test_ugidfw.c and add a shell script that checks that the the
module seems to do what we expect.

Suggestions from: rwatson, trhodes
Reviewed by: trhodes
MFC after: 2 months
2006-04-23 17:06:18 +00:00
csjp
be495bef58 Introduce a new MAC entry point for label initialization of the NFS daemon's
credential: mac_associate_nfsd_label()

This entry point can be utilized by various Mandatory Access Control policies
so they can properly initialize the label of files which get created
as a result of an NFS operation. This work will be useful for fixing kernel
panics associated with accessing un-initialized or invalid vnode labels.

The implementation of these entry points will come shortly.

Obtained from:	TrustedBSD
Requested by:	mdodd
MFC after:	3 weeks
2006-04-06 23:33:11 +00:00
tegge
6d1ce4168f Don't call vn_finished_write() if vn_start_write() failed. 2006-03-19 20:43:07 +00:00
rwatson
9c0a4e82f3 Merge Perforce change 93581 from TrustedBSD audit3 branch:
Mega-style patch.

Obtained from:	TrustedBSD Project
2006-03-19 17:34:00 +00:00
rwatson
6163ee5a7b Merge Perforce changes 93512, 93514, 93515 from TrustedBSD audit3
branch:

  Integrate audit.c to audit_worker.c, so as to migrate the worker
  thread implementation to its own .c file.

  Populate audit_worker.c using parts now removed from audit.c:

  - Move audit rotation global variables.
  - Move audit_record_write(), audit_worker_rotate(),
    audit_worker_drain(), audit_worker(), audit_rotate_vnode().
  - Create audit_worker_init() from relevant parts of audit_init(),
    which now calls this routine.
  - Recreate audit_free(), which wraps uma_zfree() so that
    audit_record_zone can be static to audit.c.
  - Unstaticize various types and variables relating to the audit
    record queue so that audit_worker can get to them.  We may want
    to wrap these in accessor methods at some point.
  - Move AUDIT_PRINTF() to audit_private.h.

  Addition of audit_worker.c to kernel configuration, missed in
  earlier submit.

Obtained from:	TrustedBSD Project
2006-03-19 16:03:43 +00:00
rwatson
bae874c2cb Merge Perforce change 93570 from TrustedBSD audit3 branch:
Add audit pipe ioctls to query minimum and maximum audit queue
  lengths.

Obtained from:	TrustedBSD Project
2006-03-19 15:39:03 +00:00
rwatson
2b1a7974d7 Merge Perforce change 93567 from TrustedBSD audit3 branch:
Bump default queue limit for audit pipes from 32 to 128, since 32 is
  pretty small.

Obtained from:	TrustedBSD Project
2006-03-19 15:38:03 +00:00
rwatson
4931de581d Merge Perforce change 93568 from TrustedBSD audit3 branch:
Normalize nested include guards.

Obtained from:	TrustedBSD Project
2006-03-19 15:37:04 +00:00
rwatson
a74ff4762f Merge Perforce change 93506 from TrustedBSD audit3 branch:
Add ioctls to audit pipes in order to allow querying of the current
  record queue state, setting of the queue limit, and querying of pipe
  statistics.

Obtained from:	TrustedBSD Project
2006-03-19 15:36:10 +00:00
rwatson
e07f710abc Merge perforce 93507:
Correct comment: this print is now from audit_record_write(), not
  audit_worker().

Obtained from:	TrustedBSD Project
2006-03-18 18:32:12 +00:00
rwatson
7c231dc685 Merge perforce change 93199:
Change send_trigger() prototype to return an int, so that user
  space callers can tell if the message was successfully placed
  in the trigger queue.  This isn't quite the same as it being
  successfully received, but is close enough that we can generate
  a more useful warning message in audit(8).

Obtained from:	TrustedBSD Project
2006-03-18 18:31:24 +00:00
dwmalone
38417d76b6 Create a mac_bsdextended_check_vp function that takes a cred, a
vnode and a mode and checks if a given access mode is permitted.
This centralises the mac_bsdextended_enabled check and the GETATTR
calls and makes the implementation of the mac policy methods simple.

This should make it easier for us to match vnodes on more complex
attributes than just uid and gid in the future, but for now there
should be no functional change.

Approved/Reviewed by:	rwatson, trhodes
MFC after:	1 month
2006-03-04 20:47:19 +00:00
rwatson
fb6445828e Count drops when the first of two pipe mallocs fails.
Obtained from:	TrustedBSD Project
2006-03-04 17:09:17 +00:00
rwatson
20bce94704 Update src/sys/security/audit for OpenBSM 1.0 alpha 5:
- Include audit_internal.h to get definition of internal audit record
  structures, as it's no longer in audit.h.  Forward declare au_record
  in audit_private.h as not all audit_private.h consumers care about
  it.

- Remove __APPLE__ compatibility bits that are subsumed by configure
  for user space.

- Don't expose in6_addr internals (non-portable, but also cleaner
  looking).

- Avoid nested include of audit.h in audit_private.h.

Obtained from:	TrustedBSD Project
2006-03-04 17:00:55 +00:00
tegge
774f51ad2c Eliminate a deadlock when creating snapshots. Blocking vn_start_write() must
be called without any vnode locks held.  Remove calls to vn_start_write() and
vn_finished_write() in vnode_pager_putpages() and add these calls before the
vnode lock is obtained to most of the callers that don't already have them.
2006-03-02 22:13:28 +00:00
rwatson
5bbcd52e55 Add stub AUE_EACCESS entry.
Obtained from:	TrustedBSD Project
2006-02-11 23:55:08 +00:00
rwatson
bf57809309 Initialize user process audit ID to AU_DEFAUDITID so that init and
its pre-authentication children are covered by naflags.

Obtained from:	TrustedBSD Project
2006-02-11 23:53:00 +00:00
rwatson
93a12ad07f Acquire vnode lock around call to VOP_GETATTR() in audit_record_write().
In the future, we may want to acquire the lock early in the function and
hold it across calls to vn_rdwr(), etc, to avoid multiple acquires.

Spotted by:	kris (bugmagnet)
Obtained from:	TrustedBSD Project
2006-02-07 23:44:31 +00:00
rwatson
bc3d3926ef Fix queue drop logic when the queue overflows: decrement queue length.
Obtained from:	TrustedBSD Project
2006-02-07 14:46:26 +00:00
rwatson
a1af4bcfbd Add support for audit pipe special devices, which allow user space
applications to insert a "tee" in the live audit event stream.  Records
are inserted into a per-clone queue so that user processes can pull
discreet records out of the queue.  Unlike delivery to disk, audit pipes
are "lossy", dropping records in low memory conditions or when the
process falls behind real-time events.  This mechanism is appropriate
for use by live monitoring systems, host-based intrusion detection, etc,
and avoids applications having to dig through active on-disk trails that
are owned by the audit daemon.

Obtained from:	TrustedBSD Project
2006-02-06 22:50:39 +00:00
rwatson
f29a000e6f Manage audit record memory with the slab allocator, turning
initialization routines into a ctor, tear-down to a dtor, cleaning
up, etc.  This will allow audit records to be allocated from
per-cpu caches.

On recent FreeBSD, dropping the audit_mtx around freeing to UMA is
no longer required (at one point it was possible to acquire Giant
on that path), so a mutex-free thread-local drain is no longer
required.

Obtained from:	TrustedBSD Project
2006-02-06 22:30:54 +00:00
rwatson
8b356bb2d7 When GC'ing a thread, assert that it has no active audit record.
This should not happen, but with this assert, brueffer and I would
not have spent 45 minutes trying to figure out why he wasn't
seeing audit records with the audit version in CVS.

Obtained from:	TrustedBSD Project
2006-02-05 21:06:09 +00:00
rwatson
2301c52905 Cast pointers to (uintptr_t) before down-casting to (int). This avoids
an incompatible conversion from a 64-bit pointer to a 32-bit integer on
64-bit platforms.  We will investigate whether Solaris uses a 64-bit
token here, or a new record here, in order to avoid truncating user
pointers that are 64-bit.  However, in the mean time, truncation is fine
as these are rarely/never used fields in audit records.

Obtained from:	TrustedBSD Project
2006-02-04 00:14:06 +00:00
rwatson
0bab7ecd73 Fix INVARIANTS build on amd64; (unsigned unsigned long) != u_int64_t.
Submitted by:	mlaier
2006-02-03 23:50:26 +00:00
rwatson
d0b8d11335 Remove user.h include in audit.h, it is unneeded, and also can cause
build problems for other components that include audit.h.
2006-02-03 15:49:07 +00:00
rwatson
36f0dbe4c4 Add new fields to process-related data structures:
- td_ar to struct thread, which holds the in-progress audit record during
  a system call.

- p_au to struct proc, which holds per-process audit state, such as the
  audit identifier, audit terminal, and process audit masks.

In the earlier implementation, td_ar was added to the zero'd section of
struct thread.  In order to facilitate merging to RELENG_6, it has been
moved to the end of the data structure, requiring explicit
initalization in the thread constructor.

Much help from:	wsalamon
Obtained from:	TrustedBSD Project
2006-02-02 00:37:05 +00:00
rwatson
e100506eaf Import kernel audit framework:
- Management of audit state on processes.
- Audit system calls to configure process and system audit state.
- Reliable audit record queue implementation, audit_worker kernel
  thread to asynchronously store records on disk.
- Audit event argument.
- Internal audit data structure -> BSM audit trail conversion library.
- Audit event pre-selection.
- Audit pseudo-device permitting kernel->user upcalls to notify auditd
  of kernel audit events.

Much work by:	wsalamon
Obtained from:	TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
csjp
d7fc1b7da4 Fix potential overrun of static stack allocated array which stores
the rules. If an array is N elements large, we can only access
elements 0..(N-1).

MFC after:	1 week
Found with:	Coverity Prevent(tm)
2006-01-15 01:02:20 +00:00
csjp
8db1bd7411 Introduce a new sysctl variable:
security.mac.biba.interfaces_equal

If non-zero, all network interfaces be created with the label:

biba/equal(equal-equal)

This is useful where programs which initialize network interfaces
do not have any labeling support. This includes dhclient and ppp. A
long term solution is to add labeling support into dhclient(8)
and ppp(8), and remove this variable.

It should be noted that this behavior is different then setting the:

security.mac.biba.trust_all_interfaces

sysctl variable, as this will create interfaces with a biba/high label.
Lower integrity processes are not able to write to the interface in this
event. The security.mac.biba.interfaces_equal will override
trust_all_interfaces.

The security.mac.biba.interfaces_equal variable will be set to zero
or disabled by default.

MFC after:	2 weeks
2005-12-31 05:06:59 +00:00
rwatson
be4f357149 Normalize a significant number of kernel malloc type names:
- Prefer '_' to ' ', as it results in more easily parsed results in
  memory monitoring tools such as vmstat.

- Remove punctuation that is incompatible with using memory type names
  as file names, such as '/' characters.

- Disambiguate some collisions by adding subsystem prefixes to some
  memory types.

- Generally prefer lower case to upper case.

- If the same type is defined in multiple architecture directories,
  attempt to use the same name in additional cases.

Not all instances were caught in this change, so more work is required to
finish this conversion.  Similar changes are required for UMA zone names.
2005-10-31 15:41:29 +00:00
csjp
63c5e35623 Lock object while we iterate through it's backing objects.
Discussed with:	alc
2005-10-09 02:37:27 +00:00
csjp
ac94e44f1f Use the correct object's backing_object_offset while calculating offsets.
While we are here, add a note that we need to lock the object before walking
the backing object list.

Pointed out by:	alc
Discussed with:	rwatson
2005-10-04 14:47:47 +00:00
csjp
390b4d50c1 Standard Giant push down operations for the Mandatory Access Control (MAC)
framework. This makes Giant protection around MAC operations which inter-
act with VFS conditional, based on the MPSAFE status of the file system.

Affected the following syscalls:

o __mac_get_fd
o __mac_get_file
o __mac_get_link
o __mac_set_fd
o __mac_set_file
o __mac_set_link

-Drop Giant all together in __mac_set_proc because the
 mac_cred_mmapped_drop_perms_recurse routine no longer requires it.
-Move conditional Giant aquisitions to after label allocation routines.
-Move the conditional release of Giant to before label de-allocation
 routines.

Discussed with:	rwatson
2005-10-04 14:32:58 +00:00
csjp
2c5fc25054 Conditionally pickup Giant in mac_cred_mmapped_drop_perms_recurse so
we can drop it all together in __mac_set_proc.

Reviewed by:	alc
Discussed with:	rwatson
2005-10-04 14:32:15 +00:00
rwatson
98b9a514bd Complete removal of mac_create_root_mount/mpo_create_root_mount MAC
interfaces.

Obtained from:	TrustedBSD Project
Submitted by:	Chris Vance <Christopher dot Vance at SPARTA dot com>
MFC after:	3 days
2005-10-02 09:53:00 +00:00
trhodes
b8a072188d Allow the root user to be aware of other credentials by virtue
of privilege.

Submitted by:	rwatson
2005-09-30 23:41:10 +00:00
phk
59a2d96944 Add #include <sys/sx.h>, devfs is going to require this shortly. 2005-09-19 18:52:51 +00:00
rwatson
583b25a64f Remove mac_create_root_mount() and mpo_create_root_mount(), which
provided access to the root file system before the start of the
init process.  This was used briefly by SEBSD before it knew about
preloading data in the loader, and using that method to gain
access to data earlier results in fewer inconsistencies in the
approach.  Policy modules still have access to the root file system
creation event through the mac_create_mount() entry point.

Removed now, and will be removed from RELENG_6, in order to gain
third party policy dependencies on the entry point for the lifetime
of the 6.x branch.

MFC after:	3 days
Submitted by:	Chris Vance <Christopher dot Vance at SPARTA dot com>
Sponsored by:	SPARTA
2005-09-19 13:59:57 +00:00
rwatson
76d2953e39 Insert a series of place-holder function pointers in mac_policy.h for
entry points that will be inserted over the life-time of the 6.x branch,
including for:

- New struct file labeling (void * already added to struct file), events,
  access control checks.
- Additional struct mount access control checks, internalization/
  externalization.
- mac_check_cap()
- System call enter/exit check and event.
- Socket and vnode ioctl entry points.

MFC after:	3 days
2005-08-08 16:09:33 +00:00
trhodes
0336212d34 If a "hole" opens up in the ruleset (i.e.: remove 5), do not return
unknown error.  Instead, just return error.

Submitted by:	avatar
Tested by:	trhodes
2005-07-28 13:55:12 +00:00
rwatson
371afb1eec Remove duplicate initialization of mpo_create_stub pointer.
PR:		83779
Submitted by:	Wojciech A. Koszek <dunstan at freebsd dot czest dot pl>
MFC after:	3 days
2005-07-21 17:17:51 +00:00
rwatson
0889b69634 Bump the module versions of the MAC Framework and MAC policy modules
from 2 (6.x) to 3 (7.x) to allow for future changes in the MAC policy
module ABI in 7.x.

Obtained from:	TrustedBSD Project
2005-07-14 10:46:03 +00:00
rwatson
79690d711b When devfs cloning takes place, provide access to the credential of the
process that caused the clone event to take place for the device driver
creating the device.  This allows cloned device drivers to adapt the
device node based on security aspects of the process, such as the uid,
gid, and MAC label.

- Add a cred reference to struct cdev, so that when a device node is
  instantiated as a vnode, the cloning credential can be exposed to
  MAC.

- Add make_dev_cred(), a version of make_dev() that additionally
  accepts the credential to stick in the struct cdev.  Implement it and
  make_dev() in terms of a back-end make_dev_credv().

- Add a new event handler, dev_clone_cred, which can be registered to
  receive the credential instead of dev_clone, if desired.

- Modify the MAC entry point mac_create_devfs_device() to accept an
  optional credential pointer (may be NULL), so that MAC policies can
  inspect and act on the label or other elements of the credential
  when initializing the skeleton device protections.

- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(),
  so that the pty clone credential is exposed to the MAC Framework.

While currently primarily focussed on MAC policies, this change is also
a prerequisite for changes to allow ptys to be instantiated with the UID
of the process looking up the pty.  This requires further changes to the
pty driver -- in particular, to immediately recycle pty nodes on last
close so that the credential-related state can be recreated on next
lookup.

Submitted by:	Andrew Reisse <andrew.reisse@sparta.com>
Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
MFC after:	1 week
MFC note:	Merge to 6.x, but not 5.x for ABI reasons
2005-07-14 10:22:09 +00:00
rwatson
5e71112509 Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is
redundant with respect to existing mbuf copy label routines.  Expose
a new mac_copy_mbuf() routine at the top end of the Framework and
use that; use the existing mpo_copy_mbuf_label() routine on the
bottom end.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, SPAWAR
Approved by:	re (scottl)
2005-07-05 23:39:51 +00:00
rwatson
efcac3d02e Add MAC Framework and MAC policy entry point mac_check_socket_create(),
which is invoked from socket() and socketpair(), permitting MAC
policy modules to control the creation of sockets by domain, type, and
protocol.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, SPAWAR
Approved by:	re (scottl)
Requested by:	SCC
2005-07-05 22:49:10 +00:00
csjp
949ce50a1c Correct grammar error in comment
MFC after:	3 days
2005-06-10 04:44:38 +00:00
rwatson
ee01c1bf47 Gratuitous renaming of four System V Semaphore MAC Framework entry
points to convert _sema() to _sem() for consistency purposes with
respect to the other semaphore-related entry points:

mac_init_sysv_sema() -> mac_init_sysv_sem()
mac_destroy_sysv_sem() -> mac_destroy_sysv_sem()
mac_create_sysv_sema() -> mac_create_sysv_sem()
mac_cleanup_sysv_sema() -> mac_cleanup_sysv_sem()

Congruent changes are made to the policy interface to support this.

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
2005-06-07 05:03:28 +00:00
rwatson
2197ab2d93 Introduce MAC Framework and MAC Policy entry points to label and control
access to POSIX Semaphores:

mac_init_posix_sem()            Initialize label for POSIX semaphore
mac_create_posix_sem()          Create POSIX semaphore
mac_destroy_posix_sem()         Destroy POSIX semaphore
mac_check_posix_sem_destroy()   Check whether semaphore may be destroyed
mac_check_posix_sem_getvalue()  Check whether semaphore may be queried
mac_check_possix_sem_open()     Check whether semaphore may be opened
mac_check_posix_sem_post()      Check whether semaphore may be posted to
mac_check_posix_sem_unlink()    Check whether semaphore may be unlinked
mac_check_posix_sem_wait()      Check whether may wait on semaphore

Update Biba, MLS, Stub, and Test policies to implement these entry points.
For information flow policies, most semaphore operations are effectively
read/write.

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Sponsored by:	DARPA, McAfee, SPARTA
Obtained from:	TrustedBSD Project
2005-05-04 10:39:15 +00:00
trhodes
f02068c038 Get the directory structure correct in a comment.
Submitted by:	Samy Al Bahra
2005-04-22 19:09:12 +00:00
trhodes
01f75275c6 Add locking support to mac_bsdextended:
- Introduce a global mutex, mac_bsdextended_mtx, to protect the rule
   array and hold this mutex over use and modification of the rule array
   and rules.
- Re-order and clean up sysctl_rule so that copyin/copyout/update happen
   in the right order (suggested by: jhb done by rwatson).
2005-04-22 18:49:30 +00:00
rwatson
75030e30f6 Introduce p_canwait() and MAC Framework and MAC Policy entry points
mac_check_proc_wait(), which control the ability to wait4() specific
processes.  This permits MAC policies to limit information flow from
children that have changed label, although has to be handled carefully
due to common programming expectations regarding the behavior of
wait4().  The cr_seeotheruids() check in p_canwait() is #if 0'd for
this reason.

The mac_stub and mac_test policies are updated to reflect these new
entry points.

Sponsored by:	SPAWAR, SPARTA
Obtained from:	TrustedBSD Project
2005-04-18 13:36:57 +00:00
rwatson
155bfd8789 Introduce three additional MAC Framework and MAC Policy entry points to
control socket poll() (select()), fstat(), and accept() operations,
required for some policies:

        poll()          mac_check_socket_poll()
        fstat()         mac_check_socket_stat()
        accept()        mac_check_socket_accept()

Update mac_stub and mac_test policies to be aware of these entry points.
While here, add missing entry point implementations for:

        mac_stub.c      stub_check_socket_receive()
        mac_stub.c      stub_check_socket_send()
        mac_test.c      mac_test_check_socket_send()
        mac_test.c      mac_test_check_socket_visible()

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
2005-04-16 18:46:29 +00:00
rwatson
76ab38319d In mac_get_fd(), remove unconditional acquisition of Giant around copying
of the socket label to thread-local storage, and replace it with
conditional acquisition based on debug.mpsafenet.  Acquire the socket
lock around the copy operation.

In mac_set_fd(), replace the unconditional acquisition of Giant with
the conditional acquisition of Giant based on debug.mpsafenet.  The socket
lock is acquired in mac_socket_label_set() so doesn't have to be
acquired here.

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
2005-04-16 18:33:13 +00:00
rwatson
51183f0f84 Introduce new MAC Framework and MAC Policy entry points to control the use
of system calls to manipulate elements of the process credential,
including:

        setuid()                mac_check_proc_setuid()
        seteuid()               mac_check_proc_seteuid()
        setgid()                mac_check_proc_setgid()
        setegid()               mac_check_proc_setegid()
        setgroups()             mac_check_proc_setgroups()
        setreuid()              mac_check_proc_setreuid()
        setregid()              mac_check_proc_setregid()
        setresuid()             mac_check_proc_setresuid()
        setresgid()             mac_check_rpoc_setresgid()

MAC checks are performed before other existing security checks; both
current credential and intended modifications are passed as arguments
to the entry points.  The mac_test and mac_stub policies are updated.

Submitted by:	Samy Al Bahra <samy@kerneled.org>
Obtained from:	TrustedBSD Project
2005-04-16 13:29:15 +00:00
csjp
e89e83d7fe Move MAC check_vnode_mmap entry point out from being exclusive to
MAP_SHARED so that the entry point gets executed un-conditionally.
This may be useful for security policies which want to perform access
control checks around run-time linking.

-add the mmap(2) flags argument to the check_vnode_mmap entry point
 so that we can make access control decisions based on the type of
 mapped object.
-update any dependent API around this parameter addition such as
 function prototype modifications, entry point parameter additions
 and the inclusion of sys/mman.h header file.
-Change the MLS, BIBA and LOMAC security policies so that subject
 domination routines are not executed unless the type of mapping is
 shared. This is done to maintain compatibility between the old
 vm_mmap_vnode(9) and these policies.

Reviewed by:	rwatson
MFC after:	1 month
2005-04-14 16:03:30 +00:00
rwatson
6dcf0684c3 Remove an accidental clearing of the new label pointer on a system V
message queue, which was introduced during the merge process.

Submitted by:	Andrew Reisse <areisse at nailabs dot com>
2005-02-24 16:08:41 +00:00
rwatson
7c5ed76d62 Synchronize HEAD copyright/license with RELENG_5 copyright/license:
McAfee instead of NETA.
2005-02-13 13:59:34 +00:00
rwatson
21699da7bd Update copyright for NETA->McAfee. 2005-01-30 12:38:47 +00:00
rwatson
42803593a2 Remove policy references to mpo_check_vnode_mprotect(), which is
currently unimplemented.

Update copyrights.

Pointed out by:	csjp
2005-01-26 23:43:32 +00:00
rwatson
a47343e8a2 Remove an obsoleted comment about struct versions.
MFC after:	3 days
Pointed out by:	trhodes
2005-01-23 14:26:09 +00:00
rwatson
d2fe79f728 Update mac_test for MAC Framework policy entry points System V IPC
objects (message queues, semaphores, shared memory), exercising and
validating MAC labels on these objects.

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2005-01-22 20:31:29 +00:00
rwatson
1be78b7582 Update mac_stub for MAC Framework policy entry points System V IPC
objects (message queues, semaphores, shared memory).

Submitted by:   Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:  TrustedBSD Project
Sponsored by:   DARPA, SPAWAR, McAfee Research
2005-01-22 20:26:43 +00:00
rwatson
37fb320c8f Implement MLS confidentiality protection for System V IPC objects
(message queues, semaphores, shared memory).

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2005-01-22 20:11:16 +00:00
rwatson
75eae61520 Implement Biba integrity protection for System V IPC objects (message
queues, semaphores, shared memory).

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2005-01-22 20:07:11 +00:00
rwatson
f35086bd6a Exempt the superuser from mac_seeotheruids checks.
Submitted by:	bkoenig at cs dot tu-berlin dot de
PR:		72238
MFC after:	2 weeks
2005-01-03 12:08:18 +00:00
rwatson
a8ea643607 Add a new sysctl/tunable to mac_portacl:
security.mac.portacl.autoport_exempt

This sysctl exempts to bind port '0' as long as IP_PORTRANGELOW hasn't
been set on the socket.  This is quite useful as it allows applications
to use automatic binding without adding overly broad rules for the
binding of port 0.  This sysctl defaults to enabled.

This is a slight variation on the patch submitted by the contributor.

MFC after:	2 weeks
Submitted by:	Michal Mertl <mime at traveller dot cz>
2004-12-08 11:46:44 +00:00
rwatson
892d4bfa16 Switch from using an sx lock to a mutex for the mac_portacl rule chain:
the sx lock was used previously because we might sleep allocating
additional memory by using auto-extending sbufs.  However, we no longer
do this, instead retaining the user-submitted rule string, so mutexes
can be used instead.  Annotate the reason for not using the sbuf-related
rule-to-string code with a comment.

Switch to using TAILQ_CONCAT() instead of manual list copying, as it's
O(1), reducing the rule replacement step under the mutex from O(2N) to
O(2).

Remove now uneeded vnode-related includes.

MFC after:	2 weeks
2004-12-06 19:43:45 +00:00
rwatson
eca95622d4 Implement MAC entry points relating to System V IPC, calling into the
MAC policies to perform object life cycle operations and access
control checks.

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2004-11-17 13:14:24 +00:00
rwatson
bbe546d283 Define new MAC framework and policy entry points for System V IPC
objects and operations:

- System V IPC message, message queue, semaphore, and shared memory
  segment init, destroy, cleanup, create operations.

- System V IPC message, message queue, seamphore, and shared memory
  segment access control entry points, including rights to attach,
  destroy, and manipulate these IPC objects.

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2004-11-17 13:10:16 +00:00
rwatson
bd4e6ffd55 Bump MAC Framework version to 2 in preparation for the upcoming API/ABI
changes associated with adding System V IPC support.  This will prevent
old modules from being used with the new kernel, and new modules from
being used with the old kernel.
2004-11-09 11:28:40 +00:00
rwatson
3cbfc41798 Disable use of synchronization early in the boot by the MAC Framework;
for modules linked into the kernel or loaded very early, panics will
result otherwise, as the CV code it calls will panic due to its use
of a mutex before it is initialized.
2004-10-30 14:20:59 +00:00
rwatson
c00410266c /%x/%s/ -- mismerged DEBUGGER() printf() format stirng from the
TrustedBSD branch.

Submitted by:	bde
2004-10-23 15:12:34 +00:00
rwatson
9ca72eac8f Expand comments on various sections of the MAC Framework Policy API,
as well as document the properties of the mac_policy_conf structure.
Warn about the ABI risks in changing the structure without careful
consideration.

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR
2004-10-22 11:29:30 +00:00
rwatson
3da3030dca Replace direct reference to kdb_enter() with a DEBUGGER() macro that
will call printf() if KDB isn't compiled into the kernel.

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR
2004-10-22 11:24:50 +00:00
rwatson
0bd499671d Minor white space synchronization and line wrapping. 2004-10-22 11:15:47 +00:00
rwatson
705746618b In the MAC label zone destructor, assert that the label is only
destroyed in an initialized state.
2004-10-22 11:08:52 +00:00
rwatson
730226a1f3 Remove extern declaration of mac_enforce_sysv, as it's not present in
the CVS version of the MAC Framework.
2004-10-22 11:07:18 +00:00
rwatson
bcd25c3901 Bump copyright dates for NETA on these files. 2004-10-21 11:29:56 +00:00
rwatson
7fdf6e4ca5 Modify mac_bsdextended policy so that it defines its own vnode access
right bits rather than piggy-backing on the V* rights defined in
vnode.h.  The mac_bsdextended bits are given the same values as the V*
bits to make the new kernel module binary compatible with the old
version of libugidfw that uses V* bits.  This avoids leaking kernel
API/ABI to user management tools, and in particular should remove the
need for libugidfw to include vnode.h.

Requested by:	phk
2004-10-21 11:19:02 +00:00
trhodes
44506a9b68 Remove the debugging tunable, it was not being used.
Enable first match by default.[1]

We should:	rwatson [1]
2004-09-10 15:14:50 +00:00
trhodes
e8f5fe7524 Allow mac_bsdextended(4) to log failed attempts to syslog's AUTHPRIV
facility.  This is disabled by default but may be turned on by using
the mac_bsdextended_logging sysctl.

Reviewed by:	re (jhb)
Approved by:	re (jhb)
2004-08-21 20:19:19 +00:00
trhodes
1e23f58a1d Give the mac_bsdextended(4) policy the ability to match and apply on a first
rule only in place of all rules match.  This is similar to how ipfw(8) works.

Provide a sysctl, mac_bsdextended_firstmatch_enabled, to enable this
feature.

Reviewed by:	re (jhb)
Aprroved by:	re (jhb)
2004-08-21 20:15:08 +00:00
green
9532ab7116 * Add a "how" argument to uma_zone constructors and initialization functions
so that they know whether the allocation is supposed to be able to sleep
  or not.
* Allow uma_zone constructors and initialation functions to return either
  success or error.  Almost all of the ones in the tree currently return
  success unconditionally, but mbuf is a notable exception: the packet
  zone constructor wants to be able to fail if it cannot suballocate an
  mbuf cluster, and the mbuf allocators want to be able to fail in general
  in a MAC kernel if the MAC mbuf initializer fails.  This fixes the
  panics people are seeing when they run out of memory for mbuf clusters.
* Allow debug.nosleepwithlocks on WITNESS to be disabled, without changing
  the default.

Both bmilekic and jeff have reviewed the changes made to make failable
zone allocations work.
2004-08-02 00:18:36 +00:00
kan
155eb2ef69 Introduce SLOT_SET macro and use it in place of casts as lvalues. 2004-07-28 07:01:33 +00:00
rwatson
2c07de53fe Allow an effective uid of root to bypass mac_bsdextended rules; the MAC
Framework can restrict the root user, but this policy is not intended
to support that.

Stylish Swiss footwear provided for:	trhodes
2004-07-23 01:53:28 +00:00
rwatson
b41025be85 Rename Biba and MLS _single label elements to _effective, which more
accurately represents the intention of the 'single' label element in
Biba and MLS labels.  It also approximates the use of 'effective' in
traditional UNIX credentials, and avoids confusion with 'singlelabel'
in the context of file systems.

Inspired by:	trhodes
2004-07-16 02:03:50 +00:00
phk
5c95d686a1 Do a pass over all modules in the kernel and make them return EOPNOTSUPP
for unknown events.

A number of modules return EINVAL in this instance, and I have left
those alone for now and instead taught MOD_QUIESCE to accept this
as "didn't do anything".
2004-07-15 08:26:07 +00:00
marcel
c20ced5cd2 Update for the KDB framework:
o  Call kdb_enter() instead of Debugger().
2004-07-10 21:47:53 +00:00
rwatson
bff787dba3 Introduce a temporary mutex, mac_ifnet_mtx, to lock MAC labels on
network interfaces.  This global mutex will protect all ifnet labels.
Acquire the mutex across various MAC activities on interfaces, such
as security checks, propagating interface labels to mbufs generated
from the interface, retrieving and setting the interface label.

Introduce mpo_copy_ifnet_label MAC policy entry point to copy the
value of an interface label from one label to another.  Use this
to avoid performing a label externalize while holding mac_ifnet_mtx;
copy the label to a temporary ifnet label and then externalize that.

Implement mpo_copy_ifnet_label for various MAC policies that
implement interface labeling using generic label copying routines.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-06-24 03:34:46 +00:00
phk
dfd1f7fd50 Do the dreaded s/dev_t/struct cdev */
Bump __FreeBSD_version accordingly.
2004-06-16 09:47:26 +00:00
rwatson
f1bc833e95 Socket MAC labels so_label and so_peerlabel are now protected by
SOCK_LOCK(so):

- Hold socket lock over calls to MAC entry points reading or
  manipulating socket labels.

- Assert socket lock in MAC entry point implementations.

- When externalizing the socket label, first make a thread-local
  copy while holding the socket lock, then release the socket lock
  to externalize to userspace.
2004-06-13 02:50:07 +00:00
phk
f43aa0c4bc add missing #include <sys/module.h> 2004-05-30 20:27:19 +00:00
cperciva
be93053d2f Remove dead code. (This loop counted the number of rules, but the count
was never used.)

Reported by:	pjd
Approved by:	rwatson
2004-05-15 20:55:19 +00:00
rwatson
15cc971bcf Improve consistency of include file guards in src/sys/sys by terminating
them with '_', as well as beginning with '_'.

Observed by:	bde
2004-05-10 18:38:07 +00:00
rwatson
f42c13d962 If the mbuf pointer passed to mac_mbuf_to_label() is NULL, or the tag
lookup for the label tag fails, return NULL rather than something close
to NULL.  This scenario occurs if mbuf header labeling is optional and
a policy requiring labeling is loaded, resulting in some mbufs having
labels and others not.  Previously, 0x14 would be returned because the
NULL from m_tag_find() was not treated specially.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-05-03 23:37:48 +00:00
rwatson
9ec8ab1c20 Add /* !MAC */ to final #endif. 2004-05-03 22:54:46 +00:00
rwatson
4876681621 Update copyright. 2004-05-03 21:38:42 +00:00
rwatson
02791e2fb1 When performing label assertions on an mbuf header label in mac_test,
test the label pointer for NULL before testing the label slot for
permitted values.  When loading mac_test dynamically with conditional
mbuf labels, the label pointer may be NULL if the mbuf was
instantiated while labels were not required on mbufs by any policy.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-05-03 21:38:23 +00:00
rwatson
16bb0e59b9 Bump copyright date for NETA to 2004. 2004-05-03 20:53:27 +00:00
rwatson
a857ce2f0a Add MAC_STATIC, a kernel option that disables internal MAC Framework
synchronization protecting against dynamic load and unload of MAC
policies, and instead simply blocks load and unload.  In a static
configuration, this allows you to avoid the synchronization costs
associated with introducing dynamicism.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-05-03 20:53:05 +00:00
rwatson
c1b863ca38 Define BPFD_LOCK_ASSERT() to assert the BPF descriptor lock.
Assert the BPF descriptor lock in the MAC calls referencing live
BPF descriptors.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-02-29 15:33:56 +00:00
rwatson
72bc38c826 Forward declare struct proc, struct sockaddr, and struct thread, which
are employed in entry points later in the same include file.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Air Force Research Laboratory, McAfee Research
2004-02-26 20:44:50 +00:00
rwatson
5dcb04ba23 Forward declare struct bpf_d, struct ifnet, struct image_params, and
struct vattr in mac_policy.h.  This permits policies not
implementing entry points using these types to compile without
including include files with these types.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Air Force Research Laboratory
2004-02-26 16:15:14 +00:00
rwatson
94f1c2c12e Move inet and inet6 related MAC Framework entry points from mac_net.c
to a new mac_inet.c.  This code is now conditionally compiled based
on inet support being compiled into the kernel.

Move socket related MAC Framework entry points from mac_net.c to a new
mac_socket.c.

To do this, some additional _enforce MIB variables are now non-static.
In addition, mbuf_to_label() is now mac_mbuf_to_label() and non-static.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-02-26 03:51:04 +00:00
pjd
01d59d6bbb Reimplement sysctls handling by MAC framework.
Now I believe it is done in the right way.

Removed some XXMAC cases, we now assume 'high' integrity level for all
sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic.

Reviewed by:	rwatson
Approved by:	rwatson, scottl (mentor)
Tested with:	LINT (compilation), mac_biba(4) (functionality)
2004-02-22 12:31:44 +00:00
rwatson
90431761a2 Update my personal copyrights and NETA copyrights in the kernel
to use the "year1-year3" format, as opposed to "year1, year2, year3".
This seems to make lawyers more happy, but also prevents the
lines from getting excessively long as the years start to add up.

Suggested by:	imp
2004-02-22 00:33:12 +00:00
rwatson
178c27802a Commit file missed in last pass: MAC api uses 'struct pipepair', not
'struct pipe' now.
2004-02-01 21:52:09 +00:00
rwatson
b8e797cfe0 Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.

- Create a new "struct pipepair" object holding the two 'struct
  pipe' instances, struct mutex, and struct label reference.  Pipe
  structures now have a back-pointer to the pipe pair, and a
  'pipe_present' flag to indicate whether the half has been
  closed.

- Perform mutex init/destroy in zone init/destroy, avoiding
  reallocating the mutex for each pipe.  Perform most pipe structure
  setup in zone constructor.

- VM memory mappings for pageable buffers are still done outside of
  the UMA zone.

- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
  update many policies.  MAC labels are also handled outside of the
  UMA zone for now.  Label-only policy modules don't have to be
  recompiled, but if a module is recompiled, its pipe entry points
  will need to be updated.  If a module actually reached into the
  pipe structures (unlikely), that would also need to be modified.

These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.

On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place.  However, VM mapped buffers
are still released on half-close.

Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).

This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.

Reviewed by:	juli, tjr
Testing help:	dwhite, fenestro, scottl, et al
2004-02-01 05:56:51 +00:00
rwatson
63d4653d05 Pay attention to mac_portacl_enabled.
Submitted by:   simon
2004-01-20 18:33:02 +00:00
rwatson
8315bb904d Switch TCP over to using the inpcb label when responding in timed
wait, rather than the socket label.  This avoids reaching up to
the socket layer during connection close, which requires locking
changes.  To do this, introduce MAC Framework entry point
mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond()
instead of calling mac_create_mbuf_from_socket() or
mac_create_mbuf_netlayer().  Introduce MAC Policy entry point
mpo_create_mbuf_from_inpcb(), and implementations for various
policies, which generally just copy label data from the inpcb to
the mbuf.  Assert the inpcb lock in the entry point since we
require consistency for the inpcb label reference.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-12-17 14:55:11 +00:00
rwatson
02297e8cb3 interpvnodelabel can be NULL in mac_test_execve_transition(). This
only turned up when running mac_test side by side with a transitioning
policy such as SEBSD.  Make the NULL testing match
mac_test_execve_will_transition(), which already tested the vnode
label pointer for NULL.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-12-10 18:48:05 +00:00
rwatson
08335c63bf Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(),
and the mpo_create_cred() MAC policy entry point to
mpo_copy_cred_label().  This is more consistent with similar entry
points for creation and label copying, as mac_create_cred() was
called from crdup() as opposed to during process creation.  For
a number of policies, this removes the requirement for special
handling when copying credential labels, and improves consistency.

Approved by:	re (scottl)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-12-06 21:48:03 +00:00
rwatson
ebb0b7ecda Use UMA zone allocator for Biba and MLS labels rather than MALLOC(9).
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-18 04:11:52 +00:00
rwatson
9c969b771a Introduce a MAC label reference in 'struct inpcb', which caches
the   MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols.  This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.

This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.

For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks.  Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.

Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.

Reviewed by:	sam, bms
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
rwatson
aac8ea56d6 Don't implement mpo_destroy() for Biba, LOMAC, and MLS, as they
aren't allowed to be unloaded.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-17 01:04:07 +00:00
rwatson
7aa5c2497a Implement sockets support for __mac_get_fd() and __mac_set_fd()
system calls, and prefer these calls over getsockopt()/setsockopt()
for ABI reasons.  When addressing UNIX domain sockets, these calls
retrieve and modify the socket label, not the label of the
rendezvous vnode.

- Create mac_copy_socket_label() entry point based on
  mac_copy_pipe_label() entry point, intended to copy the socket
  label into temporary storage that doesn't require a socket lock
  to be held (currently Giant).

- Implement mac_copy_socket_label() for various policies.

- Expose socket label allocation, free, internalize, externalize
  entry points as non-static from mac_net.c.

- Use mac_socket_label_set() in __mac_set_fd().

MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and
mac_get_peer() to retrieve and set various socket labels without
directly invoking the getsockopt() interface.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 23:31:45 +00:00
rwatson
67feac6f9a Implement mac_get_peer(3) using getsockopt() with SOL_SOCKET and
SO_PEERLABEL.  This provides an interface to query the label of a
socket peer without embedding implementation details of mac_t in
the application.  Previously, sizeof(*mac_t) had to be specified
by an application when performing getsockopt().

Document mac_get_peer(3), and expand documentation of the other
mac_get(3) functions.  Note that it's possible to get EINVAL back
from mac_get_fd(3) when pointing it at an inappropriate object.

NOTE: mac_get_fd() and mac_set_fd() support for sockets will
follow shortly, so the documentation is slightly ahead of the
code.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 20:18:24 +00:00
rwatson
80614c45b2 Abstract the label checking and setting logic from
mac_setsockopt_label() into mac_socket_label_set(); make it non-static
so that it can be invoked from kern_mac.c for mac_set_fd().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 20:01:50 +00:00
rwatson
03b5c2cee8 Implement mpo_copy_{mbuf,pipe,vnode}_label() entry points for
mac_stub and mac_test.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 18:28:58 +00:00
rwatson
f9ad21ec5d Reduce gratuitous redundancy and length in function names:
mac_setsockopt_label_set() -> mac_setsockopt_label()
  mac_getsockopt_label_get() -> mac_getsockopt_label()
  mac_getsockopt_peerlabel_get() -> mac_getsockopt_peerlabel()

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-16 18:25:20 +00:00
rwatson
09b9eba3c3 Whitespace fix. 2003-11-16 03:17:30 +00:00