summaryrefslogtreecommitdiffstats
path: root/sys/security
Commit message (Collapse)AuthorAgeFilesLines
* Back out M_* changes, per decision of the TRB.imp2003-02-1912-277/+277
| | | | Approved by: trb
* Move a bunch of flags from the KSE to the thread.julian2003-02-171-1/+1
| | | | | | | | I was in two minds as to where to put them in the first case.. I should have listenned to the other mind. Submitted by: parts by davidxu@ Reviewed by: jeff@ mini@
* Implement mpo_check_kld_load() and mpo_check_kld_unload() for the Bibarwatson2003-02-041-0/+39
| | | | | | | | | MAC policy. To load a KLD, require that the subject hold Biba privilege, and the the kernel module be marked as high integrity. To unload a KLD, require that the subject hold Biba privilege. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Place more stringent checks on process credential relabeling for the Bibarwatson2003-02-042-12/+21
| | | | | | | | | | | | | | and MLS policies: as we support both an effective (single) element and range (available) elements, require that the single be in the range if both the single and range are defined in the update. Remove comments suggesting that such a check might be a good idea. Don't introduce a similar check for network interfaces; due to different interpretations of the single and range elements, it's not clear that it's useful to do so. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Rename the variable 'grade' to 'type' in interface parsing andrwatson2003-02-042-12/+12
| | | | | | | | | | labeling for Biba. Rename the variable 'level' to 'type' in interface parsing and labeling for MLS. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.alfred2003-01-2112-277/+277
| | | | Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
* Bow to the whining masses and change a union back into void *. Retaindillon2003-01-138-32/+32
| | | | | removal of unnecessary casts and throw in some minor cleanups to see if anyone complains, just for the hell of it.
* Change struct file f_data to un_data, a union of the correct structdillon2003-01-128-32/+32
| | | | | | | | | | pointer types, and remove a huge number of casts from code using it. Change struct xfile xf_data to xun_data (ABI is still compatible). If we need to add a #define for f_data and xf_data we can, but I don't think it will be necessary. There are no operational changes in this commit.
* Fix warnings on 64bits architectures.mux2003-01-061-2/+1
| | | | Noticed by: alpha tinderbox
* Map VAPPEND to VWRITE since the ugidfw rule syntax doesn't specificallyrwatson2002-12-281-0/+9
| | | | | | | | | | address the append access mode. Reported by: "Daniel C. Sobral" <dcs@newsguy.com> Obtained from: TrustedBSD Project Sponosred by: DARPA, Network Associates Laboratories MFC Candidate.
* SCARGS removal take II.alfred2002-12-148-40/+40
|
* Backout removal SCARGS, the code freeze is only "selectively" over.alfred2002-12-138-40/+40
|
* Remove SCARGS.alfred2002-12-138-40/+40
| | | | Reviewed by: md5
* Default policies to on: if you load them or compile them into yourrwatson2002-12-107-7/+7
| | | | | | | | | | kernel, you should expect them to do something, so now they do. This doesn't affect users who don't load or explicitly compile in the policies. Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Remove dm_root entry from struct devfs_mount. It's never set, and isrwatson2002-12-0916-131/+164
| | | | | | | | | | | | unused. Replace it with a dm_mount back-pointer to the struct mount that the devfs_mount is associated with. Export that pointer to MAC Framework entry points, where all current policies don't use the pointer. This permits the SEBSD port of SELinux's FLASK/TE to compile out-of-the-box on 5.0-CURRENT with full file system labeling support. Approved by: re (murray) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Remove a const that generates a warning: the const isn't strictlyrwatson2002-12-041-1/+1
| | | | | | | | | wrong, since we don't want the variable changed, but since we assign it to variables that may also refer to other non-const strings, warnings were generated that could break LINT. Approved by: re Spotted by: sam
* License tweak: remove clause 3 per permission of NAI.rwatson2002-12-032-6/+0
| | | | | | Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Unhook the old LOMAC module, now replaced with mac_lomac.rwatson2002-12-0327-6787/+0
| | | | | | Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Correct two warnings by staticizing a function and removing an unusedrwatson2002-11-261-11/+1
| | | | | | | | function. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Import an implementation of LOMAC (Low-Watermark Mandatory Accessrwatson2002-11-262-0/+2842
| | | | | | | | | | | | | | | Control) as a MAC Framework policy module. Unlike the existing src/sys/security/lomac implementation, this one has its fingers out of the kernel lock order and doesn't make use of flags in existing kernel structures. This greatly reduces the quantity of replicated code with src/sys/kern, simplifies the implementation (3000 vs 8500 lines), and correctes a number of known stability problems with the existing LOMAC implementation, which will be removed. A bit more hooking up to do here. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Un-staticize mac_cred_mmapped_drop_perms() so that it may be usedrwatson2002-11-269-8/+9
| | | | | | | | | by policy modules making use of downgrades in the MAC AST event. This is required by the mac_lomac port of LOMAC to the MAC Framework. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Introduce p_label, extensible security label storage for the MAC frameworkrwatson2002-11-2010-8/+204
| | | | | | | | | | | | | | | | | | | in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) can update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Merge kld access control checks from the MAC tree: these access controlrwatson2002-11-1910-0/+375
| | | | | | | | | | | checks permit policy modules to augment the system policy for permitting kld operations. This permits policies to limit access to kld operations based on credential (and other) properties, as well as to perform checks on the kld being loaded (integrity, etc). Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Introduce a condition variable to avoid returning EBUSY whenrwatson2002-11-138-232/+416
| | | | | | | | | | | | | the MAC policy list is busy during a load or unload attempt. We assert no locks held during the cv wait, meaning we should be fairly deadlock-safe. Because of the cv model and busy count, it's possible for a cv waiter waiting for exclusive access to the policy list to be starved by active and long-lived access control/labeling events. For now, we accept that as a necessary tradeoff. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Garbage collect mac_create_devfs_vnode() -- it hasn't been used sincerwatson2002-11-1215-108/+0
| | | | | | | | we brought in the new cache and locking model for vnode labels. We now rely on mac_associate_devfs_vnode(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Garbage collect definition of M_MACOPVEC -- we no longer perform arwatson2002-11-118-16/+0
| | | | | | | | dynamic mapping of an operation vector into an operation structure, rather, we rely on C99 sparse structure initialization. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Update MAC modules for changes in arguments for exec MAC policyrwatson2002-11-087-14/+68
| | | | | | | | entry points to include an explicit execlabel. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Add an explicit execlabel argument to exec-related MAC policy entryrwatson2002-11-089-27/+36
| | | | | | | | | points, rather than relying on policies to grub around in the image activator instance structure. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Update policy modules for changes in arguments associated with supportrwatson2002-11-056-12/+18
| | | | | for label access on the interpreter, not just the shell script. No policies currently present in the system rely on the new labels.
* Bring in two sets of changes:rwatson2002-11-0510-55/+467
| | | | | | | | | | | | | | | | | | | | | | (1) Permit userland applications to request a change of label atomic with an execve() via mac_execve(). This is required for the SEBSD port of SELinux/FLASK. Attempts to invoke this without MAC compiled in result in ENOSYS, as with all other MAC system calls. Complexity, if desired, is present in policy modules, rather than the framework. (2) Permit policies to have access to both the label of the vnode being executed as well as the interpreter if it's a shell script or related UNIX nonsense. Because we can't hold both vnode locks at the same time, cache the interpreter label. SEBSD relies on this because it supports secure transitioning via shell script executables. Other policies might want to take both labels into account during an integrity or confidentiality decision at execve()-time. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Since neither the Biba policy nor the MLS policy make use ofrwatson2002-11-052-46/+0
| | | | | | | transitioning, remove their transition entry points. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Assert that appropriate vnodes are locked in mac_execve_will_transition().rwatson2002-11-058-0/+64
| | | | | | | | Allow transitioning to be twiddled off using the process and fs enforcement flags, although at some point this should probably be its own flag. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Implement mpo_check_system_acct and mpo_check_system_settime() for Biba:rwatson2002-11-041-0/+46
| | | | | | | | | | require Biba privilege to configure either, and require that accounting files be high integrity. Note that this does allow implicit information flow from low to high integrity, but it also protects the integrity of accounting data. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Correct use of mac_biba_subject_privileged() in swapon() code.rwatson2002-11-041-2/+4
| | | | | Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Permit MAC policies to instrument the access control decisions forrwatson2002-11-0410-0/+253
| | | | | | | | | | | system accounting configuration and for nfsd server thread attach. Policies might use this to protect the integrity or confidentiality of accounting data, limit the ability to turn on or off accounting, as well as to prevent inappropriately labeled threads from becoming nfs server threads. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Remove mac_cache_fslabel_in_vnode sysctl -- with the new VFS/MACrwatson2002-11-048-48/+0
| | | | | | | construction, labels are always cached. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* License and wording updates: NAI has authorized the removal of clauserwatson2002-11-0413-91/+52
| | | | | three from their BSD-style license. Also, s/NAI Labs/Network Associates Laboratories/.
* License clarification and wording changes: NAI has approved removal ofrwatson2002-11-0410-70/+40
| | | | | clause three, and NAI Labs now goes by the name Network Associates Laboratories.
* Introduce mac_check_system_settime(), a MAC check allowing policies torwatson2002-11-0310-0/+106
| | | | | | | augment the system policy for changing the system time. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Change privilege model for mac_partition such that BSD superuser can changerwatson2002-11-031-6/+4
| | | | | | | | the partition once a partition has been set. This is required for correct operation of sendmail between partitions. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Fix some warnings on 64 bit architectures. The vn_extattr_get()mux2002-11-022-4/+2
| | | | | | | | | | | function takes an int * parameter, not a size_t * parameter. Arguably, it should rather take a size_t *, but that would require changing the uio_resid field of struct uio to be a size_t instead of an int, which I don't want to do that close to 5.0-RELEASE. Reviewed by: rwatson
* Add MAC checks for various kenv() operations: dump, get, set, unset,rwatson2002-11-0110-0/+425
| | | | | | | permitting MAC policies to limit access to the kernel environment. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Move to C99 sparse structure initialization for the mac_policy_opsrwatson2002-10-3018-6263/+734
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | structure definition, rather than using an operation vector we translate into the structure. Originally, we used a vector for two reasons: (1) We wanted to define the structure sparsely, which wasn't supported by the C compiler for structures. For a policy with five entry points, you don't want to have to stick in a few hundred NULL function pointers. (2) We thought it would improve ABI compatibility allowing modules to work with kernels that had a superset of the entry points defined in the module, even if the kernel had changed its entry point set. Both of these no longer apply: (1) C99 gives us a way to sparsely define a static structure. (2) The ABI problems existed anyway, due to enumeration numbers, argument changes, and semantic mismatches. Since the going rule for FreeBSD is that you really need your modules to pretty closely match your kernel, it's not worth the complexity. This submit eliminates the operation vector, dynamic allocation of the operation structure, copying of the vector to the structure, and redoes the vectors in each policy to direct structure definitions. One enourmous benefit of this change is that we now get decent type checking on policy entry point implementation arguments. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Various minor type, prototype tweaks -- clean up cruft due to lack ofrwatson2002-10-305-10/+10
| | | | | | | type checking on entry points (to be introduced shortly). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* While 'mode_t' seemed like a good idea for the access mode argument forrwatson2002-10-3016-41/+41
| | | | | | | | | MAC access() and open() checks, the argument actually has an int type where it becomes available. Switch to using 'int' for the mode argument throughout the MAC Framework and policy modules. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Try again to fix the KASSERT.rwatson2002-10-301-1/+1
|
* Fix a KASSERT bug that showed up only in the LINT build, not therwatson2002-10-301-1/+1
| | | | | | module build, so I missed it in the merge. Pointed out by: sam
* Hook up no-op stubs for reboot, swapon, sysctl entry points.rwatson2002-10-292-0/+58
| | | | | Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* Implement Biba policy entry points for mac_check_system_swapon()rwatson2002-10-291-0/+59
| | | | | | | | | | | and mac_check_system_sysctl(), providing additional integrity protections relating to swap target device selection and system management via sysctl(). Require Biba privilege for both; also require that the target of swap operations be a high integrity object, since swap data is high integrity. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Asssociates Laboratories
* Require Biba privilege to relabel a network interface.rwatson2002-10-291-0/+7
| | | | | Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
OpenPOWER on IntegriCloud