History log of /freebsd/sys/security/mac_lomac/mac_lomac.c (Results 426 – 450 of 779)
# d745c852 07-Nov-2011 Ed Schouten <ed@FreeBSD.org>

Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.

This means that their use is restricted to a single C file.


# d5a42fa4 31-May-2010 Robert Watson <rwatson@FreeBSD.org>

Merge r204581 from head to stable/8:

Update device-labeling logic for Biba, LOMAC, and MLS to recognize new-style
pts devices when various policy ptys_equal flags are enabled.

Submitted by: Estella Mystagic <estella at mystagic.com>

Approved by: re (kib)


# 285438bf 27-Mar-2010 Edward Tomasz Napierala <trasz@FreeBSD.org>

MFC r201438:

Make mac_lomac(4) able to interpret NFSv4 access bits.

Reviewed by: rwatson


# 9663e343 02-Mar-2010 Robert Watson <rwatson@FreeBSD.org>

Update device-labeling logic for Biba, LOMAC, and MLS to recognize new-style
pts devices when various policy ptys_equal flags are enabled.

Submitted by: Estella Mystagic <estella at mystagic.com>
MFC after: 1 week


# 3a597bfc 03-Jan-2010 Edward Tomasz Napierala <trasz@FreeBSD.org>

Make mac_lomac(4) able to interpret NFSv4 access bits.

Reviewed by: rwatson


# 3364c323 23-Jun-2009 Konstantin Belousov <kib@FreeBSD.org>

Implement global and per-uid accounting of the anonymous memory. Add
rlimit RLIMIT_SWAP that limits the amount of swap that may be reserved
for the uid.

The accounting information (charge) is associated with either map entry,
or vm object backing the entry, assuming the object is the first one
in the shadow chain and entry does not require COW. Charge is moved
from entry to object on allocation of the object, e.g. during the mmap,
assuming the object is allocated, or on the first page fault on the
entry. It moves back to the entry on forks due to COW setup.

The per-entry granularity of accounting makes the charge process fair
for processes that change uid during lifetime, and decrements charge
for proper uid when region is unmapped.

The interface of vm_pager_allocate(9) is extended by adding struct ucred *,
that is used to charge appropriate uid when allocation is performed by
kernel, e.g. md(4).

Several syscalls, among them is fork(2), may now return ENOMEM when
global or per-uid limits are enforced.

In collaboration with: pho
Reviewed by: alc
Approved by: re (kensmith)


# fbbbf5d1 20-Jun-2009 Ed Schouten <ed@FreeBSD.org>

Chase the removal of PRIV_TTY_PRISON in the mac(9) modules.

Reported by: kib
Pointy hat to: me


# 3de40469 03-Jun-2009 Robert Watson <rwatson@FreeBSD.org>

Continue work to optimize performance of "options MAC" when no MAC policy
modules are loaded by avoiding mbuf label lookups when policies aren't
loaded, pushing further socket locking into MAC policy modules, and
avoiding locking MAC ifnet locks when no policies are loaded:

- Check mac_policies_count before looking for mbuf MAC label m_tags in MAC
Framework entry points. We will still pay label lookup costs if MAC
policies are present but don't require labels (typically a single mbuf
header field read, but perhaps further indirection if IPSEC or other
m_tag consumers are in use).

- Further push socket locking for socket-related access control checks and
events into MAC policies from the MAC Framework, so that sockets are
only locked if a policy specifically requires a lock to protect a label.
This resolves lock order issues during sonewconn() and also in local
domain socket cross-connect where multiple socket locks could not be
held at once for the purposes of propagating MAC labels across multiple
sockets. Eliminate mac_policy_count check in some entry points where it
no longer avoids locking.

- Add mac_policy_count checking in some entry points relating to network
interfaces that otherwise lock a global MAC ifnet lock used to protect
ifnet labels.

Obtained from: TrustedBSD Project


# fefd0ac8 08-Mar-2009 Robert Watson <rwatson@FreeBSD.org>

Remove 'uio' argument from MAC Framework and MAC policy entry points for
extended attribute get/set; in the case of get an uninitialized user
buffer was passed before the EA was retrieved, making it of relatively
little use; the latter was simply unused by any policies.

Obtained from: TrustedBSD Project
Sponsored by: Google, Inc.


# 9162f64b 10-Jan-2009 Robert Watson <rwatson@FreeBSD.org>

Rather than having MAC policies explicitly declare what object types
they label, derive that information implicitly from the set of label
initializers in their policy operations set. This avoids a possible
class of programmer errors, while retaining the structure that
allows us to avoid allocating labels for objects that don't need
them. As before, we regenerate a global mask of labeled objects
each time a policy is loaded or unloaded, stored in mac_labeled.

Discussed with: csjp
Suggested by: Jacques Vidrine <nectar at apple.com>
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.


# dbdcb994 10-Jan-2009 Robert Watson <rwatson@FreeBSD.org>

Use MPC_OBJECT_IP6Q to indicate labeling of struct ip6q rather than
MPC_OBJECT_IPQ; it was already defined, just not used.

Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.


# 15bc6b2b 28-Oct-2008 Edward Tomasz Napierala <trasz@FreeBSD.org>

Introduce accmode_t. This is required for NFSv4 ACLs - it will be necessary
to add more V* constants, and the variables changed by this patch were often
being assigned to mode_t variables, which is 16 bit.

Approved by: rwatson (mentor)


# 9215889d 28-Oct-2008 Robert Watson <rwatson@FreeBSD.org>

Rename mac_cred_mmapped_drop_perms(), which revokes access to virtual
memory mappings when the MAC label on a process changes, to
mac_proc_vm_revoke().

It now also acquires its own credential reference directly from the
affected process rather than accepting one passed by the caller,
simplifying the API and consumer code.

Obtained from: TrustedBSD Project


# 212ab0cf 28-Oct-2008 Robert Watson <rwatson@FreeBSD.org>

Rename three MAC entry points from _proc_ to _cred_ to reflect the fact
that they operate directly on credentials: mac_proc_create_swapper(),
mac_proc_create_init(), and mac_proc_associate_nfsd(). Update policies.

Obtained from: TrustedBSD Project


# 048e1287 26-Oct-2008 Robert Watson <rwatson@FreeBSD.org>

Implement MAC policy support for IPv6 fragment reassembly queues,
modeled on IPv4 fragment reassembly queue support.

Obtained from: TrustedBSD Project


# 1ede983c 23-Oct-2008 Dag-Erling Smørgrav <des@FreeBSD.org>

Retire the MALLOC and FREE macros. They are an abomination unto style(9).

MFC after: 3 months


# 7fb179ba 17-Oct-2008 Bjoern A. Zeeb <bz@FreeBSD.org>

Add a mac_inpcb_check_visible implementation to all MAC policies
that handle mac_socket_check_visible.

Reviewed by: rwatson
MFC after: 3 months (set timer; decide then)


# 0359a12e 28-Aug-2008 Attilio Rao <attilio@FreeBSD.org>

Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread
was always curthread and totally unuseful.

Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>


# 6356dba0 23-Aug-2008 Robert Watson <rwatson@FreeBSD.org>

Introduce two related changes to the TrustedBSD MAC Framework:

(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.

(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.

MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.


# 95b85ca3 02-Aug-2008 Robert Watson <rwatson@FreeBSD.org>

Minor style tweaks.


# 37f44cb4 13-Jun-2008 Robert Watson <rwatson@FreeBSD.org>

The TrustedBSD MAC Framework named struct ipq instances 'ipq', which is the
same as the global variable defined in ip_input.c. Instead, adopt the name
'q' as found in about 1/2 of uses in ip_input.c, preventing a collision on
the name. This is non-harmful, but means that search and replace on the
global works less well (as in the virtualization work), as well as indexing
tools.

MFC after: 1 week
Reported by: julian


# eb320b0e 29-Oct-2007 Robert Watson <rwatson@FreeBSD.org>

Resort TrustedBSD MAC Framework policy entry point implementations and
declarations to match the object, operation sort order in the framework
itself.

Obtained from: TrustedBSD Project


# 2a9e17ce 28-Oct-2007 Robert Watson <rwatson@FreeBSD.org>

Garbage collect mac_mbuf_create_multicast_encap TrustedBSD MAC Framework
entry point, which is no longer required now that we don't support
old-style multicast tunnels. This removes the last mbuf object class
entry point that isn't init/copy/destroy.

Obtained from: TrustedBSD Project


# a13e21f7 28-Oct-2007 Robert Watson <rwatson@FreeBSD.org>

Continue to move from generic network entry points in the TrustedBSD MAC
Framework by moving from mac_mbuf_create_netlayer() to more specific
entry points for specific network services:

- mac_netinet_firewall_reply() to be used when replying to in-bound TCP
segments in pf and ipfw (etc).

- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and
add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite
a label in place, but in others we apply the label to a new mbuf.

Obtained from: TrustedBSD Project


# b9b0dac3 28-Oct-2007 Robert Watson <rwatson@FreeBSD.org>

Move towards more explicit support for various network protocol stacks
in the TrustedBSD MAC Framework:

- Add mac_atalk.c and add explicit entry point mac_netatalk_aarp_send()
for AARP packet labeling, rather than using a generic link layer
entry point.

- Add mac_inet6.c and add explicit entry point mac_netinet6_nd6_send()
for ND6 packet labeling, rather than using a generic link layer entry
point.

- Add explicit entry point mac_netinet_arp_send() for ARP packet
labeling, and mac_netinet_igmp_send() for IGMP packet labeling,
rather than using a generic link layer entry point.

- Remove previous generic link layer entry point,
mac_mbuf_create_linklayer() as it is no longer used.

- Add implementations of new entry points to various policies, largely
by replicating the existing link layer entry point for them; remove
old link layer entry point implementation.

- Make MAC_IFNET_LOCK(), MAC_IFNET_UNLOCK(), and mac_ifnet_mtx global
to the MAC Framework rather than static to mac_net.c as it is now
needed outside of mac_net.c.

Obtained from: TrustedBSD Project

