Commit Graph

416 Commits

Author SHA1 Message Date
rwatson
7beaaf5cd2 Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h
begun with a repo-copy of mac.h to mac_framework.h.  sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.

This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA
2006-10-22 11:52:19 +00:00
rwatson
10cc7e208a Do allow jailed superuser to override the port ACL.
MFC after:	3 days
Submitted by:	Michal Mertl <mime at traveller dot cz>
2006-10-10 17:04:19 +00:00
csjp
fde20b9adc Mark the audit system calls as being un-implemented in jails. Currently we do
not trust jails enough to execute audit related system calls. An example of
this is with su(1), or login(1) within prisons. So, if the syscall request
comes from a jail return ENOSYS. This will cause these utilities to operate
as if audit is not present in the kernel.

Looking forward, this problem will be remedied by allowing non privileged
users to maintain and their own audit streams, but the details on exactly how
this will be implemented needs to be worked out.

This change should fix situations when options AUDIT has been compiled into
the kernel, and utilities like su(1), or login(1) fail due to audit system
call failures within jails.

This is a RELENG_6 candidate.

Reported by:	Christian Brueffer
Discussed with:	rwatson
MFC after:	3 days
2006-10-10 15:49:10 +00:00
rwatson
b648628439 Add BSM conversion switch entries for a number of system calls, many
administrative, to prevent console warnings and enable basic event
auditing (generally without arguments).

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-10-03 20:43:48 +00:00
rwatson
c780781f97 Trim some no longer XXX comments.
Remove some commented out debugging printfs.

MFC after:	3  days
Obtained from:	TrustedBSD Project
2006-10-02 11:32:23 +00:00
rwatson
8e20187251 Audit path argument when changing audit trails.
Call NDFREE(), which while not currently strictly necessary, isn't a
bad idea.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-10-02 06:56:10 +00:00
rwatson
d277f6ba71 Rework the way errors are handled with respect to how audit records are
written to the audit trail file:

- audit_record_write() now returns void, and all file system specific
  error handling occurs inside this function.  This pushes error handling
  complexity out of the record demux routine that hands off to both the
  trail and audit pipes, and makes trail behavior more consistent with
  pipes as a record destination.

- Rate limit kernel printfs associated with running low on space.  Rate
  limit audit triggers for low space.  Rate limit printfs for fail stop
  events.  Rate limit audit worker write error printfs.

- Document in detail the types of limits and space checks we perform, and
  combine common cases.

This improves the audit subsystems tolerance to low space conditions by
avoiding toasting the console with printfs are waking up the audit daemon
continuously.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-09-24 13:35:58 +00:00
rwatson
8e2099e1ea Merge OpenBSM 1.0 alpha 11 changes into src/sys/bsm and src/sys/security;
primarily, add new event identifiers and update trigger names.

Obtained from:	TrustedBSD Project
2006-09-21 07:27:02 +00:00
rwatson
5cab05d889 Remove MAC_DEBUG label counters, which were used to debug leaks and
other problems while labels were first being added to various kernel
objects.  They have outlived their usefulness.

MFC after:	1 month
Suggested by:	Christopher dot Vance at SPARTA dot com
Obtained from:	TrustedBSD Project
2006-09-20 13:33:41 +00:00
rwatson
6061806b7a Rather than allocating all buffer memory for the completed BSM record
when allocating the record in the first place, allocate the final buffer
when closing the BSM record.  At that point, more size information is
available, so a sufficiently large buffer can be allocated.

This allows the kernel to generate audit records in excess of
MAXAUDITDATA bytes, but is consistent with Solaris's behavior.  This only
comes up when auditing command line arguments, in which case we presume
the administrator really does want the data as they have specified the
policy flag to gather them.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2006-09-20 13:23:40 +00:00
rwatson
e63183ab3b Add missing white space in au_to_exec_{args,env}().
MFC after:	 3 days
2006-09-20 13:14:47 +00:00
csjp
bd41b31cc8 Make sure that lutimes(2) gets processed and converted into a BSM record.
Submitted by:	rwatson
MFC after:	1 day
2006-09-18 17:55:32 +00:00
rwatson
8b3f7ca1ce Declare security and security.bsd sysctl hierarchies in sysctl.h along
with other commonly used sysctl name spaces, rather than declaring them
all over the place.

MFC after:	1 month
Sponsored by:	nCircle Network Security, Inc.
2006-09-17 20:00:36 +00:00
csjp
d271a33920 Correct a slight regression which was introduced with the implementation of
audit pipes. If the kernel record was not selected for the trail or the pipe,
any user supplied record attached to it would be tossed away, resulting in
otherwise selected events being lost.

- Introduce two new masks: AR_PRESELECT_USER_TRAIL AR_PRESELECT_USER_PIPE,
  currently we have AR_PRESELECT_TRAIL and AR_PRESELECT_PIPE, which tells
  the audit worker that we are interested in the kernel record, with
  the additional masks we can determine if either the pipe or trail is
  interested in seeing the kernel or user record.

- In audit(2), we unconditionally set the AR_PRESELECT_USER_TRAIL and
  AR_PRESELECT_USER_PIPE masks under the assumption that userspace has
  done the preselection [1].

Currently, there is work being done that allows the kernel to parse and
preselect user supplied records, so in the future preselection could occur
in either layer. But there is still a few details to work out here.

[1] At some point we need to teach au_preselect(3) about the interests of
    all the individual audit pipes.

This is a RELENG_6 candidate.

Reviewed by:	rwatson
Obtained from:	TrustedBSD Project
MFC after:	1 week
2006-09-17 17:52:57 +00:00
rwatson
517cd09f4a Add AUE_SYSARCH to the list of audit events during BSM conversion to prevent
a console warning.  Eventually, we will capture more arguments for sysarch.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2006-09-17 11:42:40 +00:00
csjp
63e89c05d2 Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point
exists to allow the mandatory access control policy to properly initialize
mbufs generated by the firewall. An example where this might happen is keep
alive packets, or ICMP error packets in response to other packets.

This takes care of kernel panics associated with un-initialize mbuf labels
when the firewall generates packets.

[1] I modified this patch from it's original version, the initial patch
    introduced a number of entry points which were programmatically
    equivalent. So I introduced only one. Instead, we should leverage
    mac_create_mbuf_netlayer() which is used for similar situations,
    an example being icmp_error()

    This will minimize the impact associated with the MFC

Submitted by:	mlaier [1]
MFC after:	1 week

This is a RELENG_6 candidate
2006-09-12 04:25:13 +00:00
rwatson
b5865520e1 Add struct msg to the forwarded declared data structures in mac_policy.h.
Obtained from:	TrustedBSD Project
2006-09-09 16:35:44 +00:00
rwatson
a68eb47776 Add a BSM conversion switch case for AUE_GETCWD, so that a console
warning isn't generated when __getcwd() is invoked.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-09-09 10:23:44 +00:00
rwatson
81d9ff8b37 Small style cleanup.
MFC after:	3 days
2006-09-09 10:23:00 +00:00
rwatson
9af04e1fec White space cleanup, no functional change. 2006-09-04 06:06:23 +00:00
wsalamon
c62317c442 Audit the argv and env vectors passed in on exec:
Add the argument auditing functions for argv and env.
  Add kernel-specific versions of the tokenizer functions for the
  arg and env represented as a char array.
  Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to
  enable/disable argv/env auditing.
  Call the argument auditing from the exec system calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-09-01 11:45:40 +00:00
csjp
d35597591e Fix panic associated with file creation via RPC/NFS when the MLS policy
is loaded. This problem stems from the fact that the policy is not properly
initializing the mac label associated with the NFS daemon.

Obtained from:	TrustedBSD Project
Discussed with:	rwatson
2006-08-26 20:13:35 +00:00
rwatson
c9215ad31e Allow the user process to query the kernel's notion of a maximum
audit record size at run-time, which can be used by the user
process to size the user space buffer it reads into from the audit
pipe.

Perforce change:	105098
Obtained from:		TrustedBSD Project
2006-08-26 17:59:31 +00:00
rwatson
0e87efb2f4 Update kernel OpenBSM parts, especially src/sys/bsm, for the OpenBSM
1.0 alpha 9 import.  See the OpenBSM import commit message for a
detailed summary of changes.

Obtained from:  TrustedBSD Project
2006-08-26 08:17:58 +00:00
rwatson
31d250192d Remove $P4$ from this file; other then temporarily P4-local work in
progress the kernel audit code in CVS is considered authoritative.
This will ease $P4$-related merging issues during the CVS loopback.

Obtained from:	TrustedBSD Project
2006-08-25 07:30:23 +00:00
rwatson
1e4f4abfce Add kqueue support to audit pipe pseudo-devices.
Obtained from:	TrustedBSD Project
2006-08-24 17:42:38 +00:00
rwatson
2e4df4a141 Make mpo_associate_nfsd_label() return void, not int, to match
mac_associate_nfsd_label().

Head nod:	csjp
2006-08-06 16:56:15 +00:00
phk
0f924547b0 Remove the NDEVFSINO and NDEVFSOVERFLOW options which no longer exists in
DEVFS.

Remove the opt_devfs.h file now that it is empty.
2006-07-17 09:07:02 +00:00
csjp
0baddf7a5b Implement mpo_associate_nfsd_label entry point for the BIBA security policy,
we will initialize the label to biba/low for files that have been created
through an NFS RPC. This is a safe default given the default nature of our
NFS implementation, there is not a whole lot of data integrity there by
default. This also fixes kernel panics associated with file creation over NFS
while creating files on filesystems which have multilabel enabled with BIBA
enabled.

MFC after:	2 weeks
Discussed with:	rwatson
2006-07-10 19:13:32 +00:00
wsalamon
3f67fc0a68 Audit the remaining parameters to the extattr system calls. Generate
the audit records for those calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-07-06 19:33:38 +00:00
rwatson
981c1cc4c8 Correct a number of problems that were previously commented on:
- Correct audit_arg_socketaddr() argument name from so to sa.
- Assert arguments are non-NULL to many argument capture functions
  rather than testing them.  This may trip some bugs.
- Assert the process lock is held when auditing process
  information.
- Test currecord in several more places.
- Test validity of more arguments with kasserts, such as flag
  values when auditing vnode information.

Perforce change:	98825
Obtained from:		TrustedBSD Project
2006-07-03 14:55:55 +00:00
wsalamon
3a6d7ed2cf Make the size of the subject32_ex and process32_ex tokens depend on
whether we have an IPv6 address. Write the term ID as 4 or
16 bytes depending on address type. This change matches the recent
OpenBSM change, and what Solaris does.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-06-17 13:53:04 +00:00
rwatson
276b52de67 Lock process when copying fields from process structure so as to
get a consistent snapshot, as well as get consistent values (i.e.,
that p_comm is properly nul-terminated).

Perforce CID:	98824
Obtained from:	TrustedBSD Project
2006-06-08 21:58:04 +00:00
rwatson
f0de47503d Prefer C to C++ comments per style(9).
Perforce CID:	98826
Obtained from:	TrustedBSD Project
2006-06-08 21:55:39 +00:00
rwatson
abd4afc6be Extract pointer value for mnt_stat from vp after the NULL check, not
before.

Coverity ID:	134394
Found with:	Coverity Prevent (tm)
2006-06-06 08:43:27 +00:00
rwatson
abd422e295 Remove use of Giant around vn_open() in audit trail setup.
Submitted by:	jhb, wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 22:36:12 +00:00
rwatson
1063b3ddc4 When generating BSM tokens for mkfifo(), include mode argument.
Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 16:14:49 +00:00
rwatson
bc4af49415 When generating the process token, need to check whether the
process was sucessfully audited.  Otherwise, generate the PID
token. This change covers the pid < 0 cases, and pid lookup
failure cases.

Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 16:12:00 +00:00
rwatson
97c0c78df7 Consistently use audit_free() to free records, rather than
directly invoking uma_zfree().

Perforce change:	96652
Obtained from:		TrustedBSD Project
2006-06-05 15:38:12 +00:00
rwatson
4f317e1576 Introduce support for per-audit pipe preselection independent from the
global audit trail configuration.  This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present).  To implement this:

- Kernel audit records now carry a flag to indicate whether they have
  been selected by the global trail or by the audit pipe subsystem,
  set during record commit, so that this information is available
  after BSM conversion when delivering the BSM to the trail and audit
  pipes in the audit worker thread asynchronously.  Preselection by
  either record target will cause the record to be kept.

- Similar changes to preselection when the audit record is created
  when the system call is entering: consult both the global trail and
  pipes.

- au_preselect() now accepts the class in order to avoid repeatedly
  looking up the mask for each preselection test.

- Define a series of ioctls that allow applications to specify whether
  they want to track the global trail, or program their own
  preselection parameters: they may specify their own flags and naflags
  masks, similar to the global masks of the same name, as well as a set
  of per-auid masks.  They also set a per-pipe mode specifying whether
  they track the global trail, or user their own -- the door is left
  open for future additional modes.  A new ioctl is defined to allow a
  user process to flush the current audit pipe queue, which can be used
  after reprogramming pre-selection to make sure that only records of
  interest are received in future reads.

- Audit pipe data structures are extended to hold the additional fields
  necessary to support preselection.  By default, audit pipes track the
  global trail, so "praudit /dev/auditpipe" will track the global audit
  trail even though praudit doesn't program the audit pipe selection
  model.

- Comment about the complexities of potentially adding partial read
  support to audit pipes.

By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.

Obtained from:	TrustedBSD Project
2006-06-05 14:48:17 +00:00
rwatson
62baf512de Shorten audit record zone name.
Perforce change:	93598
Obtained from:	TrustedBSD Project
2006-06-05 14:11:28 +00:00
rwatson
805dfc4801 No longer unconditionally drain the audit record queue if there is
not an active audit trail: instead, continue to iterate through
each record in case an audit pipe is interested.

Obtained from:	TrustedBSD Project
2006-06-05 14:09:59 +00:00
rwatson
7ac842a4f9 Pull BSM conversion logic out of audit_record_write(), as well as
knowledge of user vs. kernel audit records into
audit_worker_process_record().  This largely confines vnode
knowledge to audit_record_write(), but avoids that logic knowing
about BSM as opposed to byte streams.  This will allow us to
improve our ability to support real-time audit stream processing
by audit pipe consumers while auditing is disabled, but this
support is not yet complete.

Obtained from:	TrustedBSD Project
2006-06-05 13:50:02 +00:00
rwatson
03ff784a40 Assert audit mtx in audit_worker_drain().
Break out logic to call audit_record_write() and handle error
conditions into audit_worker_process_record().  This will be the
future home of some logic now present in audit_record_write()
also.

Obtained from:	TrustedBSD Project
2006-06-05 13:46:55 +00:00
rwatson
9c450e4c02 Use struct kaudit_queue instead of a hand-crafted queue type for
audit records in the audit_worker thread.

Obtained from:	TrustedBSD Project
2006-06-05 13:45:05 +00:00
rwatson
4f92724562 Rename audit_cv to audit_worker_cv, as it wakes up the audit
worker.

Rename audit_commit_cv to audit_watermark_cv, since it is there to
wake up threads waiting on hitting the low watermark.  Describe
properly in comment.

Obtained from:	TrustedBSD Project
2006-06-05 13:43:57 +00:00
rwatson
bfd8acfedd Merge OpenBSM 1.0 alpha 6 changes for BSM token creation to
src/sys/security/audit:

- Clarify and clean up AUR_ types to match Solaris.
- Clean up use of host vs. network byte order for IP addresses.
- Remove combined user/kernel implementations of some token creation
  calls, such as au_to_file(), header calls, etc.

Obtained from:	TrustedBSD Project
2006-06-05 13:13:02 +00:00
csjp
65422bb622 Check to see if the rootdir is the same as the current working directory.
If it is, and the pathname was relative, do not separate the componenets
with a '/' character.

Obtained from:	TrustedBSD Project
2006-06-01 15:38:30 +00:00
rwatson
6b4573613f Reconstitute struct mac_policy_ops by breaking out individual function
pointer prototypes from it into their own typedefs.  No functional or
ABI change.  This allows policies to declare their own function
prototypes based on a common definition from mac_policy.h rather than
duplicating these definitions.

Obtained from:	SEDarwin, SPARTA
MFC after:	1 month
2006-04-26 14:18:55 +00:00
dwmalone
b6a2964430 Add some new options to mac_bsdestended. We can now match on:
subject: ranges of uid, ranges of gid, jail id
	objects: ranges of uid, ranges of gid, filesystem,
		object is suid, object is sgid, object matches subject uid/gid
		object type

We can also negate individual conditions. The ruleset language is
a superset of the previous language, so old rules should continue
to work.

These changes require a change to the API between libugidfw and the
mac_bsdextended module. Add a version number, so we can tell if
we're running mismatched versions.

Update man pages to reflect changes, add extra test cases to
test_ugidfw.c and add a shell script that checks that the the
module seems to do what we expect.

Suggestions from: rwatson, trhodes
Reviewed by: trhodes
MFC after: 2 months
2006-04-23 17:06:18 +00:00