| Commit message | Author | Age | Files | Lines |
Ok'd by: kan
Notes:
svn path=/head/; revision=169807
subject: ranges of uid, ranges of gid, jail id
objects: ranges of uid, ranges of gid, filesystem,
object is suid, object is sgid, object matches subject uid/gid
object type
We can also negate individual conditions. The ruleset language is
a superset of the previous language, so old rules should continue
to work.
These changes require a change to the API between libugidfw and the
mac_bsdextended module. Add a version number, so we can tell if
we're running mismatched versions.
Update man pages to reflect changes, add extra test cases to
test_ugidfw.c and add a shell script that checks that the
module seems to do what we expect.
Suggestions from: rwatson, trhodes
Reviewed by: trhodes
MFC after: 2 months
Notes:
svn path=/head/; revision=157986
been bumped since RELENG_5.
Reviewed by: ru
Approved by: re (not needed for commit check but in principle...)
Notes:
svn path=/head/; revision=148297
Notes:
svn path=/head/; revision=145432
check the password or group database before attempting to parse as an
integer, as is done for the first {uid,gid} in an identity phrase.
Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA
Notes:
svn path=/head/; revision=145140
<security/mac_bsdextended/mac_bsdextended.h> in order to include
<ugidfw.h>, so document that.
MFC after: 3 days
Notes:
svn path=/head/; revision=145139
MFC after: 1 week
Notes:
svn path=/head/; revision=144212
Submitted by: Wojciech A. Koszek
PR: bin/79292
MFC after: 1 week
Notes:
svn path=/head/; revision=144210
instead of using the V* permission flags from vnode.h. Remove include
of vnode.h.
Requested by: phk
Notes:
svn path=/head/; revision=136740
Notes:
svn path=/head/; revision=131504
Notes:
svn path=/head/; revision=131421
Notes:
svn path=/head/; revision=126835
the caller does not specify the rule number -- instead, the kernel
module is probed for the next available rule, which is then used.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, McAfee Research
Notes:
svn path=/head/; revision=126217
Notes:
svn path=/head/; revision=115633
Submitted by: Attila Nagy <bra@fsn.hu>
Notes:
svn path=/head/; revision=108878
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=108873
Notes:
svn path=/head/; revision=106573
Notes:
svn path=/head/; revision=104073
Pointed out by: jake
Notes:
svn path=/head/; revision=104038
Suggested by: mike
Notes:
svn path=/head/; revision=101885
NOMAN is no longer required when a man page is not yet present.
Submitted by: ru
Notes:
svn path=/head/; revision=101222
kernel access control.
Provide a library to manage user file system firewall-like rules
supported by the mac_bsdextended.ko security model. The kernel
module exports the current rule set using sysctl, and this
library provides a front end that includes support for retrieving
and setting rules, as well as printing and parsing them.
Note: as with other userland components, this is a WIP. However,
when used in combination with the soon-to-be-committed ugidfw,
it can actually be quite useful in multi-user environments to
allow the administrator to limit inter-user file operations without
resorting to heavier weight labeled security policies.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Notes:
svn path=/head/; revision=101206