#
02be6269 |
| 25-Oct-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Normalize TCP syncache-related MAC Framework entry points to match most other entry points in the form mac_<object>_method().
Discussed with: csjp Obtained from: TrustedBSD Project
|
Revision tags: vendor/one-true-awk/20071023 |
|
#
3f1a7a90 |
| 25-Oct-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Consistently name functions for mac_<policy> as <policy>_whatever rather than mac_<policy>_whatever, as this shortens the names and makes the code a bit easier to read.
When dealing with label struc
Consistently name functions for mac_<policy> as <policy>_whatever rather than mac_<policy>_whatever, as this shortens the names and makes the code a bit easier to read.
When dealing with label structures, name variables 'mb', 'ml', 'mm rather than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making the code a little easier to read.
Obtained from: TrustedBSD Project
show more ...
|
#
a7f3aac7 |
| 25-Oct-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Further MAC Framework cleanup: normalize some local variable names and clean up some comments.
Obtained from: TrustedBSD Project
|
#
30d239bc |
| 24-Oct-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms:
mac_<object>_<method/action> mac_<objec
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms:
mac_<object>_<method/action> mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names.
All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
show more ...
|
Revision tags: vendor/ipfilter/4.1.28, vendor/ipfilter-sys/4-1-28, vendor/openssl/0.9.8-20071018, vendor/tcpdump/3.9.8, vendor/libpcap/0.9.8, vendor/tcsh/6.15a, vendor/less/v409, vendor/tzdata/tzdata2007h, vendor/less/v408 |
|
#
b61ce5b0 |
| 17-Sep-2007 |
Jeff Roberson <jeff@FreeBSD.org> |
- Move all of the PS_ flags into either p_flag or td_flags. - p_sflag was mostly protected by PROC_LOCK rather than the PROC_SLOCK or previously the sched_lock. These bugs have existed for some
- Move all of the PS_ flags into either p_flag or td_flags. - p_sflag was mostly protected by PROC_LOCK rather than the PROC_SLOCK or previously the sched_lock. These bugs have existed for some time. - Allow swapout to try each thread in a process individually and then swapin the whole process if any of these fail. This allows us to move most scheduler related swap flags into td_flags. - Keep ki_sflag for backwards compat but change all in source tools to use the new and more correct location of P_INMEM.
Reported by: pho Reviewed by: attilio, kib Approved by: re (kensmith)
show more ...
|
#
45e0f3d6 |
| 10-Sep-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry point to mac_check_vnode_unlink(), reflecting UNIX naming conventions.
This is the first of several commits to synchronize the MAC
Rename mac_check_vnode_delete() MAC Framework and MAC Policy entry point to mac_check_vnode_unlink(), reflecting UNIX naming conventions.
This is the first of several commits to synchronize the MAC Framework in FreeBSD 7.0 with the MAC Framework as it will appear in Mac OS X Leopard.
Reveiwed by: csjp, Samy Bahra <sbahra at gwu dot edu> Submitted by: Jacques Vidrine <nectar at apple dot com> Obtained from: Apple Computer, Inc. Sponsored by: SPARTA, SPAWAR Approved by: re (bmah)
show more ...
|
Revision tags: vendor/tzdata/tzdata2007g, vendor/gcc/4.2.1-20070718-SVN126787, vendor/bind9/9.4.1p1, vendor/openbsm/1.0-ALPHA-15, vendor/wpa_supplicant/0.5.8, vendor/hostapd/0.5.8, vendor/pf/4.1, vendor/pf-sys/4.1, vendor/less/v406, vendor/misc-GNU/diff/2.8.7, vendor/bind9/9.4.1, vendor/one-true-awk/20070501 |
|
#
982d11f8 |
| 05-Jun-2007 |
Jeff Roberson <jeff@FreeBSD.org> |
Commit 14/14 of sched_lock decomposition. - Use thread_lock() rather than sched_lock for per-thread scheduling sychronization. - Use the per-process spinlock rather than the sched_lock for per-p
Commit 14/14 of sched_lock decomposition. - Use thread_lock() rather than sched_lock for per-thread scheduling sychronization. - Use the per-process spinlock rather than the sched_lock for per-process scheduling synchronization.
Tested by: kris, current@ Tested on: i386, amd64, ULE, 4BSD, libthr, libkse, PREEMPTION, etc. Discussed with: kris, attilio, kmacy, jhb, julian, bde (small parts each)
show more ...
|
Revision tags: vendor/ipfilter/4.1.23, vendor/ipfilter-sys/4-1-23, vendor/less/v403, vendor/resolver/9.4.1, vendor/file/4.21, vendor/file/4.19, vendor/tzdata/tzdata2007f, vendor/gcc/4.2.0-20070514-SVN124707 |
|
#
30575990 |
| 23-Apr-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Rename mac*devfsdirent*() to mac*devfs*() to synchronize with SEDarwin, where similar data structures exist to support devfs and the MAC Framework, but are named differently.
Obtained from: TrustedB
Rename mac*devfsdirent*() to mac*devfs*() to synchronize with SEDarwin, where similar data structures exist to support devfs and the MAC Framework, but are named differently.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
show more ...
|
#
78007886 |
| 23-Apr-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Apply variable name normalization to MAC policies: adopt global conventions for the naming of variables associated with specific data structures.
Obtained from: TrustedBSD Project
|
#
eb542415 |
| 22-Apr-2007 |
Robert Watson <rwatson@FreeBSD.org> |
In the MAC Framework implementation, file systems have two per-mountpoint labels: the mount label (label of the mountpoint) and the fs label (label of the file system). In practice, policies appear
In the MAC Framework implementation, file systems have two per-mountpoint labels: the mount label (label of the mountpoint) and the fs label (label of the file system). In practice, policies appear to only ever use one, and the distinction is not helpful.
Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and eliminate extra machinery required to maintain the additional label. Update policies to reflect removal of extra entry points and label.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
show more ...
|
#
c14d15ae |
| 22-Apr-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Remove MAC Framework access control check entry points made redundant with the introduction of priv(9) and MAC Framework entry points for privilege checking/granting. These entry points exactly alig
Remove MAC Framework access control check entry points made redundant with the introduction of priv(9) and MAC Framework entry points for privilege checking/granting. These entry points exactly aligned with privileges and provided no additional security context:
- mac_check_sysarch_ioperm() - mac_check_kld_unload() - mac_check_settime() - mac_check_system_nfsd()
Add mpo_priv_check() implementations to Biba and LOMAC policies, which, for each privilege, determine if they can be granted to processes considered unprivileged by those two policies. These mostly, but not entirely, align with the set of privileges granted in jails.
Obtained from: TrustedBSD Project
show more ...
|
#
18717f69 |
| 21-Apr-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid().
MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points.
Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
show more ...
|
Revision tags: vendor/openbsm/1.0-ALPHA-14, vendor/libreadline/5.2p2, vendor/sendmail/8.14.1, vendor/binutils/2.15.20050217, vendor/tcpdump/3.9.1a, vendor/tcsh/6.15p1, vendor/bzip2/1.0.4, vendor/netcat/4.1, vendor/acpica/20070320, vendor/openssl/0.9.8-20070315, vendor/openssl/0.9.8e, vendor/tcsh/6.15 |
|
#
0142affc |
| 06-Feb-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce accessor functions mac_label_get() and mac_label_set() to replace LABEL_TO_SLOT() macro used by policy modules to query and set label data in struct label. Instead of using a union, store
Introduce accessor functions mac_label_get() and mac_label_set() to replace LABEL_TO_SLOT() macro used by policy modules to query and set label data in struct label. Instead of using a union, store an intptr_t, simplifying the API.
Update policies: in most cases this required only small tweaks to current wrapper macros. In two cases, a single wrapper macros had to be split into separate get and set macros.
Move struct label definition from _label.h to mac_internal.h and remove _label.h. With this change, policies may now treat struct label * as opaque, allowing us to change the layout of struct label without breaking the policy module ABI. For example, we could make the maximum number of policies with labels modifiable at boot-time rather than just at compile-time.
Obtained from: TrustedBSD Project
show more ...
|
Revision tags: vendor/bind9/9.3.4, vendor/ncurses/5.6-20061217, release/6.2.0_cvs, release/6.2.0, vendor/gdtoa/20050923, vendor/libreadline/5.2p1, vendor/libreadline/5.2 |
|
#
0efd6615 |
| 22-Dec-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Move src/sys/sys/mac_policy.h, the kernel interface between the MAC Framework and security modules, to src/sys/security/mac/mac_policy.h, completing the removal of kernel-only MAC Framework include f
Move src/sys/sys/mac_policy.h, the kernel interface between the MAC Framework and security modules, to src/sys/security/mac/mac_policy.h, completing the removal of kernel-only MAC Framework include files from src/sys/sys. Update the MAC Framework and MAC policy modules. Delete the old mac_policy.h.
Third party policy modules will need similar updating.
Obtained from: TrustedBSD Project
show more ...
|
Revision tags: vendor/resolver/9.3.4, vendor/resolver/9.3.3, vendor/ath/0.9.20.3 |
|
#
430fc756 |
| 13-Dec-2006 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Teach the MAC policies which utilize mbuf labeling the new syncache entry points. Properly initialize the mbuf label based on the label we copy from the PCB. This fixes an LOR between the PCB and sy
Teach the MAC policies which utilize mbuf labeling the new syncache entry points. Properly initialize the mbuf label based on the label we copy from the PCB. This fixes an LOR between the PCB and syncache code.
show more ...
|
Revision tags: vendor/bind9/9.3.3, vendor/pppd/2.3.11, vendor/openssh/4.5p1 |
|
#
acd3428b |
| 06-Nov-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking.
Sponsored by: nCircle
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking.
Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
show more ...
|
Revision tags: vendor/bind9/9.3.2p2, vendor/resolver/9.3.3RC2 |
|
#
aed55708 |
| 22-Oct-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitio
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitions, with all in-kernel interfaces moved to mac_framework.h, which is now included across most of the kernel instead.
This change is the first step in a larger cleanup and sweep of MAC Framework interfaces in the kernel, and will not be MFC'd.
Obtained from: TrustedBSD Project Sponsored by: SPARTA
show more ...
|
Revision tags: vendor/tzdata/tzdata2006n, vendor/openssl/0.9.8-20060929, vendor/openssl/0.9.8d, vendor/openssh/4.4p1, vendor/openbsm/1.0-ALPHA-12, vendor/openbsm/1.0-ALPHA-11 |
|
#
d94f2a68 |
| 12-Sep-2006 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point exists to allow the mandatory access control policy to properly initialize mbufs generated by the firewall. An example whe
Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point exists to allow the mandatory access control policy to properly initialize mbufs generated by the firewall. An example where this might happen is keep alive packets, or ICMP error packets in response to other packets.
This takes care of kernel panics associated with un-initialize mbuf labels when the firewall generates packets.
[1] I modified this patch from it's original version, the initial patch introduced a number of entry points which were programmatically equivalent. So I introduced only one. Instead, we should leverage mac_create_mbuf_netlayer() which is used for similar situations, an example being icmp_error()
This will minimize the impact associated with the MFC
Submitted by: mlaier [1] MFC after: 1 week
This is a RELENG_6 candidate
show more ...
|
Revision tags: vendor/bind9/9.3.2p1, vendor/tcpdump/3.9.4, vendor/libpcap/0.9.4, vendor/openbsm/1.0-ALPHA-10, vendor/openbsm/1.0-ALPHA9-kwikfix_backout, vendor/NetBSD/lukemftpd/20060831, vendor/openbsm/1.0-ALPHA9-kwikfix, vendor/gcc/3.4.6-20060825-SVN116475, vendor/openbsm/1.0-ALPHA-9, vendor/gdb/6.1.1, vendor/less/v394, vendor/sendmail/8.13.8, vendor/ipfilter/4.1.13, vendor/ipfilter-sys/4-1-13, vendor/openssl/0.9.8b, vendor/libuwx/BETA10, vendor/openbsm/1.0-ALPHA-7, vendor/OpenBSD/cvs_20060501, vendor/file/4.17a, vendor/file/4.17, vendor/sendmail/8.13.7, vendor/binutils/2.15.NOTHING, vendor/ath/0.9.17.2, vendor/openbsm/1.0-ALPHA-6, release/5.5.0_cvs, release/5.5.0, vendor/netcat/3.9, vendor/resolver/9.3.2, vendor/tzdata/tzdata2006g, release/6.1.0_cvs, release/6.1.0, vendor/libreadline/5.1p1-p4, vendor/libreadline/5.1, vendor/zlib/1.2.3, vendor/openssh/4.3p1, vendor/sendmail/8.13.6, vendor/csup/20060313, vendor/hostapd/0.4.8, vendor/wpa_supplicant/0.4.8, vendor/openbsm/1.0-ALPHA-5, vendor/csup/20060303, vendor/csup/20060302, vendor/bsnmp/1.12, vendor/tcsh/6.14, vendor/openbsm/1.0-ALPHA-4, vendor/ath/0.9.16.16, vendor/openbsm/1.0-ALPHA-3, vendor/openbsm/1.0-ALPHA-2, vendor/openbsm/1.0-ALPHA-1, vendor/bind9/9.3.2-dougb-p1, vendor/ipfilter/4.1.10, vendor/ipfilter-sys/4-1-10, vendor/bind9/9.3.2, vendor/tzdata/tzdata2005r, vendor/tzdata/tzdata2005q, vendor/nve/1.0.0310, release/6.0.0_cvs, release/6.0.0, vendor/acpica/20051021 |
|
#
5bb84bc8 |
| 31-Oct-2005 |
Robert Watson <rwatson@FreeBSD.org> |
Normalize a significant number of kernel malloc type names:
- Prefer '_' to ' ', as it results in more easily parsed results in memory monitoring tools such as vmstat.
- Remove punctuation that i
Normalize a significant number of kernel malloc type names:
- Prefer '_' to ' ', as it results in more easily parsed results in memory monitoring tools such as vmstat.
- Remove punctuation that is incompatible with using memory type names as file names, such as '/' characters.
- Disambiguate some collisions by adding subsystem prefixes to some memory types.
- Generally prefer lower case to upper case.
- If the same type is defined in multiple architecture directories, attempt to use the same name in additional cases.
Not all instances were caught in this change, so more work is required to finish this conversion. Similar changes are required for UMA zone names.
show more ...
|
Revision tags: vendor/acpica/20041119sysinc, vendor/wpa_supplicant/0.3-latest, vendor/groff/1.19.2, vendor/wpa_supplicant/0.3.9, vendor/bsnmp/1.11, vendor/misc-GNU/cpio/2.6 |
|
#
36422989 |
| 19-Sep-2005 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Add #include <sys/sx.h>, devfs is going to require this shortly.
|
#
223aaaec |
| 19-Sep-2005 |
Robert Watson <rwatson@FreeBSD.org> |
Remove mac_create_root_mount() and mpo_create_root_mount(), which provided access to the root file system before the start of the init process. This was used briefly by SEBSD before it knew about pr
Remove mac_create_root_mount() and mpo_create_root_mount(), which provided access to the root file system before the start of the init process. This was used briefly by SEBSD before it knew about preloading data in the loader, and using that method to gain access to data earlier results in fewer inconsistencies in the approach. Policy modules still have access to the root file system creation event through the mac_create_mount() entry point.
Removed now, and will be removed from RELENG_6, in order to gain third party policy dependencies on the entry point for the lifetime of the 6.x branch.
MFC after: 3 days Submitted by: Chris Vance <Christopher dot Vance at SPARTA dot com> Sponsored by: SPARTA
show more ...
|
Revision tags: vendor/pf-sys/3.7.001, vendor/openssh/4.2p1, vendor/tzdata/tzdata2005m, vendor/tzdata/tzdata2005l, vendor/bind9/9.3.1p1 |
|
#
d26dd2d9 |
| 14-Jul-2005 |
Robert Watson <rwatson@FreeBSD.org> |
When devfs cloning takes place, provide access to the credential of the process that caused the clone event to take place for the device driver creating the device. This allows cloned device drivers
When devfs cloning takes place, provide access to the credential of the process that caused the clone event to take place for the device driver creating the device. This allows cloned device drivers to adapt the device node based on security aspects of the process, such as the uid, gid, and MAC label.
- Add a cred reference to struct cdev, so that when a device node is instantiated as a vnode, the cloning credential can be exposed to MAC.
- Add make_dev_cred(), a version of make_dev() that additionally accepts the credential to stick in the struct cdev. Implement it and make_dev() in terms of a back-end make_dev_credv().
- Add a new event handler, dev_clone_cred, which can be registered to receive the credential instead of dev_clone, if desired.
- Modify the MAC entry point mac_create_devfs_device() to accept an optional credential pointer (may be NULL), so that MAC policies can inspect and act on the label or other elements of the credential when initializing the skeleton device protections.
- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(), so that the pty clone credential is exposed to the MAC Framework.
While currently primarily focussed on MAC policies, this change is also a prerequisite for changes to allow ptys to be instantiated with the UID of the process looking up the pty. This requires further changes to the pty driver -- in particular, to immediately recycle pty nodes on last close so that the credential-related state can be recreated on next lookup.
Submitted by: Andrew Reisse <andrew.reisse@sparta.com> Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA MFC after: 1 week MFC note: Merge to 6.x, but not 5.x for ABI reasons
show more ...
|
Revision tags: vendor/tcpdump/3.9.1, vendor/libpcap/0.9.1 |
|
#
3c308b09 |
| 05-Jul-2005 |
Robert Watson <rwatson@FreeBSD.org> |
Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is redundant with respect to existing mbuf copy label routines. Expose a new mac_copy_mbuf() routine at the top end of the Framework and
Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is redundant with respect to existing mbuf copy label routines. Expose a new mac_copy_mbuf() routine at the top end of the Framework and use that; use the existing mpo_copy_mbuf_label() routine on the bottom end.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, SPAWAR Approved by: re (scottl)
show more ...
|
Revision tags: vendor/openpam/FIGWORT, vendor/sendmail/8.13.4_1, vendor/hostapd/0.3.9, vendor/sendmail/8.13.4, vendor/OpenBSD/dhclient_openbsd_3_7, vendor/hostapd/0.3.7, vendor/wpa_supplicant/0.3.8, vendor/openssh/4.1p1, vendor/openssh/4.0p1, vendor/gcc/3.4.4-20050518, vendor/tcpdump/3.9.1-096, vendor/libpcap/0.9.1-096, vendor/ngatm/1.2, vendor/bsnmp/1.10, vendor/misc-GNU/texinfo/4.8, vendor/NetBSD/lukemftp/20050516, vendor/tnftp/20050516, vendor/one-true-awk/20050424, vendor/bzip2/1.0.3, vendor/libregex/fedora-glibc-2.3.4-21, release/5.4.0_cvs, release/5.4.0, vendor/NetBSD/regress_resolv_20050504, vendor/pf/3.7, vendor/pf-sys/3.7, vendor/bsnmp/1.9, vendor/ipfilter/4.1.8, vendor/ipfilter-sys/4-1-8, vendor/zlib/1.2.2 |
|
#
c92163dc |
| 14-Apr-2005 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Move MAC check_vnode_mmap entry point out from being exclusive to MAP_SHARED so that the entry point gets executed un-conditionally. This may be useful for security policies which want to perform acc
Move MAC check_vnode_mmap entry point out from being exclusive to MAP_SHARED so that the entry point gets executed un-conditionally. This may be useful for security policies which want to perform access control checks around run-time linking.
-add the mmap(2) flags argument to the check_vnode_mmap entry point so that we can make access control decisions based on the type of mapped object. -update any dependent API around this parameter addition such as function prototype modifications, entry point parameter additions and the inclusion of sys/mman.h header file. -Change the MLS, BIBA and LOMAC security policies so that subject domination routines are not executed unless the type of mapping is shared. This is done to maintain compatibility between the old vm_mmap_vnode(9) and these policies.
Reviewed by: rwatson MFC after: 1 month
show more ...
|
Revision tags: vendor/bind9/9.3.1, vendor/nve/1.0.0301, vendor/bsnmp/1.8, vendor/openssl/0.9.7e, vendor/heimdal/0.6.3, vendor/NetBSD/lukemftp/20050219, vendor/tnftp/20050219, vendor/sendmail/8.13.3, vendor/netcat/20050204, vendor/openpam/FETERITA |
|
#
c77cf2b1 |
| 26-Jan-2005 |
Robert Watson <rwatson@FreeBSD.org> |
Remove policy references to mpo_check_vnode_mprotect(), which is currently unimplemented.
Update copyrights.
Pointed out by: csjp
|