| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Notes:
svn path=/releng/5.2/; revision=123193
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
and the mpo_create_cred() MAC policy entry point to
mpo_copy_cred_label(). This is more consistent with similar entry
points for creation and label copying, as mac_create_cred() was
called from crdup() as opposed to during process creation. For
a number of policies, this removes the requirement for special
handling when copying credential labels, and improves consistency.
Approved by: re (scottl)
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=123173
|
| |
|
|
|
|
|
|
| |
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122879
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.
This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.
For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.
Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.
Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122875
|
| |
|
|
|
|
|
|
|
|
| |
aren't allowed to be unloaded.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122824
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
system calls, and prefer these calls over getsockopt()/setsockopt()
for ABI reasons. When addressing UNIX domain sockets, these calls
retrieve and modify the socket label, not the label of the
rendezvous vnode.
- Create mac_copy_socket_label() entry point based on
mac_copy_pipe_label() entry point, intended to copy the socket
label into temporary storage that doesn't require a socket lock
to be held (currently Giant).
- Implement mac_copy_socket_label() for various policies.
- Expose socket label allocation, free, internalize, externalize
entry points as non-static from mac_net.c.
- Use mac_socket_label_set() in __mac_set_fd().
MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and
mac_get_peer() to retrieve and set various socket labels without
directly invoking the getsockopt() interface.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122820
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SO_PEERLABEL. This provides an interface to query the label of a
socket peer without embedding implementation details of mac_t in
the application. Previously, sizeof(*mac_t) had to be specified
by an application when performing getsockopt().
Document mac_get_peer(3), and expand documentation of the other
mac_get(3) functions. Note that it's possible to get EINVAL back
from mac_get_fd(3) when pointing it at an inappropriate object.
NOTE: mac_get_fd() and mac_set_fd() support for sockets will
follow shortly, so the documentation is slightly ahead of the
code.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122810
|
| |
|
|
|
|
|
|
|
|
|
| |
mac_setsockopt_label() into mac_socket_label_set(); make it non-static
so that it can be invoked from kern_mac.c for mac_set_fd().
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122809
|
| |
|
|
|
|
|
|
|
|
| |
mac_stub and mac_test.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122808
|
| |
|
|
|
|
|
|
|
|
|
|
| |
mac_setsockopt_label_set() -> mac_setsockopt_label()
mac_getsockopt_label_get() -> mac_getsockopt_label()
mac_getsockopt_peerlabel_get() -> mac_getsockopt_peerlabel()
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122807
|
| |
|
|
| |
Notes:
svn path=/head/; revision=122774
|
| |
|
|
|
|
|
|
|
|
| |
vnode label; update assertion.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122718
|
| |
|
|
|
|
|
|
|
|
|
| |
This fixes a dependency of mac_label.c on namespace pollution in
<vm/uma.h>.
Similarly for SYSCTL_DECL() although I had no problems with it. This
probably makes some includes of <sys/sysctl.h> bogus.
Notes:
svn path=/head/; revision=122705
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Giant and is also MPSAFE.
Push Giant further down into __mac_get_fd() and __mac_set_fd(),
grabbing it only for constrained regions dealing with VFS, and
dropping it entirely for operations related to labeling of pipes.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122584
|
| |
|
|
| |
Notes:
svn path=/head/; revision=122569
|
| |
|
|
|
|
|
|
|
| |
extra argument to the devfs MAC policy entry points was accidentally
merged from the MAC branch during my earlier commit to these policies,
and is not scheduled to be merged just yet.
Notes:
svn path=/head/; revision=122563
|
| |
|
|
| |
Notes:
svn path=/head/; revision=122527
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122524
|
| |
|
|
| |
Notes:
svn path=/head/; revision=122454
|
| |
|
|
|
|
|
| |
PR: 53195
Notes:
svn path=/head/; revision=122270
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
successfully initialized in the label as a socket peer label, not a
socket label. For current policy modules, this didn't make a
difference, but if a policy module had label data in the peer label
that was to be GC'd in a different way than the normal socket label,
it might have been a problem.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122260
|
| |
|
|
| |
Notes:
svn path=/head/; revision=122202
|
| |
|
|
|
|
|
|
|
|
| |
passed into policies or used internally to the MAC Framework.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=122159
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.
This change paves the way for interface renaming and enhanced pseudo
device creation and configuration symantics.
Approved By: re (in principle)
Reviewed By: njl, imp
Tested On: i386, amd64, sparc64
Obtained From: NetBSD (if_xname)
Notes:
svn path=/head/; revision=121816
|
| |
|
|
|
|
|
|
|
|
|
|
| |
type, rather than "object_label" as the first argument. This reduces
complexity a little for the consumer, and also makes it easier for
use to rename the underlying entry points in struct mac_policy_obj.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=121507
|
| |
|
|
|
|
|
|
|
|
| |
Remove an excess carriage return.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=121490
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Include src/sys/security/mac/mac_internal.h in kern_mac.c.
Remove redundant defines from the include: SYSCTL_DECL(), debug macros,
composition macros.
Unstaticize various bits now exposed to the remainder of the kernel:
mac_init_label(), mac_destroy_label().
Remove all the functions now implemented in mac_process/mac_vfs/mac_net/
mac_pipe. Also remove debug counters, sysctls exporting debug
counters, enforcement flags, sysctls exporting enforcement flags.
Leave module declaration, sysctl nodes, mactemp malloc type, system
calls.
This should conclude MAC/LINT/NOTES breakage from the break-out process,
but I'm running builds now to make sure I caught everything.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=121374
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unstaticize mac_late.
Remove ea_warn_once, now in mac_vfs.c.
Unstaticisize mac_policy_list, mac_static_policy_list, use
struct mac_policy_list_head instead of LIST_HEAD() directly.
Unstaticize and un-inline MAC policy locking functions so they can
be referenced from mac_*.c.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=121372
|
| |
|
|
|
|
|
|
|
|
| |
can be used from src/sys/security/mac/mac_*.c.
Obtained from: TrustedBSD Project
Sponosred by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=121371
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Extended attribute transaction warning flag if transactions aren't
supported on the EA implementation being used.
Debug fallback flag to permit a less conservative fallback if reading
an on-disk label fails.
Enforce_fs toggle to enforce file systme access control.
Debugging counters for file system objects: mounts, vnodes, devfs_dirents.
Object initialization, destruction, copying, internalization,
externalization, relabeling for file system objects.
Life cycle operations for devfs entries.
Generic extended attribute label implementation for use by UFS, UFS2 in
multilabel mode.
Generic single-level label implementation for use by all file systems
when in singlelabel mode.
Exec-time transition based on file label entry points.
Vnode operation access control checks (many).
Mount operation access control checks (few).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=121367
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Enforce_kld, enforce_system access control toggles.
Access control checks for: kenv operation, kld operations,
sysarch_ioperm(), acct(), nfsd(), reboot(), settime(), swapon(),
swapoff(), sysctl().
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=121362
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enforce_process, enforce_vm access control enforcement twiddles.
Credential, process label counters.
VM revocation sysctls/tunables.
Credential label management, internalization/externalization/relabel
code.
Process label management.
Proc0, proc1 creation, cred creation.
Thread userret.
mac_execve_enter(), _exit(), transition at exec-time.
VM revocation on process label change.
Process-related access control checks (visibility, debug, signal, sched).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=121361
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pipe enforcement flag.
Pipe object debugging counters.
MALLOC type for MAC label storage.
Pipe MAC label management routines, externalize/internalization/change
routines.
Pipe MAC access control checks.
Un-staticize functions called from mac_set_fd() when operating on a
pipe. Abstraction improvements in this space seem likely.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=121359
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Network and socket enforcement toggles.
Counters for network objects (mbufs, ifnets, bpfdecs, sockets, and ipqs).
Label management routines for network objects.
Life cycle events for network objects.
Label internalization/externalization/relabel for ifnets, sockets,
including ioctl implementations for sockets, ifnets.
Access control checks relating to network obejcts.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=121357
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
in mac_internal.h:
Sysctl tree declarations.
Policy list structure definition.
Policy list variables (static, dynamic).
mac_late flag.
Enforcement flags for process, vm, which have checks in multiple files.
mac_labelmbufs variable to drive conditional mbuf labeling.
M_MACTEMP malloc type.
Debugging counter macros.
MAC Framework infrastructure primitives, including policy locking
primitives, kernel label initialization/destruction, userland
label consistency checks, policy slot allocation.
Per-object interfaces for objects that are internalized and externalized
using system calls that will remain centrally defined: credentials,
pipes, vnodes.
MAC policy composition macros: MAC_CHECK, MAC_BOOLEAN, MAC_EXTERNALIZE,
MAC_INTERNALIZE, MAC_PERFORM.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=121352
|
| |
|
|
| |
Notes:
svn path=/head/; revision=121304
|
| |
|
|
|
|
|
|
|
|
| |
so that mac.h may be more safely included in userland C++ applications.
PR: bin/56595
Submitted by: "KONDOU, Kazuhiro" <kazuhiro@alib.jp>
Notes:
svn path=/head/; revision=120657
|
| |
|
|
|
|
|
|
| |
EINVAL rather than failing the following malloc due to the value being
too large.
Notes:
svn path=/head/; revision=120582
|
| |
|
|
|
|
|
|
|
|
|
| |
line up the function names in an earlier generation of the API when
some of the functions returned structure pointers.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=119546
|
| |
|
|
|
|
|
|
|
|
|
| |
reference: this fixes mac_syscall() for static policies when using
optimized locking.
Obtained from: TrustedBSD Project
Sponosred by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=119494
|
| |
|
|
|
|
|
|
| |
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=119317
|
| |
|
|
|
|
|
|
| |
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=119315
|
| |
|
|
|
|
|
|
|
|
| |
test to the reflect_tcp entry point, rather than the reflect_icmp
entry point.
Submitted by: naddy
Notes:
svn path=/head/; revision=119301
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mac_reflect_mbuf_icmp()
mac_reflect_mbuf_tcp()
These entry points permit MAC policies to do "update in place"
changes to the labels on ICMP and TCP mbuf headers when an ICMP or
TCP response is generated to a packet outside of the context of
an existing socket. For example, in respond to a ping or a RST
packet to a SYN on a closed port.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=119244
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
change in mac_lomac: if both flags are set on the new label, we
may not need to always fill out the label (only if one flag is
set, not both). Avoid stomping on a section of the label if we
are in fact modifying both elements.
Because we know that both flags will be set, we don't need to
test whether the range or single are set in later consistency
checks of the range and single -- just test them.
By checking the range of the new vs. the range of the old label
before testing the single against the new range, we implicitly
test that the new single is in the old range. Document this
with a comment.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=119242
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Framework labels:
- Re-work the label state assertions to use a set of central
ASSERT_type_LABEL() assertions.
- Test to make sure labels passed to externalize/internalize calls haven't
been destroyed.
- For access control checks, assert the condition of all labels passed in.
- For life cycle events, assert the condition of all labels passed in.
- Add new entry point implementations for new MAC Framework entry points:
mac_test_reflect_mbuf_icmp(), mac_test_reflect_mbuf_tcp(),
mac_test_check_vnode_deleteextattr(), mac_test_check_vnode_listextattr().
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=119228
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
mpo_reflect_mbuf_icmp()
mpo_reflect_mbuf_tcp()
mpo_check_vnode_deletextattr()
mpo_check_vnode_listextattr()
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=119223
|
| |
|
|
|
|
|
|
|
|
|
| |
mac_stub policy and no longer mac_none (as found in the repocopy).
Add comment to this effect.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=119211
|
| |
|
|
|
|
|
|
|
|
| |
stubs. Add a pointer to mac_stub, which is now the stub policy.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=119210
|
| |
|
|
|
|
|
|
|
|
| |
mpo_check_vnode_listextattr() for Biba, MLS, and BSD Extended.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes:
svn path=/head/; revision=119202
|
