path: root/sys/security
* Trim "trustedbsd_" from the front of the policy module "short names";
  the vendor is only included in the long name currently, reducing verbosity when modules are registered and unregistered.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-03-27, 9 files changed, -10/+10)
* Modify the mac_init_ipq() MAC Framework entry point to accept an
  additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-03-26, 16 files changed, -41/+106)
* Update the MAC regression test policy to include stubs and testing
  functionality for the following entry points:
    mac_test_init_proc_label()
    mac_test_destroy_proc_label()
  For process labeling entry points, now also track the use of process labels and test assertions about their integrity and life cycle.
    mac_test_thread_userret()
    mac_test_check_kenv_dump()
    mac_test_check_kenv_get()
    mac_test_check_kenv_set()
    mac_test_check_kenv_unset()
    mac_test_check_kld_load()
    mac_test_check_kld_stat()
    mac_test_check_kld_unload()
    mac_test_check_sysarch_ioperm()
    mac_test_check_system_acct()
    mac_test_check_system_reboot()
    mac_test_check_system_settime()
    mac_test_check_system_swapon()
    mac_test_check_system_swapoff()
    mac_test_check_system_sysctl()
  For other entry points, just provide testing stubs.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-03-25, 1 file changed, -0/+155)
* Update MAC "none" stub policy to include stubs for the following
  entry points:
    mac_none_thread_userret()
    mac_none_check_kenv_dump()
    mac_none_check_kenv_get()
    mac_none_check_kenv_set()
    mac_none_check_kenv_unset()
    mac_none_check_kld_load()
    mac_none_check_kld_stat()
    mac_none_check_kld_unload()
    mac_none_check_sysarch_ioperm()
    mac_none_check_system_acct()
    mac_none_check_system_settime()
    mac_none_check_system_swapoff()
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-03-25, 2 files changed, -0/+196)
* Expand scope of the MLS policy to include a new entry point available
  for enforcement:
    mac_mls_check_system_swapon() - Require that the subject and the swapfile target vnode labels dominate one another. An additional check is probably needed here to require that the swapfile target has a label of mls/high to prevent information leakage through swapfiles.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-03-25, 1 file changed, -0/+20)
* Expand scope of the BSD extended "file system firewall" policy to
  include a new entry point available for enforcement:
    mac_bsdextended_check_system_swapon() - Apply extended access control checks to the file target of swap.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-03-25, 1 file changed, -0/+17)
* Expand scope of the Biba policy to include some of the new entry
  points available for enforcement:
    mac_biba_check_sysarch_ioperm() - Require Biba privilege to make use of privileged machine-dependent interfaces, protecting against bypass of the policy via various mechanisms.
    mac_biba_check_system_swapoff() - Require Biba privilege to disable swapping against a vnode target.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-03-25, 1 file changed, -0/+40)
* Garbage collect FREEBSD_MAC_EXTATTR_NAME and FREEBSD_MAC_EXTATTR_NAMESPACE,
  which are no longer required now that we have UFS2 with extended attribute transactions.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-03-23, 1 file changed, -8/+0)
* Including <sys/stdint.h> is (almost?) universally only to be able to use
  %j in printfs, so put a nested include in <sys/systm.h> where the printf prototype lives and save everybody else the trouble.
  (phk, 2003-03-18, 1 file changed, -1/+0)
* Do not depend on namespace pollution, explicitly include sys/sx.h
  (kan, 2003-03-12, 1 file changed, -0/+1)
* Instrument sysarch() MD privileged I/O access interfaces with a MAC
  check, mac_check_sysarch_ioperm(), permitting MAC security policy modules to control access to these interfaces. Currently, they protect access to IOPL on i386, and setting HAE on Alpha. Additional checks might be required on other platforms to prevent bypass of kernel security protections by unauthorized processes.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-03-06, 10 files changed, -0/+98)
* Provide a mac_check_system_swapoff() entry point, which permits MAC
  modules to authorize disabling of swap against a particular vnode.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-03-05, 10 files changed, -0/+115)
* Replace calls to WITNESS_SLEEP() and witness_list() with equivalent calls
  to WITNESS_WARN().
  (jhb, 2003-03-04, 8 files changed, -16/+24)
* A cute yet small MAC policy that provides a simple ACL mechanism to
  permit users and groups to bind ports for TCP or UDP, and is intended to be combined with the recently committed support for net.inet.ip.portrange.reservedhigh. The policy is twiddled using sysctl(8). To use this module, you will need to compile in MAC support, and probably set reservedhigh to 0, then twiddle security.mac.portacl.rules to set things as desired. This policy module only restricts ports explicitly bound using bind(), not implicitly bound ports where the port number is selected by the IP stack. It appears to work properly in my local configuration, but needs more broad testing.
  A sample policy might be:
    # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"
  This permits uid 425 to bind TCP sockets to ports 79 and 80. Currently no distinction is made for incoming vs. outgoing ports with TCP, although that would probably be easy to add.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-03-02, 1 file changed, -0/+485)
* Back out M_* changes, per decision of the TRB.
  Approved by: trb
  (imp, 2003-02-19, 12 files changed, -277/+277)
* Move a bunch of flags from the KSE to the thread.
  I was in two minds as to where to put them in the first case.. I should have listened to the other mind.
  Submitted by: parts by davidxu@
  Reviewed by: jeff@ mini@
  (julian, 2003-02-17, 1 file changed, -1/+1)
* Implement mpo_check_kld_load() and mpo_check_kld_unload() for the Biba
  MAC policy. To load a KLD, require that the subject hold Biba privilege, and the kernel module be marked as high integrity. To unload a KLD, require that the subject hold Biba privilege.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-02-04, 1 file changed, -0/+39)
* Place more stringent checks on process credential relabeling for the Biba
  and MLS policies: as we support both an effective (single) element and range (available) elements, require that the single be in the range if both the single and range are defined in the update. Remove comments suggesting that such a check might be a good idea. Don't introduce a similar check for network interfaces; due to different interpretations of the single and range elements, it's not clear that it's useful to do so.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-02-04, 2 files changed, -12/+21)
* Rename the variable 'grade' to 'type' in interface parsing and
  labeling for Biba. Rename the variable 'level' to 'type' in interface parsing and labeling for MLS.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-02-04, 2 files changed, -12/+12)
* Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
  Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
  (alfred, 2003-01-21, 12 files changed, -277/+277)
* Bow to the whining masses and change a union back into void *. Retain
  removal of unnecessary casts and throw in some minor cleanups to see if anyone complains, just for the hell of it.
  (dillon, 2003-01-13, 8 files changed, -32/+32)
* Change struct file f_data to un_data, a union of the correct struct
  pointer types, and remove a huge number of casts from code using it. Change struct xfile xf_data to xun_data (ABI is still compatible). If we need to add a #define for f_data and xf_data we can, but I don't think it will be necessary. There are no operational changes in this commit.
  (dillon, 2003-01-12, 8 files changed, -32/+32)
* Fix warnings on 64bits architectures.
  Noticed by: alpha tinderbox
  (mux, 2003-01-06, 1 file changed, -2/+1)
* Map VAPPEND to VWRITE since the ugidfw rule syntax doesn't specifically
  address the append access mode.
  Reported by: "Daniel C. Sobral" <dcs@newsguy.com>
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  MFC Candidate.
  (rwatson, 2002-12-28, 1 file changed, -0/+9)
* SCARGS removal take II.
  (alfred, 2002-12-14, 8 files changed, -40/+40)
* Backout removal SCARGS, the code freeze is only "selectively" over.
  (alfred, 2002-12-13, 8 files changed, -40/+40)
* Remove SCARGS.
  Reviewed by: md5
  (alfred, 2002-12-13, 8 files changed, -40/+40)
* Default policies to on: if you load them or compile them into your
  kernel, you should expect them to do something, so now they do. This doesn't affect users who don't load or explicitly compile in the policies.
  Approved by: re (jhb)
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-12-10, 7 files changed, -7/+7)
* Remove dm_root entry from struct devfs_mount. It's never set, and is
  unused. Replace it with a dm_mount back-pointer to the struct mount that the devfs_mount is associated with. Export that pointer to MAC Framework entry points, where all current policies don't use the pointer. This permits the SEBSD port of SELinux's FLASK/TE to compile out-of-the-box on 5.0-CURRENT with full file system labeling support.
  Approved by: re (murray)
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-12-09, 16 files changed, -131/+164)
* Remove a const that generates a warning: the const isn't strictly
  wrong, since we don't want the variable changed, but since we assign it to variables that may also refer to other non-const strings, warnings were generated that could break LINT.
  Approved by: re
  Spotted by: sam
  (rwatson, 2002-12-04, 1 file changed, -1/+1)
* License tweak: remove clause 3 per permission of NAI.
  Approved by: re
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-12-03, 2 files changed, -6/+0)
* Unhook the old LOMAC module, now replaced with mac_lomac.
  Approved by: re (jhb)
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-12-03, 27 files changed, -6787/+0)
* Correct two warnings by staticizing a function and removing an unused
  function.
  Approved by: re
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-26, 1 file changed, -11/+1)
* Import an implementation of LOMAC (Low-Watermark Mandatory Access
  Control) as a MAC Framework policy module. Unlike the existing src/sys/security/lomac implementation, this one has its fingers out of the kernel lock order and doesn't make use of flags in existing kernel structures. This greatly reduces the quantity of replicated code with src/sys/kern, simplifies the implementation (3000 vs 8500 lines), and corrects a number of known stability problems with the existing LOMAC implementation, which will be removed. A bit more hooking up to do here.
  Approved by: re
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-26, 2 files changed, -0/+2842)
* Un-staticize mac_cred_mmapped_drop_perms() so that it may be used
  by policy modules making use of downgrades in the MAC AST event. This is required by the mac_lomac port of LOMAC to the MAC Framework.
  Approved by: re
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-26, 9 files changed, -8/+9)
* Introduce p_label, extensible security label storage for the MAC framework
  in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) to update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage.
  Approved by: re
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-20, 10 files changed, -8/+204)
* Merge kld access control checks from the MAC tree: these access control
  checks permit policy modules to augment the system policy for permitting kld operations. This permits policies to limit access to kld operations based on credential (and other) properties, as well as to perform checks on the kld being loaded (integrity, etc).
  Approved by: re
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-19, 10 files changed, -0/+375)
* Introduce a condition variable to avoid returning EBUSY when
  the MAC policy list is busy during a load or unload attempt. We assert no locks held during the cv wait, meaning we should be fairly deadlock-safe. Because of the cv model and busy count, it's possible for a cv waiter waiting for exclusive access to the policy list to be starved by active and long-lived access control/labeling events. For now, we accept that as a necessary tradeoff.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-13, 8 files changed, -232/+416)
* Garbage collect mac_create_devfs_vnode() -- it hasn't been used since
  we brought in the new cache and locking model for vnode labels. We now rely on mac_associate_devfs_vnode().
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-12, 15 files changed, -108/+0)
* Garbage collect definition of M_MACOPVEC -- we no longer perform a
  dynamic mapping of an operation vector into an operation structure, rather, we rely on C99 sparse structure initialization.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-11, 8 files changed, -16/+0)
* Update MAC modules for changes in arguments for exec MAC policy
  entry points to include an explicit execlabel.
  Approved by: re
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-08, 7 files changed, -14/+68)
* Add an explicit execlabel argument to exec-related MAC policy entry
  points, rather than relying on policies to grub around in the image activator instance structure.
  Approved by: re
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-08, 9 files changed, -27/+36)
* Update policy modules for changes in arguments associated with support
  for label access on the interpreter, not just the shell script. No policies currently present in the system rely on the new labels.
  (rwatson, 2002-11-05, 6 files changed, -12/+18)
* Bring in two sets of changes:
  (1) Permit userland applications to request a change of label atomic with an execve() via mac_execve(). This is required for the SEBSD port of SELinux/FLASK. Attempts to invoke this without MAC compiled in result in ENOSYS, as with all other MAC system calls. Complexity, if desired, is present in policy modules, rather than the framework.
  (2) Permit policies to have access to both the label of the vnode being executed as well as the interpreter if it's a shell script or related UNIX nonsense. Because we can't hold both vnode locks at the same time, cache the interpreter label. SEBSD relies on this because it supports secure transitioning via shell script executables. Other policies might want to take both labels into account during an integrity or confidentiality decision at execve()-time.
  Approved by: re
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-05, 10 files changed, -55/+467)
* Since neither the Biba policy nor the MLS policy make use of
  transitioning, remove their transition entry points.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-05, 2 files changed, -46/+0)
* Assert that appropriate vnodes are locked in mac_execve_will_transition().
  Allow transitioning to be twiddled off using the process and fs enforcement flags, although at some point this should probably be its own flag.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-05, 8 files changed, -0/+64)
* Implement mpo_check_system_acct() and mpo_check_system_settime() for Biba:
  require Biba privilege to configure either, and require that accounting files be high integrity. Note that this does allow implicit information flow from low to high integrity, but it also protects the integrity of accounting data.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-04, 1 file changed, -0/+46)
* Correct use of mac_biba_subject_privileged() in swapon() code.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-04, 1 file changed, -2/+4)
* Permit MAC policies to instrument the access control decisions for
  system accounting configuration and for nfsd server thread attach. Policies might use this to protect the integrity or confidentiality of accounting data, limit the ability to turn on or off accounting, as well as to prevent inappropriately labeled threads from becoming nfs server threads.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-04, 10 files changed, -0/+253)
* Remove mac_cache_fslabel_in_vnode sysctl -- with the new VFS/MAC
  construction, labels are always cached.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2002-11-04, 8 files changed, -48/+0)