path: root/sys/security/mac_bsdextended
Commit log (each entry: commit message, followed by author, date; files changed, lines -removed/+added)
* Add hierarchical jails. A jail may further virtualize its environment (jamie, 2009-05-27; 1 file, -2/+2)
  by creating a child jail, which is visible to that jail and to any parent jails. Child jails may be restricted more than their parents, but never less. Jail names reflect this hierarchy, being MIB-style dot-separated strings.
  Every thread now points to a jail, the default being prison0, which contains information about the physical system. Prison0's root directory is the same as rootvnode; its hostname is the same as the global hostname, and its securelevel replaces the global securelevel. Note that the variable "securelevel" has actually gone away, which should not cause any problems for code that properly uses securelevel_gt() and securelevel_ge().
  Some jail-related permissions that were kept in global variables and set via sysctls are now per-jail settings. The sysctls still exist for backward compatibility, used only by the now-deprecated jail(2) system call.
  Approved by: bz (mentor)
* Get rid of VSTAT and replace it with VSTAT_PERMS, which is somewhat (trasz, 2009-03-29; 1 file, -2/+2)
  better defined.
  Approved by: rwatson (mentor)
* Mark the bsdextended rules sysctl as being mpsafe. (csjp, 2009-03-09; 1 file, -2/+2)
  Discussed with: rwatson
* Remove 'uio' argument from MAC Framework and MAC policy entry points for (rwatson, 2009-03-08; 2 files, -8/+4)
  extended attribute get/set; in the case of get an uninitialized user buffer was passed before the EA was retrieved, making it of relatively little use; the latter was simply unused by any policies.
  Obtained from: TrustedBSD Project
  Sponsored by: Google, Inc.
* Rather than having MAC policies explicitly declare what object types (rwatson, 2009-01-10; 1 file, -1/+1)
  they label, derive that information implicitly from the set of label initializers in their policy operations set. This avoids a possible class of programmer errors, while retaining the structure that allows us to avoid allocating labels for objects that don't need them.
  As before, we regenerate a global mask of labeled objects each time a policy is loaded or unloaded, stored in mac_labeled.
  Discussed with: csjp
  Suggested by: Jacques Vidrine <nectar at apple.com>
  Obtained from: TrustedBSD Project
  Sponsored by: Apple, Inc.
* MFp4: (bz, 2008-11-29; 1 file, -0/+1)
  Bring in updated jail support from bz_jail branch.
  This enhances the current jail implementation to permit multiple addresses per jail. In addition to IPv4, IPv6 is supported as well. Due to updated checks it is even possible to have jails without an IP address at all, which basically gives one a chroot with restricted process view, no networking,..
  SCTP support was updated and supports IPv6 in jails as well.
  Cpuset support permits jails to be bound to specific processor sets after creation.
  Jails can have an unrestricted (no duplicate protection, etc.) name in addition to the hostname. The jail name cannot be changed from within a jail and is considered to be used for management purposes or as audit-token in the future.
  DDB 'show jails' command was added to aid debugging.
  Proper compat support permits 32bit jail binaries to be used on 64bit systems to manage jails. Also backward compatibility was preserved where possible: for jail v1 syscalls, as well as with user space management utilities.
  Both jail as well as prison version were updated for the new features. A gap was intentionally left as the intermediate versions had been used by various patches floating around the last years.
  Bump __FreeBSD_version for the aforementioned and in kernel changes.
  Special thanks to:
  - Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches and Olivier Houchard (cognet) for initial single-IPv6 patches.
  - Jeff Roberson (jeff) and Randall Stewart (rrs) for their help, ideas and review on cpuset and SCTP support.
  - Robert Watson (rwatson) for lots and lots of help, discussions, suggestions and review of most of the patch at various stages.
  - John Baldwin (jhb) for his help.
  - Simon L. Nielsen (simon) as early adopter testing changes on cluster machines as well as all the testers and people who provided feedback the last months on freebsd-jail and other channels.
  - My employer, CK Software GmbH, for the support so I could work on this.
  Reviewed by: (see above)
  MFC after: 3 months (this is just so that I get the mail)
  X-MFC Before: 7.2-RELEASE if possible
* The V* flags passed using an accmode_t to the access() and open() (rwatson, 2008-10-30; 3 files, -12/+26)
  access control checks in mac_bsdextended are not in the same namespace as the MBI_ flags used in ugidfw policies, so add an explicit conversion routine to get from one to the other.
  Obtained from: TrustedBSD Project
* Introduce accmode_t. This is required for NFSv4 ACLs - it will be necessary (trasz, 2008-10-28; 2 files, -6/+14)
  to add more V* constants, and the variables changed by this patch were often being assigned to mode_t variables, which is 16 bit.
  Approved by: rwatson (mentor)
* When the mac_bsdextended policy is unloaded, free rule memory. (rwatson, 2008-10-27; 1 file, -0/+5)
  Obtained from: TrustedBSD Project
  MFC after: 3 days
* Add TrustedBSD credit to new ugidfw_internal.h file. (rwatson, 2008-10-27; 1 file, -0/+2)
* Break mac_bsdextended.c out into multiple .c files, with the base access (rwatson, 2008-10-27; 4 files, -1451/+149)
  control logic and policy registration remaining in that file, and access control checks broken out into other files by class of check.
  Obtained from: TrustedBSD Project
* Copy mac_bsdextended.c to two object-specific files as a prototype for how to (rwatson, 2008-10-27; 2 files, -0/+1536)
  modularize MAC policy layout.
  Obtained from: TrustedBSD Project
* Fix a number of style issues in the MALLOC / FREE commit. I've tried to (des, 2008-10-23; 1 file, -1/+2)
  be careful not to fix anything that was already broken; the NFSv4 code is particularly bad in this respect.
* Retire the MALLOC and FREE macros. They are an abomination unto style(9). (des, 2008-10-23; 1 file, -3/+2)
  MFC after: 3 months
* Remove the suser(9) interface from the kernel. It has been replaced for (attilio, 2008-09-17; 1 file, -8/+24)
  years by the priv_check(9) interface and just very few places are left. Note that compatibility stubs with older FreeBSD versions (all above the 8 limit though) are left in order to reduce diffs against old versions. It is the responsibility of the maintainers for any module, if they think it is the case, to axe out such cases.
  This patch breaks KPI so __FreeBSD_version will be bumped into a later commit.
  This patch needs to be credited 50-50 with rwatson@ as he found time to explain to me how the priv_check() works in detail and to review patches.
  Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
  Reviewed by: rwatson
* Remove VSVTX, VSGID and VSUID. This should be a no-op, (trasz, 2008-09-10; 1 file, -2/+3)
  as VSVTX == S_ISVTX, VSGID == S_ISGID and VSUID == S_ISUID.
  Approved by: rwatson (mentor)
* Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread (attilio, 2008-08-28; 1 file, -1/+1)
  was always curthread and totally unuseful.
  Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
* Introduce two related changes to the TrustedBSD MAC Framework: (rwatson, 2008-08-23; 1 file, -1/+1)
  (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd.
  (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required.
  MFC after: 1 week ((1) only)
  Reviewed by: csjp
  Obtained from: TrustedBSD Project
  Sponsored by: Apple, Inc.
* In mac_bsdextended's auditctl and acct policy access control checks, (rwatson, 2008-07-31; 1 file, -11/+8)
  return success if the passed vnode pointer is NULL (rather than panicking). This can occur if either audit or accounting are disabled while the policy is running. Since the swapoff control has no real relevance to this policy, which is concerned about intent to write rather than water under the bridge, remove it.
  PR: kern/126100
  Reported by: Alan Amesbury <amesbury at umn dot edu>
  MFC after: 3 days
* Resort TrustedBSD MAC Framework policy entry point implementations and (rwatson, 2007-10-29; 1 file, -0/+4)
  declarations to match the object, operation sort order in the framework itself.
  Obtained from: TrustedBSD Project
* Consistently name functions for mac_<policy> as <policy>_whatever rather (rwatson, 2007-10-25; 1 file, -133/+131)
  than mac_<policy>_whatever, as this shortens the names and makes the code a bit easier to read. When dealing with label structures, name variables 'mb', 'ml', 'mm' rather than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making the code a little easier to read.
  Obtained from: TrustedBSD Project
* Merge first in a series of TrustedBSD MAC Framework KPI changes (rwatson, 2007-10-24; 1 file, -58/+62)
  from Mac OS X Leopard--rationalize naming for entry points to the following general forms:
  mac_<object>_<method/action>
  mac_<object>_check_<method/action>
  The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names.
  All MAC policy modules will need to be recompiled, and modules not updated as part of this commit will need to be modified to conform to the new KPI.
  Sponsored by: SPARTA (original patches against Mac OS X)
  Obtained from: TrustedBSD Project, Apple Computer
* Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry (rwatson, 2007-09-10; 1 file, -14/+14)
  point to mac_check_vnode_unlink(), reflecting UNIX naming conventions. This is the first of several commits to synchronize the MAC Framework in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X Leopard.
  Reviewed by: csjp, Samy Bahra <sbahra at gwu dot edu>
  Submitted by: Jacques Vidrine <nectar at apple dot com>
  Obtained from: Apple Computer, Inc.
  Sponsored by: SPARTA, SPAWAR
  Approved by: re (bmah)
* In preparation for 7.0 privilege cleanup, clean up style: (rwatson, 2007-07-05; 2 files, -87/+32)
  - Sort copyrights by date.
  - Re-wrap, and in some cases, fix comments.
  - Fix tabbing, white space, remove extra blank lines.
  - Remove commented out debugging printfs.
  Approved by: re (kensmith)
* Include priv.h to pick up suser(9) definitions, missed in an earlier (rwatson, 2007-06-13; 1 file, -0/+1)
  commit.
  Warnings spotted by: kris
* Apply variable name normalization to MAC policies: adopt global conventions (rwatson, 2007-04-23; 1 file, -32/+35)
  for the naming of variables associated with specific data structures.
  Obtained from: TrustedBSD Project
* Allow MAC policy modules to control access to audit configuration system (rwatson, 2007-04-21; 1 file, -0/+27)
  calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), and setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks.
  Obtained from: TrustedBSD Project
  Sponsored by: SPARTA, Inc.
* More unnecessary include reduction. (rwatson, 2007-02-23; 1 file, -17/+2)
* Move mapping of MBI_APPEND to MBI_WRITE from inside the rule loop in (rwatson, 2007-02-20; 1 file, -9/+8)
  mac_bsdextended_check() to before the loop, as it needs to happen only once.
  MFC after: 1 week
* Continue 7-CURRENT MAC Framework rearrangement and cleanup: (rwatson, 2007-02-06; 1 file, -1/+0)
  Don't perform a nested include of _label.h in mac.h, as mac.h now describes only the user API to MAC, and _label.h defines the in-kernel representation of MAC labels.
  Remove mac.h includes from policies and MAC framework components that do not use userspace MAC API definitions.
  Add _KERNEL inclusion checks to mac_internal.h and mac_policy.h, as these are kernel-only include files.
  Obtained from: TrustedBSD Project
* Move src/sys/sys/mac_policy.h, the kernel interface between the MAC (rwatson, 2006-12-22; 1 file, -2/+1)
  Framework and security modules, to src/sys/security/mac/mac_policy.h, completing the removal of kernel-only MAC Framework include files from src/sys/sys. Update the MAC Framework and MAC policy modules. Delete the old mac_policy.h. Third party policy modules will need similar updating.
  Obtained from: TrustedBSD Project
* Sweep kernel replacing suser(9) calls with priv(9) calls, assigning (rwatson, 2006-11-06; 1 file, -0/+3)
  specific privilege names to a broad range of privileges. These may require some future tweaking.
  Sponsored by: nCircle Network Security, Inc.
  Obtained from: TrustedBSD Project
  Discussed on: arch@
  Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
* Add some new options to mac_bsdextended. We can now match on: (dwmalone, 2006-04-23; 2 files, -35/+210)
  subject: ranges of uid, ranges of gid, jail id
  objects: ranges of uid, ranges of gid, filesystem, object is suid, object is sgid, object matches subject uid/gid, object type
  We can also negate individual conditions. The ruleset language is a superset of the previous language, so old rules should continue to work.
  These changes require a change to the API between libugidfw and the mac_bsdextended module. Add a version number, so we can tell if we're running mismatched versions.
  Update man pages to reflect changes, add extra test cases to test_ugidfw.c and add a shell script that checks that the module seems to do what we expect.
  Suggestions from: rwatson, trhodes
  Reviewed by: trhodes
  MFC after: 2 months
* Create a mac_bsdextended_check_vp function that takes a cred, a (dwmalone, 2006-03-04; 1 file, -280/+43)
  vnode and a mode and checks if a given access mode is permitted. This centralises the mac_bsdextended_enabled check and the GETATTR calls and makes the implementation of the mac policy methods simple. This should make it easier for us to match vnodes on more complex attributes than just uid and gid in the future, but for now there should be no functional change.
  Approved/Reviewed by: rwatson, trhodes
  MFC after: 1 month
* Fix potential overrun of static stack allocated array which stores (csjp, 2006-01-15; 1 file, -1/+1)
  the rules. If an array is N elements large, we can only access elements 0..(N-1).
  MFC after: 1 week
  Found with: Coverity Prevent(tm)
* If a "hole" opens up in the ruleset (i.e.: remove 5), do not return (trhodes, 2005-07-28; 1 file, -5/+2)
  unknown error. Instead, just return error.
  Submitted by: avatar
  Tested by: trhodes
* Add locking support to mac_bsdextended: (trhodes, 2005-04-22; 1 file, -37/+67)
  - Introduce a global mutex, mac_bsdextended_mtx, to protect the rule array and hold this mutex over use and modification of the rule array and rules.
  - Re-order and clean up sysctl_rule so that copyin/copyout/update happen in the right order (suggested by: jhb done by rwatson).
* Minor white space synchronization and line wrapping. (rwatson, 2004-10-22; 1 file, -0/+1)
* Bump copyright dates for NETA on these files. (rwatson, 2004-10-21; 2 files, -2/+2)
* Modify mac_bsdextended policy so that it defines its own vnode access (rwatson, 2004-10-21; 2 files, -33/+74)
  right bits rather than piggy-backing on the V* rights defined in vnode.h. The mac_bsdextended bits are given the same values as the V* bits to make the new kernel module binary compatible with the old version of libugidfw that uses V* bits. This avoids leaking kernel API/ABI to user management tools, and in particular should remove the need for libugidfw to include vnode.h.
  Requested by: phk
* Remove the debugging tunable, it was not being used. (trhodes, 2004-09-10; 1 file, -10/+1)
  Enable first match by default. [1]
  We should: rwatson [1]
* Allow mac_bsdextended(4) to log failed attempts to syslog's AUTHPRIV (trhodes, 2004-08-21; 1 file, -5/+19)
  facility. This is disabled by default but may be turned on by using the mac_bsdextended_logging sysctl.
  Reviewed by: re (jhb)
  Approved by: re (jhb)
* Give the mac_bsdextended(4) policy the ability to match and apply on a first (trhodes, 2004-08-21; 1 file, -2/+21)
  rule only in place of all rules match. This is similar to how ipfw(8) works. Provide a sysctl, mac_bsdextended_firstmatch_enabled, to enable this feature.
  Reviewed by: re (jhb)
  Approved by: re (jhb)
* Allow an effective uid of root to bypass mac_bsdextended rules; the MAC (rwatson, 2004-07-23; 1 file, -0/+3)
  Framework can restrict the root user, but this policy is not intended to support that.
  Stylish Swiss footwear provided for: trhodes
* Update my personal copyrights and NETA copyrights in the kernel (rwatson, 2004-02-22; 2 files, -4/+4)
  to use the "year1-year3" format, as opposed to "year1, year2, year3". This seems to make lawyers more happy, but also prevents the lines from getting excessively long as the years start to add up.
  Suggested by: imp
* Implementations of mpo_check_vnode_deleteextattr() and (rwatson, 2003-08-21; 1 file, -1/+35)
  mpo_check_vnode_listextattr() for Biba, MLS, and BSD Extended.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
* Remove trailing whitespace. (rwatson, 2003-07-05; 1 file, -3/+3)
* Trim "trustedbsd_" from the front of the policy module "short names"; (rwatson, 2003-03-27; 1 file, -1/+1)
  the vendor is only included in the long name currently, reducing verbosity when modules are registered and unregistered.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
* Expand scope of the BSD extended "file system firewall" policy to (rwatson, 2003-03-25; 1 file, -0/+17)
  include a new entry point available for enforcement:
  mac_bsdextended_check_system_swapon() - Apply extended access control checks to the file target of swap.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
* Back out M_* changes, per decision of the TRB. (imp, 2003-02-19; 1 file, -1/+1)
  Approved by: trb