summaryrefslogtreecommitdiffstats
path: root/sys/security/mac_stub
Commit message (Collapse)AuthorAgeFilesLines
...
* Reimplement sysctls handling by MAC framework.pjd2004-02-221-2/+2
| | | | | | | | | | | Now I believe it is done in the right way. Removed some XXMAC cases, we now assume 'high' integrity level for all sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic. Reviewed by: rwatson Approved by: rwatson, scottl (mentor) Tested with: LINT (compilation), mac_biba(4) (functionality)
* Update my personal copyrights and NETA copyrights in the kernelrwatson2004-02-221-2/+2
| | | | | | | | to use the "year1-year3" format, as opposed to "year1, year2, year3". This seems to make lawyers more happy, but also prevents the lines from getting excessively long as the years start to add up. Suggested by: imp
* Commit file missed in last pass: MAC api uses 'struct pipepair', notrwatson2004-02-011-8/+8
| | | | 'struct pipe' now.
* Switch TCP over to using the inpcb label when responding in timedrwatson2003-12-171-0/+8
| | | | | | | | | | | | | | | | wait, rather than the socket label. This avoids reaching up to the socket layer during connection close, which requires locking changes. To do this, introduce MAC Framework entry point mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond() instead of calling mac_create_mbuf_from_socket() or mac_create_mbuf_netlayer(). Introduce MAC Policy entry point mpo_create_mbuf_from_inpcb(), and implementations for various policies, which generally just copy label data from the inpcb to the mbuf. Assert the inpcb lock in the entry point since we require consistency for the inpcb label reference. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(),rwatson2003-12-061-7/+1
| | | | | | | | | | | | | and the mpo_create_cred() MAC policy entry point to mpo_copy_cred_label(). This is more consistent with similar entry points for creation and label copying, as mac_create_cred() was called from crdup() as opposed to during process creation. For a number of policies, this removes the requirement for special handling when copying credential labels, and improves consistency. Approved by: re (scottl) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Introduce a MAC label reference in 'struct inpcb', which cachesrwatson2003-11-181-0/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | the MAC label referenced from 'struct socket' in the IPv4 and IPv6-based protocols. This permits MAC labels to be checked during network delivery operations without dereferencing inp->inp_socket to get to so->so_label, which will eventually avoid our having to grab the socket lock during delivery at the network layer. This change introduces 'struct inpcb' as a labeled object to the MAC Framework, along with the normal circus of entry points: initialization, creation from socket, destruction, as well as a delivery access control check. For most policies, the inpcb label will simply be a cache of the socket label, so a new protocol switch method is introduced, pr_sosetlabel() to notify protocols that the socket layer label has been updated so that the cache can be updated while holding appropriate locks. Most protocols implement this using pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use the the worker function in_pcbsosetlabel(), which calls into the MAC Framework to perform a cache update. Biba, LOMAC, and MLS implement these entry points, as do the stub policy, and test policy. Reviewed by: sam, bms Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Implement sockets support for __mac_get_fd() and __mac_set_fd()rwatson2003-11-161-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | system calls, and prefer these calls over getsockopt()/setsockopt() for ABI reasons. When addressing UNIX domain sockets, these calls retrieve and modify the socket label, not the label of the rendezvous vnode. - Create mac_copy_socket_label() entry point based on mac_copy_pipe_label() entry point, intended to copy the socket label into temporary storage that doesn't require a socket lock to be held (currently Giant). - Implement mac_copy_socket_label() for various policies. - Expose socket label allocation, free, internalize, externalize entry points as non-static from mac_net.c. - Use mac_socket_label_set() in __mac_set_fd(). MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and mac_get_peer() to retrieve and set various socket labels without directly invoking the getsockopt() interface. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Implement mpo_copy_{mbuf,pipe,vnode}_label() entry points forrwatson2003-11-161-0/+9
| | | | | | | mac_stub and mac_test. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Add stub entries for new MAC framework entry points:rwatson2003-08-211-0/+32
| | | | | | | | | | mpo_reflect_mbuf_icmp() mpo_reflect_mbuf_tcp() mpo_check_vnode_deletextattr() mpo_check_vnode_listextattr() Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Generally rename things to represent the fact that this is now therwatson2003-08-211-269/+271
| | | | | | | | mac_stub policy and no longer mac_none (as found in the repocopy). Add comment to this effect. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Redesign the externalization APIs from the MAC Framework torwatson2003-06-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS. Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case. This has been running in the MAC development tree for about three weeks without problems. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Trim "trustedbsd_" from the front of the policy module "short names";rwatson2003-03-271-1/+1
| | | | | | | | the vendor is only included in the long name currently, reducing verbosity when modules are registered and unregistered. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Modify the mac_init_ipq() MAC Framework entry point to accept anrwatson2003-03-261-1/+1
| | | | | | | | | | | | | additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Update MAC "none" stub policy to include stubs for the followingrwatson2003-03-251-0/+98
| | | | | | | | | | | | | | | | | | | | entry points: mac_none_thread_userret() mac_none_check_kenv_dump() mac_none_check_kenv_get() mac_none_check_kenv_set() mac_none_check_kenv_unset() mac_none_check_kld_load() mac_none_check_kld_stat() mac_none_check_kld_unload() mac_none_check_sysarch_ioperm() mac_none_check_system_acct() mac_none_check_system_settime() mac_none_check_system_swapoff() Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Default policies to on: if you load them or compile them into yourrwatson2002-12-101-1/+1
| | | | | | | | | | kernel, you should expect them to do something, so now they do. This doesn't affect users who don't load or explicitly compile in the policies. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Remove dm_root entry from struct devfs_mount. It's never set, and isrwatson2002-12-091-8/+10
| | | | | | | | | | | | unused. Replace it with a dm_mount back-pointer to the struct mount that the devfs_mount is associated with. Export that pointer to MAC Framework entry points, where all current policies don't use the pointer. This permits the SEBSD port of SELinux's FLASK/TE to compile out-of-the-box on 5.0-CURRENT with full file system labeling support. Approved by: re (murray) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Garbage collect mac_create_devfs_vnode() -- it hasn't been used sincerwatson2002-11-121-8/+0
| | | | | | | | we brought in the new cache and locking model for vnode labels. We now rely on mac_associate_devfs_vnode(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Update MAC modules for changes in arguments for exec MAC policyrwatson2002-11-081-3/+5
| | | | | | | | entry points to include an explicit execlabel. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Update policy modules for changes in arguments associated with supportrwatson2002-11-051-3/+5
| | | | | for label access on the interpreter, not just the shell script. No policies currently present in the system rely on the new labels.
* License and wording updates: NAI has authorized the removal of clauserwatson2002-11-041-7/+4
| | | | | three from their BSD-style license. Also, s/NAI Labs/Network Associates Laboratories/.
* Move to C99 sparse structure initialization for the mac_policy_opsrwatson2002-10-301-272/+137
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | structure definition, rather than using an operation vector we translate into the structure. Originally, we used a vector for two reasons: (1) We wanted to define the structure sparsely, which wasn't supported by the C compiler for structures. For a policy with five entry points, you don't want to have to stick in a few hundred NULL function pointers. (2) We thought it would improve ABI compatibility allowing modules to work with kernels that had a superset of the entry points defined in the module, even if the kernel had changed its entry point set. Both of these no longer apply: (1) C99 gives us a way to sparsely define a static structure. (2) The ABI problems existed anyway, due to enumeration numbers, argument changes, and semantic mismatches. Since the going rule for FreeBSD is that you really need your modules to pretty closely match your kernel, it's not worth the complexity. This submit eliminates the operation vector, dynamic allocation of the operation structure, copying of the vector to the structure, and redoes the vectors in each policy to direct structure definitions. One enourmous benefit of this change is that we now get decent type checking on policy entry point implementation arguments. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Various minor type, prototype tweaks -- clean up cruft due to lack ofrwatson2002-10-301-1/+1
| | | | | | | type checking on entry points (to be introduced shortly). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* While 'mode_t' seemed like a good idea for the access mode argument forrwatson2002-10-301-2/+2
| | | | | | | | | MAC access() and open() checks, the argument actually has an int type where it becomes available. Switch to using 'int' for the mode argument throughout the MAC Framework and policy modules. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Hook up no-op stubs for reboot, swapon, sysctl entry points.rwatson2002-10-291-0/+29
| | | | | Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Slightly change the semantics of vnode labels for MAC: rather thanrwatson2002-10-261-39/+43
| | | | | | | | | | | | | | | | | | | | | "refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Adapt MAC policies for the new user API changes; teach policies howrwatson2002-10-221-11/+36
| | | | | | | | | | to parse their own label elements (some cleanup to occur here in the future to use the newly added kernel strsep()). Policies now entirely encapsulate their notion of label in the policy module. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* mac_none is a stub policy without any functional implementation.rwatson2002-10-211-7/+7
| | | | | | | | | | | | Various cleanups, no functional changes: - Fix a type in an entry point stub, socket checks accept sockets, not vnodes. - Trailing whitespace - Entry point sort order Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Sync from MAC tree: break out the single mmap entry point intorwatson2002-10-061-2/+22
| | | | | | | | | | | | | | | | | | | seperate entry points for each occasion: mac_check_vnode_mmap() Check at initial mapping mac_check_vnode_mprotect() Check at mapping protection change mac_check_vnode_mmap_downgrade() Determine if a mapping downgrade should take place following subject relabel. Implement mmap() and mprotect() entry points for labeled vnode policies. These entry points are currently not hooked up to the VM system in the base tree. These changes improve the consistency of the access control interface and offer more flexibility regarding limiting access to vnode mmaping. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Modify label allocation semantics for sockets: pass in soalloc's mallocrwatson2002-10-051-2/+2
| | | | | | | | | | | flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Implement mac_create_devfs_symlink() for policies that interact withrwatson2002-10-051-0/+9
| | | | | | | vnode labels. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Merge implementation of mpo_check_vnode_link() for various appropriaterwatson2002-10-051-0/+11
| | | | | | | file-system aware MAC policies. Sync to MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Begin another merge from the TrustedBSD MAC branch:rwatson2002-10-051-167/+55
| | | | | | | | | | | | | | | | | | | | | - Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy entry points to mpo_init_foo_label(label) and mpo_destroy_foo_label(label). This will permit the use of the same entry points for holding temporary type-specific label during internalization and externalization, as well as for caching purposes. - Because of this, break out mpo_{init,destroy}_socket() and mpo_{init,destroy}_mount() into seperate entry points for socket main/peer labels and mount main/fs labels. - Since the prototype for label initialization is the same across almost all entry points, implement these entry points using common implementations for Biba, MLS, and Test, reducing the number of almost identical looking functions. This simplifies policy implementation, as well as preparing us for the merge of the new flexible userland API for managing labels on objects. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Prefer NULL to 0 when passing a NULL pointer.rwatson2002-08-201-1/+1
|
* Provide stub mpo_syscall() implementations for mac_none and mac_test.rwatson2002-08-201-0/+9
| | | | | Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
* Pass active_cred and file_cred into the MAC framework explicitlyrwatson2002-08-191-8/+8
| | | | | | | | | | | for mac_check_vnode_{poll,read,stat,write}(). Pass in fp->f_cred when calling these checks with a struct file available. Otherwise, pass NOCRED. All currently MAC policies use active_cred, but could now offer the cached credential semantic used for the base system security model. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
* Break out mac_check_pipe_op() into component check entry points:rwatson2002-08-191-4/+34
| | | | | | | | | | | mac_check_pipe_poll(), mac_check_pipe_read(), mac_check_pipe_stat(), and mac_check_pipe_write(). This is improves consistency with other access control entry points and permits security modules to only control the object methods that they are interested in, avoiding switch statements. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
* Break out mac_check_vnode_op() into three seperate checks:rwatson2002-08-191-0/+30
| | | | | | | | | | mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write(). This improves the consistency with other existing vnode checks, and allows policies to avoid implementing switch statements to determine what operations they do and do not want to authorize. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
* Rename mac_check_socket_receive() to mac_check_socket_deliver() so thatrwatson2002-08-151-6/+6
| | | | | | | | we can use the names _receive() and _send() for the receive() and send() checks. Rename related constants, policy implementations, etc. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
* Introduce support for Mandatory Access Control and extensiblerwatson2002-07-311-0/+1105
kernel access control. Provide implementations of some sample operating system security policy extensions. These are not yet hooked up to the build as other infrastructure is still being committed. Most of these work fairly well and are in daily use in our development and (limited) production environments. Some are not yet in their final form, and a number of the labeled policies waste a lot of kernel memory and will be fixed over the next month or so to be more conservative. They do give good examples of the flexibility of the MAC framework for implementing a variety of security policies. mac_biba: Implementation of fixed-label Biba integrity policy, similar to those found in a number of commercial trusted operating systems. All subjects and objects are assigned integrity levels, and information flow is controlled based on a read-up, write-down policy. Currently, purely hierarchal. mac_bsdextended: Implementation of a "file system firewall", which allows the administrator to specify a series of rules limiting access by users and groups to objects owned by other users and groups. This policy is unlabeled, relying on existing system security labeling (file permissions/ownership, process credentials). mac_ifoff: Secure interface silencing. Special-purpose module to limit inappropriate out-going network traffic for silent monitoring scenarios. Prevents the various network stacks from generating any output despite an interface being live for reception. mac_mls: Implementation of fixed-label Multi-Level Security confidentiality policy, similar to those found in a number of commercial trusted operating systems. All subjects and objects are assigned confidentiality levels, and information flow is controlled based on a write-up, read-down policy. Currently, purely hiearchal, although non-hierarchal support is in the works. mac_none: Policy module implementing all MAC policy entry points with empty stubs. A good place to start if you want all the prototypes types in for you, and don't mind a bit of pruning. Can be loaded, but has no access control impact. Useful also for performance measurements. mac_seeotheruids: Policy module implementing a security service similar to security.bsd.seeotheruids, only a slightly more detailed policy involving exceptions for members of specific groups, etc. This policy is unlabeled, relying on existing system security labeling (process credentials). mac_test: Policy module implementing basic sanity tests for label handling. Attempts to ensure that labels are not freed multiple times, etc, etc. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
OpenPOWER on IntegriCloud