| #
6f6174a7 |
| 08-Mar-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Improve the consistency of MAC Framework and MAC policy entry point
naming by renaming certain "proc" entry points to "cred" entry points,
reflecting their manipulation of credentials. For some entr
Improve the consistency of MAC Framework and MAC policy entry point
naming by renaming certain "proc" entry points to "cred" entry points,
reflecting their manipulation of credentials. For some entry points,
the process was passed into the framework but not into policies; in
these cases, stop passing in the process since we don't need it.
mac_proc_check_setaudit -> mac_cred_check_setaudit
mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr
mac_proc_check_setauid -> mac_cred_check_setauid
mac_proc_check_setegid -> mac_cred_check_setegid
mac_proc_check_seteuid -> mac_cred_check_seteuid
mac_proc_check_setgid -> mac_cred_check_setgid
mac_proc_check_setgroups -> mac_cred_ceck_setgroups
mac_proc_check_setregid -> mac_cred_check_setregid
mac_proc_check_setresgid -> mac_cred_check_setresgid
mac_proc_check_setresuid -> mac_cred_check_setresuid
mac_proc_check_setreuid -> mac_cred_check_setreuid
mac_proc_check_setuid -> mac_cred_check_setuid
Obtained from: TrustedBSD Project
Sponsored by: Google, Inc.
show more ...
|
| #
2087a58c |
| 08-Mar-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Add static DTrace probes for MAC Framework access control checks and
privilege grants so that dtrace can be more easily used to monitor
the security decisions being generated by the MAC Framework fol
Add static DTrace probes for MAC Framework access control checks and
privilege grants so that dtrace can be more easily used to monitor
the security decisions being generated by the MAC Framework following
policy invocation.
Successful access control checks will be reported by:
mac_framework:kernel:<entrypoint>:mac_check_ok
Failed access control checks will be reported by:
mac_framework:kernel:<entrypoint>:mac_check_err
Successful privilege grants will be reported by:
mac_framework:kernel:priv_grant:mac_grant_ok
Failed privilege grants will be reported by:
mac_framework:kernel:priv_grant:mac_grant_err
In all cases, the return value (always 0 for _ok, otherwise an errno
for _err) will be reported via arg0 on the probe, and subsequent
arguments will hold entrypoint-specific data, in a style similar to
privilege tracing.
Obtained from: TrustedBSD Project
Sponsored by: Google, Inc.
show more ...
|
| #
c7ed8c0a |
| 24-Jan-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Use __FBSDID() for $FreeBSD$ version strings in .c files.
Obtained from: TrustedBSD Project
MFC after: 3 days
|
|
Revision tags: release/7.1.0_cvs, release/7.1.0, release/6.4.0_cvs, release/6.4.0, release/7.0.0_cvs, release/7.0.0, release/6.3.0_cvs, release/6.3.0 |
|
| #
30d239bc |
| 24-Oct-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Merge first in a series of TrustedBSD MAC Framework KPI changes
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:
mac_<object>_<method/action>
mac_<objec
Merge first in a series of TrustedBSD MAC Framework KPI changes
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:
mac_<object>_<method/action>
mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly
reversed from the new scheme. Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier. Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods. Also simplify, slightly,
some entry point names.
All MAC policy modules will need to be recompiled, and modules
not updates as part of this commit will need to be modified to
conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X)
Obtained from: TrustedBSD Project, Apple Computer
show more ...
|
| #
f1e8bf6d |
| 26-Jun-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Add a new MAC framework and policy entry point,
mpo_check_proc_setaudit_addr to be used when controlling use of
setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a
different argumen
Add a new MAC framework and policy entry point,
mpo_check_proc_setaudit_addr to be used when controlling use of
setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a
different argument type.
Reviewed by: csjp
Approved by: re (kensmith)
show more ...
|
| #
18717f69 |
| 22-Apr-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Allow MAC policy modules to control access to audit configuration system
calls. Add MAC Framework entry points and MAC policy entry points for
audit(), auditctl(), auditon(), setaudit(), aud setauid
Allow MAC policy modules to control access to audit configuration system
calls. Add MAC Framework entry points and MAC policy entry points for
audit(), auditctl(), auditon(), setaudit(), aud setauid().
MAC Framework entry points are only added for audit system calls where
additional argument context may be useful for policy decision-making; other
audit system calls without arguments may be controlled via the priv(9)
entry points.
Update various policy modules to implement audit-related checks, and in
some cases, other missing system-related checks.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA, Inc.
show more ...
|