src/sys/security/mac/mac_process.c, branch release/6.0.0_cvs FreeBSD source tree This commit was manufactured by cvs2svn to create tag 2005-11-03T00:35:26+00:00 cvs2svn cvs2svn@FreeBSD.org 2005-11-03T00:35:26+00:00 3640cb54210edbb7edbf1b12ef0127ecfcea967d 'RELENG_6_0_0_RELEASE'. This commit was manufactured to restore the state of the 6.0-RELEASE image. 
'RELENG_6_0_0_RELEASE'.

This commit was manufactured to restore the state of the 6.0-RELEASE image.
Introduce p_canwait() and MAC Framework and MAC Policy entry points 2005-04-18T13:36:57+00:00 Robert Watson rwatson@FreeBSD.org 2005-04-18T13:36:57+00:00 babe9a2bb37a1c0a1e87cbe5c3ce5fd40c70d990 mac_check_proc_wait(), which control the ability to wait4() specific processes. This permits MAC policies to limit information flow from children that have changed label, although has to be handled carefully due to common programming expectations regarding the behavior of wait4(). The cr_seeotheruids() check in p_canwait() is #if 0'd for this reason. The mac_stub and mac_test policies are updated to reflect these new entry points. Sponsored by: SPAWAR, SPARTA Obtained from: TrustedBSD Project 
mac_check_proc_wait(), which control the ability to wait4() specific
processes.  This permits MAC policies to limit information flow from
children that have changed label, although has to be handled carefully
due to common programming expectations regarding the behavior of
wait4().  The cr_seeotheruids() check in p_canwait() is #if 0'd for
this reason.

The mac_stub and mac_test policies are updated to reflect these new
entry points.

Sponsored by:	SPAWAR, SPARTA
Obtained from:	TrustedBSD Project
Introduce new MAC Framework and MAC Policy entry points to control the use 2005-04-16T13:29:15+00:00 Robert Watson rwatson@FreeBSD.org 2005-04-16T13:29:15+00:00 030a28b3b5675711d9dbcef4dde8901eeda0bc6c of system calls to manipulate elements of the process credential, including: setuid() mac_check_proc_setuid() seteuid() mac_check_proc_seteuid() setgid() mac_check_proc_setgid() setegid() mac_check_proc_setegid() setgroups() mac_check_proc_setgroups() setreuid() mac_check_proc_setreuid() setregid() mac_check_proc_setregid() setresuid() mac_check_proc_setresuid() setresgid() mac_check_rpoc_setresgid() MAC checks are performed before other existing security checks; both current credential and intended modifications are passed as arguments to the entry points. The mac_test and mac_stub policies are updated. Submitted by: Samy Al Bahra <samy@kerneled.org> Obtained from: TrustedBSD Project 
of system calls to manipulate elements of the process credential,
including:

        setuid()                mac_check_proc_setuid()
        seteuid()               mac_check_proc_seteuid()
        setgid()                mac_check_proc_setgid()
        setegid()               mac_check_proc_setegid()
        setgroups()             mac_check_proc_setgroups()
        setreuid()              mac_check_proc_setreuid()
        setregid()              mac_check_proc_setregid()
        setresuid()             mac_check_proc_setresuid()
        setresgid()             mac_check_rpoc_setresgid()

MAC checks are performed before other existing security checks; both
current credential and intended modifications are passed as arguments
to the entry points.  The mac_test and mac_stub policies are updated.

Submitted by:	Samy Al Bahra <samy@kerneled.org>
Obtained from:	TrustedBSD Project
Update my personal copyrights and NETA copyrights in the kernel 2004-02-22T00:33:12+00:00 Robert Watson rwatson@FreeBSD.org 2004-02-22T00:33:12+00:00 f6a4109212fd8fbabc731f07b2dd5c7e07fbec33 to use the "year1-year3" format, as opposed to "year1, year2, year3". This seems to make lawyers more happy, but also prevents the lines from getting excessively long as the years start to add up. Suggested by: imp 
to use the "year1-year3" format, as opposed to "year1, year2, year3".
This seems to make lawyers more happy, but also prevents the
lines from getting excessively long as the years start to add up.

Suggested by:	imp
Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(), 2003-12-06T21:48:03+00:00 Robert Watson rwatson@FreeBSD.org 2003-12-06T21:48:03+00:00 56d9e932072f81ebaa7bb1bf5995a46813bc91c4 and the mpo_create_cred() MAC policy entry point to mpo_copy_cred_label(). This is more consistent with similar entry points for creation and label copying, as mac_create_cred() was called from crdup() as opposed to during process creation. For a number of policies, this removes the requirement for special handling when copying credential labels, and improves consistency. Approved by: re (scottl) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 
and the mpo_create_cred() MAC policy entry point to
mpo_copy_cred_label().  This is more consistent with similar entry
points for creation and label copying, as mac_create_cred() was
called from crdup() as opposed to during process creation.  For
a number of policies, this removes the requirement for special
handling when copying credential labels, and improves consistency.

Approved by:	re (scottl)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
Modify the MAC Framework so that instead of embedding a (struct label) 2003-11-12T03:14:31+00:00 Robert Watson rwatson@FreeBSD.org 2003-11-12T03:14:31+00:00 eca8a663d442468f64e21ed869817b9048ab5a7b in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) do to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c).  This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE.  This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time.  This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.

This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.

While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.

NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change.  Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.

Suggestions from:	bmilekic
Obtained from:		TrustedBSD Project
Sponsored by:		DARPA, Network Associates Laboratories
Remove the flags argument from mac_externalize_*_label(), as it's not 2003-11-06T03:42:43+00:00 Robert Watson rwatson@FreeBSD.org 2003-11-06T03:42:43+00:00 83b7b0edcab422d62d6f847c421006a2a41c4e91 passed into policies or used internally to the MAC Framework. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 
passed into policies or used internally to the MAC Framework.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
Make MAC_EXTERNALIZE() and MAC_INTERNALIZE() simply take the object 2003-10-25T15:28:20+00:00 Robert Watson rwatson@FreeBSD.org 2003-10-25T15:28:20+00:00 da77b2fa6bf3355ab40ef6047a11108dc1770f77 type, rather than "object_label" as the first argument. This reduces complexity a little for the consumer, and also makes it easier for use to rename the underlying entry points in struct mac_policy_obj. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 
type, rather than "object_label" as the first argument.  This reduces
complexity a little for the consumer, and also makes it easier for
use to rename the underlying entry points in struct mac_policy_obj.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
Remove non-credential/process-related bits from mac_process.c. Leave: 2003-10-22T20:02:04+00:00 Robert Watson rwatson@FreeBSD.org 2003-10-22T20:02:04+00:00 5a9c1aaac539607c411d89f7557245abf777dc83 Enforce_process, enforce_vm access control enforcement twiddles. Credential, process label counters. VM revocation sysctls/tunables. Credential label management, internalization/externalization/relabel code. Process label management. Proc0, proc1 creation, cred creation. Thread userret. mac_execve_enter(), _exit(), transition at exec-time. VM revocation on process label change. Process-related access control checks (visibility, debug, signal, sched). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories 
  Enforce_process, enforce_vm access control enforcement twiddles.
  Credential, process label counters.
  VM revocation sysctls/tunables.
  Credential label management, internalization/externalization/relabel
    code.
  Process label management.
  Proc0, proc1 creation, cred creation.
  Thread userret.
  mac_execve_enter(), _exit(), transition at exec-time.
  VM revocation on process label change.
  Process-related access control checks (visibility, debug, signal, sched).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
If the struct mac copied into the kernel has a negative length, return 2003-09-29T18:35:17+00:00 Robert Watson rwatson@FreeBSD.org 2003-09-29T18:35:17+00:00 cc7b13bfe0dc4a881a42519ba6f8a959d0452d4e EINVAL rather than failing the following malloc due to the value being too large. 
EINVAL rather than failing the following malloc due to the value being
too large.