summaryrefslogtreecommitdiffstats
path: root/sys/security
Commit message (Collapse)AuthorAgeFilesLines
* Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.ed2011-11-0711-13/+13
| | | | | | The SYSCTL_NODE macro defines a list that stores all child-elements of that node. If there's no SYSCTL_DECL macro anywhere else, there's no reason why it shouldn't be static.
* Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.ed2011-11-073-3/+4
| | | | This means that their use is restricted to a single C file.
* Get rid of D_PSEUDO.ed2011-10-181-1/+1
| | | | | | | | | | It seems the D_PSEUDO flag was meant to allow make_dev() to return NULL. Nowadays we have a different interface for that; make_dev_p(). There's no need to keep it there. While there, remove an unneeded D_NEEDMINOR from the gpio driver. Discussed with: gonzo@ (gpio)
* Remove two dublicated assignments.brueffer2011-10-081-3/+0
| | | | | | | CID: 9870 Found with: Coverity Prevent(tm) Confirmed by: rwatson MFC after: 1 week
* In order to maximize the re-usability of kernel code in user space thiskmacy2011-09-162-38/+38
| | | | | | | | | | | | | patch modifies makesyscalls.sh to prefix all of the non-compatibility calls (e.g. not linux_, freebsd32_) with sys_ and updates the kernel entry points and all places in the code that use them. It also fixes an additional name space collision between the kernel function psignal and the libc function of the same name by renaming the kernel psignal kern_psignal(). By introducing this change now we will ease future MFCs that change syscalls. Reviewed by: rwatson Approved by: re (bz)
* Correct several issues in the integration of POSIX shared memory objectsrwatson2011-09-027-16/+462
| | | | | | | | | | | | | | | | | | | | | | and the new setmode and setowner fileops in FreeBSD 9.0: - Add new MAC Framework entry point mac_posixshm_check_create() to allow MAC policies to authorise shared memory use. Provide a stub policy and test policy templates. - Add missing Biba and MLS implementations of mac_posixshm_check_setmode() and mac_posixshm_check_setowner(). - Add 'accmode' argument to mac_posixshm_check_open() -- unlike the mac_posixsem_check_open() entry point it was modeled on, the access mode is required as shared memory access can be read-only as well as writable; this isn't true of POSIX semaphores. - Implement full range of POSIX shared memory entry points for Biba and MLS. Sponsored by: Google Inc. Obtained from: TrustedBSD Project Approved by: re (kib)
* Fix a deficiency in the selinfo interface:attilio2011-08-251-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If a selinfo object is recorded (via selrecord()) and then it is quickly destroyed, with the waiters missing the opportunity to awake, at the next iteration they will find the selinfo object destroyed, causing a PF#. That happens because the selinfo interface has no way to drain the waiters before to destroy the registered selinfo object. Also this race is quite rare to get in practice, because it would require a selrecord(), a poll request by another thread and a quick destruction of the selrecord()'ed selinfo object. Fix this by adding the seldrain() routine which should be called before to destroy the selinfo objects (in order to avoid such case), and fix the present cases where it might have already been called. Sometimes, the context is safe enough to prevent this type of race, like it happens in device drivers which installs selinfo objects on poll callbacks. There, the destruction of the selinfo object happens at driver detach time, when all the filedescriptors should be already closed, thus there cannot be a race. For this case, mfi(4) device driver can be set as an example, as it implements a full correct logic for preventing this from happening. Sponsored by: Sandvine Incorporated Reported by: rstone Tested by: pluknet Reviewed by: jhb, kib Approved by: re (bz) MFC after: 3 weeks
* Add the fo_chown and fo_chmod methods to struct fileops and use themkib2011-08-166-0/+176
| | | | | | | | | | to implement fchown(2) and fchmod(2) support for several file types that previously lacked it. Add MAC entries for chown/chmod done on posix shared memory and (old) in-kernel posix semaphores. Based on the submission by: glebius Reviewed by: rwatson Approved by: re (bz)
* Second-to-last commit implementing Capsicum capabilities in the FreeBSDrwatson2011-08-112-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | kernel for FreeBSD 9.0: Add a new capability mask argument to fget(9) and friends, allowing system call code to declare what capabilities are required when an integer file descriptor is converted into an in-kernel struct file *. With options CAPABILITIES compiled into the kernel, this enforces capability protection; without, this change is effectively a no-op. Some cases require special handling, such as mmap(2), which must preserve information about the maximum rights at the time of mapping in the memory map so that they can later be enforced in mprotect(2) -- this is done by narrowing the rights in the existing max_protection field used for similar purposes with file permissions. In namei(9), we assert that the code is not reached from within capability mode, as we're not yet ready to enforce namespace capabilities there. This will follow in a later commit. Update two capability names: CAP_EVENT and CAP_KEVENT become CAP_POST_KEVENT and CAP_POLL_KEVENT to more accurately indicate what they represent. Approved by: re (bz) Submitted by: jonathan Sponsored by: Google Inc
* Provide ability to audit cap_rights_t arguments.jonathan2011-07-184-0/+44
| | | | | | | | | | | We wish to be able to audit capability rights arguments; this code provides the necessary infrastructure. This commit does not, of itself, turn on such auditing for any system call; that should follow shortly. Approved by: mentor (rwatson), re (Capsicum blanket) Sponsored by: Google Inc
* - Add a FEATURE for capsicum (security_capabilities).netchild2011-03-041-1/+1
| | | | | | - Rename mac FEATURE to security_mac. Discussed with: rwatson
* Add ECAPMODE, "Not permitted in capability mode", a new kernel errnorwatson2011-03-011-0/+14
| | | | | | | | | | constant to indicate that a system call (or perhaps an operation requested via a system call) is not permitted for a capability mode process. Submitted by: anderson Sponsored by: Google, Inc. Obtained from: Capsicum Project MFC after: 1 week
* Add some FEATURE macros for various features (AUDIT/CAM/IPC/KTR/MAC/NFS/NTP/netchild2011-02-252-0/+5
| | | | | | | | | | | | | PMC/SYSV/...). No FreeBSD version bump, the userland application to query the features will be committed last and can serve as an indication of the availablility if needed. Sponsored by: Google Summer of Code 2010 Submitted by: kibab Reviewed by: arch@ (parts by rwatson, trasz, jhb) X-MFC after: to be determined in last commit with code from this project
* Unless "cnt" exceeds MAX_COMMIT_COUNT, nfsrv_commit() and nfsvno_fsync() arealc2011-02-051-5/+2
| | | | | | | | | | | incorrectly calling vm_object_page_clean(). They are passing the length of the range rather than the ending offset of the range. Perform the OFF_TO_IDX() conversion in vm_object_page_clean() rather than the callers. Reviewed by: kib MFC after: 3 weeks
* sysctl(9) cleanup checkpoint: amd64 GENERIC builds cleanly.mdf2011-01-122-2/+2
| | | | Commit the security directory.
* Fix typos.brucec2010-11-091-1/+1
| | | | | PR: bin/148894 Submitted by: olgeni
* Add missing DTrace probe invocation to mac_vnode_check_open; the proberwatson2010-10-231-0/+2
| | | | | | | was declared, but never used. MFC after: 3 days Sponsored by: Google, Inc.
* Replace sbuf_overflowed() with sbuf_error(), which returns any errormdf2010-09-101-1/+1
| | | | | | code associated with overflow or with the drain function. While this function is not expected to be used often, it produces more information in the form of an errno that sbuf_overflowed() did.
* Add an extra comment to the SDT probes definition. This allows us to getrpaulo2010-08-222-13/+15
| | | | | | | | | use '-' in probe names, matching the probe names in Solaris.[1] Add userland SDT probes definitions to sys/sdt.h. Sponsored by: The FreeBSD Foundation Discussed with: rwaston [1]
* Add a case to make sure that internal audit records get convertedcsjp2010-05-041-0/+1
| | | | | | to BSM format for lpathconf(2) events. MFC after: 2 weeks
* Update device-labeling logic for Biba, LOMAC, and MLS to recognize new-stylerwatson2010-03-023-0/+3
| | | | | | | pts devices when various policy ptys_equal flags are enabled. Submitted by: Estella Mystagic <estella at mystagic.com> MFC after: 1 week
* Make sure we convert audit records that were produced as the result of thecsjp2010-01-311-0/+7
| | | | closefrom(2) syscall.
* Replace the static NGROUPS=NGROUPS_MAX+1=1024 with a dynamicbrooks2010-01-121-2/+2
| | | | | | | | kern.ngroups+1. kern.ngroups can range from NGROUPS_MAX=1023 to INT_MAX-1. Given that the Windows group limit is 1024, this range should be sufficient for most applications. MFC after: 1 month
* Make mac_lomac(4) able to interpret NFSv4 access bits.trasz2010-01-031-1/+1
| | | | Reviewed by: rwatson
* Having thrown the cat out of the house, add a necessary include.phk2009-09-081-0/+1
|
* Revert previous commit and add myself to the list of people who shouldphk2009-09-081-1/+0
| | | | know better than to commit with a cat in the area.
* Add necessary include.phk2009-09-081-0/+1
|
* Correctly audit real gids following changes to the audit record argumentrwatson2009-08-121-1/+1
| | | | | | interface. Approved by: re (kib)
* Eliminate ARG_UPATH[12] arguments to AUDIT_ARG_UPATH() and insteadrwatson2009-07-293-89/+89
| | | | | | | | | | | | provide specific macros, AUDIT_ARG_UPATH1() and AUDIT_ARG_UPATH2() to capture path information for audit records. This allows us to move the definitions of ARG_* out of the public audit header file, as they are an implementation detail of our current kernel-internal audit record, which may change. Approved by: re (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
* Rework vnode argument auditing to follow the same structure, in orderrwatson2009-07-283-34/+50
| | | | | | | | | | to avoid exposing ARG_ macros/flag values outside of the audit code in order to name which one of two possible vnodes will be audited for a system call. Approved by: re (kib) Obtained from: TrustedBSD Project MFC after: 1 month
* Audit file descriptors passed to fooat(2) system calls, which are usedrwatson2009-07-286-83/+184
| | | | | | | | | | | | | | | instead of the root/current working directory as the starting point for lookups. Up to two such descriptors can be audited. Add audit record BSM encoding for fooat(2). Note: due to an error in the OpenBSM 1.1p1 configuration file, a further change is required to that file in order to fix openat(2) auditing. Approved by: re (kib) Reviewed by: rdivacky (fooat(2) portions) Obtained from: TrustedBSD Project MFC after: 1 month
* Import OpenBSM 1.1p1 from vendor branch to 8-CURRENT, populatingrwatson2009-07-172-8/+121
| | | | | | | | | | | | | | | | | contrib/openbsm and a subset also imported into sys/security/audit. This patch release addresses several minor issues: - Fixes to AUT_SOCKUNIX token parsing. - IPv6 support for au_to_me(3). - Improved robustness in the parsing of audit_control, especially long flags/naflags strings and whitespace in all fields. - Add missing conversion of a number of FreeBSD/Mac OS X errnos to/from BSM error number space. MFC after: 3 weeks Obtained from: TrustedBSD Project Sponsored by: Apple, Inc. Approved by: re (kib)
* Create audit records for AUE_POSIX_OPENPT, currently w/o arguments.rwatson2009-07-021-0/+1
| | | | Approved by: re (audit argument blanket)
* Fix comment misthink.rwatson2009-07-021-1/+1
| | | | | | Submitted by: b. f. <bf1783 at googlemail.com> Approved by: re (audit argument blanket) MFC after: 1 week
* Clean up a number of aspects of token generation from audit arguments torwatson2009-07-021-69/+55
| | | | | | | | | | | | | | | | system calls: - Centralize generation of argument tokens for VM addresses in a macro, ADDR_TOKEN(), and properly encode 64-bit addresses in 64-bit arguments. - Fix up argument numbers across a large number of syscalls so that they match the numeric argument into the system call. - Don't audit the address argument to ioctl(2) or ptrace(2), but do keep generating tokens for mmap(2), minherit(2), since they relate to passing object access across execve(2). Approved by: re (audit argument blanket) Obtained from: TrustedBSD Project MFC after: 1 week
* For access(2) and eaccess(2), audit the requested access mode.rwatson2009-07-011-2/+9
| | | | | Approved by: re (audit argument blanket) MFC after: 3 days
* Define missing audit argument macro AUDIT_ARG_SOCKET(), andrwatson2009-07-011-0/+6
| | | | | | | | capture the domain, type, and protocol arguments to socket(2) and socketpair(2). Approved by: re (audit argument blanket) MFC after: 3 days
* When auditing unmount(2), capture FSID arguments as regular text stringsrwatson2009-07-011-0/+8
| | | | | | | | | | rather than as paths, which would lead to them being treated as relative pathnames and hence confusingly converted into absolute pathnames. Capture flags to unmount(2) via an argument token. Approved by: re (audit argument blanket) MFC after: 3 days
* Audit the file descriptor number passed to lseek(2).rwatson2009-07-011-1/+1
| | | | | Approved by: re (kib) MFC after: 3 days
* udit the 'options' argument to wait4(2).rwatson2009-07-011-0/+4
| | | | | Approved by: re (kib) MFC after: 3 days
* Dynamically allocate the gidset field in audit record.sson2009-06-293-2/+13
| | | | | | | | | This fixes a problem created by the recent change that allows a large number of groups per user. The gidset field in struct kaudit_record is now dynamically allocated to the size needed rather than statically (using NGROUPS). Approved by: re@ (kensmith, rwatson), gnn (mentor)
* Replace AUDIT_ARG() with variable argument macros with a set more morerwatson2009-06-272-15/+174
| | | | | | | | | | | | | | specific macros for each audit argument type. This makes it easier to follow call-graphs, especially for automated analysis tools (such as fxr). In MFC, we should leave the existing AUDIT_ARG() macros as they may be used by third-party kernel modules. Suggested by: brooks Approved by: re (kib) Obtained from: TrustedBSD Project MFC after: 1 week
* Implement global and per-uid accounting of the anonymous memory. Addkib2009-06-232-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | rlimit RLIMIT_SWAP that limits the amount of swap that may be reserved for the uid. The accounting information (charge) is associated with either map entry, or vm object backing the entry, assuming the object is the first one in the shadow chain and entry does not require COW. Charge is moved from entry to object on allocation of the object, e.g. during the mmap, assuming the object is allocated, or on the first page fault on the entry. It moves back to the entry on forks due to COW setup. The per-entry granularity of accounting makes the charge process fair for processes that change uid during lifetime, and decrements charge for proper uid when region is unmapped. The interface of vm_pager_allocate(9) is extended by adding struct ucred *, that is used to charge appropriate uid when allocation if performed by kernel, e.g. md(4). Several syscalls, among them is fork(2), may now return ENOMEM when global or per-uid limits are enforced. In collaboration with: pho Reviewed by: alc Approved by: re (kensmith)
* Chase the removal of PRIV_TTY_PRISON in the mac(9) modules.ed2009-06-202-2/+0
| | | | | Reported by: kib Pointy hat to: me
* Adapt vfs kqfilter to the shared vnode lock used by zfs write vop. Usekib2009-06-101-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | vnode interlock to protect the knote fields [1]. The locking assumes that shared vnode lock is held, thus we get exclusive access to knote either by exclusive vnode lock protection, or by shared vnode lock + vnode interlock. Do not use kl_locked() method to assert either lock ownership or the fact that curthread does not own the lock. For shared locks, ownership is not recorded, e.g. VOP_ISLOCKED can return LK_SHARED for the shared lock not owned by curthread, causing false positives in kqueue subsystem assertions about knlist lock. Remove kl_locked method from knlist lock vector, and add two separate assertion methods kl_assert_locked and kl_assert_unlocked, that are supposed to use proper asserts. Change knlist_init accordingly. Add convenience function knlist_init_mtx to reduce number of arguments for typical knlist initialization. Submitted by: jhb [1] Noted by: jhb [2] Reviewed by: jhb Tested by: rnoland
* Move "options MAC" from opt_mac.h to opt_global.h, as it's now in GENERICrwatson2009-06-051-2/+0
| | | | | | | | and used in a large number of files, but also because an increasing number of incorrect uses of MAC calls were sneaking in due to copy-and-paste of MAC-aware code without the associated opt_mac.h include. Discussed with: pjd
* Add one further check with mac_policy_count to an mbuf copying caserwatson2009-06-031-0/+3
| | | | | | | (limited to netatalk) to avoid MAC label lookup on both mbufs if no policies are registered. Obtained from: TrustedBSD Project
* Continue work to optimize performance of "options MAC" when no MAC policyrwatson2009-06-0310-94/+328
| | | | | | | | | | | | | | | | | | | | | | | | | | | modules are loaded by avoiding mbuf label lookups when policies aren't loaded, pushing further socket locking into MAC policy modules, and avoiding locking MAC ifnet locks when no policies are loaded: - Check mac_policies_count before looking for mbuf MAC label m_tags in MAC Framework entry points. We will still pay label lookup costs if MAC policies are present but don't require labels (typically a single mbuf header field read, but perhaps further indirection if IPSEC or other m_tag consumers are in use). - Further push socket locking for socket-related access control checks and events into MAC policies from the MAC Framework, so that sockets are only locked if a policy specifically requires a lock to protect a label. This resolves lock order issues during sonewconn() and also in local domain socket cross-connect where multiple socket locks could not be held at once for the purposes of propagatig MAC labels across multiple sockets. Eliminate mac_policy_count check in some entry points where it no longer avoids locking. - Add mac_policy_count checking in some entry points relating to network interfaces that otherwise lock a global MAC ifnet lock used to protect ifnet labels. Obtained from: TrustedBSD Project
* By default, label all network interfaces as biba/equal on attach. Thisrwatson2009-06-031-1/+1
| | | | | | | | makes it easier for first-time users to configure and work with biba as remote acess is still allowed. Effectively, this means that, by default, only local security properties, not distributed ones, are enforced. Obtained from: TrustedBSD Project
* Mark MAC Framework sx and rm locks as NOWITNESS to suppress warnings thatrwatson2009-06-021-2/+2
| | | | | | | | | might arise from WITNESS not understanding its locking protocol, which should be deadlock-free. Currently these warnings generally don't occur, but as object locking is pushed into policies for some object types, they would otherwise occur more often. Obtained from: TrustedBSD Project
OpenPOWER on IntegriCloud