Commit Graph

825 Commits

Author SHA1 Message Date
rwatson
fbca48f8d5 The V* flags passed using an accmode_t to the access() and open()
access control checks in mac_bsdextended are not in the same
namespace as the MBI_ flags used in ugidfw policies, so add an
explicit conversion routine to get from one to the other.

Obtained from:	TrustedBSD Project
2008-10-30 10:13:53 +00:00
trasz
21b7d783c9 Commit part of accmode_t changes that I missed in previous commit.
Approved by:	rwatson (mentor)
2008-10-28 21:57:32 +00:00
rwatson
f29a8ec282 Break out strictly credential-related portions of mac_process.c into a
new file, mac_cred.c.

Obtained from:	TrustedBSD Project
2008-10-28 21:53:10 +00:00
trasz
0ad8692247 Introduce accmode_t. This is required for NFSv4 ACLs - it will be neccessary
to add more V* constants, and the variables changed by this patch were often
being assigned to mode_t variables, which is 16 bit.

Approved by:	rwatson (mentor)
2008-10-28 13:44:11 +00:00
rwatson
bc67134909 Rename mac_cred_mmapped_drop_perms(), which revokes access to virtual
memory mappings when the MAC label on a process changes, to
mac_proc_vm_revoke(),

It now also acquires its own credential reference directly from the
affected process rather than accepting one passed by the the caller,
simplifying the API and consumer code.

Obtained from:	TrustedBSD Project
2008-10-28 12:49:07 +00:00
rwatson
a2129bd144 Rename three MAC entry points from _proc_ to _cred_ to reflect the fact
that they operate directly on credentials: mac_proc_create_swapper(),
mac_proc_create_init(), and mac_proc_associate_nfsd().  Update policies.

Obtained from:	TrustedBSD Project
2008-10-28 11:33:06 +00:00
rwatson
4d410d139b Extended comment on why we consider a partition relabel request of "0" to
be a no-op request, and why this might have to change if we want to allow
leaving a partition someday.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2008-10-28 09:16:34 +00:00
rwatson
fde7dde174 Rename label_on_label() to partition_check(), which is far more
suggestive as to its actual function.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2008-10-28 09:12:13 +00:00
rwatson
14f91d091b Improve alphabetical sort order of stub entry points. 2008-10-28 08:50:09 +00:00
rwatson
e7cc073f03 When the mac_bsdextended policy is unloaded, free rule memory.
Obtained from:	TrustedBSD Project
MFC after:	3 days
2008-10-27 18:08:12 +00:00
rwatson
49799059b1 Add TrustedBSD credit to new ugidfw_internal.h file. 2008-10-27 12:12:23 +00:00
rwatson
3adba7f0f0 Break mac_bsdextended.c out into multiple .c files, with the base access
control logic and policy registration remaining in that file, and access
control checks broken out into other files by class of check.

Obtained from:	TrustedBSD Project
2008-10-27 12:09:15 +00:00
rwatson
af744391b6 Copy mac_bsdextended.c to two object-specific files as a prototype for how
modularize MAC policy layout.

Obtained from:	TrustedBSD Project
2008-10-27 11:46:19 +00:00
rwatson
432d006bae Implement MAC policy support for IPv6 fragment reassembly queues,
modeled on IPv4 fragment reassembly queue support.

Obtained from:	TrustedBSD Project
2008-10-26 22:46:37 +00:00
rwatson
0db6d4519c Add a MAC label, MAC Framework, and MAC policy entry points for IPv6
fragment reassembly queues.

This allows policies to label reassembly queues, perform access
control checks when matching fragments to a queue, update a queue
label when fragments are matched, and label the resulting
reassembled datagram.

Obtained from:	TrustedBSD Project
2008-10-26 22:45:18 +00:00
des
a1e1ad22e0 Fix a number of style issues in the MALLOC / FREE commit. I've tried to
be careful not to fix anything that was already broken; the NFSv4 code is
particularly bad in this respect.
2008-10-23 20:26:15 +00:00
des
66f807ed8b Retire the MALLOC and FREE macros. They are an abomination unto style(9).
MFC after:	3 months
2008-10-23 15:53:51 +00:00
bz
def7b5012b Add a mac_inpcb_check_visible implementation to all MAC policies
that handle mac_socket_check_visible.

Reviewed by:	rwatson
MFC after:	3 months (set timer; decide then)
2008-10-17 15:11:12 +00:00
bz
14874ad4f1 Add mac_inpcb_check_visible MAC Framework entry point, which is similar
to mac_socket_check_visible but operates on the inpcb.

Reviewed by:	rwatson
MFC after:	3 months (set timer, decide then)
2008-10-17 12:54:28 +00:00
bz
8e885f7f2d Use the label from the socket credential rather than the
solabel which was not set by the mac_partition policy.

Spotted by:	rwatson
Reviewed by:	rwatson
MFC after:	3 days
2008-10-17 08:58:33 +00:00
ed
4212d51a7d Remove unit2minor() use from kernel code.
When I changed kern_conf.c three months ago I made device unit numbers
equal to (unneeded) device minor numbers. We used to require
bitshifting, because there were eight bits in the middle that were
reserved for a device major number. Not very long after I turned
dev2unit(), minor(), unit2minor() and minor2unit() into macro's.
The unit2minor() and minor2unit() macro's were no-ops.

We'd better not remove these four macro's from the kernel, because there
is a lot of (external) code that may still depend on them. For now it's
harmless to remove all invocations of unit2minor() and minor2unit().

Reviewed by:	kib
2008-09-26 14:19:52 +00:00
attilio
23ff3dbeb8 Remove the suser(9) interface from the kernel. It has been replaced from
years by the priv_check(9) interface and just very few places are left.
Note that compatibility stub with older FreeBSD version
(all above the 8 limit though) are left in order to reduce diffs against
old versions. It is responsibility of the maintainers for any module, if
they think it is the case, to axe out such cases.

This patch breaks KPI so __FreeBSD_version will be bumped into a later
commit.

This patch needs to be credited 50-50 with rwatson@ as he found time to
explain me how the priv_check() works in detail and to review patches.

Tested by:      Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
Reviewed by:    rwatson
2008-09-17 15:49:44 +00:00
trasz
9303940ffe Remove VSVTX, VSGID and VSUID. This should be a no-op,
as VSVTX == S_ISVTX, VSGID == S_ISGID and VSUID == S_ISUID.

Approved by:	rwatson (mentor)
2008-09-10 13:16:41 +00:00
des
b5bc5d965b Unbreak the build.
Pointy hat to:	kevlo
2008-09-04 13:06:36 +00:00
kevlo
9f7bbf786b If the process id specified is invalid, the system call returns ESRCH 2008-09-04 10:44:33 +00:00
attilio
dbf35e279f Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread
was always curthread and totally unuseful.

Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
2008-08-28 15:23:18 +00:00
rwatson
acf5da1d35 More fully audit fexecve(2) and its arguments.
Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
2008-08-25 13:50:01 +00:00
rwatson
7815fba39c Use ERANGE instead of EOVERFLOW selected in r182059, this seems more
appropriate even if Solaris doesn't document it (E2BIG) or use it
(EOVERFLOW).

Submitted by:	nectar at apple dot com
Sponsored by:	Apple, Inc.
MFC after:	3 days
2008-08-24 19:55:10 +00:00
csjp
5419874562 Use sbuf_putc instead of sbuf_cat. This makes more sense, since we are
appending a single character to the buffer.

MFC after:	2 weeks
2008-08-24 03:12:17 +00:00
rwatson
78a117e6fa Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
    so that the general exec code isn't aware of the details of
    allocating, copying, and freeing labels, rather, simply passes in
    a void pointer to start and stop functions that will be used by
    the framework.  This change will be MFC'd.

(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
    allowing policies to declare which types of objects require label
    allocation, initialization, and destruction, and define a set of
    flags covering various supported object types (MPC_OBJECT_PROC,
    MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...).  This change reduces the
    overhead of compiling the MAC Framework into the kernel if policies
    aren't loaded, or if policies require labels on only a small number
    or even no object types.  Each time a policy is loaded or unloaded,
    we recalculate a mask of labeled object types across all policies
    present in the system.  Eliminate MAC_ALWAYS_LABEL_MBUF option as it
    is no longer required.

MFC after:	1 week ((1) only)
Reviewed by:	csjp
Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
2008-08-23 15:26:36 +00:00
rwatson
74fdf0ae73 When getaudit(2) is unable to fit the terminal IPv6 address into the
space provided by its argument structure, return EOVERFLOW instead of
E2BIG.  The latter is documented in Solaris's man page, but the
former is implemented.  In either case, the caller should use
getaudit_addr(2) to return the IPv6 address.

Submitted by:	sson
Obtained from:	Apple, Inc.
MFC after:	3 days
2008-08-23 14:39:01 +00:00
csjp
4c2ecbd8bd Make sure we check the preselection masks present for all audit pipes.
It is possible that the audit pipe(s) have different preselection configs
then the global preselection mask.

Spotted by:	Vincenzo Iozzo
MFC after:	2 weeks
2008-08-11 20:14:56 +00:00
des
c2c1c946ae Add sbuf_new_auto as a shortcut for the very common case of creating a
completely dynamic sbuf.

Obtained from:	Varnish
MFC after:	2 weeks
2008-08-09 11:14:05 +00:00
rwatson
e6f6fc88e2 Minor style tweaks. 2008-08-02 22:30:51 +00:00
rwatson
7b3a18a595 Rename mac_partition_enabled to partition_enabled to synchronize with
other policies that similarly now avoid the additional mac_ prefix on
variables.

MFC after:	soon
2008-08-02 20:53:59 +00:00
rwatson
e3839f1499 In mac_bsdextended's auditctl and acct policy access control checks,
return success if the passed vnode pointer is NULL (rather than
panicking).  This can occur if either audit or accounting are
disabled while the policy is running.

Since the swapoff control has no real relevance to this policy,
which is concerned about intent to write rather than water under the
bridge, remove it.

PR:             kern/126100
Reported by:    Alan Amesbury <amesbury at umn dot edu>
MFC after:      3 days
2008-07-31 20:49:12 +00:00
csjp
743d0edd92 Currently, BSM audit pathname token generation for chrooted or jailed
processes are not producing absolute pathname tokens.  It is required
that audited pathnames are generated relative to the global root mount
point.  This modification changes our implementation of audit_canon_path(9)
and introduces a new function: vn_fullpath_global(9) which performs a
vnode -> pathname translation relative to the global mount point based
on the contents of the name cache.  Much like vn_fullpath,
vn_fullpath_global is a wrapper function which called vn_fullpath1.

Further, the string parsing routines have been converted to use the
sbuf(9) framework.  This change also removes the conditional acquisition
of Giant, since the vn_fullpath1 method will not dip into file system
dependent code.

The vnode locking was modified to use vhold()/vdrop() instead the vref()
and vrele().  This will modify the hold count instead of modifying the
user count.  This makes more sense since it's the kernel that requires
the reference to the vnode.  This also makes sure that the vnode does not
get recycled we hold the reference to it. [1]

Discussed with:	rwatson
Reviewed by:	kib [1]
MFC after:	2 weeks
2008-07-31 16:57:41 +00:00
rwatson
b8596e4794 Further synchronization of copyrights, licenses, white space, etc from
Apple and from the OpenBSM vendor tree.

Obtained from:	Apple Inc., TrustedBSD Project
MFC after:	3 days
2008-07-31 09:54:35 +00:00
rwatson
5a7f32b6bb Minor white space tweak.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-23 07:42:31 +00:00
rwatson
cd2c5f1658 If an AUE_SYSCTL_NONADMIN audit event is selected, generate a record
with equivilent content to AUE_SYSCTL.

Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:54:32 +00:00
rwatson
08b4415065 Further minor style fixes to audit.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:49:30 +00:00
rwatson
127019df41 Remove unneeded \ at the end of a macro.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:08:27 +00:00
rwatson
50a48758fb Further minor white space tweaks.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:06:49 +00:00
rwatson
979e045da6 Generally avoid <space><tab> as a white space anomoly.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:44:48 +00:00
rwatson
e116c89c78 Use #define<tab> rather than #define<space>.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:21:59 +00:00
rwatson
91cafa1d13 Comment fix.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:02:21 +00:00
rwatson
1c685378bd Comment typo fix.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:54:10 +00:00
rwatson
01de8b976c Minor white space synchronization to Apple version of security audit.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:49:19 +00:00
rwatson
6a481435b2 In preparation to sync Apple and FreeBSD versions of security audit,
pick up the Apple Computer -> Apple change in their copyright and
license templates.

Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:29:48 +00:00
rwatson
c3ca4b7705 Use unsigned int when iterating over groupsets in audit_arg_groupset().
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:17:21 +00:00
jhb
411d068395 Rework the lifetime management of the kernel implementation of POSIX
semaphores.  Specifically, semaphores are now represented as new file
descriptor type that is set to close on exec.  This removes the need for
all of the manual process reference counting (and fork, exec, and exit
event handlers) as the normal file descriptor operations handle all of
that for us nicely.  It is also suggested as one possible implementation
in the spec and at least one other OS (OS X) uses this approach.

Some bugs that were fixed as a result include:
- References to a named semaphore whose name is removed still work after
  the sem_unlink() operation.  Prior to this patch, if a semaphore's name
  was removed, valid handles from sem_open() would get EINVAL errors from
  sem_getvalue(), sem_post(), etc.  This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a
  process exited or exec'd.  They were only cleaned up if the process
  did an explicit sem_destroy().  This could result in a leak of semaphore
  objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to
  'struct ksem' of an unnamed semaphore (created via sem_init)) and had
  write access to the semaphore based on UID/GID checks, then that other
  process could manipulate the semaphore via sem_destroy(), sem_post(),
  sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the proces
  creating the semaphore was not honored.  Thus if your umask denied group
  read/write access but the explicit mode in the sem_init() call allowed
  it, the semaphore would be readable/writable by other users in the
  same group, for example.  This includes access via the previous bug.
- If the module refused to unload because there were active semaphores,
  then it might have deregistered one or more of the semaphore system
  calls before it noticed that there was a problem.  I'm not sure if
  this actually happened as the order that modules are discovered by the
  kernel linker depends on how the actual .ko file is linked.  One can
  make the order deterministic by using a single module with a mod_event
  handler that explicitly registers syscalls (and deregisters during
  unload after any checks).  This also fixes a race where even if the
  sem_module unloaded first it would have destroyed locks that the
  syscalls might be trying to access if they are still executing when
  they are unloaded.

  XXX: By the way, deregistering system calls doesn't do any blocking
  to drain any threads from the calls.
- Some minor fixes to errno values on error.  For example, sem_init()
  isn't documented to return ENFILE or EMFILE if we run out of semaphores
  the way that sem_open() can.  Instead, it should return ENOSPC in that
  case.

Other changes:
- Kernel semaphores now use a hash table to manage the namespace of
  named semaphores nearly in a similar fashion to the POSIX shared memory
  object file descriptors.  Kernel semaphores can now also have names
  longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
  in their pathname.
- The UID/GID permission checks for access to a named semaphore are now
  done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various
  MAC checks for POSIX semaphores accept both a file credential and an
  active credential.  There is also a new posixsem_check_stat() since it
  is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present
  in src/tools/regression/posixsem.

Reported by:	kris (1)
Tested by:	kris
Reviewed by:	rwatson (lightly)
MFC after:	1 month
2008-06-27 05:39:04 +00:00
jhb
fd5bd912ed Add missing counter increments for posix shm checks. 2008-06-26 13:49:32 +00:00
jhb
437891381c Remove the posixsem_check_destroy() MAC check. It is semantically identical
to doing a MAC check for close(), but no other types of close() (including
close(2) and ksem_close(2)) have MAC checks.

Discussed with:	rwatson
2008-06-23 21:37:53 +00:00
rwatson
f07c38e84a The TrustedBSD MAC Framework named struct ipq instances 'ipq', which is the
same as the global variable defined in ip_input.c.  Instead, adopt the name
'q' as found in about 1/2 of uses in ip_input.c, preventing a collision on
the name.  This is non-harmful, but means that search and replace on the
global works less well (as in the virtualization work), as well as indexing
tools.

MFC after:	1 week
Reported by:	julian
2008-06-13 22:14:15 +00:00
ed
1bfc292986 Don't enforce unique device minor number policy anymore.
Except for the case where we use the cloner library (clone_create() and
friends), there is no reason to enforce a unique device minor number
policy. There are various drivers in the source tree that allocate unr
pools and such to provide minor numbers, without using them themselves.

Because we still need to support unique device minor numbers for the
cloner library, introduce a new flag called D_NEEDMINOR. All cdevsw's
that are used in combination with the cloner library should be marked
with this flag to make the cloning work.

This means drivers can now freely use si_drv0 to store their own flags
and state, making it effectively the same as si_drv1 and si_drv2. We
still keep the minor() and dev2unit() routines around to make drivers
happy.

The NTFS code also used the minor number in its hash table. We should
not do this anymore. If the si_drv0 field would be changed, it would no
longer end up in the same list.

Approved by:	philip (mentor)
2008-06-11 18:55:19 +00:00
simon
8f581f70ee When the file-system containing the audit log file is running low on
disk space a warning is printed.  Make this warning a bit more
informative.

Approved by:	rwatson
2008-06-10 20:05:32 +00:00
rwatson
0b6c9d6ea7 Add an XXX comment regarding a bug I introduced when modifying the behavior
of audit log vnode rotation: on shutdown, we may not properly drain all
pending records, which could lead to lost records during system shutdown.
2008-06-03 11:06:34 +00:00
csjp
6ccab77b96 Plug a memory leak which can occur when multiple MAC policies are loaded
which label mbufs.  This leak can occur if one policy successfully allocates
label storage and subsequent allocations from other policies fail.

Spotted by:	rwatson
MFC after:	1 week
2008-05-27 14:18:02 +00:00
rwatson
16646c6d68 Don't use LK_DRAIN before calling VOP_FSYNC() in the two further
panic cases for audit trail failure -- this doesn't contribute
anything, and might arguably be wrong.

MFC after:	1 week
Requested by:	attilio
2008-05-21 13:59:05 +00:00
rwatson
375312ef89 Don't use LK_DRAIN before calling VOP_FSYNC() in the panic case for
audit trail failure -- this doesn't contribute anything, and might
arguably be wrong.

MFC after:	1 week
Requested by:	attilio
2008-05-21 13:05:06 +00:00
rwatson
3b1946ec17 When testing whether to enter the audit argument gathering code, rather
than checking whether audit is enabled globally, instead check whether
the current thread has an audit record.  This avoids entering the audit
code to collect argument data if auditing is enabled but the current
system call is not of interest to audit.

MFC after:	1 week
Sponsored by:	Apple, Inc.
2008-05-06 00:32:23 +00:00
rwatson
88f4417272 Fix include guard spelling.
MFC after:	3 days
Submitted by:	diego
2008-04-27 15:51:49 +00:00
rwatson
71caf14a53 Use logic or, not binary or, when deciding whether or not a system call
exit requires entering the audit code.  The result is much the same,
but they mean different things.

MFC afer:	3 days
Submitted by:	Diego Giagio <dgiagio at gmail dot com>
2008-04-24 12:23:31 +00:00
rwatson
c7094ab9ab When auditing state from an IPv4 or IPv6 socket, use read locks on the
inpcb rather than write locks.

MFC after:	3 months
2008-04-19 18:37:08 +00:00
rwatson
1a186b0eb9 When propagating a MAC label from an inpcb to an mbuf, allow read and
write locks on the inpcb, not just write locks.

MFC after:	3 months
2008-04-19 18:35:27 +00:00
rwatson
ca47fccd6b Convert pcbinfo and inpcb mutexes to rwlocks, and modify macros to
explicitly select write locking for all use of the inpcb mutex.
Update some pcbinfo lock assertions to assert locked rather than
write-locked, although in practice almost all uses of the pcbinfo
rwlock main exclusive, and all instances of inpcb lock acquisition
are exclusive.

This change should introduce (ideally) little functional change.
However, it lays the groundwork for significantly increased
parallelism in the TCP/IP code.

MFC after:	3 months
Tested by:	kris (superset of committered patch)
2008-04-17 21:38:18 +00:00
rwatson
780b65a710 Use __FBSDID() for $FreeBSD$ IDs in the audit code.
MFC after:	3 days
2008-04-13 22:06:56 +00:00
rwatson
cb6449b749 Make naming of include guards for MAC Framework include files more
consistent with other kernel include guards (don't start with _SYS).

MFC after:	3 days
2008-04-13 21:45:52 +00:00
kib
eff8c6d35e Add the support for the AT_FDCWD and fd-relative name lookups to the
namei(9).

Based on the submission by rdivacky,
	sponsored by Google Summer of Code 2007
Reviewed by:	rwatson, rdivacky
Tested by:	pho
2008-03-31 12:01:21 +00:00
rwatson
877d7c65ba In keeping with style(9)'s recommendations on macros, use a ';'
after each SYSINIT() macro invocation.  This makes a number of
lightweight C parsers much happier with the FreeBSD kernel
source, including cflow's prcc and lxr.

MFC after:	1 month
Discussed with:	imp, rink
2008-03-16 10:58:09 +00:00
rwatson
baba1ffed6 Remove XXX to remind me to check the free space calculation, which to my
eyes appears right following a check.

MFC after:	3 days
2008-03-10 18:15:02 +00:00
csjp
af9b2bc27f Change auditon(2) so that if somebody supplies an invalid command, it
returns EINVAL. Right now we return 0 or success for invalid commands,
which could be quite problematic in certain conditions.

MFC after:	1 week
Discussed with:	rwatson
2008-03-06 22:57:03 +00:00
rwatson
db38a25102 Rather than copying out the full audit trigger record, which includes
a queue entry field, just copy out the unsigned int that is the trigger
message.  In practice, auditd always requested sizeof(unsigned int), so
the extra bytes were ignored, but copying them out was not the intent.

MFC after:	1 month
2008-03-02 21:34:17 +00:00
rwatson
5461383352 Add audit_prefixes to two more globally visible functions in the Audit
implementation.

MFC after:	1 month
2008-03-01 11:40:49 +00:00
rwatson
ac01550a5d Rename globally exposed symbol send_trigger() to audit_send_trigger().
MFC after:	1 month
2008-03-01 11:04:04 +00:00
rwatson
76461e66bc Replace somewhat awkward audit trail rotation scheme, which involved the
global audit mutex and condition variables, with an sx lock which protects
the trail vnode and credential while in use, and is acquired by the system
call code when rotating the trail.  Previously, a "message" would be sent
to the kernel audit worker, which did the rotation, but the new code is
simpler and (hopefully) less error-prone.

Obtained from:	TrustedBSD Project
MFC after:	1 month
2008-02-27 17:12:22 +00:00
rwatson
2cf50b2daa Rename several audit functions in the global kernel symbol namespace to
have audit_ on the front:

- canon_path -> audit_canon_path
- msgctl_to_event -> audit_msgctl_to_event
- semctl_to_event -> audit_semctl_to_event

MFC after:	1 month
2008-02-25 20:28:00 +00:00
csjp
03cdec7669 Make sure that the termid type is initialized to AU_IPv4 by default.
This makes sure that process tokens credentials with un-initialized
audit contexts are handled correctly.  Currently, when invariants are
enabled, this change fixes a panic by ensuring that we have a valid
termid family.  Also, this fixes token generation for process tokens
making sure that userspace is always getting a valid token.

This is consistent with what Solaris does when an audit context is
un-initialized.

Obtained from:	TrustedBSD Project
MFC after:	1 week
2008-01-28 17:33:46 +00:00
rwatson
3043fa2dca Properly return the error from mls_subject_privileged() in the ifnet
relabel check for MLS rather than returning 0 directly.

This problem didn't result in a vulnerability currently as the central
implementation of ifnet relabeling also checks for UNIX privilege, and
we currently don't guarantee containment for the root user in mac_mls,
but we should be using the MLS definition of privilege as well as the
UNIX definition in anticipation of supporting root containment at some
point.

MFC after:	3 days
Submitted by:	Zhouyi Zhou <zhouzhouyi at gmail dot com>
Sponsored by:	Google SoC 2007
2008-01-28 10:20:18 +00:00
csjp
6f5423890a Fix gratuitous whitespace bug
MFC after:	1 week
Obtained from:	TrustedBSD Project
2008-01-18 19:57:21 +00:00
csjp
ad1f18f4a9 Add a case for AUE_LISTEN. This removes the following console error message:
"BSM conversion requested for unknown event 43140"

It should be noted that we need to audit the fd argument for this system
call.

Obtained from:	TrustedBSD Project
MFC after:	1 week
2008-01-18 19:50:34 +00:00
attilio
71b7824213 VOP_LOCK1() (and so VOP_LOCK()) and VOP_UNLOCK() are only used in
conjuction with 'thread' argument passing which is always curthread.
Remove the unuseful extra-argument and pass explicitly curthread to lower
layer functions, when necessary.

KPI results broken by this change, which should affect several ports, so
version bumping and manpage update will be further committed.

Tested by: kris, pho, Diego Sardina <siarodx at gmail dot com>
2008-01-13 14:44:15 +00:00
attilio
18d0a0dd51 vn_lock() is currently only used with the 'curthread' passed as argument.
Remove this argument and pass curthread directly to underlying
VOP_LOCK1() VFS method. This modify makes the code cleaner and in
particular remove an annoying dependence helping next lockmgr() cleanup.
KPI results, obviously, changed.

Manpage and FreeBSD_version will be updated through further commits.

As a side note, would be valuable to say that next commits will address
a similar cleanup about VFS methods, in particular vop_lock1 and
vop_unlock.

Tested by:	Diego Sardina <siarodx at gmail dot com>,
		Andrea Di Pasquale <whyx dot it at gmail dot com>
2008-01-10 01:10:58 +00:00
jhb
8cd9437636 Add a new file descriptor type for IPC shared memory objects and use it to
implement shm_open(2) and shm_unlink(2) in the kernel:
- Each shared memory file descriptor is associated with a swap-backed vm
  object which provides the backing store.  Each descriptor starts off with
  a size of zero, but the size can be altered via ftruncate(2).  The shared
  memory file descriptors also support fstat(2).  read(2), write(2),
  ioctl(2), select(2), poll(2), and kevent(2) are not supported on shared
  memory file descriptors.
- shm_open(2) and shm_unlink(2) are now implemented as system calls that
  manage shared memory file descriptors.  The virtual namespace that maps
  pathnames to shared memory file descriptors is implemented as a hash
  table where the hash key is generated via the 32-bit Fowler/Noll/Vo hash
  of the pathname.
- As an extension, the constant 'SHM_ANON' may be specified in place of the
  path argument to shm_open(2).  In this case, an unnamed shared memory
  file descriptor will be created similar to the IPC_PRIVATE key for
  shmget(2).  Note that the shared memory object can still be shared among
  processes by sharing the file descriptor via fork(2) or sendmsg(2), but
  it is unnamed.  This effectively serves to implement the getmemfd() idea
  bandied about the lists several times over the years.
- The backing store for shared memory file descriptors are garbage
  collected when they are not referenced by any open file descriptors or
  the shm_open(2) virtual namespace.

Submitted by:	dillon, peter (previous versions)
Submitted by:	rwatson (I based this on his version)
Reviewed by:	alc (suggested converting getmemfd() to shm_open())
2008-01-08 21:58:16 +00:00
rwatson
bdee30611d Add a new 'why' argument to kdb_enter(), and a set of constants to use
for that argument.  This will allow DDB to detect the broad category of
reason why the debugger has been entered, which it can use for the
purposes of deciding which DDB script to run.

Assign approximate why values to all current consumers of the
kdb_enter() interface.
2007-12-25 17:52:02 +00:00
wkoszek
a8e6c33502 Change "audit_pipe_preselect" to "audit_pipe_presel" to make it print
with proper alignment in ddb(4) and vmstat(8).

Reviewed by:	rwatson@
2007-12-25 13:23:19 +00:00
rwatson
658a0a8d45 Fix a MAC label leak for POSIX semaphores, in which per-policy labels
would be properly disposed of, but the global label structure for the
semaphore wouldn't be freed.

MFC after:	3 days
Reported by:	tanyong <tanyong at ercist dot iscas dot ac dot cn>,
		zhouzhouyi
2007-12-17 17:26:32 +00:00
wkoszek
354f6f4c2e Explicitly initialize 'ret' to 0'. It lets one to build tmpfs from the
latest source tree with older compiler--gcc3.

Approved by:	cognet (mentor)
2007-12-04 20:20:59 +00:00
rwatson
aaad69006f Implement per-object type consistency checks for labels passed to
'internalize' operations rather than using a single common check.

Obtained from:	TrustedBSD Project
2007-10-30 00:01:28 +00:00
rwatson
21a7ea24a4 Replace use of AU_NULL with 0 when no audit classes are in use; this
supports the removal of hard-coded audit class constants in OpenBSM
1.0.  All audit classes are now dynamically configured via the
audit_class database.

Obtained from:	TrustedBSD Project
2007-10-29 18:07:48 +00:00
rwatson
d0482ebdae Canonicalize names of local variables.
Add some missing label checks in mac_test.

Obtained from:	TrustedBSD Project
2007-10-29 15:30:47 +00:00
rwatson
a426571905 Resort TrustedBSD MAC Framework policy entry point implementations and
declarations to match the object, operation sort order in the framework
itself.

Obtained from:	TrustedBSD Project
2007-10-29 13:33:06 +00:00
rwatson
80e186726f Add missing mac_test labeling and sleep checks for the syncache.
Discussed with:	csjp
Obtained from:	TrustedBSD Project
2007-10-28 18:33:31 +00:00
rwatson
54102acdd3 Garbage collect mac_mbuf_create_multicast_encap TrustedBSD MAC Framework
entry point, which is no longer required now that we don't support
old-style multicast tunnels.  This removes the last mbuf object class
entry point that isn't init/copy/destroy.

Obtained from:	TrustedBSD Project
2007-10-28 17:55:57 +00:00
rwatson
369fd04f48 Continue to move from generic network entry points in the TrustedBSD MAC
Framework by moving from mac_mbuf_create_netlayer() to more specific
entry points for specific network services:

- mac_netinet_firewall_reply() to be used when replying to in-bound TCP
  segments in pf and ipfw (etc).

- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and
  add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite
  a label in place, but in others we apply the label to a new mbuf.

Obtained from:	TrustedBSD Project
2007-10-28 17:12:48 +00:00
rwatson
2bca3d4001 Move towards more explicit support for various network protocol stacks
in the TrustedBSD MAC Framework:

- Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send()
  for AARP packet labeling, rather than using a generic link layer
  entry point.

- Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send()
  for ND6 packet labeling, rather than using a generic link layer entry
  point.

- Add expliict entry point mac_netinet_arp_send() for ARP packet
  labeling, and mac_netinet_igmp_send() for IGMP packet labeling,
  rather than using a generic link layer entry point.

- Remove previous genering link layer entry point,
  mac_mbuf_create_linklayer() as it is no longer used.

- Add implementations of new entry points to various policies, largely
  by replicating the existing link layer entry point for them; remove
  old link layer entry point implementation.

- Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global
  to the MAC Framework rather than static to mac_net.c as it is now
  needed outside of mac_net.c.

Obtained from:	TrustedBSD Project
2007-10-28 15:55:23 +00:00
rwatson
5b4c0a83ff Perform explicit label type checks for externalize entry points, rather than
a generic initialized test.

Obtained from:	TrustedBSD Project
2007-10-28 14:28:33 +00:00
csjp
eaecf9354f Make sure we are incrementing the read count for each audit pipe read.
MFC after:	1 week
2007-10-27 22:28:01 +00:00
rwatson
744e5dbc97 Give each posixsem MAC Framework entry point its own counter and test case
in the mac_test policy, rather than sharing a single function for all of
the access control checks.

Obtained from:	TrustedBSD Project
2007-10-27 10:38:57 +00:00
rwatson
5c16f69bcc Update comment following MAC Framework entry point renaming and
reorganization.

Obtained from:	TrustedBSD Project
2007-10-26 21:16:34 +00:00
rwatson
a3b8fc4866 Rename 'mac_mbuf_create_from_firewall' to 'mac_netinet_firewall_send' as
we move towards netinet as a pseudo-object for the MAC Framework.

Rename 'mac_create_mbuf_linklayer' to 'mac_mbuf_create_linklayer' to
reflect general object-first ordering preference.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer
2007-10-26 13:18:38 +00:00
csjp
a16bb8381d Implement AUE_CORE, which adds process core dump support into the kernel.
This change introduces audit_proc_coredump() which is called by coredump(9)
to create an audit record for the coredump event.  When a process
dumps a core, it could be security relevant.  It could be an indicator that
a stack within the process has been overflowed with an incorrectly constructed
malicious payload or a number of other events.

The record that is generated looks like this:

header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111

- We allocate a completely new record to make sure we arent clobbering
  the audit data associated with the syscall that produced the core
  (assuming the core is being generated in response to SIGABRT  and not
  an invalid memory access).
- Shuffle around expand_name() so we can use the coredump name at the very
  beginning of the coredump call.  Make sure we free the storage referenced
  by "name" if we need to bail out early.
- Audit both successful and failed coredump creation efforts

Obtained from:	TrustedBSD Project
Reviewed by:	rwatson
MFC after:	1 month
2007-10-26 01:23:07 +00:00
rwatson
d27f567131 Sort entry points in mac_framework.h and mac_policy.h alphabetically by
primary object type, and then by secondarily by method name.  This sorts
entry points relating to particular objects, such as pipes, sockets, and
vnodes together.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer
2007-10-25 22:45:25 +00:00
rwatson
ad62572aa2 Normalize TCP syncache-related MAC Framework entry points to match most
other entry points in the form mac_<object>_method().

Discussed with:	csjp
Obtained from:	TrustedBSD Project
2007-10-25 14:37:37 +00:00
rwatson
8756317538 Rename mac_associate_nfsd_label() to mac_proc_associate_nfsd(), and move
from mac_vfs.c to mac_process.c to join other functions that setup up
process labels for specific purposes.  Unlike the two proc create calls,
this call is intended to run after creation when a process registers as
the NFS daemon, so remains an _associate_ call..

Obtained from:	TrustedBSD Project
2007-10-25 12:34:14 +00:00
rwatson
2fd98af619 Consistently name functions for mac_<policy> as <policy>_whatever rather
than mac_<policy>_whatever, as this shortens the names and makes the code
a bit easier to read.

When dealing with label structures, name variables 'mb', 'ml', 'mm rather
than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making
the code a little easier to read.

Obtained from:	TrustedBSD Project
2007-10-25 11:31:11 +00:00
rwatson
94fbc001c8 Further MAC Framework cleanup: normalize some local variable names and
clean up some comments.

Obtained from:	TrustedBSD Project
2007-10-25 07:49:47 +00:00
rwatson
60570a92bf Merge first in a series of TrustedBSD MAC Framework KPI changes
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:

  mac_<object>_<method/action>
  mac_<object>_check_<method/action>

The previous naming scheme was inconsistent and mostly
reversed from the new scheme.  Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier.  Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods.  Also simplify, slightly,
some entry point names.

All MAC policy modules will need to be recompiled, and modules
not updates as part of this commit will need to be modified to
conform to the new KPI.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
csjp
34260afd90 Use extended process token. The in kernel process audit
state is stored in an extended subject token now.  Make sure
that we are using the extended data.  This fixes the termID
for process tokens.

Obtained from:	TrustedBSD Project
Discussed with:	rwatson
MFC after:	1 week
2007-10-24 00:05:52 +00:00
rwatson
019b6cfbf0 Bump MAC_VERSION to 4 and add an 8.x line in the version table. Version 4
will include significant synchronization to the Mac OS X Leopard version
of the MAC Framework.

Obtained from:	TrustedBSD Project
2007-10-23 14:12:16 +00:00
rwatson
9916bac030 Canonicalize naming of local variables for struct ksem and associated
labels to 'ks' and 'kslabel' to reflect the convention in posix_sem.c.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2007-10-21 11:11:07 +00:00
julian
51d643caa6 Rename the kthread_xxx (e.g. kthread_create()) calls
to kproc_xxx as they actually make whole processes.
Thos makes way for us to add REAL kthread_create() and friends
that actually make theads. it turns out that most of these
calls actually end up being moved back to the thread version
when it's added. but we need to make this cosmetic change first.

I'd LOVE to do this rename in 7.0  so that we can eventually MFC the
new kthread_xxx() calls.
2007-10-20 23:23:23 +00:00
csjp
d250020a68 - Change the wakeup logic associated with having multiple sleepers
on multiple different audit pipes.  The old method used cv_signal()
  which would result in only one thread being woken up after we
  appended a record to it's queue.  This resulted in un-timely wake-ups
  when processing audit records real-time.

- Assign PSOCK priority to threads that have been sleeping on a read(2).
  This is the same priority threads are woken up with when they select(2)
  or poll(2).  This yields fairness between various forms of sleep on
  the audit pipes.

Obtained from:	TrustedBSD Project
Discussed with:	rwatson
MFC after:	1 week
2007-10-12 15:09:02 +00:00
jeff
3fc0f8b973 - Move all of the PS_ flags into either p_flag or td_flags.
- p_sflag was mostly protected by PROC_LOCK rather than the PROC_SLOCK or
   previously the sched_lock.  These bugs have existed for some time.
 - Allow swapout to try each thread in a process individually and then
   swapin the whole process if any of these fail.  This allows us to move
   most scheduler related swap flags into td_flags.
 - Keep ki_sflag for backwards compat but change all in source tools to
   use the new and more correct location of P_INMEM.

Reported by:	pho
Reviewed by:	attilio, kib
Approved by:	re (kensmith)
2007-09-17 05:31:39 +00:00
rwatson
198c38400a Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry
point to mac_check_vnode_unlink(), reflecting UNIX naming conventions.

This is the first of several commits to synchronize the MAC Framework
in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X
Leopard.

Reveiwed by:    csjp, Samy Bahra <sbahra at gwu dot edu>
Submitted by:   Jacques Vidrine <nectar at apple dot com>
Obtained from:  Apple Computer, Inc.
Sponsored by:   SPARTA, SPAWAR
Approved by:    re (bmah)
2007-09-10 00:00:18 +00:00
rwatson
23574c8673 Remove the now-unused NET_{LOCK,UNLOCK,ASSERT}_GIANT() macros, which
previously conditionally acquired Giant based on debug.mpsafenet.  As that
has now been removed, they are no longer required.  Removing them
significantly simplifies error-handling in the socket layer, eliminated
quite a bit of unwinding of locking in error cases.

While here clean up the now unneeded opt_net.h, which previously was used
for the NET_WITH_GIANT kernel option.  Clean up some related gotos for
consistency.

Reviewed by:	bz, csjp
Tested by:	kris
Approved by:	re (kensmith)
2007-08-06 14:26:03 +00:00
rwatson
4d894bfc82 When checking labels during a vnode link operation in MLS, use the file
vnode label for a check rather than the directory vnode label a second
time.

MFC after:	3 days
Submitted by:	Zhouyi ZHOU <zhouzhouyi at FreeBSD dot org>
Reviewed by:	csjp
Sponsored by:	Google Summer of Code 2007
Approved by:	re (bmah)
2007-07-23 13:28:54 +00:00
rwatson
f6b06699b2 In preparation for 7.0 privilege cleanup, clean up style:
- Sort copyrights by date.
- Re-wrap, and in some cases, fix comments.
- Fix tabbing, white space, remove extra blank lines.
- Remove commented out debugging printfs.

Approved by:	re (kensmith)
2007-07-05 13:16:04 +00:00
peter
f84e4f38b6 Fix a bunch of warnings due to a missing forward declaration of a struct.
Approved by: re (rwatson)
2007-07-05 06:45:37 +00:00
rwatson
f4cc305d06 Remove two boot printfs generated by Audit to announce it's presence,
and replace with software-testable sysctl node (security.audit) that
can be used to detect kernel audit support.

Obtained from:	TrustedBSD Project
Approved by:	re (kensmith)
2007-07-01 20:51:30 +00:00
csjp
94aa9c0f8b - Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2)
- In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK,
  and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done
  for both setaudit and setaudit_addr.
- Audit the arguments passed to setaudit_addr(2)
- AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the
  audit token is created with the correct type. This fixes the processing of the
  in_addr_ex token in users pace.
- Change the size of the token (as generated by the kernel) from 5*4 bytes to
  4*4 bytes (the correct size of an ip6 address)
- Correct regression from ucred work which resulted in getaudit() not returning
  E2BIG if the subject had an ip6 termid
- Correct slight regression in getaudit(2) which resulted in the size of a pointer
  being passed instead of the size of the structure. (This resulted in invalid
  auditinfo data being returned via getaudit(2))

Reviewed by:	rwatson
Approved by:	re@ (kensmith)
Obtained from:	TrustedBSD Project
MFC after:	1 month
2007-06-27 17:01:15 +00:00
rwatson
4d365126c5 Add a new MAC framework and policy entry point,
mpo_check_proc_setaudit_addr to be used when controlling use of
setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a
different argument type.

Reviewed by:	csjp
Approved by:	re (kensmith)
2007-06-26 14:14:01 +00:00
rwatson
b1995f0f15 In setaudit_addr(), drop the process lock in error cases.
Submitted by:	Peter Holm <peter@holm.cc> (BugMaster)
2007-06-15 15:20:56 +00:00
rwatson
680f293154 Spell statistics more correctly in comments. 2007-06-14 03:02:33 +00:00
rwatson
f938c62f4e Include priv.h to pick up suser(9) definitions, missed in an earlier
commit.

Warnings spotted by:	kris
2007-06-13 22:42:43 +00:00
rwatson
aa30311010 Close a very narrow race that might cause a trigger allocation to be
leaked if a trigger is delivered as the trigger device is closed.

Obtained from:	TrustedBSD Project
2007-06-13 21:17:23 +00:00
rwatson
00b02345d4 Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in
some cases, move to priv_check() if it was an operation on a thread and
no other flags were present.

Eliminate caller-side jail exception checking (also now-unused); jail
privilege exception code now goes solely in kern_jail.c.

We can't yet eliminate suser() due to some cases in the KAME code where
a privilege check is performed and then used in many different deferred
paths.  Do, however, move those prototypes to priv.h.

Reviewed by:	csjp
Obtained from:	TrustedBSD Project
2007-06-12 00:12:01 +00:00
rwatson
65d74ebe28 Clean up, and sometimes remove, a number of audit-related implementation
comments.

Obtained from:	TrutstedBSD Project
2007-06-11 22:10:54 +00:00
rwatson
9f332c91ef Move per-process audit state from a pointer in the proc structure to
embedded storage in struct ucred.  This allows audit state to be cached
with the thread, avoiding locking operations with each system call, and
makes it available in asynchronous execution contexts, such as deep in
the network stack or VFS.

Reviewed by:	csjp
Approved by:	re (kensmith)
Obtained from:	TrustedBSD Project
2007-06-07 22:27:15 +00:00
jeff
91d1501790 Commit 14/14 of sched_lock decomposition.
- Use thread_lock() rather than sched_lock for per-thread scheduling
   sychronization.
 - Use the per-process spinlock rather than the sched_lock for per-process
   scheduling synchronization.

Tested by:      kris, current@
Tested on:      i386, amd64, ULE, 4BSD, libthr, libkse, PREEMPTION, etc.
Discussed with: kris, attilio, kmacy, jhb, julian, bde (small parts each)
2007-06-05 00:00:57 +00:00
rwatson
0d42b093e7 Clean up audit comments--formatting, spelling, etc. 2007-06-01 21:58:59 +00:00
kib
17260ba6f1 Change the VOP_OPEN(), vn_open() vnode operation and d_fdopen() cdev operation
argument from being file descriptor index into the pointer to struct file:
part 2. Convert calls missed in the first big commit.

Noted by:	rwatson
Pointy hat to:	kib
2007-06-01 14:33:11 +00:00
rwatson
e62312b692 Remove AUDIT_PRINTF() debugging statements and definition; clean up or
remove associated comments.

Slip audit_file_rotate_wait assignment in audit_rotate_vnode() before
the drop of the global audit mutex.

Obtained from:	TrustedBSD Project
2007-06-01 13:53:37 +00:00
rwatson
8abaa44b8f Remove unused !AUDIT audit_proc_*() prototypes: unlike in Mac OS X, we
don't define or use these functions if AUDIT isn't configured.

Obtained from:	TrustedBSD Project
2007-05-30 11:41:28 +00:00
rwatson
66b95b8855 Synchronize white space to congruent user-space code in OpenBSM.
Obtained from:	TrustedBSD Project
2007-05-30 09:48:37 +00:00
rwatson
a846d9ed4d Remove unused ar_subj_comm field from in-kernel audit record; we never
export this via BSM, so don't pay space/time cost of maintaining it.

Obtained from:	TrustedBSD Project
2007-05-30 09:14:14 +00:00
rwatson
bbc6212f21 Consistent white space after .'s in comments. 2007-05-30 08:39:16 +00:00
rwatson
799e37dd6b No need to force __inline__ of currecord(), as the compiler will usefully
inline it when needed already, and the symbol is also required outside of
audit.c.  This silences a new gcc warning on the topic of using __inline__
instead of __inline.

MFC after:	3 days
2007-05-23 09:32:30 +00:00
rwatson
41c6ca714f Short name of kernel audit worker thread from "audit_worker" to "audit".
MFC after:	3 days
2007-05-21 14:08:26 +00:00
rwatson
6f35138769 Don't expose #ifdef NOTYET parts to userspace via audit_ioctl.h, just
remove them, since the functionality they are associated with isn't there
yet.

MFC after:	3 days
2007-04-29 16:20:32 +00:00
rwatson
62d2d15116 Rename mac*devfsdirent*() to mac*devfs*() to synchronize with SEDarwin,
where similar data structures exist to support devfs and the MAC
Framework, but are named differently.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, Inc.
2007-04-23 13:36:54 +00:00
rwatson
7ffc2492ae Apply variable name normalization to MAC policies: adopt global conventions
for the naming of variables associated with specific data structures.

Obtained from:	TrustedBSD Project
2007-04-23 13:15:23 +00:00
rwatson
48ef639907 Normalize variable naming in the MAC Framework by adopting the normal
variable name conventions for arguments passed into the framework --
for example, name network interfaces 'ifp', sockets 'so', mounts 'mp',
mbufs 'm', processes 'p', etc, wherever possible.  Previously there
was significant variation in this regard.

Normalize copyright lists to ranges where sensible.
2007-04-22 19:55:56 +00:00
rwatson
1c94b6d3ee In the MAC Framework implementation, file systems have two per-mountpoint
labels: the mount label (label of the mountpoint) and the fs label (label
of the file system).  In practice, policies appear to only ever use one,
and the distinction is not helpful.

Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and
eliminate extra machinery required to maintain the additional label.
Update policies to reflect removal of extra entry points and label.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, Inc.
2007-04-22 16:18:10 +00:00
rwatson
d1196975a0 Remove MAC Framework access control check entry points made redundant with
the introduction of priv(9) and MAC Framework entry points for privilege
checking/granting.  These entry points exactly aligned with privileges and
provided no additional security context:

- mac_check_sysarch_ioperm()
- mac_check_kld_unload()
- mac_check_settime()
- mac_check_system_nfsd()

Add mpo_priv_check() implementations to Biba and LOMAC policies, which,
for each privilege, determine if they can be granted to processes
considered unprivileged by those two policies.  These mostly, but not
entirely, align with the set of privileges granted in jails.

Obtained from:	TrustedBSD Project
2007-04-22 15:31:22 +00:00
rwatson
7851a71064 Further MAC test policy cleanup and enhancement:
- Redistribute counter declarations to where they are used, rather than at
  the file header, so it's more clear where we do (and don't) have
  counters.

- Add many more counters, one per policy entry point, so that many
  individual access controls and object life cycle events are tracked.

- Perform counter increments for label destruction explicitly in entry
  point functions rather than in LABEL_DESTROY().

- Use LABEL_INIT() instead of SLOT_SET() directly in label init functions
  to be symmetric with destruction.

- Align counter names more carefully with entry point names.

- More constant and variable name normalization.

Obtained from:	TrustedBSD Project
2007-04-22 13:29:37 +00:00
rwatson
27da76ec29 Perform overdue clean up mac_test policy:
- Add a more detailed comment describing the mac_test policy.

- Add COUNTER_DECL() and COUNTER_INC() macros to declare and manage
  various test counters, reducing the verbosity of the test policy
  quite a bit.

- Add LABEL_CHECK() macro to abbreviate normal validation of labels.
  Unlike the previous check macros, this checks for a NULL label and
  doesn't test NULL labels.  This means that optionally passed labels
  will now be handled automatically, although in the case of optional
  credentials, NULL-checks are still required.

- Add LABEL_DESTROY() macro to abbreviate the handling of label
  validation and tear-down.

- Add LABEL_NOTFREE() macro to abbreviate check for non-free labels.

- Normalize the names of counters, magic values.

- Remove unused policy "enabled" flag.

Obtained from:	TrustedBSD Project
2007-04-22 11:35:15 +00:00
rwatson
9792022e80 Allow MAC policy modules to control access to audit configuration system
calls.  Add MAC Framework entry points and MAC policy entry points for
audit(), auditctl(), auditon(), setaudit(), aud setauid().

MAC Framework entry points are only added for audit system calls where
additional argument context may be useful for policy decision-making; other
audit system calls without arguments may be controlled via the priv(9)
entry points.

Update various policy modules to implement audit-related checks, and in
some cases, other missing system-related checks.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, Inc.
2007-04-21 22:08:48 +00:00
rwatson
7ea3197c4f Remove $P4$ that snuck into CVS from Perforce. 2007-04-17 12:24:18 +00:00
rwatson
dd6ab6dfe7 Merge OpenBSM 1.0 alpha 14 changes to src/sys/security/audit:
- au_to_attr64(), au_to_process64(), au_to_subject64(),
  au_to_subject64_ex(), au_to_zonename(), au_to_header64_tm().
- Extended address token fixes.

Obtained from:	TrustedBSD Project
2007-04-16 16:20:45 +00:00
csjp
118c82a5e3 Fix the handling of IPv6 addresses for subject and process BSM audit
tokens. Currently, we do not support the set{get}audit_addr(2) system
calls which allows processes like sshd to set extended or ip6
information for subject tokens.

The approach that was taken was to change the process audit state
slightly to use an extended terminal ID in the kernel. This allows
us to store both IPv4 IPv6 addresses. In the case that an IPv4 address
is in use, we convert the terminal ID from an struct auditinfo_addr to
a struct auditinfo.

If getaudit(2) is called when the subject is bound to an ip6 address,
we return E2BIG.

- Change the internal audit record to store an extended terminal ID
- Introduce ARG_TERMID_ADDR
- Change the kaudit <-> BSM conversion process so that we are using
  the appropriate subject token. If the address associated with the
  subject is IPv4, we use the standard subject32 token. If the subject
  has an IPv6 address associated with them, we use an extended subject32
  token.
- Fix a couple of endian issues where we do a couple of byte swaps when
  we shouldn't be. IP addresses are already in the correct byte order,
  so reading the ip6 address 4 bytes at a time and swapping them results
  in in-correct address data. It should be noted that the same issue was
  found in the openbsm library and it has been changed there too on the
  vendor branch
- Change A_GETPINFO to use the appropriate structures
- Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does,
  but can also handle ip6 addresses
- Adjust get{set}audit(2) syscalls to convert the data
  auditinfo <-> auditinfo_addr
- Fully implement set{get}audit_addr(2)

NOTE: This adds the ability for processes to correctly set extended subject
information. The appropriate userspace utilities still need to be updated.

MFC after:	1 month
Reviewed by:	rwatson
Obtained from:	TrustedBSD
2007-04-13 14:55:19 +00:00
rwatson
765a83fd79 Replace custom file descriptor array sleep lock constructed using a mutex
and flags with an sxlock.  This leads to a significant and measurable
performance improvement as a result of access to shared locking for
frequent lookup operations, reduced general overhead, and reduced overhead
in the event of contention.  All of these are imported for threaded
applications where simultaneous access to a shared file descriptor array
occurs frequently.  Kris has reported 2x-4x transaction rate improvements
on 8-core MySQL benchmarks; smaller improvements can be expected for many
workloads as a result of reduced overhead.

- Generally eliminate the distinction between "fast" and regular
  acquisisition of the filedesc lock; the plan is that they will now all
  be fast.  Change all locking instances to either shared or exclusive
  locks.

- Correct a bug (pointed out by kib) in fdfree() where previously msleep()
  was called without the mutex held; sx_sleep() is now always called with
  the sxlock held exclusively.

- Universally hold the struct file lock over changes to struct file,
  rather than the filedesc lock or no lock.  Always update the f_ops
  field last. A further memory barrier is required here in the future
  (discussed with jhb).

- Improve locking and reference management in linux_at(), which fails to
  properly acquire vnode references before using vnode pointers.  Annotate
  improper use of vn_fullpath(), which will be replaced at a future date.

In fcntl(), we conservatively acquire an exclusive lock, even though in
some cases a shared lock may be sufficient, which should be revisited.
The dropping of the filedesc lock in fdgrowtable() is no longer required
as the sxlock can be held over the sleep operation; we should consider
removing that (pointed out by attilio).

Tested by:	kris
Discussed with:	jhb, kris, attilio, jeff
2007-04-04 09:11:34 +00:00
rwatson
300d4098cf Remove 'MPSAFE' annotations from the comments above most system calls: all
system calls now enter without Giant held, and then in some cases, acquire
Giant explicitly.

Remove a number of other MPSAFE annotations in the credential code and
tweak one or two other adjacent comments.
2007-03-04 22:36:48 +00:00
rwatson
a29076f446 More unnecessary include reduction. 2007-02-23 14:39:04 +00:00
rwatson
7b48c9d783 Remove many unneeded includes, update copyright. 2007-02-23 11:21:26 +00:00
rwatson
3f41cc3fee Remove empty entry point functions (init, destroy, syscall) from
policies that don't need them.
2007-02-23 11:15:35 +00:00
rwatson
becd6b211a mac_none sample policy has nothing to enforce, so remove sysctls.
mac_stub acts as a template policy and holds sample sysctls.
2007-02-23 11:08:45 +00:00
rwatson
c208b1a04f Update auditing of socket information for the inpcb new world order:
so_pcb will always be non-NULL, and lock the inpcb while non-atomically
accessing address data.
2007-02-20 13:38:11 +00:00
rwatson
4904133d3c Move mapping of MBI_APPEND to MBI_WRITE from inside the rule loop in
mac_bsdextended_check() to before the loop, as it needs to happen only
once.

MFC after:	1 week
2007-02-20 10:21:27 +00:00
rwatson
07f6768e54 Do allow bypass of mac_seeotheruids in jail in order to be consistent
with other uses of PRIV_SEEOTHERUIDS.  This will automatically be
scoped to the jail by the jail policy.
2007-02-19 13:25:17 +00:00
rwatson
8f30a62d60 In mac_biba_check_system_swapoff(), don't extract the object label since
it isn't used in the access control decision.  This became visible to
Coverity with the change to a function call retrieving label values.

Coverity CID:	1723
2007-02-10 08:59:39 +00:00
rwatson
477d310a8e Print intptr_t values by first casting to intmax_t and then printing with
%jd, as intptr_t may not be int-sized.

Assistance from:	jhb
Spotted by:		Mr Tinderbox
2007-02-06 17:22:36 +00:00
rwatson
19777f0802 Introduce accessor functions mac_label_get() and mac_label_set() to replace
LABEL_TO_SLOT() macro used by policy modules to query and set label data
in struct label.  Instead of using a union, store an intptr_t, simplifying
the API.

Update policies: in most cases this required only small tweaks to current
wrapper macros.  In two cases, a single wrapper macros had to be split into
separate get and set macros.

Move struct label definition from _label.h to mac_internal.h and remove
_label.h.  With this change, policies may now treat struct label * as
opaque, allowing us to change the layout of struct label without breaking
the policy module ABI.  For example, we could make the maximum number of
policies with labels modifiable at boot-time rather than just at
compile-time.

Obtained from:	TrustedBSD Project
2007-02-06 14:19:25 +00:00
rwatson
d945a8c499 Continue 7-CURRENT MAC Framework rearrangement and cleanup:
Don't perform a nested include of _label.h in mac.h, as mac.h now
describes only  the user API to MAC, and _label.h defines the in-kernel
representation of MAC labels.

Remove mac.h includes from policies and MAC framework components that do
not use userspace MAC API definitions.

Add _KERNEL inclusion checks to mac_internal.h and mac_policy.h, as these
are kernel-only include files

Obtained from:	TrustedBSD Project
2007-02-06 10:59:23 +00:00
rwatson
6ac99f7113 When returning early from audit_arg_file() due to so->so_pcb being NULL
(due to an early reset or the like), remember to unlock the socket lock.
This will not occur in 7-CURRENT, but could in theory occur in 6-STABLE.

MFC after:	1 week
2007-01-06 22:28:28 +00:00
csjp
c394e563bc Teach the stub policy about some of the more recent entry points that have
been introduced to the MAC framework:

mpo_associate_nfsd_label
mpo_create_mbuf_from_firewall
mpo_check_system_nfsd
mpo_check_vnode_mmap_downgrade
mpo_check_vnode_mprotect
mpo_init_syncache_label
mpo_destroy_syncache_label
mpo_init_syncache_from_inpcb
mpo_create_mbuf_from_syncache

MFC after:	2 weeks [1]

[1] The syncache related entry points will NOT be MFCed as the changes in
    the syncache subsystem are not present in RELENG_6 yet.
2007-01-01 01:47:18 +00:00
csjp
dac8fa36f8 Remove conditional return of 1. For the MAC_STATIC case at this point in
the code, one being returned is invariant.

Discussed with:	rwatson
MFC after:	1 week
2007-01-01 01:40:29 +00:00
rwatson
b790270fcf Only signal the CV indicating that the MAC Framework is available for
exclusive access if there is at least one thread waiting for it to
become available.  This may significantly reduce overhead by reducing
the number of unnecessary wakeups issued whenever the framework becomes
idle.

Annotate that we still signal the CV more than necessary and should
fix this.

Obtained from:	TrustedBSD Project
Reviewed by:	csjp
Tested by:	csjp
2006-12-31 20:26:20 +00:00
rwatson
c2bdc9dc5c Slightly resort functions in file so that no forward function prototypes
are required.

Obtained from:	TrustedBSD Project
2006-12-29 20:21:21 +00:00
rwatson
468e5443ba Re-add include of opt_mac.h in mac_framework.c, which was improperly
removed from this file.  It is required to pick up the definition of
MAC_STATIC.
2006-12-29 20:16:29 +00:00
rwatson
b35ac7f09b Remove two XXX comments that no longer apply.
Obtained from:	TrustedBSD Project
2006-12-29 11:03:44 +00:00
rwatson
accf7ddf5a Use p_cansee() to check that a target process for an audit state
manipulation is visible to the subject process.  Remove XXX comments
suggesting this.

Convert one XXX on a difference from Darwin into a note: it's not a
bug, it's a feature.

Obtained from:	TrustedBSD Project
2006-12-29 10:49:13 +00:00
rwatson
46f7cb9d3b Add a witness sleep warning to canon_path(), which invokes vput() and hence
may perform an unbounded sleep.  Remove an XXX comment suggesting that one
be added.

Obtained from:	TrustedBSD Project
2006-12-29 10:37:32 +00:00
rwatson
1828ce8b9a Add missing include guards to mac_internal.h, update include guards in
mac_policy.h following move to new location in src/sys/security/mac.

Obtained from:	TrustedBSD Project
2006-12-28 23:23:35 +00:00
rwatson
ecb6fa46c8 Update a number of comments:
- Replace XXX with Note: in several cases where observations are made about
  future functionality rather than problems or bugs.

- Remove an XXX comment about byte order and au_to_ip() -- IP headers must
  be submitted in network byte order.  Add a comment to this effect.

- Mention that we don't implement select/poll for /dev/audit.

Obtained from:	TrustedBSD Project
2006-12-28 22:18:43 +00:00
rwatson
687cc5fe5c Remove XXX comments about EA transaction support and provide a more
general and detailed comment on the topic of EA transactions and kernel
warnings.

Obtained from:	TrustedBSD Project
2006-12-28 22:02:59 +00:00
rwatson
59b306db83 Remove an inaccurate comment I added regarding storage for mbuf tag
labels: they are in fact stored in the tag directly.

Obtained from:	TrustedBSD Project
2006-12-28 21:57:59 +00:00
rwatson
f1bd870753 In mac_inpcb_sosetlabel(), assert the socket lock rather than commenting
that we should assert the socket lock.

Obtained from:	TrustedBSD Project
2006-12-28 21:56:39 +00:00
rwatson
d4e941ae59 Centralize definition of MAC_VERSION in mac_policy.h, as it defines the
kernel<->policy ABI version.  Add a comment to the definition describing
it and listing known versions.  Modify MAC_POLICY_SET() to reference the
current kernel version by name rather than by number.

Staticize mac_late, which is used only in mac_framework.c.

Obtained from:	TrustedBSD Project
2006-12-28 21:48:38 +00:00
rwatson
8a59ab518d Move mac_init_label() and mac_destroy_label() from mac_framework.c to
mac_label.c, and use these instead of replicated code in the label zone
constructor and destructor.

Obtained from:	TrustedBSD Project
2006-12-28 21:15:37 +00:00
rwatson
4289e30504 Trim unneeded includes. 2006-12-28 21:07:45 +00:00
rwatson
4a9f23955f Break contents of kern_mac.c out into two files following a repo-copy:
mac_framework.c   Contains basic MAC Framework functions, policy
                  registration, sysinits, etc.

mac_syscalls.c    Contains implementations of various MAC system calls,
                  including ENOSYS stubs when compiling without options
                  MAC.

Obtained from:	TrustedBSD Project
2006-12-28 20:52:02 +00:00
rwatson
e7f843dc94 Update MAC Framework general comments, referencing various interfaces it
consumes and implements, as well as the location of the framework and
policy modules.

Refactor MAC Framework versioning a bit so that the current ABI version can
be exported via a read-only sysctl.

Further update comments relating to locking/synchronization.

Update copyright to take into account these and other recent changes.

Obtained from:	TrustedBSD Project
2006-12-28 17:25:57 +00:00
rwatson
01a38eca27 Re-wrap comments following de-indentation. 2006-12-23 22:21:13 +00:00
rwatson
ae9ef07995 Move src/sys/sys/mac_policy.h, the kernel interface between the MAC
Framework and security modules, to src/sys/security/mac/mac_policy.h,
completing the removal of kernel-only MAC Framework include files from
src/sys/sys.  Update the MAC Framework and MAC policy modules.  Delete
the old mac_policy.h.

Third party policy modules will need similar updating.

Obtained from:	TrustedBSD Project
2006-12-22 23:34:47 +00:00
rwatson
e767bf8cfd Minor style fixes. 2006-12-21 09:58:02 +00:00
rwatson
6fa1425be4 Remove mac_enforce_subsystem debugging sysctls. Enforcement on
subsystems will be a property of policy modules, which may require
access control check entry points to be invoked even when not actively
enforcing (i.e., to track information flow without providing
protection).

Obtained from:	TrustedBSD Project
Suggested by:	Christopher dot Vance at sparta dot com
2006-12-21 09:51:34 +00:00
rwatson
9abf6b51e4 Comment LABEL_TO_SLOT() macro, including observing that we'd like to improve
this policy API to avoid encoding struct label binary layout in policy
modules.

Obtained from:	TrustedBSD Project
2006-12-20 23:41:59 +00:00
rwatson
00c95308bf Trim trailing white space, clean up comment line wrapping and formatting.
Document mac_associate_nfsd_label().

Obtained from:	TrustedBSD Project
2006-12-20 23:18:17 +00:00
rwatson
08ad649b5f Trim trailing white space. 2006-12-20 23:17:34 +00:00
rwatson
b8ec51a064 Document socket labeling model.
Clean up comment white space and wrapping.

Obtained from:	TrustedBSD Project
2006-12-20 23:16:41 +00:00
rwatson
cada726d8e Clean up comment white space and line wrapping. 2006-12-20 23:16:01 +00:00
rwatson
49509e92eb Additional comments regarding the interaction between the kernel privilege
model and the MAC Framework.

Obtained from:	TrustedBSD Project
2006-12-20 23:15:27 +00:00
rwatson
c77864165e Document that we could allocate the mbuf label as part of the tag rather
than from the slab, but don't.

Document mac_mbuf_to_label(), mac_copy_mbuf_tag().

Clean up white space/wrapping for other comments.

Obtained from:	TrustedBSD Project
2006-12-20 23:14:33 +00:00
rwatson
f30462f07d Staticize and comment zone_label.
Obtained from:	TrustedBSD Project
2006-12-20 23:13:04 +00:00
rwatson
65458541b7 Clean up comments, trailing white space.
Provide a comment describing MAC_EXTERNALIZE().

Obtained from:	TrustedBSD Project
2006-12-20 23:12:36 +00:00
rwatson
97c0fff7b2 Re-wrap comment at 77 character columns. 2006-12-20 23:11:01 +00:00
rwatson
abc0e2cde9 Comment and white space cleanup.
Exapnd comments on System V IPC labeling methods, which could use improved
consistency with respect to other object types.

Obtained from:	TrustedBSD Project
2006-12-20 20:43:19 +00:00
rwatson
8fb47d67d7 Externalize local stack copy of the ifnet label, rather than the copy on
the ifnet itself.  The stack copy has been made while holding the mutex
protecting ifnet labels, so copying from the ifnet copy could result in
an inconsistent version being copied out.

Reported by:	Todd.Miller@sparta.com
Obtained from:	TrustedBSD Project
MFC after:	3 weeks
2006-12-20 20:40:29 +00:00
rwatson
5749ecccba Expand commenting on label slots, justification for the MAC Framework locking
model, interactions between locking and policy init/destroy methods.

Rewrap some comments to 77 character line wrap.

Obtained from:	TrustedBSD Project
2006-12-20 20:38:44 +00:00
csjp
3193aa5601 Teach the MAC policies which utilize mbuf labeling the new syncache
entry points.  Properly initialize the mbuf label based on the label
we copy from the PCB. This fixes an LOR between the PCB and syncache
code.
2006-12-13 06:03:22 +00:00
csjp
7aaca1dfe1 Fix LOR between the syncache and inpcb locks when MAC is present in the
kernel.  This LOR snuck in with some of the recent syncache changes.  To
fix this, the inpcb handling was changed:

- Hang a MAC label off the syncache object
- When the syncache entry is initially created, we pickup the PCB lock
  is held because we extract information from it while initializing the
  syncache entry.  While we do this, copy the MAC label associated with
  the PCB and use it for the syncache entry.
- When the packet is transmitted, copy the label from the syncache entry
  to the mbuf so it can be processed by security policies which analyze
  mbuf labels.

This change required that the MAC framework be extended to support the
label copy operations from the PCB to the syncache entry, and then from
the syncache entry to the mbuf.

These functions really should be referencing the syncache structure instead
of the label.  However, due to some of the complexities associated with
exposing this syncache structure we operate directly on it's label pointer.
This should be OK since we aren't making any access control decisions within
this code directly, we are merely allocating and copying label storage so
we can properly initialize mbuf labels for any packets the syncache code
might create.

This also has a nice side effect of caching.  Prior to this change, the
PCB would be looked up/locked for each packet transmitted.  Now the label
is cached at the time the syncache entry is initialized.

Submitted by:	andre [1]
Discussed with:	rwatson

[1] andre submitted the tcp_syncache.c changes
2006-12-13 06:00:57 +00:00
trhodes
58cca8458a Merge posix4/* into normal kernel hierarchy.
Reviewed by:	glanced at by jhb
Approved by:	silence on -arch@ and -standards@
2006-11-11 16:26:58 +00:00
rwatson
13dc4f1b11 Add stub entry point implementations of mpo_priv_check and mpo_priv_grant to
the mac_stub policy.

Obtained from:	TrustedBSD Project
2006-11-06 13:45:45 +00:00
rwatson
10d0d9cf47 Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
rwatson
7288104e20 Add a new priv(9) kernel interface for checking the availability of
privilege for threads and credentials.  Unlike the existing suser(9)
interface, priv(9) exposes a named privilege identifier to the privilege
checking code, allowing more complex policies regarding the granting of
privilege to be expressed.  Two interfaces are provided, replacing the
existing suser(9) interface:

suser(td)                 ->   priv_check(td, priv)
suser_cred(cred, flags)   ->   priv_check_cred(cred, priv, flags)

A comprehensive list of currently available kernel privileges may be
found in priv.h.  New privileges are easily added as required, but the
comments on adding privileges found in priv.h and priv(9) should be read
before doing so.

The new privilege interface exposed sufficient information to the
privilege checking routine that it will now be possible for jail to
determine whether a particular privilege is granted in the check routine,
rather than relying on hints from the calling context via the
SUSER_ALLOWJAIL flag.  For now, the flag is maintained, but a new jail
check function, prison_priv_check(), is exposed from kern_jail.c and used
by the privilege check routine to determine if the privilege is permitted
in jail.  As a result, a centralized list of privileges permitted in jail
is now present in kern_jail.c.

The MAC Framework is now also able to instrument privilege checks, both
to deny privileges otherwise granted (mac_priv_check()), and to grant
privileges otherwise denied (mac_priv_grant()), permitting MAC Policy
modules to implement privilege models, as well as control a much broader
range of system behavior in order to constrain processes running with
root privilege.

The suser() and suser_cred() functions remain implemented, now in terms
of priv_check() and the PRIV_ROOT privilege, for use during the transition
and possibly continuing use by third party kernel modules that have not
been updated.  The PRIV_DRIVER privilege exists to allow device drivers to
check privilege without adopting a more specific privilege identifier.

This change does not modify the actual security policy, rather, it
modifies the interface for privilege checks so changes to the security
policy become more feasible.

Sponsored by:		nCircle Network Security, Inc.
Obtained from:		TrustedBSD Project
Discussed on:		arch@
Reviewed (at least in part) by:	mlaier, jmg, pjd, bde, ceri,
			Alex Lyashkov <umka at sevcity dot net>,
			Skip Ford <skip dot ford at verizon dot net>,
			Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:37:19 +00:00
csjp
cf1f0416d1 Change the type of ar_arg_sockaddr from struct sockaddr to struct
sockaddr_storage.  This structure is defined in RFC 2553 and is a more
semantically correct structure for holding IP and IP6 sockaddr information.
struct sockaddr is not big enough to hold all the required information for
IP6, resulting in truncated addresses et al when auditing IP6 sockaddr
information.

We also need to assume that the sa->sa_len has been validated before the call to
audit_arg_sockaddr() is made, otherwise it could result in a buffer overflow.
This is being done to accommodate auditing of network related arguments (like
connect, bind et al) that will be added soon.

Discussed with:	rwatson
Obtained from:	TrustedBSD Project
MFC after:	2 weeks
2006-11-06 00:15:44 +00:00
rwatson
0c409b5873 Forward declare struct cdev, since arguments of this type are used in
function prototypes.

Obtained from:	TrustedBSD Project
2006-10-30 15:20:49 +00:00
rwatson
430a6e6576 Remove extra _MAC_ from #ifdef guard. 2006-10-25 13:14:25 +00:00
rwatson
7beaaf5cd2 Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h
begun with a repo-copy of mac.h to mac_framework.h.  sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.

This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA
2006-10-22 11:52:19 +00:00
rwatson
10cc7e208a Do allow jailed superuser to override the port ACL.
MFC after:	3 days
Submitted by:	Michal Mertl <mime at traveller dot cz>
2006-10-10 17:04:19 +00:00
csjp
fde20b9adc Mark the audit system calls as being un-implemented in jails. Currently we do
not trust jails enough to execute audit related system calls. An example of
this is with su(1), or login(1) within prisons. So, if the syscall request
comes from a jail return ENOSYS. This will cause these utilities to operate
as if audit is not present in the kernel.

Looking forward, this problem will be remedied by allowing non privileged
users to maintain and their own audit streams, but the details on exactly how
this will be implemented needs to be worked out.

This change should fix situations when options AUDIT has been compiled into
the kernel, and utilities like su(1), or login(1) fail due to audit system
call failures within jails.

This is a RELENG_6 candidate.

Reported by:	Christian Brueffer
Discussed with:	rwatson
MFC after:	3 days
2006-10-10 15:49:10 +00:00
rwatson
b648628439 Add BSM conversion switch entries for a number of system calls, many
administrative, to prevent console warnings and enable basic event
auditing (generally without arguments).

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-10-03 20:43:48 +00:00
rwatson
c780781f97 Trim some no longer XXX comments.
Remove some commented out debugging printfs.

MFC after:	3  days
Obtained from:	TrustedBSD Project
2006-10-02 11:32:23 +00:00
rwatson
8e20187251 Audit path argument when changing audit trails.
Call NDFREE(), which while not currently strictly necessary, isn't a
bad idea.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-10-02 06:56:10 +00:00
rwatson
d277f6ba71 Rework the way errors are handled with respect to how audit records are
written to the audit trail file:

- audit_record_write() now returns void, and all file system specific
  error handling occurs inside this function.  This pushes error handling
  complexity out of the record demux routine that hands off to both the
  trail and audit pipes, and makes trail behavior more consistent with
  pipes as a record destination.

- Rate limit kernel printfs associated with running low on space.  Rate
  limit audit triggers for low space.  Rate limit printfs for fail stop
  events.  Rate limit audit worker write error printfs.

- Document in detail the types of limits and space checks we perform, and
  combine common cases.

This improves the audit subsystems tolerance to low space conditions by
avoiding toasting the console with printfs are waking up the audit daemon
continuously.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-09-24 13:35:58 +00:00
rwatson
8e2099e1ea Merge OpenBSM 1.0 alpha 11 changes into src/sys/bsm and src/sys/security;
primarily, add new event identifiers and update trigger names.

Obtained from:	TrustedBSD Project
2006-09-21 07:27:02 +00:00
rwatson
5cab05d889 Remove MAC_DEBUG label counters, which were used to debug leaks and
other problems while labels were first being added to various kernel
objects.  They have outlived their usefulness.

MFC after:	1 month
Suggested by:	Christopher dot Vance at SPARTA dot com
Obtained from:	TrustedBSD Project
2006-09-20 13:33:41 +00:00
rwatson
6061806b7a Rather than allocating all buffer memory for the completed BSM record
when allocating the record in the first place, allocate the final buffer
when closing the BSM record.  At that point, more size information is
available, so a sufficiently large buffer can be allocated.

This allows the kernel to generate audit records in excess of
MAXAUDITDATA bytes, but is consistent with Solaris's behavior.  This only
comes up when auditing command line arguments, in which case we presume
the administrator really does want the data as they have specified the
policy flag to gather them.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2006-09-20 13:23:40 +00:00
rwatson
e63183ab3b Add missing white space in au_to_exec_{args,env}().
MFC after:	 3 days
2006-09-20 13:14:47 +00:00
csjp
bd41b31cc8 Make sure that lutimes(2) gets processed and converted into a BSM record.
Submitted by:	rwatson
MFC after:	1 day
2006-09-18 17:55:32 +00:00
rwatson
8b3f7ca1ce Declare security and security.bsd sysctl hierarchies in sysctl.h along
with other commonly used sysctl name spaces, rather than declaring them
all over the place.

MFC after:	1 month
Sponsored by:	nCircle Network Security, Inc.
2006-09-17 20:00:36 +00:00
csjp
d271a33920 Correct a slight regression which was introduced with the implementation of
audit pipes. If the kernel record was not selected for the trail or the pipe,
any user supplied record attached to it would be tossed away, resulting in
otherwise selected events being lost.

- Introduce two new masks: AR_PRESELECT_USER_TRAIL AR_PRESELECT_USER_PIPE,
  currently we have AR_PRESELECT_TRAIL and AR_PRESELECT_PIPE, which tells
  the audit worker that we are interested in the kernel record, with
  the additional masks we can determine if either the pipe or trail is
  interested in seeing the kernel or user record.

- In audit(2), we unconditionally set the AR_PRESELECT_USER_TRAIL and
  AR_PRESELECT_USER_PIPE masks under the assumption that userspace has
  done the preselection [1].

Currently, there is work being done that allows the kernel to parse and
preselect user supplied records, so in the future preselection could occur
in either layer. But there is still a few details to work out here.

[1] At some point we need to teach au_preselect(3) about the interests of
    all the individual audit pipes.

This is a RELENG_6 candidate.

Reviewed by:	rwatson
Obtained from:	TrustedBSD Project
MFC after:	1 week
2006-09-17 17:52:57 +00:00
rwatson
517cd09f4a Add AUE_SYSARCH to the list of audit events during BSM conversion to prevent
a console warning.  Eventually, we will capture more arguments for sysarch.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2006-09-17 11:42:40 +00:00
csjp
63e89c05d2 Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point
exists to allow the mandatory access control policy to properly initialize
mbufs generated by the firewall. An example where this might happen is keep
alive packets, or ICMP error packets in response to other packets.

This takes care of kernel panics associated with un-initialize mbuf labels
when the firewall generates packets.

[1] I modified this patch from it's original version, the initial patch
    introduced a number of entry points which were programmatically
    equivalent. So I introduced only one. Instead, we should leverage
    mac_create_mbuf_netlayer() which is used for similar situations,
    an example being icmp_error()

    This will minimize the impact associated with the MFC

Submitted by:	mlaier [1]
MFC after:	1 week

This is a RELENG_6 candidate
2006-09-12 04:25:13 +00:00
rwatson
b5865520e1 Add struct msg to the forwarded declared data structures in mac_policy.h.
Obtained from:	TrustedBSD Project
2006-09-09 16:35:44 +00:00
rwatson
a68eb47776 Add a BSM conversion switch case for AUE_GETCWD, so that a console
warning isn't generated when __getcwd() is invoked.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-09-09 10:23:44 +00:00
rwatson
81d9ff8b37 Small style cleanup.
MFC after:	3 days
2006-09-09 10:23:00 +00:00
rwatson
9af04e1fec White space cleanup, no functional change. 2006-09-04 06:06:23 +00:00
wsalamon
c62317c442 Audit the argv and env vectors passed in on exec:
Add the argument auditing functions for argv and env.
  Add kernel-specific versions of the tokenizer functions for the
  arg and env represented as a char array.
  Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to
  enable/disable argv/env auditing.
  Call the argument auditing from the exec system calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-09-01 11:45:40 +00:00
csjp
d35597591e Fix panic associated with file creation via RPC/NFS when the MLS policy
is loaded. This problem stems from the fact that the policy is not properly
initializing the mac label associated with the NFS daemon.

Obtained from:	TrustedBSD Project
Discussed with:	rwatson
2006-08-26 20:13:35 +00:00
rwatson
c9215ad31e Allow the user process to query the kernel's notion of a maximum
audit record size at run-time, which can be used by the user
process to size the user space buffer it reads into from the audit
pipe.

Perforce change:	105098
Obtained from:		TrustedBSD Project
2006-08-26 17:59:31 +00:00
rwatson
0e87efb2f4 Update kernel OpenBSM parts, especially src/sys/bsm, for the OpenBSM
1.0 alpha 9 import.  See the OpenBSM import commit message for a
detailed summary of changes.

Obtained from:  TrustedBSD Project
2006-08-26 08:17:58 +00:00
rwatson
31d250192d Remove $P4$ from this file; other then temporarily P4-local work in
progress the kernel audit code in CVS is considered authoritative.
This will ease $P4$-related merging issues during the CVS loopback.

Obtained from:	TrustedBSD Project
2006-08-25 07:30:23 +00:00
rwatson
1e4f4abfce Add kqueue support to audit pipe pseudo-devices.
Obtained from:	TrustedBSD Project
2006-08-24 17:42:38 +00:00
rwatson
2e4df4a141 Make mpo_associate_nfsd_label() return void, not int, to match
mac_associate_nfsd_label().

Head nod:	csjp
2006-08-06 16:56:15 +00:00
phk
0f924547b0 Remove the NDEVFSINO and NDEVFSOVERFLOW options which no longer exists in
DEVFS.

Remove the opt_devfs.h file now that it is empty.
2006-07-17 09:07:02 +00:00
csjp
0baddf7a5b Implement mpo_associate_nfsd_label entry point for the BIBA security policy,
we will initialize the label to biba/low for files that have been created
through an NFS RPC. This is a safe default given the default nature of our
NFS implementation, there is not a whole lot of data integrity there by
default. This also fixes kernel panics associated with file creation over NFS
while creating files on filesystems which have multilabel enabled with BIBA
enabled.

MFC after:	2 weeks
Discussed with:	rwatson
2006-07-10 19:13:32 +00:00
wsalamon
3f67fc0a68 Audit the remaining parameters to the extattr system calls. Generate
the audit records for those calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-07-06 19:33:38 +00:00
rwatson
981c1cc4c8 Correct a number of problems that were previously commented on:
- Correct audit_arg_socketaddr() argument name from so to sa.
- Assert arguments are non-NULL to many argument capture functions
  rather than testing them.  This may trip some bugs.
- Assert the process lock is held when auditing process
  information.
- Test currecord in several more places.
- Test validity of more arguments with kasserts, such as flag
  values when auditing vnode information.

Perforce change:	98825
Obtained from:		TrustedBSD Project
2006-07-03 14:55:55 +00:00
wsalamon
3a6d7ed2cf Make the size of the subject32_ex and process32_ex tokens depend on
whether we have an IPv6 address. Write the term ID as 4 or
16 bytes depending on address type. This change matches the recent
OpenBSM change, and what Solaris does.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-06-17 13:53:04 +00:00
rwatson
276b52de67 Lock process when copying fields from process structure so as to
get a consistent snapshot, as well as get consistent values (i.e.,
that p_comm is properly nul-terminated).

Perforce CID:	98824
Obtained from:	TrustedBSD Project
2006-06-08 21:58:04 +00:00
rwatson
f0de47503d Prefer C to C++ comments per style(9).
Perforce CID:	98826
Obtained from:	TrustedBSD Project
2006-06-08 21:55:39 +00:00
rwatson
abd4afc6be Extract pointer value for mnt_stat from vp after the NULL check, not
before.

Coverity ID:	134394
Found with:	Coverity Prevent (tm)
2006-06-06 08:43:27 +00:00
rwatson
abd422e295 Remove use of Giant around vn_open() in audit trail setup.
Submitted by:	jhb, wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 22:36:12 +00:00
rwatson
1063b3ddc4 When generating BSM tokens for mkfifo(), include mode argument.
Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 16:14:49 +00:00
rwatson
bc4af49415 When generating the process token, need to check whether the
process was sucessfully audited.  Otherwise, generate the PID
token. This change covers the pid < 0 cases, and pid lookup
failure cases.

Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 16:12:00 +00:00
rwatson
97c0c78df7 Consistently use audit_free() to free records, rather than
directly invoking uma_zfree().

Perforce change:	96652
Obtained from:		TrustedBSD Project
2006-06-05 15:38:12 +00:00
rwatson
4f317e1576 Introduce support for per-audit pipe preselection independent from the
global audit trail configuration.  This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present).  To implement this:

- Kernel audit records now carry a flag to indicate whether they have
  been selected by the global trail or by the audit pipe subsystem,
  set during record commit, so that this information is available
  after BSM conversion when delivering the BSM to the trail and audit
  pipes in the audit worker thread asynchronously.  Preselection by
  either record target will cause the record to be kept.

- Similar changes to preselection when the audit record is created
  when the system call is entering: consult both the global trail and
  pipes.

- au_preselect() now accepts the class in order to avoid repeatedly
  looking up the mask for each preselection test.

- Define a series of ioctls that allow applications to specify whether
  they want to track the global trail, or program their own
  preselection parameters: they may specify their own flags and naflags
  masks, similar to the global masks of the same name, as well as a set
  of per-auid masks.  They also set a per-pipe mode specifying whether
  they track the global trail, or user their own -- the door is left
  open for future additional modes.  A new ioctl is defined to allow a
  user process to flush the current audit pipe queue, which can be used
  after reprogramming pre-selection to make sure that only records of
  interest are received in future reads.

- Audit pipe data structures are extended to hold the additional fields
  necessary to support preselection.  By default, audit pipes track the
  global trail, so "praudit /dev/auditpipe" will track the global audit
  trail even though praudit doesn't program the audit pipe selection
  model.

- Comment about the complexities of potentially adding partial read
  support to audit pipes.

By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.

Obtained from:	TrustedBSD Project
2006-06-05 14:48:17 +00:00
rwatson
62baf512de Shorten audit record zone name.
Perforce change:	93598
Obtained from:	TrustedBSD Project
2006-06-05 14:11:28 +00:00