path: root/sys/security
Commit message (author, age, files changed, lines removed/added)
* Protect the event->class lookup database using an rwlock instead of a
  mutex, as it's rarely changed but frequently accessed read-only from multiple threads, so a potentially significant source of contention.
  MFC after: 1 month
  Sponsored by: Apple, Inc.
  [rwatson, 2008-10-30, 1 file, -8/+15]
* The V* flags passed using an accmode_t to the access() and open()
  access control checks in mac_bsdextended are not in the same namespace as the MBI_ flags used in ugidfw policies, so add an explicit conversion routine to get from one to the other.
  Obtained from: TrustedBSD Project
  [rwatson, 2008-10-30, 3 files, -12/+26]
* Commit part of accmode_t changes that I missed in previous commit.
  Approved by: rwatson (mentor)
  [trasz, 2008-10-28, 1 file, -1/+1]
* Break out strictly credential-related portions of mac_process.c into a
  new file, mac_cred.c.
  Obtained from: TrustedBSD Project
  [rwatson, 2008-10-28, 2 files, -141/+213]
* Introduce accmode_t. This is required for NFSv4 ACLs - it will be necessary
  to add more V* constants, and the variables changed by this patch were often being assigned to mode_t variables, which is 16 bit.
  Approved by: rwatson (mentor)
  [trasz, 2008-10-28, 10 files, -25/+37]
* Rename mac_cred_mmapped_drop_perms(), which revokes access to virtual
  memory mappings when the MAC label on a process changes, to mac_proc_vm_revoke(). It now also acquires its own credential reference directly from the affected process rather than accepting one passed by the caller, simplifying the API and consumer code.
  Obtained from: TrustedBSD Project
  [rwatson, 2008-10-28, 4 files, -20/+18]
* Rename three MAC entry points from _proc_ to _cred_ to reflect the fact
  that they operate directly on credentials: mac_proc_create_swapper(), mac_proc_create_init(), and mac_proc_associate_nfsd(). Update policies.
  Obtained from: TrustedBSD Project
  [rwatson, 2008-10-28, 9 files, -201/+202]
* Extended comment on why we consider a partition relabel request of "0" to
  be a no-op request, and why this might have to change if we want to allow leaving a partition someday.
  Obtained from: TrustedBSD Project
  MFC after: 3 days
  [rwatson, 2008-10-28, 1 file, -1/+7]
* Rename label_on_label() to partition_check(), which is far more
  suggestive as to its actual function.
  Obtained from: TrustedBSD Project
  MFC after: 3 days
  [rwatson, 2008-10-28, 1 file, -7/+7]
* Improve alphabetical sort order of stub entry points.
  [rwatson, 2008-10-28, 1 file, -32/+32]
* When the mac_bsdextended policy is unloaded, free rule memory.
  Obtained from: TrustedBSD Project
  MFC after: 3 days
  [rwatson, 2008-10-27, 1 file, -0/+5]
* Add TrustedBSD credit to new ugidfw_internal.h file.
  [rwatson, 2008-10-27, 1 file, -0/+2]
* Break mac_bsdextended.c out into multiple .c files, with the base access
  control logic and policy registration remaining in that file, and access control checks broken out into other files by class of check.
  Obtained from: TrustedBSD Project
  [rwatson, 2008-10-27, 4 files, -1451/+149]
* Copy mac_bsdextended.c to two object-specific files as a prototype for how
  to modularize MAC policy layout.
  Obtained from: TrustedBSD Project
  [rwatson, 2008-10-27, 2 files, -0/+1536]
* Implement MAC policy support for IPv6 fragment reassembly queues,
  modeled on IPv4 fragment reassembly queue support.
  Obtained from: TrustedBSD Project
  [rwatson, 2008-10-26, 5 files, -5/+275]
* Add a MAC label, MAC Framework, and MAC policy entry points for IPv6
  fragment reassembly queues. This allows policies to label reassembly queues, perform access control checks when matching fragments to a queue, update a queue label when fragments are matched, and label the resulting reassembled datagram.
  Obtained from: TrustedBSD Project
  [rwatson, 2008-10-26, 3 files, -3/+129]
* Fix a number of style issues in the MALLOC / FREE commit. I've tried to
  be careful not to fix anything that was already broken; the NFSv4 code is particularly bad in this respect.
  [des, 2008-10-23, 1 file, -1/+2]
* Retire the MALLOC and FREE macros. They are an abomination unto style(9).
  MFC after: 3 months
  [des, 2008-10-23, 2 files, -4/+3]
* Add a mac_inpcb_check_visible implementation to all MAC policies
  that handle mac_socket_check_visible.
  Reviewed by: rwatson
  MFC after: 3 months (set timer; decide then)
  [bz, 2008-10-17, 7 files, -0/+111]
* Add mac_inpcb_check_visible MAC Framework entry point, which is similar
  to mac_socket_check_visible but operates on the inpcb.
  Reviewed by: rwatson
  MFC after: 3 months (set timer, decide then)
  [bz, 2008-10-17, 3 files, -0/+16]
* Use the label from the socket credential rather than the
  solabel which was not set by the mac_partition policy.
  Spotted by: rwatson
  Reviewed by: rwatson
  MFC after: 3 days
  [bz, 2008-10-17, 1 file, -1/+2]
* Remove unit2minor() use from kernel code.
  When I changed kern_conf.c three months ago I made device unit numbers equal to (unneeded) device minor numbers. We used to require bitshifting, because there were eight bits in the middle that were reserved for a device major number. Not very long after I turned dev2unit(), minor(), unit2minor() and minor2unit() into macros. The unit2minor() and minor2unit() macros were no-ops. We'd better not remove these four macros from the kernel, because there is a lot of (external) code that may still depend on them. For now it's harmless to remove all invocations of unit2minor() and minor2unit().
  Reviewed by: kib
  [ed, 2008-09-26, 1 file, -1/+1]
* Remove the suser(9) interface from the kernel. It has been replaced for
  years by the priv_check(9) interface and just very few places are left. Note that compatibility stubs with older FreeBSD versions (all above the 8 limit though) are left in order to reduce diffs against old versions. It is the responsibility of the maintainers for any module, if they think it is the case, to axe out such cases. This patch breaks KPI so __FreeBSD_version will be bumped in a later commit. This patch needs to be credited 50-50 with rwatson@ as he found time to explain to me how the priv_check() works in detail and to review patches.
  Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
  Reviewed by: rwatson
  [attilio, 2008-09-17, 1 file, -8/+24]
* Remove VSVTX, VSGID and VSUID. This should be a no-op,
  as VSVTX == S_ISVTX, VSGID == S_ISGID and VSUID == S_ISUID.
  Approved by: rwatson (mentor)
  [trasz, 2008-09-10, 1 file, -2/+3]
* Unbreak the build.
  Pointy hat to: kevlo
  [des, 2008-09-04, 1 file, -2/+2]
* If the process id specified is invalid, the system call returns ESRCH
  [kevlo, 2008-09-04, 1 file, -10/+10]
* Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread
  was always curthread and totally unuseful.
  Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
  [attilio, 2008-08-28, 4 files, -5/+4]
* More fully audit fexecve(2) and its arguments.
  Obtained from: TrustedBSD Project
  Sponsored by: Google, Inc.
  [rwatson, 2008-08-25, 1 file, -0/+7]
* Use ERANGE instead of EOVERFLOW selected in r182059; this seems more
  appropriate even if Solaris doesn't document it (E2BIG) or use it (EOVERFLOW).
  Submitted by: nectar at apple dot com
  Sponsored by: Apple, Inc.
  MFC after: 3 days
  [rwatson, 2008-08-24, 1 file, -1/+1]
* Use sbuf_putc instead of sbuf_cat. This makes more sense, since we are
  appending a single character to the buffer.
  MFC after: 2 weeks
  [csjp, 2008-08-24, 1 file, -1/+1]
* Introduce two related changes to the TrustedBSD MAC Framework:
  (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd.
  (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required.
  MFC after: 1 week ((1) only)
  Reviewed by: csjp
  Obtained from: TrustedBSD Project
  Sponsored by: Apple, Inc.
  [rwatson, 2008-08-23, 27 files, -161/+456]
* When getaudit(2) is unable to fit the terminal IPv6 address into the
  space provided by its argument structure, return EOVERFLOW instead of E2BIG. The latter is documented in Solaris's man page, but the former is implemented. In either case, the caller should use getaudit_addr(2) to return the IPv6 address.
  Submitted by: sson
  Obtained from: Apple, Inc.
  MFC after: 3 days
  [rwatson, 2008-08-23, 1 file, -1/+1]
* Make sure we check the preselection masks present for all audit pipes.
  It is possible that the audit pipe(s) have different preselection configs than the global preselection mask.
  Spotted by: Vincenzo Iozzo
  MFC after: 2 weeks
  [csjp, 2008-08-11, 1 file, -1/+2]
* Add sbuf_new_auto as a shortcut for the very common case of creating a
  completely dynamic sbuf.
  Obtained from: Varnish
  MFC after: 2 weeks
  [des, 2008-08-09, 1 file, -1/+1]
* Minor style tweaks.
  [rwatson, 2008-08-02, 3 files, -24/+15]
* Rename mac_partition_enabled to partition_enabled to synchronize with
  other policies that similarly now avoid the additional mac_ prefix on variables.
  MFC after: soon
  [rwatson, 2008-08-02, 1 file, -3/+3]
* In mac_bsdextended's auditctl and acct policy access control checks,
  return success if the passed vnode pointer is NULL (rather than panicking). This can occur if either audit or accounting are disabled while the policy is running. Since the swapoff control has no real relevance to this policy, which is concerned about intent to write rather than water under the bridge, remove it.
  PR: kern/126100
  Reported by: Alan Amesbury <amesbury at umn dot edu>
  MFC after: 3 days
  [rwatson, 2008-07-31, 1 file, -11/+8]
* Currently, BSM audit pathname token generation for chrooted or jailed
  processes is not producing absolute pathname tokens. It is required that audited pathnames are generated relative to the global root mount point. This modification changes our implementation of audit_canon_path(9) and introduces a new function: vn_fullpath_global(9) which performs a vnode -> pathname translation relative to the global mount point based on the contents of the name cache. Much like vn_fullpath, vn_fullpath_global is a wrapper function which calls vn_fullpath1. Further, the string parsing routines have been converted to use the sbuf(9) framework. This change also removes the conditional acquisition of Giant, since the vn_fullpath1 method will not dip into file system dependent code. The vnode locking was modified to use vhold()/vdrop() instead of the vref() and vrele(). This will modify the hold count instead of modifying the user count. This makes more sense since it's the kernel that requires the reference to the vnode. This also makes sure that the vnode does not get recycled while we hold the reference to it. [1]
  Discussed with: rwatson
  Reviewed by: kib [1]
  MFC after: 2 weeks
  [csjp, 2008-07-31, 1 file, -55/+93]
* Further synchronization of copyrights, licenses, white space, etc from
  Apple and from the OpenBSM vendor tree.
  Obtained from: Apple Inc., TrustedBSD Project
  MFC after: 3 days
  [rwatson, 2008-07-31, 9 files, -11/+10]
* Minor white space tweak.
  Obtained from: Apple Inc.
  MFC after: 3 days
  [rwatson, 2008-07-23, 1 file, -1/+1]
* If an AUE_SYSCTL_NONADMIN audit event is selected, generate a record
  with equivalent content to AUE_SYSCTL.
  Obtained from: Apple Inc.
  MFC after: 3 days
  [rwatson, 2008-07-22, 1 file, -0/+1]
* Further minor style fixes to audit.
  Obtained from: Apple Inc.
  MFC after: 3 days
  [rwatson, 2008-07-22, 1 file, -5/+10]
* Remove unneeded \ at the end of a macro.
  Obtained from: Apple Inc.
  MFC after: 3 days
  [rwatson, 2008-07-22, 1 file, -1/+1]
* Further minor white space tweaks.
  Obtained from: Apple Inc.
  MFC after: 3 days
  [rwatson, 2008-07-22, 1 file, -2/+2]
* Generally avoid <space><tab> as a white space anomaly.
  Obtained from: Apple Inc.
  MFC after: 3 days
  [rwatson, 2008-07-22, 5 files, -18/+18]
* Use #define<tab> rather than #define<space>.
  Obtained from: Apple Inc.
  MFC after: 3 days
  [rwatson, 2008-07-22, 2 files, -9/+9]
* Comment fix.
  Obtained from: Apple Inc.
  MFC after: 3 days
  [rwatson, 2008-07-22, 1 file, -1/+1]
* Comment typo fix.
  Obtained from: Apple Inc.
  MFC after: 3 days
  [rwatson, 2008-07-22, 1 file, -1/+1]
* Minor white space synchronization to Apple version of security audit.
  Obtained from: Apple Inc.
  MFC after: 3 days
  [rwatson, 2008-07-22, 1 file, -4/+4]
* In preparation to sync Apple and FreeBSD versions of security audit,
  pick up the Apple Computer -> Apple change in their copyright and license templates.
  Obtained from: Apple Inc.
  MFC after: 3 days
  [rwatson, 2008-07-22, 9 files, -18/+18]