Commit Graph

53 Commits

Author SHA1 Message Date
trasz
4e57a80147 Rename a variable missed in previous accmode_t-related commits.
Approved by:	rwatson (mentor)
2008-10-28 21:58:48 +00:00
trasz
0ad8692247 Introduce accmode_t. This is required for NFSv4 ACLs - it will be neccessary
to add more V* constants, and the variables changed by this patch were often
being assigned to mode_t variables, which is 16 bit.

Approved by:	rwatson (mentor)
2008-10-28 13:44:11 +00:00
rwatson
00b02345d4 Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in
some cases, move to priv_check() if it was an operation on a thread and
no other flags were present.

Eliminate caller-side jail exception checking (also now-unused); jail
privilege exception code now goes solely in kern_jail.c.

We can't yet eliminate suser() due to some cases in the KAME code where
a privilege check is performed and then used in many different deferred
paths.  Do, however, move those prototypes to priv.h.

Reviewed by:	csjp
Obtained from:	TrustedBSD Project
2007-06-12 00:12:01 +00:00
rwatson
10d0d9cf47 Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
rwatson
39c8e12140 Update and reformat comments for POSIX.1e ACL utility routines. 2006-07-23 19:35:10 +00:00
rwatson
e8e07ae08e Move POSIX.1e-specific utility routines from kern_acl.c to
subr_acl_posix1e.c, leaving kern_acl.c containing only ACL system
calls and utility routines common across ACL types.

Add subr_acl_posix1e.c to the build.

Obtained from:	TrustedBSD Project
2006-07-06 23:37:39 +00:00
csjp
7d71792fdf Implement new world order in VFS locking for ACLs. This will remove the
unconditional acquisition of Giant for ACL related operations. If the file
system is set as being MP safe and debug.mpsafevfs is 1, do not pickup
giant.

For any operations which require namei(9) lookups:

__acl_get_file
__acl_get_link
__acl_set_file
__acl_set_link
__acl_delete_file
__acl_delete_link
__acl_aclcheck_file
__acl_aclcheck_link

-Set the MPSAFE flag in NDINIT
-Initialize vfslocked variable using the NDHASGIANT macro

For functions which operate on fds, make sure the operations are locked:

__acl_get_fd
__acl_set_fd
__acl_delete_fd
__acl_aclcheck_fd

-Initialize vfslocked using VFS_LOCK_GIANT before we manipulate the vnode

Discussed with:	jeff
2005-09-17 22:01:14 +00:00
csjp
33e564c762 Convert the primary ACL allocator from malloc(9) to using a UMA zone instead.
Also introduce an aclinit function which will be used to create the UMA zone
for use by file systems at system start up.

MFC after:	1 month
Discussed with:	rwatson
2005-09-06 00:06:30 +00:00
cperciva
d9fecc83c8 Rename suser_cred()'s PRISON_ROOT flag to SUSER_ALLOWJAIL. This is
somewhat clearer, but more importantly allows for a consistent naming
scheme for suser_cred flags.

The old name is still defined, but will be removed in a few days (unless I
hear any complaints...)

Discussed with:	rwatson, scottl
Requested by:	jhb
2004-07-26 07:24:04 +00:00
rwatson
90431761a2 Update my personal copyrights and NETA copyrights in the kernel
to use the "year1-year3" format, as opposed to "year1, year2, year3".
This seems to make lawyers more happy, but also prevents the
lines from getting excessively long as the years start to add up.

Suggested by:	imp
2004-02-22 00:33:12 +00:00
rwatson
543a037619 Move more ACL logic from the UFS code (ufs_acl.c) to the central POSIX.1e
support routines in kern_acl.c:

- Define ACL_OVERRIDE_MASK and ACL_PRESERVE_MASK centrally in acl.h: the
  mode bits that are (and aren't) stored in the ACL.

- Add acl_posix1e_acl_to_mode(): given a POSIX.1e extended ACL, generate
  a compatibility mode (only the bits supported by the POSIX.1e ACL).

- acl_posix1e_newfilemode(): Given a requested creation mode and default
  ACL, calculate the mode for the new file system object (only the bits
  supported by the POSIX.1e ACL).

PR:		50148
Reported by:	Ritz, Bruno <bruno_ritz@gmx.ch>
Obtained from:	TrustedBSD Project
2003-08-04 02:13:05 +00:00
phk
c81c59299b Add a f_vnode field to struct file.
Several of the subtypes have an associated vnode which is used for
stuff like the f*() functions.

By giving the vnode a speparate field, a number of checks for the specific
subtype can be replaced simply with a check for f_vnode != NULL, and
we can later free f_data up to subtype specific use.

At this point in time, f_data still points to the vnode, so any code I
might have overlooked will still work.
2003-06-22 08:41:43 +00:00
obrien
3b8fff9e4c Use __FBSDID(). 2003-06-11 00:56:59 +00:00
dillon
ccd5574cc6 Bow to the whining masses and change a union back into void *. Retain
removal of unnecessary casts and throw in some minor cleanups to see if
anyone complains, just for the hell of it.
2003-01-13 00:33:17 +00:00
dillon
ddf9ef103e Change struct file f_data to un_data, a union of the correct struct
pointer types, and remove a huge number of casts from code using it.

Change struct xfile xf_data to xun_data (ABI is still compatible).

If we need to add a #define for f_data and xf_data we can, but I don't
think it will be necessary.  There are no operational changes in this
commit.
2003-01-12 01:37:13 +00:00
alfred
927595101c When compiling the kernel do not implicitly include filedesc.h from proc.h,
this was causing filedesc work to be very painful.
In order to make this work split out sigio definitions to thier own header
(sigio.h) which is included from proc.h for the time being.
2003-01-01 01:56:19 +00:00
rwatson
f6e97a7e61 Implement new ACL system calls which do not follow symbolic links:
__acl_get_link(), __acl_set_link(), acl_delete_link(), and
__acl_aclcheck_link(), with almost identical implementations to
the existing __acl_*_file() variants on these calls.  Update
copyright.

Obtained from:	TrustedBSD Project
2002-12-29 20:28:44 +00:00
alfred
5512694b25 unwrap lines made short enough by SCARGS removal 2002-12-14 08:18:06 +00:00
alfred
d070c0a52d SCARGS removal take II. 2002-12-14 01:56:26 +00:00
alfred
4f48184fb2 Backout removal SCARGS, the code freeze is only "selectively" over. 2002-12-13 22:41:47 +00:00
alfred
d19b4e039d Remove SCARGS.
Reviewed by: md5
2002-12-13 22:27:25 +00:00
rwatson
c16bdd7f11 Introduce support for Mandatory Access Control and extensible
kernel access control.

Instrument the kernel ACL retrieval and modification system calls
to invoke MAC framework entry points to authorize these operations.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-01 01:04:16 +00:00
rwatson
7be639a7c0 Teach discretionary access control methods for files about VAPPEND
and VALLPERM.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-22 03:57:07 +00:00
rwatson
c282ad9b24 Fix a bug that prevented the deletion of non-default ACLs from being
passed down the VFS stack.  While I'm here, replace a '0' with a 'NULL'
to make the code more readable.

Sponsored by:	DARPA, NAI Labs
Obtained from:	TrustedBSD Project
2002-06-27 19:31:15 +00:00
rwatson
99f90043d5 A bit of whitespace magic. 2002-06-27 19:30:11 +00:00
rwatson
4ad90dd62b opt_cap.c no longer needed 2002-06-13 23:17:39 +00:00
trhodes
28d42899b7 More s/file system/filesystem/g 2002-05-16 21:28:32 +00:00
jhb
dc2e474f79 Change the suser() API to take advantage of td_ucred as well as do a
general cleanup of the API.  The entire API now consists of two functions
similar to the pre-KSE API.  The suser() function takes a thread pointer
as its only argument.  The td_ucred member of this thread must be valid
so the only valid thread pointers are curthread and a few kernel threads
such as thread0.  The suser_cred() function takes a pointer to a struct
ucred as its first argument and an integer flag as its second argument.
The flag is currently only used for the PRISON_ROOT flag.

Discussed on:	smp@
2002-04-01 21:31:13 +00:00
peter
83444279ce Fix a gcc-3.1+ warning.
warning: deprecated use of label at end of compound statement

ie: you cannot do this anymore:
switch(foo) {
....

default:
}
2002-03-19 11:02:06 +00:00
jhb
3706cd3509 Simple p_ucred -> td_ucred changes to start using the per-thread ucred
reference.
2002-02-27 18:32:23 +00:00
rwatson
10b6b09b25 o Scatter vn_start_write() and vn_finished_write() through ACL code so
that it interacts properly with snapshotting.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-02-04 17:58:15 +00:00
rwatson
ca6a9763cb Note that Kirk apparently missed adding vn_start_write() and friends
to kern_acl.c when he added snapshotting.  This will need to be added
at some point.
2002-02-04 16:41:59 +00:00
alfred
844237b396 SMP Lock struct file, filedesc and the global file list.
Seigo Tanimura (tanimura) posted the initial delta.

I've polished it quite a bit reducing the need for locking and
adapting it for KSE.

Locks:

1 mutex in each filedesc
   protects all the fields.
   protects "struct file" initialization, while a struct file
     is being changed from &badfileops -> &pipeops or something
     the filedesc should be locked.

1 mutex in each struct file
   protects the refcount fields.
   doesn't protect anything else.
   the flags used for garbage collection have been moved to
     f_gcflag which was the FILLER short, this doesn't need
     locking because the garbage collection is a single threaded
     container.
  could likely be made to use a pool mutex.

1 sx lock for the global filelist.

struct file *	fhold(struct file *fp);
        /* increments reference count on a file */

struct file *	fhold_locked(struct file *fp);
        /* like fhold but expects file to locked */

struct file *	ffind_hold(struct thread *, int fd);
        /* finds the struct file in thread, adds one reference and
                returns it unlocked */

struct file *	ffind_lock(struct thread *, int fd);
        /* ffind_hold, but returns file locked */

I still have to smp-safe the fget cruft, I'll get to that asap.
2002-01-13 11:58:06 +00:00
rwatson
2ad5877b40 o Since kern_acl.c uses #ifdef CAPABILITIES to control
capability-specific semantics, #include "opt_cap.h".

Obtained from:	TrustedBSD Project
2001-11-02 14:53:04 +00:00
rwatson
58469c01a1 o Update copyright dates.
o Add reference to TrustedBSD Project in license header.
o Update dated comments, including comment in extattr.h claiming that
  no file systems support extended attributes.
o Improve comment consistency.
2001-11-01 21:37:07 +00:00
rwatson
ae1f0a9b00 o Update copyright dates.
Obtained from:	TrustedBSD Project
2001-10-27 05:46:43 +00:00
rwatson
7261cce4ae o Improve style(9) compliance following KSE modifications. In particular,
strip the space from '( struct thread *...', wrap long lines.
o Remove an unneeded comment on the topic of no lock being required as
  part of the NDINIT() in __acl_get_file(), as it's really not required
  there.

Obtained from:	TrustedBSD Project
2001-10-27 05:45:42 +00:00
julian
5596676e6c KSE Milestone 2
Note ALL MODULES MUST BE RECOMPILED
make the kernel aware that there are smaller units of scheduling than the
process. (but only allow one thread per process at this time).
This is functionally equivalent to teh previousl -current except
that there is a thread associated with each process.

Sorry john! (your next MFC will be a doosie!)

Reviewed by: peter@freebsd.org, dillon@freebsd.org

X-MFC after:    ha ha ha ha
2001-09-12 08:38:13 +00:00
jedgar
3a1dcb19ea In the case of ACL_OTHER and undefined ACL entry id's, set
ae_id to ACL_UNDEFINED_ID instead of 0.

Reviewed by:	rwatson
2001-09-01 23:16:02 +00:00
dillon
4969658e58 Giant Pushdown ACL syscalls:
__acl_get_file, __acl_set_file, __acl_get_fd, __acl_set_fd,
	__acl_delete_file, __acl_delete_fd, __acl_aclcheck_file,
	__acl_aclcheck_fd
2001-09-01 04:33:22 +00:00
rwatson
e640f9f979 o Clarify comments in vaccess_acl_posix1e() ACL evaluation routine so
as to improve readability and accuracy.

Obtained from:	TrustedBSD Project
2001-08-24 01:41:42 +00:00
rwatson
616044a97d o As part of the move to not maintaining copies of the vnode owning uid
and gid in the ACL, vaccess_acl_posix1e() was changed to accept
  explicit file_uid and file_gid as arguments.  However, in making the
  change, I explicitly checked file_gid against cr->cr_groups[0], rather
  than using groupmember, resulting in ACL_GROUP_OBJ entries being
  compared to the caller's effective gid only, not the remainder of
  its groups.  This was recently corrected for the version of the
  group call without privilege, but the second test (when privilege is
  added) was missed.  This change replaces an additiona cr->cr_groups[0]
  check with groupmember().

Pointed out by:	jedgar
Reviewed by:	jedgar
Obtained from:	TrustedBSD Project
2001-04-29 19:53:50 +00:00
tmm
901e595f36 Fix a bug introduced in the last commit: vaccess_acl_posix1 only checked
the file gid gainst the egid of the accessing process for the
ACL_GROUP_OBJ case, and ignored supplementary groups.

Approved by:	rwatson
2001-04-23 22:52:26 +00:00
rwatson
678b28a532 In my first reading of POSIX.1e, I misinterpreted handling of the
ACL_USER_OBJ and ACL_GROUP_OBJ fields, believing that modification of the
access ACL could be used by privileged processes to change file/directory
ownership.  In fact, this is incorrect; ACL_*_OBJ (+ ACL_MASK and
ACL_OTHER) should have undefined ae_id fields; this commit attempts
to correct that misunderstanding.

o Modify arguments to vaccess_acl_posix1e() to accept the uid and gid
  associated with the vnode, as those can no longer be extracted from
  the ACL passed as an argument.  Perform all comparisons against
  the passed arguments.  This actually has the effect of simplifying
  a number of components of this call, as well as reducing the indent
  level, but now seperates handling of ACL_GROUP_OBJ from ACL_GROUP.

o Modify acl_posix1e_check() to return EINVAL if the ae_id field of
  any of the ACL_{USER_OBJ,GROUP_OBJ,MASK,OTHER} entries is a value
  other than ACL_UNDEFINED_ID.  As a temporary work-around to allow
  clean upgrades, set the ae_id field to ACL_UNDEFINED_ID before
  each check so that this cannot cause a failure in the short term
  (this work-around will be removed when the userland libraries and
  utilities are updated to take this change into account).

o Modify ufs_sync_acl_from_inode() so that it forces
  ACL_{USER_OBJ,GROUP_OBJ,MASK,OTHER} ae_id fields to ACL_UNDEFINED_ID
  when synchronizing the ACL from the inode.

o Modify ufs_sync_inode_from_acl to not propagate uid and gid
  information to the inode from the ACL during ACL update.  Also
  modify the masking of permission bits that may be set from
  ALLPERMS to (S_IRWXU|S_IRWXG|S_IRWXO), as ACLs currently do not
  carry none-ACCESSPERMS (S_ISUID, S_ISGID, S_ISTXT).

o Modify ufs_getacl() so that when it emulates an access ACL from
  the inode, it initializes the ae_id fields to ACL_UNDEFINED_ID.

o Clean up ufs_setacl() substantially since it is no longer possible
  to perform chown/chgrp operations using vop_setacl(), so all the
  access control for that can be eliminated.

o Modify ufs_access() so that it passes owner uid and gid information
  into vaccess_acl_posix1e().

Pointed out by:	jedger
Obtained from:	TrustedBSD Project
2001-04-17 04:33:34 +00:00
jedgar
512fd8bc5f Correct the following defines to match the POSIX.1e spec:
ACL_PERM_EXEC  -> ACL_EXECUTE
  ACL_PERM_READ  -> ACL_READ
  ACL_PERM_WRITE -> ACL_WRITE

Obtained from:	TrustedBSD
2001-04-11 02:19:01 +00:00
rwatson
171a68d94e o Introduce filesystem-independent POSIX.1e ACL utility routines to
support implementations of ACLs in file systems.  Introduce the
  following new functions:

      vaccess_acl_posix1e()          vaccess() that accepts an ACL
      acl_posix1e_mode_to_perm()     Convert mode bits to ACL rights
      acl_posix1e_mode_to_entry()    Build ACL entry from mode/uid/gid
      acl_posix1e_perms_to_mode()    Generate file mode from ACL
      acl_posix1e_check()            Syntax verification for ACL

  These functions allow a file system to rely on central ACL evaluation
  and syntax checking, as well as providing useful utilities to
  allow ACL-based file systems to generate mode/owner/etc information
  to return via VOP_GETATTR(), and to support file systems that split
  their ACL information over their existing inode storage (mode, uid,
  gid) and extended ACL into extended attributes (additional users,
  groups, ACL mask).

o Add prototypes for exported functions to sys/acl.h, sys/vnode.h

Reviewed by:	trustedbsd-discuss, freebsd-arch
Obtained from:	TrustedBSD Project
2001-03-06 17:28:24 +00:00
jhb
b6baa60b1e Back out proc locking to protect p_ucred for obtaining additional
references along with the actual obtaining of additional references.
2001-01-27 00:01:31 +00:00
jhb
7c01c0a2c2 Proc locking. 2001-01-24 00:35:12 +00:00
phk
c3f2ee9700 Staticize some malloc M_ instances. 2000-12-08 20:09:00 +00:00
rwatson
bda3a40562 o Change locking rules for VOP_GETACL() to indicate that vnode locks
must be held when retrieving ACLs from vnodes.  This is required for
  EA-based UFS ACL implementations.
o Update vacl_get_acl() so that it does appropriate vnode locking.
o Remove static from M_ACL malloc define so that it is accessible for
  consumers of ACLs other than in kern_acl.c

Obtained from:	TrustedBSD Project
2000-09-21 18:43:32 +00:00