path: root/sys/security

Commit message (author, date; files changed, lines -removed/+added)
* Correct grammar error in comment

  MFC after: 3 days

  (csjp, 2005-06-10; 1 file, -1/+1)
* Gratuitous renaming of four System V Semaphore MAC Framework entry
  points to convert _sema() to _sem() for consistency purposes with
  respect to the other semaphore-related entry points:

      mac_init_sysv_sema()     -> mac_init_sysv_sem()
      mac_destroy_sysv_sem()   -> mac_destroy_sysv_sem()
      mac_create_sysv_sema()   -> mac_create_sysv_sem()
      mac_cleanup_sysv_sema()  -> mac_cleanup_sysv_sem()

  Congruent changes are made to the policy interface to support this.

  Obtained from: TrustedBSD Project
  Sponsored by:  SPAWAR, SPARTA

  (rwatson, 2005-06-07; 7 files, -56/+56)
* Introduce MAC Framework and MAC Policy entry points to label and control
  access to POSIX Semaphores:

      mac_init_posix_sem()             Initialize label for POSIX semaphore
      mac_create_posix_sem()           Create POSIX semaphore
      mac_destroy_posix_sem()          Destroy POSIX semaphore
      mac_check_posix_sem_destroy()    Check whether semaphore may be destroyed
      mac_check_posix_sem_getvalue()   Check whether semaphore may be queried
      mac_check_posix_sem_open()       Check whether semaphore may be opened
      mac_check_posix_sem_post()       Check whether semaphore may be posted to
      mac_check_posix_sem_unlink()     Check whether semaphore may be unlinked
      mac_check_posix_sem_wait()       Check whether semaphore may be waited on

  Update Biba, MLS, Stub, and Test policies to implement these entry points.
  For information flow policies, most semaphore operations are effectively
  read/write.

  Submitted by:  Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
  Sponsored by:  DARPA, McAfee, SPARTA
  Obtained from: TrustedBSD Project

  (rwatson, 2005-05-04; 7 files, -0/+462)
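Added example, not FreeBSD code: what "most semaphore operations are effectively read/write" means once Biba and MLS dominance rules are applied. Labels are modelled as a grade plus a compartment bitmask, and the mapping of entry points to flow directions (getvalue as a read, post and wait as read plus write) is this example's assumption about the commit's remark, not a statement of how mac_biba.c or mac_mls.c implement these checks. All names in the block are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Single-level label: a grade plus a set of compartments. Stand-in for the
 * policies' effective label element, not the kernel's structure. */
struct ifl_label {
    uint16_t grade;
    uint64_t compartments;
};

/* a dominates b: a's grade is at least b's and a holds every compartment of b. */
static bool ifl_dominates(const struct ifl_label *a, const struct ifl_label *b)
{
    return a->grade >= b->grade &&
           (a->compartments & b->compartments) == b->compartments;
}

enum ifl_op { IFL_READ, IFL_WRITE, IFL_READWRITE };

static bool ifl_decide(bool can_read, bool can_write, enum ifl_op op)
{
    switch (op) {
    case IFL_READ:  return can_read;
    case IFL_WRITE: return can_write;
    default:        return can_read && can_write;   /* IFL_READWRITE */
    }
}

/* Biba integrity: a subject may read only objects that dominate it (no
 * read-down) and write only objects it dominates (no write-up). */
static bool biba_permits(const struct ifl_label *subj,
                         const struct ifl_label *obj, enum ifl_op op)
{
    return ifl_decide(ifl_dominates(obj, subj), ifl_dominates(subj, obj), op);
}

/* MLS confidentiality, the mirror image: read requires the subject to
 * dominate the object (no read-up), write requires the object to dominate
 * the subject (no write-down). */
static bool mls_permits(const struct ifl_label *subj,
                        const struct ifl_label *obj, enum ifl_op op)
{
    return ifl_decide(ifl_dominates(subj, obj), ifl_dominates(obj, subj), op);
}

/* Flow direction per POSIX semaphore entry point. Treating getvalue as a
 * pure read and post/wait as read+write is this example's assumption. */
static enum ifl_op posix_sem_op(const char *entry)
{
    if (strcmp(entry, "getvalue") == 0)
        return IFL_READ;
    return IFL_READWRITE;   /* post, wait: the value is both observed and changed */
}

/* Does a subject labelled (sgrade, scomp) pass the named check on a
 * semaphore labelled (ograde, ocomp) under Biba (biba == true) or MLS? */
static bool posix_sem_allowed(bool biba, uint16_t sgrade, uint64_t scomp,
                              uint16_t ograde, uint64_t ocomp, const char *entry)
{
    struct ifl_label subj = { sgrade, scomp };
    struct ifl_label obj  = { ograde, ocomp };
    enum ifl_op op = posix_sem_op(entry);

    return biba ? biba_permits(&subj, &obj, op) : mls_permits(&subj, &obj, op);
}

int main(void)
{
    const char *ops[] = { "getvalue", "post", "wait" };

    for (size_t i = 0; i < 3; i++)
        printf("%-8s subj 10 -> obj 5: biba=%d mls=%d | equal labels: biba=%d mls=%d\n",
               ops[i],
               posix_sem_allowed(true, 10, 0, 5, 0, ops[i]),
               posix_sem_allowed(false, 10, 0, 5, 0, ops[i]),
               posix_sem_allowed(true, 7, 0, 7, 0, ops[i]),
               posix_sem_allowed(false, 7, 0, 7, 0, ops[i]));
    return 0;
}
```

Because post and wait need both directions to be permitted, a subject and a semaphore at different labels can never post to or wait on each other under either policy; only getvalue, being one-directional, is allowed across labels, and in opposite directions for Biba and MLS.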
* Get the directory structure correct in a comment.

  Submitted by: Samy Al Bahra

  (trhodes, 2005-04-22; 2 files, -2/+4)

* Add locking support to mac_bsdextended:

  - Introduce a global mutex, mac_bsdextended_mtx, to protect the rule array
    and hold this mutex over use and modification of the rule array and
    rules.
  - Re-order and clean up sysctl_rule so that copyin/copyout/update happen
    in the right order (suggested by: jhb, done by: rwatson).

  (trhodes, 2005-04-22; 1 file, -37/+67)
* Introduce p_canwait() and MAC Framework and MAC Policy entry points
  mac_check_proc_wait(), which control the ability to wait4() specific
  processes. This permits MAC policies to limit information flow from
  children that have changed label, although this has to be handled
  carefully due to common programming expectations regarding the behavior
  of wait4(). The cr_seeotheruids() check in p_canwait() is #if 0'd for
  this reason.

  The mac_stub and mac_test policies are updated to reflect these new entry
  points.

  Sponsored by:  SPAWAR, SPARTA
  Obtained from: TrustedBSD Project

  (rwatson, 2005-04-18; 5 files, -0/+37)
* Introduce three additional MAC Framework and MAC Policy entry points to
  control socket poll() (select()), fstat(), and accept() operations,
  required for some policies:

      poll()     mac_check_socket_poll()
      fstat()    mac_check_socket_stat()
      accept()   mac_check_socket_accept()

  Update mac_stub and mac_test policies to be aware of these entry points.

  While here, add missing entry point implementations for:

      mac_stub.c   stub_check_socket_receive()
      mac_stub.c   stub_check_socket_send()
      mac_test.c   mac_test_check_socket_send()
      mac_test.c   mac_test_check_socket_visible()

  Obtained from: TrustedBSD Project
  Sponsored by:  SPAWAR, SPARTA

  (rwatson, 2005-04-16; 5 files, -8/+166)
* In mac_get_fd(), remove unconditional acquisition of Giant around copying
  of the socket label to thread-local storage, and replace it with
  conditional acquisition based on debug.mpsafenet. Acquire the socket lock
  around the copy operation.

  In mac_set_fd(), replace the unconditional acquisition of Giant with the
  conditional acquisition of Giant based on debug.mpsafenet. The socket
  lock is acquired in mac_socket_label_set() so doesn't have to be acquired
  here.

  Obtained from: TrustedBSD Project
  Sponsored by:  SPAWAR, SPARTA

  (rwatson, 2005-04-16; 2 files, -18/+14)
* Introduce new MAC Framework and MAC Policy entry points to control the use
  of system calls to manipulate elements of the process credential,
  including:

      setuid()      mac_check_proc_setuid()
      seteuid()     mac_check_proc_seteuid()
      setgid()      mac_check_proc_setgid()
      setegid()     mac_check_proc_setegid()
      setgroups()   mac_check_proc_setgroups()
      setreuid()    mac_check_proc_setreuid()
      setregid()    mac_check_proc_setregid()
      setresuid()   mac_check_proc_setresuid()
      setresgid()   mac_check_proc_setresgid()

  MAC checks are performed before other existing security checks; both
  current credential and intended modifications are passed as arguments to
  the entry points.

  The mac_test and mac_stub policies are updated.

  Submitted by:  Samy Al Bahra <samy@kerneled.org>
  Obtained from: TrustedBSD Project

  (rwatson, 2005-04-16; 5 files, -0/+337)
* Move MAC check_vnode_mmap entry point out from being exclusive to
  MAP_SHARED so that the entry point gets executed unconditionally. This
  may be useful for security policies which want to perform access control
  checks around run-time linking.

  - Add the mmap(2) flags argument to the check_vnode_mmap entry point so
    that we can make access control decisions based on the type of mapped
    object.
  - Update any dependent API around this parameter addition such as
    function prototype modifications, entry point parameter additions and
    the inclusion of the sys/mman.h header file.
  - Change the MLS, BIBA and LOMAC security policies so that subject
    domination routines are not executed unless the type of mapping is
    shared. This is done to maintain compatibility between the old
    vm_mmap_vnode(9) and these policies.

  Reviewed by: rwatson
  MFC after:   1 month

  (csjp, 2005-04-14; 8 files, -12/+16)
* Remove an accidental clearing of the new label pointer on a System V
  message queue, which was introduced during the merge process.

  Submitted by: Andrew Reisse <areisse at nailabs dot com>

  (rwatson, 2005-02-24; 1 file, -1/+0)

* Synchronize HEAD copyright/license with RELENG_5 copyright/license:
  McAfee instead of NETA.

  (rwatson, 2005-02-13; 1 file, -5/+5)

* Update copyright for NETA->McAfee.

  (rwatson, 2005-01-30; 1 file, -5/+5)
* Remove policy references to mpo_check_vnode_mprotect(), which is
  currently unimplemented.

  Update copyrights.

  Pointed out by: csjp

  (rwatson, 2005-01-26; 5 files, -54/+2)

* Remove an obsoleted comment about struct versions.

  MFC after:      3 days
  Pointed out by: trhodes

  (rwatson, 2005-01-23; 1 file, -1/+0)
* Update mac_test for MAC Framework policy entry points for System V IPC
  objects (message queues, semaphores, shared memory), exercising and
  validating MAC labels on these objects.

  Submitted by:  Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
  Obtained from: TrustedBSD Project
  Sponsored by:  DARPA, SPAWAR, McAfee Research

  (rwatson, 2005-01-22; 1 file, -0/+378)

* Update mac_stub for MAC Framework policy entry points for System V IPC
  objects (message queues, semaphores, shared memory).

  Submitted by:  Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
  Obtained from: TrustedBSD Project
  Sponsored by:  DARPA, SPAWAR, McAfee Research

  (rwatson, 2005-01-22; 1 file, -5/+213)

* Implement MLS confidentiality protection for System V IPC objects
  (message queues, semaphores, shared memory).

  Submitted by:  Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
  Obtained from: TrustedBSD Project
  Sponsored by:  DARPA, SPAWAR, McAfee Research

  (rwatson, 2005-01-22; 1 file, -5/+391)

* Implement Biba integrity protection for System V IPC objects (message
  queues, semaphores, shared memory).

  Submitted by:  Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
  Obtained from: TrustedBSD Project
  Sponsored by:  DARPA, SPAWAR, McAfee Research

  (rwatson, 2005-01-22; 1 file, -5/+394)
* Exempt the superuser from mac_seeotheruids checks.

  Submitted by: bkoenig at cs dot tu-berlin dot de
  PR:           72238
  MFC after:    2 weeks

  (rwatson, 2005-01-03; 1 file, -0/+3)
* Add a new sysctl/tunable to mac_portacl:

      security.mac.portacl.autoport_exempt

  This sysctl exempts binding of port '0' as long as IP_PORTRANGELOW hasn't
  been set on the socket. This is quite useful as it allows applications to
  use automatic binding without adding overly broad rules for the binding
  of port 0. This sysctl defaults to enabled.

  This is a slight variation on the patch submitted by the contributor.

  MFC after:    2 weeks
  Submitted by: Michal Mertl <mime at traveller dot cz>

  (rwatson, 2004-12-08; 1 file, -0/+23)
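Added example, not FreeBSD's mac_portacl.c: the bind-time decision described above, including the autoport_exempt behaviour for port 0 with and without IP_PORTRANGELOW. The rule string form follows the documented uid:ID:proto:port shape, but the parser, the data structures, the reserved-range ceiling (pa_port_high, assumed here so that ordinary high ports bypass the rules) and every function name are this example's own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum pa_idtype { PA_UID, PA_GID };
enum pa_proto  { PA_TCP = 6, PA_UDP = 17 };    /* IP protocol numbers */

struct pa_rule {
    enum pa_idtype idtype;
    unsigned       id;       /* uid or gid the rule grants to */
    enum pa_proto  proto;
    unsigned       port;     /* 1..65535 */
};

/* Emulated sysctls. autoport_exempt is the knob the commit adds and
 * defaults to on. port_high is this example's assumption: ports above it
 * are not reserved and never reach the rule check. */
static int      pa_autoport_exempt = 1;
static unsigned pa_port_high = 1023;

/* Parse one rule in the "uid:1001:tcp:80" / "gid:80:udp:53" form.
 * Returns false on anything malformed, including trailing junk. */
static bool pa_parse_rule(const char *spec, struct pa_rule *out)
{
    char idtype[8], proto[8];
    unsigned id, port;
    int used = 0;

    if (sscanf(spec, "%7[a-z]:%u:%7[a-z]:%u%n", idtype, &id, proto, &port, &used) != 4 ||
        spec[used] != '\0')
        return false;
    if (strcmp(idtype, "uid") == 0)      out->idtype = PA_UID;
    else if (strcmp(idtype, "gid") == 0) out->idtype = PA_GID;
    else                                 return false;
    if (strcmp(proto, "tcp") == 0)       out->proto = PA_TCP;
    else if (strcmp(proto, "udp") == 0)  out->proto = PA_UDP;
    else                                 return false;
    if (port == 0 || port > 65535)
        return false;
    out->id = id;
    out->port = port;
    return true;
}

/* Bind-time decision: 0 permits, EPERM denies.
 * - port 0 ("pick one for me") is exempt while autoport_exempt is set and
 *   the socket has not asked for IP_PORTRANGELOW, which would make the
 *   kernel choose from the reserved range;
 * - otherwise a reserved port needs a rule naming the caller's uid or one
 *   of its gids together with the protocol and port. */
static int pa_check_bind(const struct pa_rule *rules, size_t nrules,
                         unsigned uid, const unsigned *gids, size_t ngids,
                         enum pa_proto proto, unsigned port, bool portrange_low)
{
    if (port == 0 && pa_autoport_exempt && !portrange_low)
        return 0;
    if (port > pa_port_high)
        return 0;
    for (size_t i = 0; i < nrules; i++) {
        const struct pa_rule *r = &rules[i];

        if (r->proto != proto || r->port != port)
            continue;
        if (r->idtype == PA_UID && r->id == uid)
            return 0;
        if (r->idtype == PA_GID)
            for (size_t g = 0; g < ngids; g++)
                if (gids[g] == r->id)
                    return 0;
    }
    return EPERM;
}

/* Load a comma-separated ruleset (the sysctl string form) and evaluate one
 * bind request against it; EINVAL if any rule fails to parse. */
static int pa_check_bind_str(const char *specs, unsigned uid, unsigned gid,
                             enum pa_proto proto, unsigned port, bool portrange_low)
{
    struct pa_rule rules[16];
    size_t n = 0;
    const char *p = specs;

    while (*p != '\0' && n < sizeof rules / sizeof rules[0]) {
        char one[32];
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);

        if (len >= sizeof one)
            return EINVAL;
        memcpy(one, p, len);
        one[len] = '\0';
        if (!pa_parse_rule(one, &rules[n++]))
            return EINVAL;
        p = comma ? comma + 1 : p + len;
    }
    return pa_check_bind(rules, n, uid, &gid, 1, proto, port, portrange_low);
}

int main(void)
{
    const char *rules = "uid:1001:tcp:80,gid:80:tcp:443";   /* constructed ruleset */

    printf("uid 1002 tcp/0, autoport:        %d\n", pa_check_bind_str(rules, 1002, 1002, PA_TCP, 0, false));
    printf("uid 1002 tcp/0, IP_PORTRANGELOW: %d\n", pa_check_bind_str(rules, 1002, 1002, PA_TCP, 0, true));
    return 0;
}
```

Port 0 cannot match any rule (rules carry ports 1..65535), so once IP_PORTRANGELOW is set, or the sysctl is turned off, an automatic bind is denied unless some other mechanism permits it; that is the "overly broad rules" the commit avoids.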
* Switch from using an sx lock to a mutex for the mac_portacl rule chain:
  the sx lock was used previously because we might sleep allocating
  additional memory by using auto-extending sbufs. However, we no longer do
  this, instead retaining the user-submitted rule string, so mutexes can be
  used instead. Annotate the reason for not using the sbuf-related
  rule-to-string code with a comment.

  Switch to using TAILQ_CONCAT() instead of manual list copying, as it's
  O(1), reducing the rule replacement step under the mutex from O(2N) to
  O(2).

  Remove now unneeded vnode-related includes.

  MFC after: 2 weeks

  (rwatson, 2004-12-06; 1 file, -26/+19)
* Implement MAC entry points relating to System V IPC, calling into the
  MAC policies to perform object life cycle operations and access control
  checks.

  Submitted by:  Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
  Obtained from: TrustedBSD Project
  Sponsored by:  DARPA, SPAWAR, McAfee Research

  (rwatson, 2004-11-17; 3 files, -0/+592)

* Define new MAC framework and policy entry points for System V IPC
  objects and operations:

  - System V IPC message, message queue, semaphore, and shared memory
    segment init, destroy, cleanup, create operations.
  - System V IPC message, message queue, semaphore, and shared memory
    segment access control entry points, including rights to attach,
    destroy, and manipulate these IPC objects.

  Submitted by:  Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
  Obtained from: TrustedBSD Project
  Sponsored by:  DARPA, SPAWAR, McAfee Research

  (rwatson, 2004-11-17; 2 files, -1/+129)
* Bump MAC Framework version to 2 in preparation for the upcoming API/ABI
  changes associated with adding System V IPC support. This will prevent
  old modules from being used with the new kernel, and new modules from
  being used with the old kernel.

  (rwatson, 2004-11-09; 3 files, -3/+3)

* Disable use of synchronization early in the boot by the MAC Framework;
  for modules linked into the kernel or loaded very early, panics will
  result otherwise, as the CV code it calls will panic due to its use of a
  mutex before it is initialized.

  (rwatson, 2004-10-30; 2 files, -0/+42)

* /%x/%s/ -- mismerged DEBUGGER() printf() format string from the
  TrustedBSD branch.

  Submitted by: bde

  (rwatson, 2004-10-23; 1 file, -1/+1)
* Expand comments on various sections of the MAC Framework Policy API,
  as well as document the properties of the mac_policy_conf structure.
  Warn about the ABI risks in changing the structure without careful
  consideration.

  Obtained from: TrustedBSD Project
  Sponsored by:  SPAWAR

  (rwatson, 2004-10-22; 1 file, -4/+15)

* Replace direct reference to kdb_enter() with a DEBUGGER() macro that
  will call printf() if KDB isn't compiled into the kernel.

  Obtained from: TrustedBSD Project
  Sponsored by:  SPAWAR

  (rwatson, 2004-10-22; 1 file, -28/+34)

* Minor white space synchronization and line wrapping.

  (rwatson, 2004-10-22; 2 files, -1/+3)

* In the MAC label zone destructor, assert that the label is only
  destroyed in an initialized state.

  (rwatson, 2004-10-22; 1 file, -1/+3)

* Remove extern declaration of mac_enforce_sysv, as it's not present in
  the CVS version of the MAC Framework.

  (rwatson, 2004-10-22; 1 file, -1/+0)

* Bump copyright dates for NETA on these files.

  (rwatson, 2004-10-21; 2 files, -2/+2)
* Modify mac_bsdextended policy so that it defines its own vnode access
  right bits rather than piggy-backing on the V* rights defined in
  vnode.h. The mac_bsdextended bits are given the same values as the V*
  bits to make the new kernel module binary compatible with the old
  version of libugidfw that uses V* bits.

  This avoids leaking kernel API/ABI to user management tools, and in
  particular should remove the need for libugidfw to include vnode.h.

  Requested by: phk

  (rwatson, 2004-10-21; 2 files, -33/+74)
* Remove the debugging tunable, it was not being used.

  Enable first match by default. [1]

  We should: rwatson [1]

  (trhodes, 2004-09-10; 1 file, -10/+1)
* Allow mac_bsdextended(4) to log failed attempts to syslog's AUTHPRIV
  facility. This is disabled by default but may be turned on by using the
  mac_bsdextended_logging sysctl.

  Reviewed by: re (jhb)
  Approved by: re (jhb)

  (trhodes, 2004-08-21; 1 file, -5/+19)

* Give the mac_bsdextended(4) policy the ability to match and apply on a
  first rule only in place of all rules match. This is similar to how
  ipfw(8) works. Provide a sysctl, mac_bsdextended_firstmatch_enabled, to
  enable this feature.

  Reviewed by: re (jhb)
  Approved by: re (jhb)

  (trhodes, 2004-08-21; 1 file, -2/+21)
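Added example, not FreeBSD's mac_bsdextended.c: the two evaluation modes the last two commits describe (every matching rule must agree, versus ipfw-style first match), the optional logging of denials, and the effective-uid-0 bypass from the 2004-07-23 commit further down this log. The rule layout, the access bits, the log buffer standing in for syslog, and the constructed ruleset are this example's own; the global mutex the 2005-04-22 commit adds around the rule array is left out so the block stays single-threaded.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Access bits a rule may grant; an abstraction, not the policy's real set. */
enum { BE_READ = 1, BE_WRITE = 2, BE_EXEC = 4, BE_ADMIN = 8 };

struct be_id {              /* any == true matches every uid/gid */
    bool     any;
    unsigned id;
};

struct be_rule {
    struct be_id subj_uid, subj_gid;   /* the subject (process credential) */
    struct be_id obj_uid,  obj_gid;    /* the object's owner and group */
    unsigned     mode;                 /* access the subject MAY have */
};

/* Emulated sysctls, named after the commits; defaults are the example's. */
static int be_firstmatch_enabled = 0;  /* mac_bsdextended_firstmatch_enabled */
static int be_logging = 0;             /* mac_bsdextended_logging */

static char be_last_log[160];          /* stand-in for the AUTHPRIV syslog line */

static bool be_id_match(const struct be_id *m, unsigned id)
{
    return m->any || m->id == id;
}

static bool be_rule_matches(const struct be_rule *r, unsigned suid,
                            unsigned sgid, unsigned ouid, unsigned ogid)
{
    return be_id_match(&r->subj_uid, suid) && be_id_match(&r->subj_gid, sgid) &&
           be_id_match(&r->obj_uid, ouid)  && be_id_match(&r->obj_gid, ogid);
}

/* 0 permits, EACCES denies.
 *  - all-match (default): every rule matching subject and object is
 *    consulted; the first one that withholds a requested bit denies.
 *  - first-match: only the first matching rule decides, as in ipfw(8).
 *  - an effective uid of 0 bypasses the rules entirely.
 *  - with no matching rule the policy stays silent and the kernel's other
 *    checks decide. */
static int be_check(const struct be_rule *rules, size_t nrules, unsigned euid,
                    unsigned egid, unsigned ouid, unsigned ogid, unsigned acc)
{
    if (euid == 0)
        return 0;
    for (size_t i = 0; i < nrules; i++) {
        const struct be_rule *r = &rules[i];

        if (!be_rule_matches(r, euid, egid, ouid, ogid))
            continue;
        if ((acc & r->mode) != acc) {
            if (be_logging)
                snprintf(be_last_log, sizeof be_last_log,
                         "mac_bsdextended: rule %zu: uid %u gid %u denied "
                         "access 0x%x to object uid %u gid %u",
                         i, euid, egid, acc, ouid, ogid);
            return EACCES;
        }
        if (be_firstmatch_enabled)
            return 0;             /* first matching rule granted it; stop */
    }
    return 0;
}

/* Constructed ruleset. Rules 0 and 1 both match uid 1001 acting on
 * root-owned objects but disagree on writes, which is where first-match and
 * all-match diverge. Rule 2 lets group 80 read and execute, but not write,
 * group-80 objects regardless of uid. */
static const struct be_rule be_demo_rules[] = {
    { {false, 1001}, {true, 0},   {false, 0}, {true, 0},   BE_READ | BE_WRITE },
    { {false, 1001}, {true, 0},   {false, 0}, {true, 0},   BE_READ },
    { {true, 0},     {false, 80}, {true, 0},  {false, 80}, BE_READ | BE_EXEC },
};

static int be_demo(int firstmatch, unsigned euid, unsigned egid,
                   unsigned ouid, unsigned ogid, unsigned acc)
{
    be_firstmatch_enabled = firstmatch;
    return be_check(be_demo_rules, sizeof be_demo_rules / sizeof be_demo_rules[0],
                    euid, egid, ouid, ogid, acc);
}

int main(void)
{
    be_logging = 1;
    printf("uid 1001 writes root file, first-match: %d\n", be_demo(1, 1001, 1001, 0, 0, BE_WRITE));
    printf("uid 1001 writes root file, all-match:   %d\n", be_demo(0, 1001, 1001, 0, 0, BE_WRITE));
    printf("logged: %s\n", be_last_log);
    return 0;
}
```

The same ruleset gives opposite answers in the two modes: with first match enabled, rule 0 grants the write and rule 1 is never consulted; with all-match, rule 1 withholds the write and the log line names it. Rule ordering therefore becomes security-relevant as soon as first match is turned on.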
* * Add a "how" argument to uma_zone constructors and initialization
    functions so that they know whether the allocation is supposed to be
    able to sleep or not.
  * Allow uma_zone constructors and initialization functions to return
    either success or error. Almost all of the ones in the tree currently
    return success unconditionally, but mbuf is a notable exception: the
    packet zone constructor wants to be able to fail if it cannot
    suballocate an mbuf cluster, and the mbuf allocators want to be able to
    fail in general in a MAC kernel if the MAC mbuf initializer fails. This
    fixes the panics people are seeing when they run out of memory for mbuf
    clusters.
  * Allow debug.nosleepwithlocks on WITNESS to be disabled, without
    changing the default.

  Both bmilekic and jeff have reviewed the changes made to make failable
  zone allocations work.

  (green, 2004-08-02; 1 file, -3/+4)
* Introduce SLOT_SET macro and use it in place of casts as lvalues.

  (kan, 2004-07-28; 3 files, -12/+16)

* Allow an effective uid of root to bypass mac_bsdextended rules; the MAC
  Framework can restrict the root user, but this policy is not intended to
  support that.

  Stylish Swiss footwear provided for: trhodes

  (rwatson, 2004-07-23; 1 file, -0/+3)
* Rename Biba and MLS _single label elements to _effective, which more
  accurately represents the intention of the 'single' label element in
  Biba and MLS labels. It also approximates the use of 'effective' in
  traditional UNIX credentials, and avoids confusion with 'singlelabel' in
  the context of file systems.

  Inspired by: trhodes

  (rwatson, 2004-07-16; 4 files, -353/+353)

* Do a pass over all modules in the kernel and make them return EOPNOTSUPP
  for unknown events. A number of modules return EINVAL in this instance,
  and I have left those alone for now and instead taught MOD_QUIESCE to
  accept this as "didn't do anything".

  (phk, 2004-07-15; 2 files, -0/+2)

* Update for the KDB framework:

  o Call kdb_enter() instead of Debugger().

  (marcel, 2004-07-10; 1 file, -28/+29)
* Introduce a temporary mutex, mac_ifnet_mtx, to lock MAC labels on
  network interfaces. This global mutex will protect all ifnet labels.
  Acquire the mutex across various MAC activities on interfaces, such as
  security checks, propagating interface labels to mbufs generated from
  the interface, retrieving and setting the interface label.

  Introduce mpo_copy_ifnet_label MAC policy entry point to copy the value
  of an interface label from one label to another. Use this to avoid
  performing a label externalize while holding mac_ifnet_mtx; copy the
  label to a temporary ifnet label and then externalize that.

  Implement mpo_copy_ifnet_label for various MAC policies that implement
  interface labeling using generic label copying routines.

  Obtained from: TrustedBSD Project
  Sponsored by:  DARPA, McAfee Research

  (rwatson, 2004-06-24; 7 files, -0/+53)
* Do the dreaded s/dev_t/struct cdev */

  Bump __FreeBSD_version accordingly.

  (phk, 2004-06-16; 8 files, -8/+9)

* Socket MAC labels so_label and so_peerlabel are now protected by
  SOCK_LOCK(so):

  - Hold socket lock over calls to MAC entry points reading or
    manipulating socket labels.
  - Assert socket lock in MAC entry point implementations.
  - When externalizing the socket label, first make a thread-local copy
    while holding the socket lock, then release the socket lock to
    externalize to userspace.

  (rwatson, 2004-06-13; 1 file, -8/+57)

* add missing #include <sys/module.h>

  (phk, 2004-05-30; 2 files, -0/+2)
* Remove dead code. (This loop counted the number of rules, but the count
  was never used.)

  Reported by: pjd
  Approved by: rwatson

  (cperciva, 2004-05-15; 1 file, -7/+0)

* Improve consistency of include file guards in src/sys/sys by terminating
  them with '_', as well as beginning with '_'.

  Observed by: bde

  (rwatson, 2004-05-10; 2 files, -6/+6)
* If the mbuf pointer passed to mac_mbuf_to_label() is NULL, or the tag
  lookup for the label tag fails, return NULL rather than something close
  to NULL. This scenario occurs if mbuf header labeling is optional and a
  policy requiring labeling is loaded, resulting in some mbufs having
  labels and others not. Previously, 0x14 would be returned because the
  NULL from m_tag_find() was not treated specially.

  Obtained from: TrustedBSD Project
  Sponsored by:  DARPA, McAfee Research

  (rwatson, 2004-05-03; 1 file, -1/+4)
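Added example, not FreeBSD code: why the unchecked tag lookup described above produced "something close to NULL". A label stored in an mbuf tag lives directly after the tag header, so the label pointer is formed as tag + 1; when the lookup returns NULL that arithmetic yields sizeof(struct m_tag) instead of NULL (0x14 on the i386 kernel of the commit), and every "is this mbuf labelled?" test in the callers is fooled. The struct layouts, the tag id and the constructed mbufs below are simplified stand-ins, not the kernel's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the mbuf tag header; the payload follows it. */
struct m_tag {
    struct m_tag *next;
    uint16_t      tag_id;
    uint16_t      tag_len;
    uint32_t      cookie;
};

struct label {                     /* stand-in for the MAC label payload */
    uint32_t l_flags;
    void    *l_perpolicy[4];
};

struct mbuf {                      /* only the tag chain matters here */
    struct m_tag *tags;
};

#define PACKET_TAG_MACLABEL 10     /* tag id assumed for the example */

static struct m_tag *m_tag_find(const struct mbuf *m, uint16_t id)
{
    for (struct m_tag *t = m->tags; t != NULL; t = t->next)
        if (t->tag_id == id)
            return t;
    return NULL;
}

/* Before the fix: the label is assumed to sit right after the tag header,
 * so the pointer is "tag + 1". With a NULL mbuf or a failed lookup that
 * arithmetic starts at address 0 and comes out as sizeof(struct m_tag),
 * which is non-NULL. uintptr_t is used here to reproduce that address
 * without undefined pointer arithmetic on NULL. */
static struct label *mac_mbuf_to_label_before(const struct mbuf *m)
{
    struct m_tag *tag = (m != NULL) ? m_tag_find(m, PACKET_TAG_MACLABEL) : NULL;

    return (struct label *)((uintptr_t)tag + sizeof(struct m_tag));
}

/* After the fix: NULL in, NULL out. This is what makes mixed populations
 * of labelled and unlabelled mbufs (optional labelling, policy loaded
 * late) safe to test for. */
static struct label *mac_mbuf_to_label_after(const struct mbuf *m)
{
    struct m_tag *tag;

    if (m == NULL)
        return NULL;
    tag = m_tag_find(m, PACKET_TAG_MACLABEL);
    if (tag == NULL)
        return NULL;
    return (struct label *)(tag + 1);
}

/* Constructed sample data: one mbuf carrying a label tag, one without. */
static struct {
    struct m_tag hdr;
    struct label lbl;
} labeled_tag = {
    { NULL, PACKET_TAG_MACLABEL, sizeof(struct label), 0 },
    { 0x1, { NULL, NULL, NULL, NULL } },
};
static struct mbuf mb_labeled = { &labeled_tag.hdr };
static struct mbuf mb_plain   = { NULL };

int main(void)
{
    printf("before, NULL mbuf:  %p\n", (void *)mac_mbuf_to_label_before(NULL));
    printf("before, plain mbuf: %p\n", (void *)mac_mbuf_to_label_before(&mb_plain));
    printf("after,  plain mbuf: %p\n", (void *)mac_mbuf_to_label_after(&mb_plain));
    printf("after,  labeled:    flags 0x%x\n", mac_mbuf_to_label_after(&mb_labeled)->l_flags);
    return 0;
}
```

The "before" variant returns a pointer that is non-NULL yet points into the zero page, so a caller that guards with "if (label == NULL)" proceeds to dereference it; the exact value depends on the tag header size of the platform, which is why the commit reports 0x14.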