FreeBSD-src - Raptor Engineering's fork of pfsense FreeBSD src with pfSense changes

	Commit message (Collapse)	Author	Age	Files	Lines
*	Apply variable name normalization to MAC policies: adopt global conventions	rwatson	2007-04-23	1	-4/+3
\| \| \| \| \| \|	for the naming of variables associated with specific data structures. Obtained from: TrustedBSD Project
*	More unnecessary include reduction.	rwatson	2007-02-23	1	-9/+1
\|
*	Continue 7-CURRENT MAC Framework rearrangement and cleanup:	rwatson	2007-02-06	1	-1/+0
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	Don't perform a nested include of _label.h in mac.h, as mac.h now describes only the user API to MAC, and _label.h defines the in-kernel representation of MAC labels. Remove mac.h includes from policies and MAC framework components that do not use userspace MAC API definitions. Add _KERNEL inclusion checks to mac_internal.h and mac_policy.h, as these are kernel-only include files Obtained from: TrustedBSD Project
*	Move src/sys/sys/mac_policy.h, the kernel interface between the MAC	rwatson	2006-12-22	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \|	Framework and security modules, to src/sys/security/mac/mac_policy.h, completing the removal of kernel-only MAC Framework include files from src/sys/sys. Update the MAC Framework and MAC policy modules. Delete the old mac_policy.h. Third party policy modules will need similar updating. Obtained from: TrustedBSD Project
*	Sweep kernel replacing suser(9) calls with priv(9) calls, assigning	rwatson	2006-11-06	1	-1/+3
\| \| \| \| \| \| \| \| \| \| \| \| \|	specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
*	Do allow jailed superuser to override the port ACL.	rwatson	2006-10-10	1	-1/+1
\| \| \| \| \|	MFC after: 3 days Submitted by: Michal Mertl <mime at traveller dot cz>
*	Normalize a significant number of kernel malloc type names:	rwatson	2005-10-31	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	- Prefer '_' to ' ', as it results in more easily parsed results in memory monitoring tools such as vmstat. - Remove punctuation that is incompatible with using memory type names as file names, such as '/' characters. - Disambiguate some collisions by adding subsystem prefixes to some memory types. - Generally prefer lower case to upper case. - If the same type is defined in multiple architecture directories, attempt to use the same name in additional cases. Not all instances were caught in this change, so more work is required to finish this conversion. Similar changes are required for UMA zone names.
*	Add a new sysctl/tunable to mac_portacl:	rwatson	2004-12-08	1	-0/+23
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	security.mac.portacl.autoport_exempt This sysctl exempts to bind port '0' as long as IP_PORTRANGELOW hasn't been set on the socket. This is quite useful as it allows applications to use automatic binding without adding overly broad rules for the binding of port 0. This sysctl defaults to enabled. This is a slight variation on the patch submitted by the contributor. MFC after: 2 weeks Submitted by: Michal Mertl <mime at traveller dot cz>
*	Switch from using an sx lock to a mutex for the mac_portacl rule chain:	rwatson	2004-12-06	1	-26/+19
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	the sx lock was used previously because we might sleep allocating additional memory by using auto-extending sbufs. However, we no longer do this, instead retaining the user-submitted rule string, so mutexes can be used instead. Annotate the reason for not using the sbuf-related rule-to-string code with a comment. Switch to using TAILQ_CONCAT() instead of manual list copying, as it's O(1), reducing the rule replacement step under the mutex from O(2N) to O(2). Remove now uneeded vnode-related includes. MFC after: 2 weeks
*	Remove dead code. (This loop counted the number of rules, but the count	cperciva	2004-05-15	1	-7/+0
\| \| \| \| \| \| \|	was never used.) Reported by: pjd Approved by: rwatson
*	Pay attention to mac_portacl_enabled.	rwatson	2004-01-20	1	-1/+5
\| \| \| \|	Submitted by: simon
*	Including <sys/stdint.h> is (almost?) universally only to be able to use	phk	2003-03-18	1	-1/+0
\| \| \| \| \|	%j in printfs, so put a newsted include in <sys/systm.h> where the printf prototype lives and save everybody else the trouble.
*	Do not depend on namespace pollution, explicitly include sys/sx.h	kan	2003-03-12	1	-0/+1
\|
*	A cute yet small MAC policy that provides a simple ACL mechanism to	rwatson	2003-03-02	1	-0/+485
	permit users and groups to bind ports for TCP or UDP, and is intended to be combined with the recently committed support for net.inet.ip.portrange.reservedhigh. The policy is twiddled using sysctl(8). To use this module, you will need to compile in MAC support, and probably set reservedhigh to 0, then twiddle security.mac.portacl.rules to set things as desired. This policy module only restricts ports explicitly bound using bind(), not implicitly bound ports where the port number is selected by the IP stack. It appears to work properly in my local configuration, but needs more broad testing. A sample policy might be: # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79" This permits uid 425 to bind TCP sockets to ports 79 and 80. Currently no distinction is made for incoming vs. outgoing ports with TCP, although that would probably be easy to add. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories