Commit Graph

416 Commits

Author SHA1 Message Date
imp
cf874b345d Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
julian
af55753a06 Move a bunch of flags from the KSE to the thread.
I was in two minds as to where to put them in the first case..
I should have listenned to the other mind.

Submitted by:	 parts by davidxu@
Reviewed by:	jeff@ mini@
2003-02-17 09:55:10 +00:00
rwatson
22a1b720c1 Implement mpo_check_kld_load() and mpo_check_kld_unload() for the Biba
MAC policy.  To load a KLD, require that the subject hold Biba privilege,
and the the kernel module be marked as high integrity.  To unload a
KLD, require that the subject hold Biba privilege.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-02-04 22:38:33 +00:00
rwatson
61099be7de Place more stringent checks on process credential relabeling for the Biba
and MLS policies: as we support both an effective (single) element and
range (available) elements, require that the single be in the range if
both the single and range are defined in the update.  Remove comments
suggesting that such a check might be a good idea.

Don't introduce a similar check for network interfaces; due to different
interpretations of the single and range elements, it's not clear that
it's useful to do so.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-02-04 21:28:46 +00:00
rwatson
413da05130 Rename the variable 'grade' to 'type' in interface parsing and
labeling for Biba.

Rename the variable 'level' to 'type' in interface parsing and
labeling for MLS.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-02-04 21:00:51 +00:00
alfred
bf8e8a6e8f Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
dillon
ccd5574cc6 Bow to the whining masses and change a union back into void *. Retain
removal of unnecessary casts and throw in some minor cleanups to see if
anyone complains, just for the hell of it.
2003-01-13 00:33:17 +00:00
dillon
ddf9ef103e Change struct file f_data to un_data, a union of the correct struct
pointer types, and remove a huge number of casts from code using it.

Change struct xfile xf_data to xun_data (ABI is still compatible).

If we need to add a #define for f_data and xf_data we can, but I don't
think it will be necessary.  There are no operational changes in this
commit.
2003-01-12 01:37:13 +00:00
mux
a7aae2379c Fix warnings on 64bits architectures.
Noticed by:	alpha tinderbox
2003-01-06 12:07:38 +00:00
rwatson
7892c5c36d Map VAPPEND to VWRITE since the ugidfw rule syntax doesn't specifically
address the append access mode.

Reported by:	"Daniel C. Sobral" <dcs@newsguy.com>
Obtained from:	TrustedBSD Project
Sponosred by:	DARPA, Network Associates Laboratories

MFC Candidate.
2002-12-28 23:41:18 +00:00
alfred
d070c0a52d SCARGS removal take II. 2002-12-14 01:56:26 +00:00
alfred
4f48184fb2 Backout removal SCARGS, the code freeze is only "selectively" over. 2002-12-13 22:41:47 +00:00
alfred
d19b4e039d Remove SCARGS.
Reviewed by: md5
2002-12-13 22:27:25 +00:00
rwatson
f38706bfe3 Default policies to on: if you load them or compile them into your
kernel, you should expect them to do something, so now they do.  This
doesn't affect users who don't load or explicitly compile in the
policies.

Approved by:	re (jhb)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-10 16:20:34 +00:00
rwatson
c5caffe9c4 Remove dm_root entry from struct devfs_mount. It's never set, and is
unused.  Replace it with a dm_mount back-pointer to the struct mount
that the devfs_mount is associated with.  Export that pointer to MAC
Framework entry points, where all current policies don't use the
pointer.  This permits the SEBSD port of SELinux's FLASK/TE to compile
out-of-the-box on 5.0-CURRENT with full file system labeling support.

Approved by:	re (murray)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-09 03:44:28 +00:00
rwatson
bc339ca6ac Remove a const that generates a warning: the const isn't strictly
wrong, since we don't want the variable changed, but since we assign
it to variables that may also refer to other non-const strings,
warnings were generated that could break LINT.

Approved by:	re
Spotted by:	sam
2002-12-04 22:01:03 +00:00
rwatson
641c5e9ff3 License tweak: remove clause 3 per permission of NAI.
Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-03 15:26:01 +00:00
rwatson
bb2d09c9b0 Unhook the old LOMAC module, now replaced with mac_lomac.
Approved by:	re (jhb)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-12-03 15:12:36 +00:00
rwatson
9b4709eca2 Correct two warnings by staticizing a function and removing an unused
function.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-26 17:38:25 +00:00
rwatson
c6f89c6561 Import an implementation of LOMAC (Low-Watermark Mandatory Access
Control) as a MAC Framework policy module.  Unlike the existing
src/sys/security/lomac implementation, this one has its fingers out
of the kernel lock order and doesn't make use of flags in existing
kernel structures.  This greatly reduces the quantity of replicated
code with src/sys/kern, simplifies the implementation (3000 vs 8500
lines), and correctes a number of known stability problems with
the existing LOMAC implementation, which will be removed.  A bit
more hooking up to do here.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-26 17:26:06 +00:00
rwatson
2f11222833 Un-staticize mac_cred_mmapped_drop_perms() so that it may be used
by policy modules making use of downgrades in the MAC AST event.  This
is required by the mac_lomac port of LOMAC to the MAC Framework.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-26 17:11:57 +00:00
rwatson
569048d3f9 Introduce p_label, extensible security label storage for the MAC framework
in struct proc.  While the process label is actually stored in the
struct ucred pointed to by p_ucred, there is a need for transient
storage that may be used when asynchronous (deferred) updates need to
be performed on the "real" label for locking reasons.  Unlike other
label storage, this label has no locking semantics, relying on policies
to provide their own protection for the label contents, meaning that
a policy leaf mutex may be used, avoiding lock order issues.  This
permits policies that act based on historical process behavior (such
as audit policies, the MAC Framework port of LOMAC, etc) can update
process properties even when many existing locks are held without
violating the lock order.  No currently committed policies implement use
of this label storage.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-20 15:41:25 +00:00
rwatson
3753917a2e Merge kld access control checks from the MAC tree: these access control
checks permit policy modules to augment the system policy for permitting
kld operations.  This permits policies to limit access to kld operations
based on credential (and other) properties, as well as to perform checks
on the kld being loaded (integrity, etc).

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-19 22:12:42 +00:00
rwatson
9dde910437 Introduce a condition variable to avoid returning EBUSY when
the MAC policy list is busy during a load or unload attempt.
We assert no locks held during the cv wait, meaning we should
be fairly deadlock-safe.  Because of the cv model and busy
count, it's possible for a cv waiter waiting for exclusive
access to the policy list to be starved by active and
long-lived access control/labeling events.  For now, we
accept that as a necessary tradeoff.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-13 15:47:09 +00:00
rwatson
1e2f849511 Garbage collect mac_create_devfs_vnode() -- it hasn't been used since
we brought in the new cache and locking model for vnode labels.  We
now rely on mac_associate_devfs_vnode().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-12 04:20:36 +00:00
rwatson
01cba722c4 Garbage collect definition of M_MACOPVEC -- we no longer perform a
dynamic mapping of an operation vector into an operation structure,
rather, we rely on C99 sparse structure initialization.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-11 14:15:58 +00:00
rwatson
f3748b0c0b Update MAC modules for changes in arguments for exec MAC policy
entry points to include an explicit execlabel.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-08 18:04:36 +00:00
rwatson
95c4afbed0 Add an explicit execlabel argument to exec-related MAC policy entry
points, rather than relying on policies to grub around in the
image activator instance structure.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-08 18:04:00 +00:00
rwatson
d575478d80 Update policy modules for changes in arguments associated with support
for label access on the interpreter, not just the shell script.  No
policies currently present in the system rely on the new labels.
2002-11-05 17:52:42 +00:00
rwatson
6c4f4d26f4 Bring in two sets of changes:
(1) Permit userland applications to request a change of label atomic
    with an execve() via mac_execve().  This is required for the
    SEBSD port of SELinux/FLASK.  Attempts to invoke this without
    MAC compiled in result in ENOSYS, as with all other MAC system
    calls.  Complexity, if desired, is present in policy modules,
    rather than the framework.

(2) Permit policies to have access to both the label of the vnode
    being executed as well as the interpreter if it's a shell
    script or related UNIX nonsense.  Because we can't hold both
    vnode locks at the same time, cache the interpreter label.
    SEBSD relies on this because it supports secure transitioning
    via shell script executables.  Other policies might want to
    take both labels into account during an integrity or
    confidentiality decision at execve()-time.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 17:51:56 +00:00
rwatson
4f3c382c18 Since neither the Biba policy nor the MLS policy make use of
transitioning, remove their transition entry points.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 16:44:29 +00:00
rwatson
373a915367 Assert that appropriate vnodes are locked in mac_execve_will_transition().
Allow transitioning to be twiddled off using the process and fs enforcement
flags, although at some point this should probably be its own flag.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 15:11:33 +00:00
rwatson
ca2d41f714 Implement mpo_check_system_acct and mpo_check_system_settime() for Biba:
require Biba privilege to configure either, and require that accounting
files be high integrity.  Note that this does allow implicit information
flow from low to high integrity, but it also protects the integrity
of accounting data.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 17:50:52 +00:00
rwatson
8ea7b65d85 Correct use of mac_biba_subject_privileged() in swapon() code.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 17:36:47 +00:00
rwatson
b8dd64f5ef Permit MAC policies to instrument the access control decisions for
system accounting configuration and for nfsd server thread attach.
Policies might use this to protect the integrity or confidentiality
of accounting data, limit the ability to turn on or off accounting,
as well as to prevent inappropriately labeled threads from becoming nfs
server threads.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 15:13:36 +00:00
rwatson
8f2b40ef3f Remove mac_cache_fslabel_in_vnode sysctl -- with the new VFS/MAC
construction, labels are always cached.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 14:55:14 +00:00
rwatson
c7ea6f5cb9 License and wording updates: NAI has authorized the removal of clause
three from their BSD-style license.  Also, s/NAI Labs/Network Associates
Laboratories/.
2002-11-04 01:53:12 +00:00
rwatson
89cdee7c52 License clarification and wording changes: NAI has approved removal of
clause three, and NAI Labs now goes by the name Network Associates
Laboratories.
2002-11-04 01:42:39 +00:00
rwatson
7537530ad8 Introduce mac_check_system_settime(), a MAC check allowing policies to
augment the system policy for changing the system time.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-03 02:39:42 +00:00
rwatson
02575bafa7 Change privilege model for mac_partition such that BSD superuser can change
the partition once a partition has been set.  This is required for correct
operation of sendmail between partitions.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-03 00:53:03 +00:00
mux
a79bd334d7 Fix some warnings on 64 bit architectures. The vn_extattr_get()
function takes an int * parameter, not a size_t * parameter.

Arguably, it should rather take a size_t *, but that would
require changing the uio_resid field of struct uio to be a size_t
instead of an int, which I don't want to do that close to
5.0-RELEASE.

Reviewed by:	rwatson
2002-11-02 20:16:35 +00:00
rwatson
61ffc1b9bb Add MAC checks for various kenv() operations: dump, get, set, unset,
permitting MAC policies to limit access to the kernel environment.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-01 20:46:53 +00:00
rwatson
122a6b9ad2 Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure.  Originally, we used a vector
for two reasons:

(1) We wanted to define the structure sparsely, which wasn't
    supported by the C compiler for structures.  For a policy
    with five entry points, you don't want to have to stick in
    a few hundred NULL function pointers.

(2) We thought it would improve ABI compatibility allowing modules
    to work with kernels that had a superset of the entry points
    defined in the module, even if the kernel had changed its
    entry point set.

Both of these no longer apply:

(1) C99 gives us a way to sparsely define a static structure.

(2) The ABI problems existed anyway, due to enumeration numbers,
    argument changes, and semantic mismatches.  Since the going
    rule for FreeBSD is that you really need your modules to
    pretty closely match your kernel, it's not worth the
    complexity.

This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions.  One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
rwatson
e3a98b382a Various minor type, prototype tweaks -- clean up cruft due to lack of
type checking on entry points (to be introduced shortly).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 18:10:46 +00:00
rwatson
27e2336a32 While 'mode_t' seemed like a good idea for the access mode argument for
MAC access() and open() checks, the argument actually has an int type
where it becomes available.  Switch to using 'int' for the mode argument
throughout the MAC Framework and policy modules.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 17:56:57 +00:00
rwatson
d81ef804ab Try again to fix the KASSERT. 2002-10-30 00:16:59 +00:00
rwatson
fc851fde9e Fix a KASSERT bug that showed up only in the LINT build, not the
module build, so I missed it in the merge.

Pointed out by:	sam
2002-10-30 00:04:31 +00:00
rwatson
4db30046bd Hook up no-op stubs for reboot, swapon, sysctl entry points.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-29 19:57:28 +00:00
rwatson
6c3898d0fc Implement Biba policy entry points for mac_check_system_swapon()
and mac_check_system_sysctl(), providing additional integrity
protections relating to swap target device selection and system
management via sysctl().  Require Biba privilege for both; also
require that the target of swap operations be a high integrity
object, since swap data is high integrity.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Asssociates Laboratories
2002-10-29 19:18:52 +00:00
rwatson
34c75e428f Require Biba privilege to relabel a network interface.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-29 19:14:16 +00:00
rwatson
345064545a Correct a typo in a previously commented include entry that was made
visible in the recent commit.
2002-10-28 19:50:06 +00:00
rwatson
71ce8bbc83 Remove all reference to 'struct oldmac', since it's no longer required
with the new VFS/EA semantics in the MAC framework.  Move the per-policy
structures out to per-policy include files, removing all policy-specific
defines and structures out of the base framework includes and
implementation, making mac_biba and mac_mls entirely self-contained.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-28 19:44:05 +00:00
rwatson
9146f5fdfa Add a return type for mac_biba_high_single(), apparently lost in an
earlier merge.  It's a 'static int'.
2002-10-28 19:18:29 +00:00
rwatson
9c894a8e1c Rename mac_biba_subject_equal_ok() to mac_biba_subject_privileged()
to evolve the notion of Biba privilege a bit.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-28 19:17:39 +00:00
rwatson
1295b8ff0f Zero the trusted_interface buffer before starting parsing.
Print a warning if a requested interface name is longer than
IFNAMSIZ.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-28 19:16:44 +00:00
rwatson
9ae04d1a06 An inappropriate ASSERT slipped in during the recent merge of the
reboot checking; remove.
2002-10-28 18:53:53 +00:00
rwatson
e6f3037210 Centrally manage enforcement of {reboot,swapon,sysctl} using the
mac_enforce_system toggle, rather than several separate toggles.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 15:50:49 +00:00
rwatson
653f637c44 Implement mac_check_system_sysctl(), a MAC Framework entry point to
permit MAC policies to augment the security protections on sysctl()
operations.  This is not really a wonderful entry point, as we
only have access to the MIB of the target sysctl entry, rather than
the more useful entry name, but this is sufficient for policies
like Biba that wish to use their notions of privilege or integrity
to prevent inappropriate sysctl modification.  Affects MAC kernels
only.  Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c,
we can't assert the SYSCTL subsystem lockin the MAC Framework.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 07:12:34 +00:00
rwatson
be98961ae9 Hook up mac_check_system_reboot(), a MAC Framework entry point that
permits MAC modules to augment system security decisions regarding
the reboot() system call, if MAC is compiled into the kernel.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 07:03:29 +00:00
rwatson
8cd9e63819 Merge from MAC tree: rename mac_check_vnode_swapon() to
mac_check_system_swapon(), to reflect the fact that the primary
object of this change is the running kernel as a whole, rather
than just the vnode.  We'll drop additional checks of this
class into the same check namespace, including reboot(),
sysctl(), et al.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 06:54:06 +00:00
rwatson
312cab0dee Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label
right from inception.  For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system.  With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance.  This
also corrects sematics for shared vnode locks, which were not
previously present in the system.  This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form.  With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception.  We'll introduce a work around for this shortly.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
rwatson
068e73d389 Comment describing the semantics of mac_late.
Trim trailing whitespace.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-25 20:45:27 +00:00
rwatson
e8d6763a91 Provide a simple sample labeled access control policy, mac_partition.
This policy can be loaded dynamically, and assigns each process a
partition number, as well as permitting processes to operate outside
the partition.  Processes contained in a partition can only "see"
processes inside the same partition, so it's a little like jail.
The partition of a user can be set using the label mechanisms in
login.conf.  This sample policy is a good starting point for developers
wanting to learn about how to produce labeled policies, as it labels
only one kernel object, the process credential.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-23 23:36:27 +00:00
rwatson
29ef1b5025 Style fix: space between 'switch' and '('. 2002-10-22 19:01:49 +00:00
rwatson
d6241fec61 s/mls/biba/ in a copy+paste error for a printf. 2002-10-22 18:36:47 +00:00
rwatson
7b35ce62ba Remove the mac_te policy bits from 'struct oldmac' -- we're not going
to merge mac_te, since the SEBSD port of SELinux/FLASK provides a much
more mature Type Enforcement implementation.  This changes the size
of the on-disk 'struct oldmac' EA labels, which may require regeneration.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 17:19:06 +00:00
rwatson
3d192c6f03 Don't enforce MAC Biba policy for socket visibility if Biba is not
explicitly enabled.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 17:02:42 +00:00
rwatson
e40371a8f9 Introduce MAC_CHECK_VNODE_SWAPON, which permits MAC policies to
perform authorization checks during swapon() events; policies
might choose to enforce protections based on the credential
requesting the swap configuration, the target of the swap operation,
or other factors such as internal policy state.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 15:53:43 +00:00
rwatson
9fe777b3e6 Missed in previous merge: export sizeof(struct oldmac) rather than
sizeof(struct mac).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 15:33:33 +00:00
rwatson
433e63644a Adapt MAC policies for the new user API changes; teach policies how
to parse their own label elements (some cleanup to occur here in the
future to use the newly added kernel strsep()).  Policies now
entirely encapsulate their notion of label in the policy module.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 14:31:34 +00:00
rwatson
4651fb3eba Support the new MAC user API in kernel: modify existing system calls
to use a modified notion of 'struct mac', and flesh out the new variation
system calls (almost identical to existing ones except that they permit
a pid to be specified for process label retrieval, and don't follow
symlinks).  This generalizes the label API so that the framework is
now almost entirely policy-agnostic.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
rwatson
a60c645b42 Revised APIs for user process label management; the existing APIs relied
on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries.  This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels.  In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules.  This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want.  This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 14:27:44 +00:00
rwatson
0a4c2cb09a mac_none is a stub policy without any functional implementation.
Various cleanups, no functional changes:

	- Fix a type in an entry point stub, socket checks accept
	  sockets, not vnodes.
	- Trailing whitespace
	- Entry point sort order

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 23:16:23 +00:00
rwatson
3304731f7b Introduce mac_biba_copy() and mac_mls_copy(), which conditionally
copy elements of one Biba or MLS label to another based on the flags
on the source label element.  Use this instead of
mac_{biba,mls}_{single,range}() to simplify the existing code, as
well as support partial label updates (we don't update if none is
requested).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 20:55:39 +00:00
rwatson
63323cc3ae Add compartment support to Biba and MLS policies. The logic of the
policies remains the same: subjects and objects are labeled for
integrity or sensitivity, and a dominance operator determines whether
or not subject/object accesses are permitted to limit inappropriate
information flow.  Compartments are a non-hierarchal component to
the label, so add a bitfield to the label element for each, and a
set check as part of the dominance operator.  This permits the
implementation of "need to know" elements of MLS.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 18:42:01 +00:00
rwatson
a52c2344dd More in the way of minor consistency improvements: trim 'mac_mls_'
from another variable to line this up with mac_biba.c

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 18:14:30 +00:00
rwatson
a47467b826 Demote sockets to single-label objects rather than maintaining a
range on them, leaving process credentials as the only kernel
objects with label ranges in the Biba and MLS policies.  We
weren't using the range in any access control decisions, so this
lets us garbage collect effectively unused code.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 18:05:12 +00:00
rwatson
25b8d9a4ba Synchonize variable spelling with the MAC tree: we shortened some of
the names.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 17:05:48 +00:00
rwatson
92611f31b9 White space nit the crept in during merge. 2002-10-21 17:01:30 +00:00
rwatson
963bded1fb Since the Biba and MLS access checks are identical to the open checks,
collapse the two cases more cleanly: rather than wrapping an access
check around open, simply provide the open implementation for the
access vector entry.  No functional change.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 16:39:12 +00:00
rwatson
ec031d4923 Cleanup of relabel authorization checks -- almost identical logic,
we just break out some of the tests better.  Minor change in that
we now better support incremental update of labels.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 16:35:54 +00:00
rwatson
684bc9e08e Add a twiddle to create PTY's with a biba/equal or mls/equal label
instead of the default biba/high, mls/low, making it easier to use
ptys with these policies.  This isn't the final solution, but does
help.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 04:15:40 +00:00
brooks
3eee68d184 Use if_printf(ifp, "blah") instead of
printf("%s%d: blah", ifp->if_name, ifp->if_xname).
2002-10-21 02:51:56 +00:00
rwatson
d9307dee7e If MAC_MAX_POLICIES isn't defined, don't try to define it, just let the
compile fail.  MAC_MAX_POLICIES should always be defined, or we have
bigger problems at hand.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-20 03:41:09 +00:00
rwatson
08f5fce118 Make sure to clear the 'registered' flag for MAC policies when they
unregister.  Under some obscure (perhaps demented) circumstances,
this can result in a panic if a policy is unregistered, and then someone
foolishly unregisters it again.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-19 20:30:12 +00:00
mckusick
25230d4c6a Regularize the vop_stdlock'ing protocol across all the filesystems
that use it. Specifically, vop_stdlock uses the lock pointed to by
vp->v_vnlock. By default, getnewvnode sets up vp->v_vnlock to
reference vp->v_lock. Filesystems that wish to use the default
do not need to allocate a lock at the front of their node structure
(as some still did) or do a lockinit. They can simply start using
vn_lock/VOP_UNLOCK. Filesystems that wish to manage their own locks,
but still use the vop_stdlock functions (such as nullfs) can simply
replace vp->v_vnlock with a pointer to the lock that they wish to
have used for the vnode. Such filesystems are responsible for
setting the vp->v_vnlock back to the default in their vop_reclaim
routine (e.g., vp->v_vnlock = &vp->v_lock).

In theory, this set of changes cleans up the existing filesystem
lock interface and should have no function change to the existing
locking scheme.

Sponsored by:	DARPA & NAI Labs.
2002-10-14 03:20:36 +00:00
rwatson
1f2df65750 Integrate mac_check_socket_send() and mac_check_socket_receive()
checks from the MAC tree: allow policies to perform access control
for the ability of a process to send and receive data via a socket.
At some point, we might also pass in additional address information
if an explicit address is requested on send.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-06 14:39:15 +00:00
rwatson
ab1575713d Trim accidentally introduced trailing whitespace. 2002-10-06 13:11:01 +00:00
rwatson
2ad996a2d3 Sync from MAC tree: break out the single mmap entry point into
seperate entry points for each occasion:

mac_check_vnode_mmap()		Check at initial mapping
mac_check_vnode_mprotect()	Check at mapping protection change
mac_check_vnode_mmap_downgrade()	Determine if a mapping downgrade
					should take place following
					subject relabel.

Implement mmap() and mprotect() entry points for labeled vnode
policies.  These entry points are currently not hooked up to the
VM system in the base tree.  These changes improve the consistency
of the access control interface and offer more flexibility regarding
limiting access to vnode mmaping.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-06 02:46:26 +00:00
rwatson
74ec128a1c Modify label allocation semantics for sockets: pass in soalloc's malloc
flags so that we can call malloc with M_NOWAIT if necessary, avoiding
potential sleeps while holding mutexes in the TCP syncache code.
Similar to the existing support for mbuf label allocation: if we can't
allocate all the necessary label store in each policy, we back out
the label allocation and fail the socket creation.  Sync from MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
rwatson
d8184bd58c Implement mac_create_devfs_symlink() for policies that interact with
vnode labels.  Sync from MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 18:56:25 +00:00
rwatson
7b150b70c2 Integrate a devfs/MAC fix from the MAC tree: avoid a race condition during
devfs VOP symlink creation by introducing a new entry point to determine
the label of the devfs_dirent prior to allocation of a vnode for the
symlink.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 18:40:10 +00:00
rwatson
f79fd8d75d Merge implementation of mpo_check_vnode_link() for various appropriate
file-system aware MAC policies.  Sync to MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 18:25:48 +00:00
rwatson
abda58cc1e Merge support for mac_check_vnode_link(), a MAC framework/policy entry
point that instruments the creation of hard links.  Policy implementations
to follow.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 18:11:36 +00:00
rwatson
d273cfe761 While the MAC API has supported the ability to handle M_NOWAIT passed
to mbuf label initialization, that functionality was never merged to
the main tree.  Go ahead and merge that functionality now.  Note that
this requires policy modules to accept the case where the label
element may be destroyed even if init has not succeeded on it (in
the event that policy failed the init).  This will shortly also
apply to sockets.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 17:44:49 +00:00
rwatson
7a8226480f Rearrange object and label init/destroy functions to match the
order used in mac_policy.h and elsewhere.  Sort order is basically
"by operation category", then "alphabetically by object". Sync to
MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
rwatson
5669cfde80 Sync to MAC tree: use 'flag' instead of 'how' for mac_init_mbuf();
remove a slightly less than useful comment.
2002-10-05 17:18:43 +00:00
rwatson
7c754b7adc Another big diff, little functional change: move label internalization,
externalization, and cred label life cycle events to entirely above
devfs and vnode events.  Sync from MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
rwatson
aece5c85f0 Move all object label init/destroy routines to the head of the
entry points to better match the entry point ordering in mac_policy.h.
Big diff, no functional change; merge from the MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
rwatson
c98d753496 Synch from TrustedBSD MAC tree:
- If a policy isn't registered when a policy module unloads, silently
  succeed.

- Hold the policy list lock across more of the validity tests to avoid
  races.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 16:46:03 +00:00
rwatson
ca4946005d Cosmetic line wrap synchronization. 2002-10-05 16:33:46 +00:00
rwatson
8cc4bbaa82 Push the debugging obect label counters into security.mac.debug.counters
rather than directly under security.mac.debug.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 16:30:53 +00:00
rwatson
2670ddfd3d Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
  entry points to mpo_init_foo_label(label) and
  mpo_destroy_foo_label(label).  This will permit the use of the same
  entry points for holding temporary type-specific label during
  internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
  mpo_{init,destroy}_mount() into seperate entry points for socket
  main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
  all entry points, implement these entry points using common
  implementations for Biba, MLS, and Test, reducing the number of
  almost identical looking functions.

This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 15:10:00 +00:00
rwatson
4be0d09ad3 Add a new MAC entry point, mac_thread_userret(td), which permits policy
modules to perform MAC-related events when a thread returns to user
space.  This is required for policies that have floating process labels,
as it's not always possible to acquire the process lock at arbitrary
points in the stack during system call processing; process labels might
represent traditional authentication data, process history information,
or other data.

LOMAC will use this entry point to perform the process label update
prior to the thread returning to userspace, when plugged into the MAC
framework.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-02 02:42:38 +00:00
phk
32912489c9 Remember to include "opt_devfs.h" so we get any relevant changes
to NDEVFSINO before we include devfs.h.

Spotted by:	FlexeLint
2002-10-01 15:24:35 +00:00
rwatson
0b0e14e462 Improve locking of pipe mutexes in the context of MAC:
(1) Where previously the pipe mutex was selectively grabbed during
    pipe_ioctl(), now always grab it and then release if if not
    needed.  This protects the call to mac_check_pipe_ioctl() to
    make sure the label remains consistent.  (Note: it looks
    like sigio locking may be incorrect for fgetown() since we
    call it not-by-reference and sigio locking assumes call by
    reference).

(2) In pipe_stat(), lock the pipe if MAC is compiled in so that
    the call to mac_check_pipe_stat() gets a locked pipe to
    protect label consistency.  We still release the lock before
    returning actual stat() data, risking inconsistency, but
    apparently our pipe locking model accepts that risk.

(3) In various pipe MAC authorization checks, assert that the pipe
    lock is held.

(4) Grab the lock when performing a pipe relabel operation, and
    assert it a little deeper in the stack.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-01 04:30:19 +00:00
rwatson
d95d2f1aae Push 'security.mac.debug_label_fallback' behind options MAC_DEBUG.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-10-01 03:24:20 +00:00
rwatson
731b954aba Add tunables for the existing sysctl twiddles for pipe and vm
enforcement so they can be disabled prior to kernel start.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-30 20:50:00 +00:00
jeff
76a1e2b647 - Use vrefcnt() instead of v_usecount. 2002-09-25 02:42:43 +00:00
rwatson
48eceacd5b Remove another missed trailing space. 2002-09-21 19:50:28 +00:00
rwatson
eaf29d3807 Trim trailing whitespace from the ends of lines. 2002-09-21 19:26:59 +00:00
rwatson
8d4439455d Continue cleanup and sync of mac_biba and mac_mls policies to the
TrustedBSD MAC Perforce tree.  Remove unused functions
mac_biba_equal_range and mac_mls_equal_range, which determined if the
ranges in two range-enabled labels were equal.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-21 19:20:01 +00:00
rwatson
efd3f8f916 Remove mac_biba_high_single() check for interface renaming: we now
use the notion that a subject range of (low-high) connotes Biba
privilege rather than a single of high.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-21 19:01:44 +00:00
rwatson
5bc8683c98 As INVARIANTS isn't supported for code that loads only as a kernel
module and is not linked into the base system, two KASSERT's rotted.
Fix them by fixing variable names.  It would be really nice if
opt_global.h was used when building modules as part of a buildkernel.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-21 18:29:37 +00:00
rwatson
8f4cf6aafc Remove un-needed stack variable 'ops'.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-18 22:35:02 +00:00
rwatson
90f35dab01 Add a toggle to disable VM enforcement.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-09-18 02:02:08 +00:00
rwatson
22d6bef96d At the cost of seeming a little gauche, make use of more traditional
alphabetization for mac_enforce_pipe sysctl.

Obtained from:	TrustedBSD Project
Sponsored by:	DAPRA, NAI Labs
2002-09-18 02:00:19 +00:00
njl
0590c43070 Remove all use of vnode->v_tag, replacing with appropriate substitutes.
v_tag is now const char * and should only be used for debugging.

Additionally:
1. All users of VT_NTS now check vfsconf->vf_type VFCF_NETWORK
2. The user of VT_PROCFS now checks for the new flag VV_PROCDEP, which
is propagated by pseudofs to all child vnodes if the fs sets PFS_PROCDEP.

Suggested by:   phk
Reviewed by:    bde, rwatson (earlier version)
2002-09-14 09:02:28 +00:00
bde
35091030c1 Include <sys/malloc.h> instead of depending on namespace pollution 2
layers deep in <sys/proc.h> or <sys/vnode.h>.
2002-09-10 12:45:02 +00:00
rwatson
990d7cf43e Add security.mac.mmap_revocation, a flag indicating whether we
should revoke access to memory maps on a process label change.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-09-09 17:12:24 +00:00
rwatson
bb15291772 Minor code sync to MAC tree: push Giant locking up from
mac_cred_mmapped_drop_perms() to the caller.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-09-09 17:10:16 +00:00
rwatson
315e4703e1 Re-insert TUNABLE() export of MAC Biba and MAC MLS module 'enabled'
sysctls.  Apparently lost during some or another merge.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-09-05 18:52:52 +00:00
bde
725b1916bd Include <sys/malloc.h> instead of depending on namespace pollution 2
layers deep in <sys/proc.h> or <sys/vnode.h>.

Removed unused includes.

Fixed some printf format errors (1 fatal on i386's; 1 fatal on alphas;
1 not fatal on any supported machine).
2002-09-05 07:02:43 +00:00
rwatson
f0810dcb75 Prefer NULL to 0 when passing a NULL pointer. 2002-08-20 02:54:09 +00:00
rwatson
d4026d9db7 Provide stub mpo_syscall() implementations for mac_none and mac_test.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-20 02:53:35 +00:00
rwatson
83ecac75d4 Close a race in process label changing opened due to dropping the
proc locking when revoking access to mmaps.  Instead, perform this
later once we've changed the process label (hold onto a reference
to the new cred so that we don't lose it when we release the
process lock if another thread changes the credential).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 20:26:32 +00:00
rwatson
a1cb1e3bed Pass active_cred and file_cred into the MAC framework explicitly
for mac_check_vnode_{poll,read,stat,write}().  Pass in fp->f_cred
when calling these checks with a struct file available.  Otherwise,
pass NOCRED.  All currently MAC policies use active_cred, but
could now offer the cached credential semantic used for the base
system security model.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 19:04:53 +00:00
rwatson
4cb63b194b Provide an implementation of mac_syscall() so that security modules
can offer new services without reserving system call numbers, or
augmented versions of existing services.  User code requests a
target policy by name, and specifies the policy-specific API plus
target.  This is required in particular for our port of SELinux/FLASK
to the MAC framework since it offers additional security services.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 17:59:48 +00:00
rwatson
fd544421f3 Break out mac_check_pipe_op() into component check entry points:
mac_check_pipe_poll(), mac_check_pipe_read(), mac_check_pipe_stat(),
and mac_check_pipe_write().  This is improves consistency with other
access control entry points and permits security modules to only
control the object methods that they are interested in, avoiding
switch statements.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 16:59:37 +00:00
rwatson
1a7cd1a210 Break out mac_check_vnode_op() into three seperate checks:
mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write().
This improves the consistency with other existing vnode checks, and
allows policies to avoid implementing switch statements to determine
what operations they do and do not want to authorize.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 16:43:25 +00:00
rwatson
c601d7b784 Assert process locks in proces-related access control checks.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 15:30:30 +00:00
rwatson
8c753954cb Add a missing vnode assertion for the exec() check.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-19 15:28:39 +00:00
phk
8346c2fde3 Keep a copy of the credential used to mount filesystems around so
we can check and use it later on.

Change the pieces of code which relied on mount->mnt_stat.f_owner
to check which user mounted the filesystem.

This became needed as the EA code needs to be able to allocate
blocks for "system" EA users like ACLs.

There seems to be some half-baked (probably only quarter- actually)
notion that the superuser for a given filesystem is the user who
mounted it, but this has far from been carried through.  It is
unclear if it should be.

Sponsored by: DARPA & NAI Labs.
2002-08-19 06:52:21 +00:00
rwatson
9c78782941 Wrap maintenance of varios nmac{objectname} counters in MAC_DEBUG so we
can avoid the cost of a large number of atomic operations if we're not
interested in the object count statistics.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-16 14:21:38 +00:00
rwatson
aa8060c29e Rename mac_check_socket_receive() to mac_check_socket_deliver() so that
we can use the names _receive() and _send() for the receive() and send()
checks.  Rename related constants, policy implementations, etc.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-15 18:51:27 +00:00
rwatson
9725be3a61 Rename mac_check_socket_receive() to mac_check_socket_deliver() so that
we can use the names _receive() and _send() for the receive() and send()
checks.  Rename related constants, policy implementations, etc.

PR:
Submitted by:
Reviewed by:
Approved by:
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
MFC after:
2002-08-15 18:51:26 +00:00
rwatson
f77c281019 Sync to trustedbsd_mac tree: default to sigsegv rather than copy-on-write
during a label change resulting in an mmap removal.  This is "fail stop"
behavior, which is preferred, although it offers slightly less
transparency.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-15 02:28:32 +00:00
rwatson
de88edcff7 Define 'struct label' in _label.h rather than mac.h, which will permit
us to reduce namespace pollution by doing a nested include of _label.h
rather than mac.h.  mac.h contains lots of baggage, whereas _label.h
contains much less.  A follow-up sweep to change nested inclusion will
follow.  The problem regarding exporting 'struct label' to userland
due to excessive exporting of kernel structures to userland still
needs to be resolved.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
Suggested by:	bde
2002-08-13 15:54:28 +00:00
rwatson
2f9e2502bd Declare a module service "kernel_mac_support" when MAC support is
enabled and the kernel provides the MAC registration and entry point
service.  Declare a dependency on that module service for any
MAC module registered using mac_policy.h.  For now, hard code the
version as 1, but once we've come up with a versioning policy, we'll
move to a #define of some sort.  In the mean time, this will prevent
loading a MAC module when 'options MAC' isn't present, which (due to
a bug in the kernel linker) can result if the MAC module is preloaded
via loader.conf.

This particular evil recommended by:	peter
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI LAbs
2002-08-12 02:00:21 +00:00
jeff
02517b6731 - Replace v_flag with v_iflag and v_vflag
- v_vflag is protected by the vnode lock and is used when synchronization
   with VOP calls is needed.
 - v_iflag is protected by interlock and is used for dealing with vnode
   management issues.  These flags include X/O LOCK, FREE, DOOMED, etc.
 - All accesses to v_iflag and v_vflag have either been locked or marked with
   mp_fixme's.
 - Many ASSERT_VOP_LOCKED calls have been added where the locking was not
   clear.
 - Many functions in vfs_subr.c were restructured to provide for stronger
   locking.

Idea stolen from:	BSD/OS
2002-08-04 10:29:36 +00:00
rwatson
5d31ba7f61 Improve ordering of MAC entry points in mac_policy_op structure.
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-02 20:33:05 +00:00
rwatson
a5dcc1fd3d Include file cleanup; mac.h and malloc.h at one point had ordering
relationship requirements, and no longer do.

Reminded by:	bde
2002-08-01 17:47:56 +00:00
rwatson
c429949b89 Change macop_t to const, use macop_t in MAC policy entry point definition
structure.  This prevents a boatload of warnings in the MAC modules,
so we can hook them up to the build.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-01 17:32:01 +00:00
rwatson
5529143578 Introduce support for Mandatory Access Control and extensible
kernel access control.

Provide implementations of some sample operating system security
policy extensions.  These are not yet hooked up to the build as
other infrastructure is still being committed.  Most of these
work fairly well and are in daily use in our development and (limited)
production environments.  Some are not yet in their final form,
and a number of the labeled policies waste a lot of kernel memory
and will be fixed over the next month or so to be more conservative.
They do give good examples of the flexibility of the MAC framework
for implementing a variety of security policies.

mac_biba:	Implementation of fixed-label Biba integrity policy,
		similar to those found in a number of commercial
		trusted operating systems.  All subjects and objects
		are assigned integrity levels, and information flow
		is controlled based on a read-up, write-down
		policy.  Currently, purely hierarchal.

mac_bsdextended:	Implementation of a "file system firewall",
		which allows the administrator to specify a series
		of rules limiting access by users and groups to
		objects owned by other users and groups.  This
		policy is unlabeled, relying on existing system
		security labeling (file permissions/ownership,
		process credentials).

mac_ifoff:	Secure interface silencing.  Special-purpose module
		to limit inappropriate out-going network traffic
		for silent monitoring scenarios.  Prevents the
		various network stacks from generating any output
		despite an interface being live for reception.

mac_mls:	Implementation of fixed-label Multi-Level Security
		confidentiality policy, similar to those found in
		a number of commercial trusted operating systems.
		All subjects and objects are assigned confidentiality
		levels, and information flow is controlled based on
		a write-up, read-down policy.  Currently, purely
		hiearchal, although non-hierarchal support is in the
		works.

mac_none:	Policy module implementing all MAC policy entry
		points with empty stubs.  A good place to start if
		you want all the prototypes types in for you, and
		don't mind a bit of pruning.  Can be loaded, but
		has no access control impact.  Useful also for
		performance measurements.

mac_seeotheruids:	Policy module implementing a security service
		similar to security.bsd.seeotheruids, only a slightly
		more detailed policy involving exceptions for members
		of specific groups, etc.  This policy is unlabeled,
		relying on existing system security labeling
		(process credentials).

mac_test:	Policy module implementing basic sanity tests for
		label handling.  Attempts to ensure that labels are
		not freed multiple times, etc, etc.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-31 18:07:45 +00:00
rwatson
e4b29af39a Reduce the memory footprint of MAC in the base system by halving
the number of policy slots to 4.

(Having run a quick errand, time to start on phase 2 of the MAC
integration)

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-31 00:03:26 +00:00
rwatson
dd98c92e63 Begin committing support for Mandatory Access Control and extensible
kernel access control.  The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy.  This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported.  Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.

kern_mac.c contains the body of the MAC framework.  Kernel and
user APIs defined in mac.h are implemented here, providing a front end
to loaded security modules.  This code implements a module registration
service, state (label) management, security configuration and policy
composition.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-30 21:36:05 +00:00
rwatson
dba3c73b7b Begin committing support for Mandatory Access Control and extensible
kernel access control.  The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy.  This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported.  Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.

Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h).  These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module.  These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-30 21:32:34 +00:00
rwatson
6d23f2cbf6 Stubs for the TrustedBSD MAC system calls to permit TrustedBSD MAC
userland code to operate on kernel's from the main tree.  Not much
in this file yet.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-30 02:04:05 +00:00
alfred
15e61a8561 Get rid of warnings, there's no need to do preprocessor concatination of
things with commas and equal signs.
2002-06-01 18:45:33 +00:00
tanimura
e6fa9b9e92 Back out my lats commit of locking down a socket, it conflicts with hsu's work.
Requested by:	hsu
2002-05-31 11:52:35 +00:00
alfred
26c9c27f03 Check for defined(__i386__) instead of just defined(i386) since the compiler
will be updated to only define(__i386__) for ANSI cleanliness.
2002-05-30 07:32:58 +00:00
tanimura
92d8381dd5 Lock down a socket, milestone 1.
o Add a mutex (sb_mtx) to struct sockbuf. This protects the data in a
  socket buffer. The mutex in the receive buffer also protects the data
  in struct socket.

o Determine the lock strategy for each members in struct socket.

o Lock down the following members:

  - so_count
  - so_options
  - so_linger
  - so_state

o Remove *_locked() socket APIs.  Make the following socket APIs
  touching the members above now require a locked socket:

 - sodisconnect()
 - soisconnected()
 - soisconnecting()
 - soisdisconnected()
 - soisdisconnecting()
 - sofree()
 - soref()
 - sorele()
 - sorwakeup()
 - sotryfree()
 - sowakeup()
 - sowwakeup()

Reviewed by:	alfred
2002-05-20 05:41:09 +00:00
jhb
b6d6774e76 Change p_can{debug,see,sched,signal}()'s first argument to be a thread
pointer instead of a proc pointer and require the process pointed to
by the second argument to be locked.  We now use the thread ucred reference
for the credential checks in p_can*() as a result.  p_canfoo() should now
no longer need Giant.
2002-05-19 00:14:50 +00:00
trhodes
28d42899b7 More s/file system/filesystem/g 2002-05-16 21:28:32 +00:00
jhb
7b11cd5cb0 Use the proc lock to protect p_ucred while we read a few items from it. 2002-04-11 21:17:45 +00:00
jhb
dc2e474f79 Change the suser() API to take advantage of td_ucred as well as do a
general cleanup of the API.  The entire API now consists of two functions
similar to the pre-KSE API.  The suser() function takes a thread pointer
as its only argument.  The td_ucred member of this thread must be valid
so the only valid thread pointers are curthread and a few kernel threads
such as thread0.  The suser_cred() function takes a pointer to a struct
ucred as its first argument and an integer flag as its second argument.
The flag is currently only used for the PRISON_ROOT flag.

Discussed on:	smp@
2002-04-01 21:31:13 +00:00
rwatson
0de282ee42 DBA update: pick the right DBA for various LOMAC copyrights. 2002-03-13 22:55:20 +00:00
jhb
3706cd3509 Simple p_ucred -> td_ucred changes to start using the per-thread ucred
reference.
2002-02-27 18:32:23 +00:00
dd
c8a6bd9922 Introduce a version field to `struct xucred' in place of one of the
spares (the size of the field was changed from u_short to u_int to
reflect what it really ends up being).  Accordingly, change users of
xucred to set and check this field as appropriate.  In the kernel,
this is being done inside the new cru2x() routine which takes a
`struct ucred' and fills out a `struct xucred' according to the
former.  This also has the pleasant sideaffect of removing some
duplicate code.

Reviewed by:	rwatson
2002-02-27 04:45:37 +00:00
rwatson
6ca91a055c Part I: Update extended attribute API and ABI:
o Modify the system call syntax for extattr_{get,set}_{fd,file}() so
  as not to use the scatter gather API (which appeared not to be used
  by any consumers, and be less portable), rather, accepts 'data'
  and 'nbytes' in the style of other simple read/write interfaces.
  This changes the API and ABI.

o Modify system call semantics so that extattr_get_{fd,file}() return
  a size_t.  When performing a read, the number of bytes read will
  be returned, unless the data pointer is NULL, in which case the
  number of bytes of data are returned.  This changes the API only.

o Modify the VOP_GETEXTATTR() vnode operation to accept a *size_t
  argument so as to return the size, if desirable.  If set to NULL,
  the size will not be returned.

o Update various filesystems (pseodofs, ufs) to DTRT.

These changes should make extended attributes more useful and more
portable.  More commits to rebuild the system call files, as well
as update userland utilities to follow.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-02-10 04:43:22 +00:00
mjacob
f5604f2085 Replace a few more lines of code orphaned by MFREE going away.
MFC after:	1 day
2002-02-07 22:08:32 +00:00
julian
b5eb64d6f0 Pre-KSE/M3 commit.
this is a low-functionality change that changes the kernel to access the main
thread of a process via the linked list of threads rather than
assuming that it is embedded in the process. It IS still embeded there
but remove all teh code that assumes that in preparation for the next commit
which will actually move it out.

Reviewed by: peter@freebsd.org, gallatin@cs.duke.edu, benno rice,
2002-02-07 20:58:47 +00:00
green
48a2f127d4 s/sonewconn3/sonewconn/ forgotten by the modifier. 2001-12-26 18:31:22 +00:00
green
f9d5720e42 Split out NAI Labs license and BSD license to prevent the accidental
violation of either.
2001-12-03 00:21:18 +00:00
green
a7fea08d45 Return a POSIX-compliant error for write(2) failure. 2001-11-28 23:02:33 +00:00
green
beff114774 Import LOMAC preliminary release 2.0.0 in src/sys/security. These files may
be modified and do not have to remain on the vendor branch.

http://opensource.nailabs.com/lomac/index.html

Sponsored by: DARPA, NAI Labs (CBOSS project)
2001-11-19 22:34:06 +00:00