<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys/security/mac_test, branch releng/14.3</title>
<subtitle>FreeBSD source tree</subtitle>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/'/>
<entry>
<title>New setcred() system call and associated MAC hooks</title>
<updated>2025-04-03T19:31:03+00:00</updated>
<author>
<name>Olivier Certner</name>
<email>olce@FreeBSD.org</email>
</author>
<published>2024-07-18T20:47:43+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=c1d7552dddb5276c8d1cfe2b8c533646164e2f7a'/>
<id>c1d7552dddb5276c8d1cfe2b8c533646164e2f7a</id>
<content type='text'>
This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs, supplementary groups and the MAC label.  Its advantage over
standard credential-setting system calls (such as setuid(), seteuid(),
etc.) is that it enables MAC modules, such as MAC/do, to restrict the
set of credentials some process may gain in a fine-grained manner.

Traditionally, credential changes rely on setuid binaries that call
multiple credential system calls and in a specific order (setuid() must
be last, so as to remain root for all other credential-setting calls,
which would otherwise fail with insufficient privileges).  This
piecewise approach causes the process to transiently hold credentials
that are neither the original nor the final ones.  For the kernel to
enforce that only certain transitions of credentials are allowed, either
these possibly non-compliant transient states have to disappear (by
setting all relevant attributes in one go), or the kernel must delay
setting or checking the new credentials.  Delaying setting credentials
could be done, e.g., by having some mode where the standard system calls
contribute to building new credentials but without committing them.  It
could be started and ended by a special system call.  Delaying checking
could mean that, e.g., the kernel only verifies the credentials
transition at the next non-credential-setting system call (we just
mention this possibility for completeness, but are certainly not
endorsing it).

We chose the simpler approach of a new system call, as we don't expect
the set of credentials one can set to change often.  It has the
advantages that the traditional system calls' code doesn't have to be
changed and that we can establish a special MAC protocol for it, by
having some cleanup function called just before returning (this is
a requirement for MAC/do), without disturbing the existing ones.

The mac_cred_check_setcred() hook is passed the flags received by
setcred() (including the version) and both the old and new kernel's
'struct ucred' instead of 'struct setcred' as this should simplify
evolving existing hooks as the 'struct setcred' structure evolves.  The
mac_cred_setcred_enter() and mac_cred_setcred_exit() hooks are always
called by pairs around potential calls to mac_cred_check_setcred().
They allow MAC modules to allocate/free data they may need in their
mac_cred_check_setcred() hook, as the latter is called under the current
process' lock, rendering sleepable allocations impossible.  MAC/do is
going to leverage these in a subsequent commit.  A scheme where
mac_cred_check_setcred() could return ERESTART was considered but is
incompatible with proper composition of MAC modules.

While here, add missing includes and declarations for standalone
inclusion of &lt;sys/ucred.h&gt; both from kernel and userspace (for the
latter, it has been working thanks to &lt;bsm/audit.h&gt; already including
&lt;sys/types.h&gt;).

Reviewed by:    brooks
Approved by:    markj (mentor)
Relnotes:       yes
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D47618

(cherry picked from commit ddb3eb4efe55e57c206f3534263c77b837aff1dc)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs, supplementary groups and the MAC label.  Its advantage over
standard credential-setting system calls (such as setuid(), seteuid(),
etc.) is that it enables MAC modules, such as MAC/do, to restrict the
set of credentials some process may gain in a fine-grained manner.

Traditionally, credential changes rely on setuid binaries that call
multiple credential system calls and in a specific order (setuid() must
be last, so as to remain root for all other credential-setting calls,
which would otherwise fail with insufficient privileges).  This
piecewise approach causes the process to transiently hold credentials
that are neither the original nor the final ones.  For the kernel to
enforce that only certain transitions of credentials are allowed, either
these possibly non-compliant transient states have to disappear (by
setting all relevant attributes in one go), or the kernel must delay
setting or checking the new credentials.  Delaying setting credentials
could be done, e.g., by having some mode where the standard system calls
contribute to building new credentials but without committing them.  It
could be started and ended by a special system call.  Delaying checking
could mean that, e.g., the kernel only verifies the credentials
transition at the next non-credential-setting system call (we just
mention this possibility for completeness, but are certainly not
endorsing it).

We chose the simpler approach of a new system call, as we don't expect
the set of credentials one can set to change often.  It has the
advantages that the traditional system calls' code doesn't have to be
changed and that we can establish a special MAC protocol for it, by
having some cleanup function called just before returning (this is
a requirement for MAC/do), without disturbing the existing ones.

The mac_cred_check_setcred() hook is passed the flags received by
setcred() (including the version) and both the old and new kernel's
'struct ucred' instead of 'struct setcred' as this should simplify
evolving existing hooks as the 'struct setcred' structure evolves.  The
mac_cred_setcred_enter() and mac_cred_setcred_exit() hooks are always
called by pairs around potential calls to mac_cred_check_setcred().
They allow MAC modules to allocate/free data they may need in their
mac_cred_check_setcred() hook, as the latter is called under the current
process' lock, rendering sleepable allocations impossible.  MAC/do is
going to leverage these in a subsequent commit.  A scheme where
mac_cred_check_setcred() could return ERESTART was considered but is
incompatible with proper composition of MAC modules.

While here, add missing includes and declarations for standalone
inclusion of &lt;sys/ucred.h&gt; both from kernel and userspace (for the
latter, it has been working thanks to &lt;bsm/audit.h&gt; already including
&lt;sys/types.h&gt;).

Reviewed by:    brooks
Approved by:    markj (mentor)
Relnotes:       yes
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D47618

(cherry picked from commit ddb3eb4efe55e57c206f3534263c77b837aff1dc)
</pre>
</div>
</content>
</entry>
<entry>
<title>MAC: mac_policy.h: Declare common MAC sysctl and jail parameters' nodes</title>
<updated>2025-01-16T18:06:55+00:00</updated>
<author>
<name>Olivier Certner</name>
<email>olce@FreeBSD.org</email>
</author>
<published>2024-07-04T14:08:20+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=62d3e81935c6b642bc6a3ffb0b909c14d15efbed'/>
<id>62d3e81935c6b642bc6a3ffb0b909c14d15efbed</id>
<content type='text'>
Do this only when the headers for these functionalities were included
prior to this one.  Indeed, if they need to be included, style(9)
mandates they should have been so before this one.

Remove the common MAC sysctl declaration from
&lt;security/mac/mac_internal.h&gt;, as it is now redundant (all its includers
also include &lt;security/mac/mac_policy.h&gt;).

Remove local such declarations from all policies' files.

Reviewed by:    jamie
Approved by:    markj (mentor)
MFC after:      5 days
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D46903

(cherry picked from commit db33c6f3ae9d1231087710068ee4ea5398aacca7)

The original changes in 'sys/security/mac_grantbylabel/mac_grantbylabel.c' were
removed as MAC/grantbylabel has not been MFCed.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Do this only when the headers for these functionalities were included
prior to this one.  Indeed, if they need to be included, style(9)
mandates they should have been so before this one.

Remove the common MAC sysctl declaration from
&lt;security/mac/mac_internal.h&gt;, as it is now redundant (all its includers
also include &lt;security/mac/mac_policy.h&gt;).

Remove local such declarations from all policies' files.

Reviewed by:    jamie
Approved by:    markj (mentor)
MFC after:      5 days
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D46903

(cherry picked from commit db33c6f3ae9d1231087710068ee4ea5398aacca7)

The original changes in 'sys/security/mac_grantbylabel/mac_grantbylabel.c' were
removed as MAC/grantbylabel has not been MFCed.
</pre>
</div>
</content>
</entry>
<entry>
<title>sys: Remove $FreeBSD$: two-line .h pattern</title>
<updated>2023-08-16T17:54:11+00:00</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2023-08-16T17:54:11+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=95ee2897e98f5d444f26ed2334cc7c439f9c16c6'/>
<id>95ee2897e98f5d444f26ed2334cc7c439f9c16c6</id>
<content type='text'>
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
</pre>
</div>
</content>
</entry>
<entry>
<title>mac: kdb/ddb framework hooks</title>
<updated>2022-07-18T22:06:13+00:00</updated>
<author>
<name>Mitchell Horne</name>
<email>mhorne@FreeBSD.org</email>
</author>
<published>2022-07-18T21:23:16+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=2449b9e5fe565be757a4b29093fd1c9c6ffcf3c9'/>
<id>2449b9e5fe565be757a4b29093fd1c9c6ffcf3c9</id>
<content type='text'>
Add three simple hooks to the debugger allowing for a loaded MAC policy
to intervene if desired:
 1. Before invoking the kdb backend
 2. Before ddb command registration
 3. Before ddb command execution

We extend struct db_command with a private pointer and two flag bits
reserved for policy use.

Reviewed by:	markj
Sponsored by:	Juniper Networks, Inc.
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D35370
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add three simple hooks to the debugger allowing for a loaded MAC policy
to intervene if desired:
 1. Before invoking the kdb backend
 2. Before ddb command registration
 3. Before ddb command execution

We extend struct db_command with a private pointer and two flag bits
reserved for policy use.

Reviewed by:	markj
Sponsored by:	Juniper Networks, Inc.
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D35370
</pre>
</div>
</content>
</entry>
<entry>
<title>Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)</title>
<updated>2020-02-26T14:26:36+00:00</updated>
<author>
<name>Pawel Biernacki</name>
<email>kaktus@FreeBSD.org</email>
</author>
<published>2020-02-26T14:26:36+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=7029da5c36f2d3cf6bb6c81bf551229f416399e8'/>
<id>7029da5c36f2d3cf6bb6c81bf551229f416399e8</id>
<content type='text'>
r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are
still not MPSAFE (or already are but aren’t properly marked).
Use it in preparation for a general review of all nodes.

This is non-functional change that adds annotations to SYSCTL_NODE and
SYSCTL_PROC nodes using one of the soon-to-be-required flags.

Mark all obvious cases as MPSAFE.  All entries that haven't been marked
as MPSAFE before are by default marked as NEEDGIANT

Approved by:	kib (mentor, blanket)
Commented by:	kib, gallatin, melifaro
Differential Revision:	https://reviews.freebsd.org/D23718
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are
still not MPSAFE (or already are but aren’t properly marked).
Use it in preparation for a general review of all nodes.

This is non-functional change that adds annotations to SYSCTL_NODE and
SYSCTL_PROC nodes using one of the soon-to-be-required flags.

Mark all obvious cases as MPSAFE.  All entries that haven't been marked
as MPSAFE before are by default marked as NEEDGIANT

Approved by:	kib (mentor, blanket)
Commented by:	kib, gallatin, melifaro
Differential Revision:	https://reviews.freebsd.org/D23718
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove AppleTalk support.</title>
<updated>2014-03-14T06:29:43+00:00</updated>
<author>
<name>Gleb Smirnoff</name>
<email>glebius@FreeBSD.org</email>
</author>
<published>2014-03-14T06:29:43+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=45c203fce2d02381f76b2abf80edaea8cf7bc7f8'/>
<id>45c203fce2d02381f76b2abf80edaea8cf7bc7f8</id>
<content type='text'>
AppleTalk was a network transport protocol for Apple Macintosh devices
in 80s and then 90s. Starting with Mac OS X in 2000 the AppleTalk was
a legacy protocol and primary networking protocol is TCP/IP. The last
Mac OS X release to support AppleTalk happened in 2009. The same year
routing equipment vendors (namely Cisco) end their support.

Thus, AppleTalk won't be supported in FreeBSD 11.0-RELEASE.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
AppleTalk was a network transport protocol for Apple Macintosh devices
in 80s and then 90s. Starting with Mac OS X in 2000 the AppleTalk was
a legacy protocol and primary networking protocol is TCP/IP. The last
Mac OS X release to support AppleTalk happened in 2009. The same year
routing equipment vendors (namely Cisco) end their support.

Thus, AppleTalk won't be supported in FreeBSD 11.0-RELEASE.
</pre>
</div>
</content>
</entry>
<entry>
<title>Implement read(2)/write(2) and neccessary lseek(2) for posix shmfd.</title>
<updated>2013-08-21T17:45:00+00:00</updated>
<author>
<name>Konstantin Belousov</name>
<email>kib@FreeBSD.org</email>
</author>
<published>2013-08-21T17:45:00+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=940cb0e2bb228ca52f2d29c9c990be0634aec7e4'/>
<id>940cb0e2bb228ca52f2d29c9c990be0634aec7e4</id>
<content type='text'>
Add MAC framework entries for posix shm read and write.

Do not allow implicit extension of the underlying memory segment past
the limit set by ftruncate(2) by either of the syscalls.  Read and
write returns short i/o, lseek(2) fails with EINVAL when resulting
offset does not fit into the limit.

Discussed with:	alc
Tested by:	pho
Sponsored by:	The FreeBSD Foundation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add MAC framework entries for posix shm read and write.

Do not allow implicit extension of the underlying memory segment past
the limit set by ftruncate(2) by either of the syscalls.  Read and
write returns short i/o, lseek(2) fails with EINVAL when resulting
offset does not fit into the limit.

Discussed with:	alc
Tested by:	pho
Sponsored by:	The FreeBSD Foundation
</pre>
</div>
</content>
</entry>
<entry>
<title>Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.</title>
<updated>2011-11-07T15:43:11+00:00</updated>
<author>
<name>Ed Schouten</name>
<email>ed@FreeBSD.org</email>
</author>
<published>2011-11-07T15:43:11+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=6472ac3d8a86336899b6cfb789a4cd9897e3fab5'/>
<id>6472ac3d8a86336899b6cfb789a4cd9897e3fab5</id>
<content type='text'>
The SYSCTL_NODE macro defines a list that stores all child-elements of
that node. If there's no SYSCTL_DECL macro anywhere else, there's no
reason why it shouldn't be static.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The SYSCTL_NODE macro defines a list that stores all child-elements of
that node. If there's no SYSCTL_DECL macro anywhere else, there's no
reason why it shouldn't be static.
</pre>
</div>
</content>
</entry>
<entry>
<title>Correct several issues in the integration of POSIX shared memory objects</title>
<updated>2011-09-02T17:40:39+00:00</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2011-09-02T17:40:39+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=9b6dd12e5da17c85b9e93f1ed31ec8719e6f40db'/>
<id>9b6dd12e5da17c85b9e93f1ed31ec8719e6f40db</id>
<content type='text'>
and the new setmode and setowner fileops in FreeBSD 9.0:

- Add new MAC Framework entry point mac_posixshm_check_create() to allow
  MAC policies to authorise shared memory use.  Provide a stub policy and
  test policy templates.

- Add missing Biba and MLS implementations of mac_posixshm_check_setmode()
  and mac_posixshm_check_setowner().

- Add 'accmode' argument to mac_posixshm_check_open() -- unlike the
  mac_posixsem_check_open() entry point it was modeled on, the access mode
  is required as shared memory access can be read-only as well as writable;
  this isn't true of POSIX semaphores.

- Implement full range of POSIX shared memory entry points for Biba and MLS.

Sponsored by:   Google Inc.
Obtained from:	TrustedBSD Project
Approved by:    re (kib)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
and the new setmode and setowner fileops in FreeBSD 9.0:

- Add new MAC Framework entry point mac_posixshm_check_create() to allow
  MAC policies to authorise shared memory use.  Provide a stub policy and
  test policy templates.

- Add missing Biba and MLS implementations of mac_posixshm_check_setmode()
  and mac_posixshm_check_setowner().

- Add 'accmode' argument to mac_posixshm_check_open() -- unlike the
  mac_posixsem_check_open() entry point it was modeled on, the access mode
  is required as shared memory access can be read-only as well as writable;
  this isn't true of POSIX semaphores.

- Implement full range of POSIX shared memory entry points for Biba and MLS.

Sponsored by:   Google Inc.
Obtained from:	TrustedBSD Project
Approved by:    re (kib)
</pre>
</div>
</content>
</entry>
<entry>
<title>Add the fo_chown and fo_chmod methods to struct fileops and use them</title>
<updated>2011-08-16T20:07:47+00:00</updated>
<author>
<name>Konstantin Belousov</name>
<email>kib@FreeBSD.org</email>
</author>
<published>2011-08-16T20:07:47+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=9c00bb9190391479885cfb14ed23fb7003d10109'/>
<id>9c00bb9190391479885cfb14ed23fb7003d10109</id>
<content type='text'>
to implement fchown(2) and fchmod(2) support for several file types
that previously lacked it. Add MAC entries for chown/chmod done on
posix shared memory and (old) in-kernel posix semaphores.

Based on the submission by:	glebius
Reviewed by:	rwatson
Approved by:	re (bz)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
to implement fchown(2) and fchmod(2) support for several file types
that previously lacked it. Add MAC entries for chown/chmod done on
posix shared memory and (old) in-kernel posix semaphores.

Based on the submission by:	glebius
Reviewed by:	rwatson
Approved by:	re (bz)
</pre>
</div>
</content>
</entry>
</feed>
