Commit Graph

5 Commits

Author SHA1 Message Date
dwmalone
b6a2964430 Add some new options to mac_bsdestended. We can now match on:
subject: ranges of uid, ranges of gid, jail id
	objects: ranges of uid, ranges of gid, filesystem,
		object is suid, object is sgid, object matches subject uid/gid
		object type

We can also negate individual conditions. The ruleset language is
a superset of the previous language, so old rules should continue
to work.

These changes require a change to the API between libugidfw and the
mac_bsdextended module. Add a version number, so we can tell if
we're running mismatched versions.

Update man pages to reflect changes, add extra test cases to
test_ugidfw.c and add a shell script that checks that the the
module seems to do what we expect.

Suggestions from: rwatson, trhodes
Reviewed by: trhodes
MFC after: 2 months
2006-04-23 17:06:18 +00:00
rwatson
09eb839cca Add bsde_add_rule(), which is similar to bsde_set_rule() except that
the caller does not specify the rule number -- instead, the kernel
module is probed for the next available rule, which is then used.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research
2004-02-25 03:24:39 +00:00
rwatson
007eb8a428 License and blurb update authorized by Network Associates. 2002-11-07 20:37:04 +00:00
rwatson
6ef83883d8 Use size_t instead of int for len variables passed in/out of sysctl.
Pointed out by:	jake
2002-09-27 16:35:19 +00:00
rwatson
b7b34f0249 Introduce support for Mandatory Access Control and extensible
kernel access control.

Provide a library to manage user file system firewall-like rules
supported by the mac_bsdextended.ko security model.  The kernel
module exports the current rule set using sysctl, and this
library provides a front end that includes support for retrieving
and setting rules, as well as printing and parsing them.

Note: as with other userland components, this is a WIP.  However,
when used in combination with the soon-to-be-committed ugidfw,
it can actually be quite useful in multi-user environments to
allow the administrator to limit inter-user file operations without
resorting to heavier weight labeled security policies.

Obtained form:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-02 07:07:35 +00:00