New setcred() system call and associated MAC hooks

This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs

New setcred() system call and associated MAC hooks

This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs, supplementary groups and the MAC label. Its advantage over
standard credential-setting system calls (such as setuid(), seteuid(),
etc.) is that it enables MAC modules, such as MAC/do, to restrict the
set of credentials some process may gain in a fine-grained manner.

Traditionally, credential changes rely on setuid binaries that call
multiple credential system calls and in a specific order (setuid() must
be last, so as to remain root for all other credential-setting calls,
which would otherwise fail with insufficient privileges). This
piecewise approach causes the process to transiently hold credentials
that are neither the original nor the final ones. For the kernel to
enforce that only certain transitions of credentials are allowed, either
these possibly non-compliant transient states have to disappear (by
setting all relevant attributes in one go), or the kernel must delay
setting or checking the new credentials. Delaying setting credentials
could be done, e.g., by having some mode where the standard system calls
contribute to building new credentials but without committing them. It
could be started and ended by a special system call. Delaying checking
could mean that, e.g., the kernel only verifies the credentials
transition at the next non-credential-setting system call (we just
mention this possibility for completeness, but are certainly not
endorsing it).

We chose the simpler approach of a new system call, as we don't expect
the set of credentials one can set to change often. It has the
advantages that the traditional system calls' code doesn't have to be
changed and that we can establish a special MAC protocol for it, by
having some cleanup function called just before returning (this is
a requirement for MAC/do), without disturbing the existing ones.

The mac_cred_check_setcred() hook is passed the flags received by
setcred() (including the version) and both the old and new kernel's
'struct ucred' instead of 'struct setcred' as this should simplify
evolving existing hooks as the 'struct setcred' structure evolves. The
mac_cred_setcred_enter() and mac_cred_setcred_exit() hooks are always
called by pairs around potential calls to mac_cred_check_setcred().
They allow MAC modules to allocate/free data they may need in their
mac_cred_check_setcred() hook, as the latter is called under the current
process' lock, rendering sleepable allocations impossible. MAC/do is
going to leverage these in a subsequent commit. A scheme where
mac_cred_check_setcred() could return ERESTART was considered but is
incompatible with proper composition of MAC modules.

While here, add missing includes and declarations for standalone
inclusion of <sys/ucred.h> both from kernel and userspace (for the
latter, it has been working thanks to <bsm/audit.h> already including
<sys/types.h>).

Reviewed by: brooks
Approved by: markj (mentor)
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47618

show more ...

Regen

sysent: regen with refactored code

All changes are no-ops and are one of:
- Name changes of obsolete system calls in comments
- Correct prefixes on unimplemented freebsd32 system calls
- Currentl

sysent: regen with refactored code

All changes are no-ops and are one of:
- Name changes of obsolete system calls in comments
- Correct prefixes on unimplemented freebsd32 system calls
- Currently unused macros for FreeBSD 14 compatablity

show more ...

Regen

regen

Remove never implemented sbrk and sstk syscalls

Both system calls were stubs returning EOPNOTSUPP and libc did not
provide _ or __sys_ prefixed symbols. The actual implementation of
sbrk(2) is on t

Remove never implemented sbrk and sstk syscalls

Both system calls were stubs returning EOPNOTSUPP and libc did not
provide _ or __sys_ prefixed symbols. The actual implementation of
sbrk(2) is on top of the undocumented break(2) system call.

Technically this is a change in ABI, but no non-contrived program ever
called these syscalls.

Reviewed by: kib, emaste
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D42872

show more ...

freebsd32: Remove mac_syscall from the unimpl list

The mac_syscall system call works fine as long as any MAC module
that provides a mpo_syscall method handles compat32 appropriately.

Regenerate sys

freebsd32: Remove mac_syscall from the unimpl list

The mac_syscall system call works fine as long as any MAC module
that provides a mpo_syscall method handles compat32 appropriately.

Regenerate system call files for freebsd32.

Reviewed by: sjg
Obtained from: Juniper Networks, Inc.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D41575

show more ...

timerfd: Move implementation from linux compat to sys/kern

Move the timerfd impelemntation from linux compat code to sys/kern. Use
it to implement the new system calls for timerfd. Add a hook to ker

timerfd: Move implementation from linux compat to sys/kern

Move the timerfd impelemntation from linux compat code to sys/kern. Use
it to implement the new system calls for timerfd. Add a hook to kern_tc
to allow timerfd to know when the system time has stepped. Add kqueue
support to timerfd. Adjust a few names to be less Linux centric.

RelNotes: YES
Reviewed by: markj (on irc), imp, kib (with reservations), jhb (slack)
Differential Revision: https://reviews.freebsd.org/D38459

show more ...

Regen

Regenerate sysent stuff after $FreeBSD$ removal

Sponsored by: Netflix

freebsd32: Regen

Need to regen freebsd32 as well when sys/kern/syscalls.master is
updated.

Sponsored by: Netflix

Regen

Regen

Regen

freebsd32: regen

There there are two changes here. First, ofreebsd32_sigreturn
is declared to take a struct osigcontext rather than a struct
ia32_sigcontext3. This type is incorrect, but harmlessly

freebsd32: regen

There there are two changes here. First, ofreebsd32_sigreturn
is declared to take a struct osigcontext rather than a struct
ia32_sigcontext3. This type is incorrect, but harmlessly so.
Second, the name of the unimplemented ogetkerninfo changes in
freebsd32_syscallnames.

show more ...

freebsd32: regen

freebsd32: regen

freebsd32: regen

fspacectl: remove unneeded freebsd32 wrapper

fspacectl(2) does not require special handling on freebsd32. The
presence of off_t in a struct does not cause it's size to change
between the native ABI

fspacectl: remove unneeded freebsd32 wrapper

fspacectl(2) does not require special handling on freebsd32. The
presence of off_t in a struct does not cause it's size to change
between the native ABI and the 32-bit ABI supported by freebsd32
because off_t is always int64_t on BSD systems. Further, byte
order only requires handling for paired argument or return registers.

(32-byte alignment of 64-bit objects on i386 can require special
handling, but that situtation does not apply here.)

Reviewed by: kib, khng, emaste, delphij
Differential Revision: https://reviews.freebsd.org/D32994

show more ...

freebsd32: update unimplemented syscall comments

These were out of sync with sys/kern/syscalls.master

Reviewed by: kevans

freebsd32: tag RESERVED syscalls

This reduces diffs when generating freebsd32 files from the default
ABI's syscalls.master.

Reviewed by: kevans

freebsd32: fix getfsstat sign extension bugs

Add freebsd32 versions of getfsstat and freebsd11_getfsstat so that
bufsize is properly sign-extended if a negative value is passed.
Reject negative valu

freebsd32: fix getfsstat sign extension bugs

Add freebsd32 versions of getfsstat and freebsd11_getfsstat so that
bufsize is properly sign-extended if a negative value is passed.
Reject negative values before passing to kern_getfsstat as a size_t.

Reviewed by: kevans

show more ...

freebsd32: signed long corrections

Syscalls that take signed longs need to treat the 32-bit versions as
signed int so that sign extension happens correctly. Improve
decleration quality and add a fe

freebsd32: signed long corrections

Syscalls that take signed longs need to treat the 32-bit versions as
signed int so that sign extension happens correctly. Improve
decleration quality and add a few minimal syscall implementations.

Reviewed by: kevans

show more ...

freebsd32: add missing pads to preadv and pwritev

Reviewed by: kevans

freebsd32: add stubs for ofreebsd32_(send|recv)msg

The upcoming change to generate freebsd32 generated files from
sys/kern/syscalls.master doesn't have a way to handle disabling
this one without dis

freebsd32: add stubs for ofreebsd32_(send|recv)msg

The upcoming change to generate freebsd32 generated files from
sys/kern/syscalls.master doesn't have a way to handle disabling
this one without disabling the non-COMPAT counterpart so just add
a stub for now.

Reviewed by: kevans

show more ...