| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
| |
currently unimplemented.
Update copyrights.
Pointed out by: csjp
|
| |
|
|
|
| |
MFC after: 3 days
Pointed out by: trhodes
|
| |
|
|
|
|
|
|
|
| |
objects (message queues, semaphores, shared memory), exercising and
validating MAC labels on these objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
|
| |
|
|
|
|
|
|
| |
objects (message queues, semaphores, shared memory).
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
|
| |
|
|
|
|
|
|
| |
(message queues, semaphores, shared memory).
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
|
| |
|
|
|
|
|
|
| |
queues, semaphores, shared memory).
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
|
| |
|
|
|
|
| |
Submitted by: bkoenig at cs dot tu-berlin dot de
PR: 72238
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
security.mac.portacl.autoport_exempt
This sysctl exempts to bind port '0' as long as IP_PORTRANGELOW hasn't
been set on the socket. This is quite useful as it allows applications
to use automatic binding without adding overly broad rules for the
binding of port 0. This sysctl defaults to enabled.
This is a slight variation on the patch submitted by the contributor.
MFC after: 2 weeks
Submitted by: Michal Mertl <mime at traveller dot cz>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the sx lock was used previously because we might sleep allocating
additional memory by using auto-extending sbufs. However, we no longer
do this, instead retaining the user-submitted rule string, so mutexes
can be used instead. Annotate the reason for not using the sbuf-related
rule-to-string code with a comment.
Switch to using TAILQ_CONCAT() instead of manual list copying, as it's
O(1), reducing the rule replacement step under the mutex from O(2N) to
O(2).
Remove now uneeded vnode-related includes.
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
| |
MAC policies to perform object life cycle operations and access
control checks.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
objects and operations:
- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.
- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
|
| |
|
|
|
|
| |
changes associated with adding System V IPC support. This will prevent
old modules from being used with the new kernel, and new modules from
being used with the old kernel.
|
| |
|
|
|
|
| |
for modules linked into the kernel or loaded very early, panics will
result otherwise, as the CV code it calls will panic due to its use
of a mutex before it is initialized.
|
| |
|
|
|
|
| |
TrustedBSD branch.
Submitted by: bde
|
| |
|
|
|
|
|
|
|
| |
as well as document the properties of the mac_policy_conf structure.
Warn about the ABI risks in changing the structure without careful
consideration.
Obtained from: TrustedBSD Project
Sponsored by: SPAWAR
|
| |
|
|
|
|
|
| |
will call printf() if KDB isn't compiled into the kernel.
Obtained from: TrustedBSD Project
Sponsored by: SPAWAR
|
| | |
|
| |
|
|
| |
destroyed in an initialized state.
|
| |
|
|
| |
the CVS version of the MAC Framework.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
right bits rather than piggy-backing on the V* rights defined in
vnode.h. The mac_bsdextended bits are given the same values as the V*
bits to make the new kernel module binary compatible with the old
version of libugidfw that uses V* bits. This avoids leaking kernel
API/ABI to user management tools, and in particular should remove the
need for libugidfw to include vnode.h.
Requested by: phk
|
| |
|
|
|
|
| |
Enable first match by default.[1]
We should: rwatson [1]
|
| |
|
|
|
|
|
|
| |
facility. This is disabled by default but may be turned on by using
the mac_bsdextended_logging sysctl.
Reviewed by: re (jhb)
Approved by: re (jhb)
|
| |
|
|
|
|
|
|
|
|
| |
rule only in place of all rules match. This is similar to how ipfw(8) works.
Provide a sysctl, mac_bsdextended_firstmatch_enabled, to enable this
feature.
Reviewed by: re (jhb)
Aprroved by: re (jhb)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
so that they know whether the allocation is supposed to be able to sleep
or not.
* Allow uma_zone constructors and initialation functions to return either
success or error. Almost all of the ones in the tree currently return
success unconditionally, but mbuf is a notable exception: the packet
zone constructor wants to be able to fail if it cannot suballocate an
mbuf cluster, and the mbuf allocators want to be able to fail in general
in a MAC kernel if the MAC mbuf initializer fails. This fixes the
panics people are seeing when they run out of memory for mbuf clusters.
* Allow debug.nosleepwithlocks on WITNESS to be disabled, without changing
the default.
Both bmilekic and jeff have reviewed the changes made to make failable
zone allocations work.
|
| | |
|
| |
|
|
|
|
|
| |
Framework can restrict the root user, but this policy is not intended
to support that.
Stylish Swiss footwear provided for: trhodes
|
| |
|
|
|
|
|
|
|
| |
accurately represents the intention of the 'single' label element in
Biba and MLS labels. It also approximates the use of 'effective' in
traditional UNIX credentials, and avoids confusion with 'singlelabel'
in the context of file systems.
Inspired by: trhodes
|
| |
|
|
|
|
|
|
| |
for unknown events.
A number of modules return EINVAL in this instance, and I have left
those alone for now and instead taught MOD_QUIESCE to accept this
as "didn't do anything".
|
| |
|
|
| |
o Call kdb_enter() instead of Debugger().
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
network interfaces. This global mutex will protect all ifnet labels.
Acquire the mutex across various MAC activities on interfaces, such
as security checks, propagating interface labels to mbufs generated
from the interface, retrieving and setting the interface label.
Introduce mpo_copy_ifnet_label MAC policy entry point to copy the
value of an interface label from one label to another. Use this
to avoid performing a label externalize while holding mac_ifnet_mtx;
copy the label to a temporary ifnet label and then externalize that.
Implement mpo_copy_ifnet_label for various MAC policies that
implement interface labeling using generic label copying routines.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, McAfee Research
|
| |
|
|
| |
Bump __FreeBSD_version accordingly.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
SOCK_LOCK(so):
- Hold socket lock over calls to MAC entry points reading or
manipulating socket labels.
- Assert socket lock in MAC entry point implementations.
- When externalizing the socket label, first make a thread-local
copy while holding the socket lock, then release the socket lock
to externalize to userspace.
|
| | |
|
| |
|
|
|
|
|
| |
was never used.)
Reported by: pjd
Approved by: rwatson
|
| |
|
|
|
|
| |
them with '_', as well as beginning with '_'.
Observed by: bde
|
| |
|
|
|
|
|
|
|
|
|
| |
lookup for the label tag fails, return NULL rather than something close
to NULL. This scenario occurs if mbuf header labeling is optional and
a policy requiring labeling is loaded, resulting in some mbufs having
labels and others not. Previously, 0x14 would be returned because the
NULL from m_tag_find() was not treated specially.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, McAfee Research
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
test the label pointer for NULL before testing the label slot for
permitted values. When loading mac_test dynamically with conditional
mbuf labels, the label pointer may be NULL if the mbuf was
instantiated while labels were not required on mbufs by any policy.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, McAfee Research
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
synchronization protecting against dynamic load and unload of MAC
policies, and instead simply blocks load and unload. In a static
configuration, this allows you to avoid the synchronization costs
associated with introducing dynamicism.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, McAfee Research
|
| |
|
|
|
|
|
|
| |
Assert the BPF descriptor lock in the MAC calls referencing live
BPF descriptors.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, McAfee Research
|
| |
|
|
|
|
|
| |
are employed in entry points later in the same include file.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Air Force Research Laboratory, McAfee Research
|
| |
|
|
|
|
|
|
|
| |
struct vattr in mac_policy.h. This permits policies not
implementing entry points using these types to compile without
including include files with these types.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Air Force Research Laboratory
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
to a new mac_inet.c. This code is now conditionally compiled based
on inet support being compiled into the kernel.
Move socket related MAC Framework entry points from mac_net.c to a new
mac_socket.c.
To do this, some additional _enforce MIB variables are now non-static.
In addition, mbuf_to_label() is now mac_mbuf_to_label() and non-static.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, McAfee Research
|
| |
|
|
|
|
|
|
|
|
|
| |
Now I believe it is done in the right way.
Removed some XXMAC cases, we now assume 'high' integrity level for all
sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic.
Reviewed by: rwatson
Approved by: rwatson, scottl (mentor)
Tested with: LINT (compilation), mac_biba(4) (functionality)
|
| |
|
|
|
|
|
|
| |
to use the "year1-year3" format, as opposed to "year1, year2, year3".
This seems to make lawyers more happy, but also prevents the
lines from getting excessively long as the years start to add up.
Suggested by: imp
|
| |
|
|
| |
'struct pipe' now.
|
