Make sure to clear the 'registered' flag for MAC policies when they
unregister. Under some obscure (perhaps demented) circumstances,
this can result in a panic if a policy is unregistered, and then

Make sure to clear the 'registered' flag for MAC policies when they
unregister. Under some obscure (perhaps demented) circumstances,
this can result in a panic if a policy is unregistered, and then someone
foolishly unregisters it again.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Integrate mac_check_socket_send() and mac_check_socket_receive()
checks from the MAC tree: allow policies to perform access control
for the ability of a process to send and receive data via a socket.

Integrate mac_check_socket_send() and mac_check_socket_receive()
checks from the MAC tree: allow policies to perform access control
for the ability of a process to send and receive data via a socket.
At some point, we might also pass in additional address information
if an explicit address is requested on send.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Sync from MAC tree: break out the single mmap entry point into
seperate entry points for each occasion:

mac_check_vnode_mmap() Check at initial mapping
mac_check_vnode_mprotect() Check at mapping p

Sync from MAC tree: break out the single mmap entry point into
seperate entry points for each occasion:

mac_check_vnode_mmap() Check at initial mapping
mac_check_vnode_mprotect() Check at mapping protection change
mac_check_vnode_mmap_downgrade() Determine if a mapping downgrade
should take place following
subject relabel.

Implement mmap() and mprotect() entry points for labeled vnode
policies. These entry points are currently not hooked up to the
VM system in the base tree. These changes improve the consistency
of the access control interface and offer more flexibility regarding
limiting access to vnode mmaping.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Modify label allocation semantics for sockets: pass in soalloc's malloc
flags so that we can call malloc with M_NOWAIT if necessary, avoiding
potential sleeps while holding mutexes in the TCP syncach

Modify label allocation semantics for sockets: pass in soalloc's malloc
flags so that we can call malloc with M_NOWAIT if necessary, avoiding
potential sleeps while holding mutexes in the TCP syncache code.
Similar to the existing support for mbuf label allocation: if we can't
allocate all the necessary label store in each policy, we back out
the label allocation and fail the socket creation. Sync from MAC tree.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Integrate a devfs/MAC fix from the MAC tree: avoid a race condition during
devfs VOP symlink creation by introducing a new entry point to determine
the label of the devfs_dirent prior to allocation o

Integrate a devfs/MAC fix from the MAC tree: avoid a race condition during
devfs VOP symlink creation by introducing a new entry point to determine
the label of the devfs_dirent prior to allocation of a vnode for the
symlink.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Merge support for mac_check_vnode_link(), a MAC framework/policy entry
point that instruments the creation of hard links. Policy implementations
to follow.

Obtained from: TrustedBSD Project
Sponsor

Merge support for mac_check_vnode_link(), a MAC framework/policy entry
point that instruments the creation of hard links. Policy implementations
to follow.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

While the MAC API has supported the ability to handle M_NOWAIT passed
to mbuf label initialization, that functionality was never merged to
the main tree. Go ahead and merge that functionality now.

While the MAC API has supported the ability to handle M_NOWAIT passed
to mbuf label initialization, that functionality was never merged to
the main tree. Go ahead and merge that functionality now. Note that
this requires policy modules to accept the case where the label
element may be destroyed even if init has not succeeded on it (in
the event that policy failed the init). This will shortly also
apply to sockets.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Rearrange object and label init/destroy functions to match the
order used in mac_policy.h and elsewhere. Sort order is basically
"by operation category", then "alphabetically by object". Sync to
MAC

Rearrange object and label init/destroy functions to match the
order used in mac_policy.h and elsewhere. Sort order is basically
"by operation category", then "alphabetically by object". Sync to
MAC tree.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Sync to MAC tree: use 'flag' instead of 'how' for mac_init_mbuf();
remove a slightly less than useful comment.

Another big diff, little functional change: move label internalization,
externalization, and cred label life cycle events to entirely above
devfs and vnode events. Sync from MAC tree.

Obtained from

Another big diff, little functional change: move label internalization,
externalization, and cred label life cycle events to entirely above
devfs and vnode events. Sync from MAC tree.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Move all object label init/destroy routines to the head of the
entry points to better match the entry point ordering in mac_policy.h.
Big diff, no functional change; merge from the MAC tree.

Obtaine

Move all object label init/destroy routines to the head of the
entry points to better match the entry point ordering in mac_policy.h.
Big diff, no functional change; merge from the MAC tree.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Synch from TrustedBSD MAC tree:

- If a policy isn't registered when a policy module unloads, silently
succeed.

- Hold the policy list lock across more of the validity tests to avoid
races.

Obt

Synch from TrustedBSD MAC tree:

- If a policy isn't registered when a policy module unloads, silently
succeed.

- Hold the policy list lock across more of the validity tests to avoid
races.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Cosmetic line wrap synchronization.

Push the debugging obect label counters into security.mac.debug.counters
rather than directly under security.mac.debug.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Labo

Push the debugging obect label counters into security.mac.debug.counters
rather than directly under security.mac.debug.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Begin another merge from the TrustedBSD MAC branch:

- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
entry points to mpo_init_foo_label(label) and
mpo_destroy_foo_label(l

Begin another merge from the TrustedBSD MAC branch:

- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
entry points to mpo_init_foo_label(label) and
mpo_destroy_foo_label(label). This will permit the use of the same
entry points for holding temporary type-specific label during
internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
mpo_{init,destroy}_mount() into seperate entry points for socket
main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
all entry points, implement these entry points using common
implementations for Biba, MLS, and Test, reducing the number of
almost identical looking functions.

This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Add a new MAC entry point, mac_thread_userret(td), which permits policy
modules to perform MAC-related events when a thread returns to user
space. This is required for policies that have floating pr

Add a new MAC entry point, mac_thread_userret(td), which permits policy
modules to perform MAC-related events when a thread returns to user
space. This is required for policies that have floating process labels,
as it's not always possible to acquire the process lock at arbitrary
points in the stack during system call processing; process labels might
represent traditional authentication data, process history information,
or other data.

LOMAC will use this entry point to perform the process label update
prior to the thread returning to userspace, when plugged into the MAC
framework.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Remember to include "opt_devfs.h" so we get any relevant changes
to NDEVFSINO before we include devfs.h.

Spotted by: FlexeLint

Improve locking of pipe mutexes in the context of MAC:

(1) Where previously the pipe mutex was selectively grabbed during
pipe_ioctl(), now always grab it and then release if if not
needed.

Improve locking of pipe mutexes in the context of MAC:

(1) Where previously the pipe mutex was selectively grabbed during
pipe_ioctl(), now always grab it and then release if if not
needed. This protects the call to mac_check_pipe_ioctl() to
make sure the label remains consistent. (Note: it looks
like sigio locking may be incorrect for fgetown() since we
call it not-by-reference and sigio locking assumes call by
reference).

(2) In pipe_stat(), lock the pipe if MAC is compiled in so that
the call to mac_check_pipe_stat() gets a locked pipe to
protect label consistency. We still release the lock before
returning actual stat() data, risking inconsistency, but
apparently our pipe locking model accepts that risk.

(3) In various pipe MAC authorization checks, assert that the pipe
lock is held.

(4) Grab the lock when performing a pipe relabel operation, and
assert it a little deeper in the stack.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Push 'security.mac.debug_label_fallback' behind options MAC_DEBUG.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

Add tunables for the existing sysctl twiddles for pipe and vm
enforcement so they can be disabled prior to kernel start.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Lab

Add tunables for the existing sysctl twiddles for pipe and vm
enforcement so they can be disabled prior to kernel start.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Remove un-needed stack variable 'ops'.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Add a toggle to disable VM enforcement.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

At the cost of seeming a little gauche, make use of more traditional
alphabetization for mac_enforce_pipe sysctl.

Obtained from: TrustedBSD Project
Sponsored by: DAPRA, NAI Labs

Remove all use of vnode->v_tag, replacing with appropriate substitutes.
v_tag is now const char * and should only be used for debugging.

Additionally:
1. All users of VT_NTS now check vfsconf->vf_ty

Remove all use of vnode->v_tag, replacing with appropriate substitutes.
v_tag is now const char * and should only be used for debugging.

Additionally:
1. All users of VT_NTS now check vfsconf->vf_type VFCF_NETWORK
2. The user of VT_PROCFS now checks for the new flag VV_PROCDEP, which
is propagated by pseudofs to all child vnodes if the fs sets PFS_PROCDEP.

Suggested by: phk
Reviewed by: bde, rwatson (earlier version)

show more ...

Add security.mac.mmap_revocation, a flag indicating whether we
should revoke access to memory maps on a process label change.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs